From 533e88487eeb93d8fa02c432390635555c99da59 Mon Sep 17 00:00:00 2001
From: kungasc
Date: Fri, 24 Jan 2025 17:52:35 +0300
Subject: [PATCH] test permissions
---
 ydb/core/base/auth.cpp | 2 +-
 ydb/core/sys_view/auth/permissions.cpp | 2 -
 ydb/core/sys_view/auth/users.cpp | 4 +-
 ydb/core/sys_view/ut_kqp.cpp | 135 +++++++++++++++++++++++++
 4 files changed, 137 insertions(+), 6 deletions(-)
diff --git a/ydb/core/base/auth.cpp b/ydb/core/base/auth.cpp
index a90125369638..4994e96fbb00 100644
--- a/ydb/core/base/auth.cpp
+++ b/ydb/core/base/auth.cpp
@@ -21,7 +21,7 @@ bool IsAdministrator(const TAppData* appData, const TString& userToken) {
 return true;
 }
- if (!userToken || userToken->GetSerializedToken().empty()) {
+ if (!userToken) {
 return false;
 }
diff --git a/ydb/core/sys_view/auth/permissions.cpp b/ydb/core/sys_view/auth/permissions.cpp
index a4498dcd2796..11d1066ccb49 100644
--- a/ydb/core/sys_view/auth/permissions.cpp
+++ b/ydb/core/sys_view/auth/permissions.cpp
@@ -39,8 +39,6 @@ class TPermissionsScan : public TAuthScanBase {
 TVector cells(::Reserve(Columns.size()));
- // TODO: add rows according to request's sender user rights
-
 auto entryPath = CanonizePath(entry.Path);
 for (const NACLibProto::TACE& ace : entry.SecurityObject->GetACL().GetACE()) {
diff --git a/ydb/core/sys_view/auth/users.cpp b/ydb/core/sys_view/auth/users.cpp
index 800122dd5dff..97371c7eb66a 100644
--- a/ydb/core/sys_view/auth/users.cpp
+++ b/ydb/core/sys_view/auth/users.cpp
@@ -96,8 +96,6 @@ class TUsersScan : public TScanActorBase {
 void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const NKikimrScheme::TEvListUsersResult& result) {
 TVector cells(::Reserve(Columns.size()));
- // TODO: add rows according to request's sender user rights
-
 for (const auto& user : result.GetUsers()) {
 if (!user.HasName() || !CanAccessUser(user.GetName())) {
 continue;
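Review bot: The rewritten guard in IsAdministrator no longer returns false for a non-null `userToken` whose `GetSerializedToken()` is empty, so such a token now reaches whatever check follows the hunk; since this function answers a privilege question, that widening deserves a stated reason, and the commit message ("test permissions") gives none. If an empty serialized token is meant to be judged by the later checks rather than rejected up front, record it above the `if`, e.g. `// A token object with an empty serialized form is not rejected here; the checks below decide.`, otherwise keep the emptiness test. The function begins before the hunk and the rest of its body lies outside it.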
@@ -164,7 +162,7 @@ class TUsersScan : public TScanActorBase {
 return true;
 }
- return UserToken->IsExist(user);
+ return UserToken && UserToken->IsExist(user);
 }
 private:
diff --git a/ydb/core/sys_view/ut_kqp.cpp b/ydb/core/sys_view/ut_kqp.cpp
index bdcf6adce1c1..730666ef975e 100644
--- a/ydb/core/sys_view/ut_kqp.cpp
+++ b/ydb/core/sys_view/ut_kqp.cpp
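Review bot: `return UserToken && UserToken->IsExist(user);` makes a missing token fail closed instead of dereferencing null, which is the right default for a visibility check, but nothing at the return says so, and how it relates to the `return true;` branch just above (whose condition is outside the hunk) is left to the reader. A one-line comment such as `// No token: nothing beyond the earlier return-true branch is visible` would record the intent. The enclosing function starts before the hunk.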
@@ -2963,6 +2963,141 @@ Y_UNIT_TEST_SUITE(SystemView) {
 }
 }
+ Y_UNIT_TEST(AuthPermissions_Access) {
+ TTestEnv env;
+ SetupAuthAccessEnvironment(env);
+ TTableClient client(env.GetDriver());
+
+ env.GetClient().MkDir("/Root", "Dir1");
+ env.GetClient().MkDir("/Root", "Dir2");
+ env.GetClient().MkDir("/Root/Tenant1", "Dir3");
+ env.GetClient().MkDir("/Root/Tenant1", "Dir4");
+
+ {
+ NACLib::TDiffACL acl;
+ acl.AddAccess(NACLib::EAccessType::Allow, NACLib::SelectRow, "user1");
+ env.GetClient().ModifyACL("/Root", "Dir1", acl.SerializeAsString());
+ }
+ {
+ NACLib::TDiffACL acl;
+ acl.AddAccess(NACLib::EAccessType::Allow, NACLib::EraseRow, "user2");
+ env.GetClient().ModifyACL("/Root", "Dir2", acl.SerializeAsString());
+ }
+ {
+ NACLib::TDiffACL acl;
+ acl.AddAccess(NACLib::EAccessType::Allow, NACLib::SelectRow, "user3");
+ acl.AddAccess(NACLib::EAccessType::Allow, NACLib::EraseRow, "user4");
+ env.GetClient().ModifyACL("/Root/Tenant1", "Dir3", acl.SerializeAsString());
+ }
+
+ { // anonymous
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(env.GetEndpoint());
+ auto driver = TDriver(driverConfig);
+ TTableClient client(driver);
+
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/.sys/auth_permissions`
+ )").GetValueSync();
+
+ auto expected = R"([
+ [["/Root"];["ydb.generic.use"];["user1"]];
+ [["/Root"];["ydb.generic.use"];["user2"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["root@builtin"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["user1"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["all-users@well-known"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["all-users@well-known"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["root@builtin"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["root@builtin"]];
+ [["/Root/Dir1"];["ydb.granular.select_row"];["user1"]];
+ [["/Root/Dir2"];["ydb.granular.erase_row"];["user2"]]
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ }
+
+ { // user1 has /Root GenericUse access
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(env.GetEndpoint())
+ .SetCredentialsProviderFactory(NYdb::CreateLoginCredentialsProviderFactory({
+ .User = "user1",
+ .Password = "password1",
+ }));
+ auto driver = TDriver(driverConfig);
+ TTableClient client(driver);
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/.sys/auth_permissions`
+ )").GetValueSync();
+
+ auto expected = R"([
+ [["/Root"];["ydb.generic.use"];["user1"]];
+ [["/Root"];["ydb.generic.use"];["user2"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["root@builtin"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["user1"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["all-users@well-known"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["all-users@well-known"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["root@builtin"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["root@builtin"]];
+ [["/Root/Dir1"];["ydb.granular.select_row"];["user1"]];
+ [["/Root/Dir2"];["ydb.granular.erase_row"];["user2"]]
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ }
+
+ {
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/Tenant1/.sys/auth_permissions`
+ )").GetValueSync();
+
+ auto expected = R"([
+ [["/Root/Tenant1/Dir3"];["ydb.granular.select_row"];["user3"]];
+ [["/Root/Tenant1/Dir3"];["ydb.granular.erase_row"];["user4"]]
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ }
+ }
+
+ { // revoke user1 /Root/Dir2 GenericUse access
+ NACLib::TDiffACL acl;
+ acl.AddAccess(NACLib::EAccessType::Deny, NACLib::GenericUse, "user1");
+ env.GetClient().ModifyACL("/Root", "Dir2", acl.SerializeAsString());
+
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(env.GetEndpoint())
+ .SetCredentialsProviderFactory(NYdb::CreateLoginCredentialsProviderFactory({
+ .User = "user1",
+ .Password = "password1",
+ }));
+ auto driver = TDriver(driverConfig);
+ TTableClient client(driver);
+
+ auto it = client.StreamExecuteScanQuery(R"(
+ SELECT *
+ FROM `Root/.sys/auth_permissions`
+ )").GetValueSync();
+
+ auto expected = R"([
+ [["/Root"];["ydb.generic.use"];["user1"]];
+ [["/Root"];["ydb.generic.use"];["user2"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["root@builtin"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.generic.full"];["user1"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["all-users@well-known"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["all-users@well-known"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.select_row"];["root@builtin"]];
+ [["/Root/.metadata/workload_manager/pools/default"];["ydb.granular.describe_schema"];["root@builtin"]];
+ [["/Root/Dir1"];["ydb.granular.select_row"];["user1"]];
+ ])";
+ NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
+ }
+
+ // TODO: fix https://github.com/ydb-platform/ydb/issues/13730
+ // and test tenant user and tenant admin
+ }
+ Y_UNIT_TEST(AuthEffectivePermissions) {
+ TTestEnv env;
+ SetupAuthEnvironment(env);
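Review bot: The `// anonymous` block asserts that a driver built with no credentials reads every row of `Root/.sys/auth_permissions`, including the ACEs on `/Root` and on the workload-manager pool, so the test pins full visibility of the ACL view to an unauthenticated client; if that is expected only because `SetupAuthAccessEnvironment` leaves token enforcement off, the block should say so, e.g. `// anonymous: token requirement is not enforced in this environment, so the full view is visible`, and if it is not, the expectation itself needs a second look. The third block's comment `// revoke user1 /Root/Dir2 GenericUse access` does not match its code, which adds a `Deny` ACE for GenericUse rather than removing an earlier grant; `// deny user1 GenericUse on /Root/Dir2, so its rows drop out of user1's view` describes what the expected YSON checks. The `TTableClient client(env.GetDriver());` declared at the top of the test is shadowed by the per-block `TTableClient client(driver);` and never used, so it can be dropped.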