Add account_type parameter for audit logs (#13269)

andrewstalin · web-flow · commit 179f412233cd · 2025-01-15T16:03:17.000+07:00
diff --git a/ydb/core/grpc_services/audit_logins.cpp b/ydb/core/grpc_services/audit_logins.cpp
@@ -11,10 +11,13 @@
 namespace NKikimr {
 namespace NGRpcService {
 
-void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails, const TString& sanitizedToken)
+void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request,
+                   const Ydb::Auth::LoginResponse& response, const TString& errorDetails,
+                   const TString& sanitizedToken, bool isAdmin)
 {
     static const TString GrpcLoginComponentName = "grpc-login";
     static const TString LoginOperationName = "LOGIN";
+    static const TString AdminAccountType = "admin";
 
     //NOTE: EmptyValue couldn't be an empty string as AUDIT_PART() skips parts with an empty values
     static const TString EmptyValue = "{none}";
@@ -50,6 +53,7 @@ void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::Log
         // Login
         AUDIT_PART("login_user", (!request.user().empty() ? request.user() : EmptyValue))
         AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))
+        AUDIT_PART("account_type", AdminAccountType, (isAdmin && status == Ydb::StatusIds::SUCCESS))
 
         //TODO: (?) it is possible to show masked version of the resulting token here
     );
diff --git a/ydb/core/grpc_services/audit_logins.h b/ydb/core/grpc_services/audit_logins.h
@@ -13,6 +13,8 @@ namespace NKikimr::NGRpcService {
 class IAuditCtx;
 
 // logins log
-void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails, const TString& sanitizedToken);
+void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request,
+                   const Ydb::Auth::LoginResponse& response, const TString& errorDetails,
+                   const TString& sanitizedToken, bool isAdmin = false);
 
 } // namespace NKikimr::NGRpcService
diff --git a/ydb/core/grpc_services/rpc_login.cpp b/ydb/core/grpc_services/rpc_login.cpp
@@ -12,6 +12,9 @@
 #include <ydb/core/security/ldap_auth_provider/ldap_auth_provider.h>
 #include <ydb/core/security/login_shared_func.h>
 
+#include <ydb/library/aclib/aclib.h>
+#include <ydb/library/login/login.h>
+
 #include <ydb/public/api/protos/ydb_auth.pb.h>
 
 namespace NKikimr {
@@ -88,7 +91,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
             ReplyErrorAndPassAway(Ydb::StatusIds::INTERNAL_ERROR, "Failed to produce a token");
         } else {
             // success = token + no errors
-            ReplyAndPassAway(loginResult.GetToken(), loginResult.GetSanitizedToken());
+            ReplyAndPassAway(loginResult);
         }
     }
 
@@ -113,9 +116,12 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
         }
     }
 
-    void ReplyAndPassAway(const TString& resultToken, const TString& sanitizedToken) {
-        TResponse response;
+    void ReplyAndPassAway(const NKikimrScheme::TEvLoginResult& loginResult) {
+        const auto& resultToken = loginResult.GetToken();
+        const auto& sanitizedToken = loginResult.GetSanitizedToken();
+        const auto& isAdmin = loginResult.GetIsAdmin();
 
+        TResponse response;
         Ydb::Operations::Operation& operation = *response.mutable_operation();
         operation.set_ready(true);
         operation.set_status(Ydb::StatusIds::SUCCESS);
@@ -126,7 +132,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
             operation.mutable_result()->PackFrom(result);
         }
 
-        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, /* errorDetails */ TString(), sanitizedToken);
+        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, /* errorDetails */ TString(), sanitizedToken, isAdmin);
 
         return CleanupAndReply(response);
     }
diff --git a/ydb/core/protos/flat_tx_scheme.proto b/ydb/core/protos/flat_tx_scheme.proto
@@ -154,6 +154,7 @@ message TEvLoginResult {
     optional string Error = 1;
     optional string Token = 2;  // signed jwt token
     optional string SanitizedToken = 3;  // sanitized token without signature
+    optional bool IsAdmin = 4;
 }
 
 // Sending actor registers itself to be notified when tx completes
diff --git a/ydb/core/tx/schemeshard/schemeshard__login.cpp b/ydb/core/tx/schemeshard/schemeshard__login.cpp
@@ -87,6 +87,22 @@ struct TSchemeShard::TTxLogin : TTransactionBase<TSchemeShard> {
     }
 
 private:
+    bool IsAdmin() const {
+        const auto& adminSids = AppData()->AdministrationAllowedSIDs;
+        if (adminSids.empty()) {
+            return true;
+        }
+
+        const auto& user = Request->Get()->Record.GetUser();
+        const auto providerGroups = Self->LoginProvider.GetGroupsMembership(user);
+        const TVector<NACLib::TSID> groups(providerGroups.begin(), providerGroups.end());
+        const auto userToken = NACLib::TUserToken(user, groups);
+        auto hasSid = [&userToken](const TString& sid) -> bool {
+            return userToken.IsExist(sid);
+        };
+        return std::find_if(adminSids.begin(), adminSids.end(), hasSid) != adminSids.end();
+    }
+
     bool LoginAttempt(NIceDb::TNiceDb& db, const TActorContext& ctx) {
         const auto& loginRequest = GetLoginRequest();
         if (!loginRequest.ExternalAuth && !AppData(ctx)->AuthConfig.GetEnableLoginAuthentication()) {
@@ -105,6 +121,7 @@ struct TSchemeShard::TTxLogin : TTransactionBase<TSchemeShard> {
         case NLogin::TLoginProvider::TLoginUserResponse::EStatus::SUCCESS: {
             Result->Record.SetToken(loginResponse.Token);
             Result->Record.SetSanitizedToken(loginResponse.SanitizedToken);
+            Result->Record.SetIsAdmin(IsAdmin());
             break;
         }
         case NLogin::TLoginProvider::TLoginUserResponse::EStatus::INVALID_PASSWORD:
@@ -145,6 +162,7 @@ struct TSchemeShard::TTxLogin : TTransactionBase<TSchemeShard> {
             HandleLoginAuthSuccess(loginRequest, loginResponse, db);
             Result->Record.SetToken(loginResponse.Token);
             Result->Record.SetSanitizedToken(loginResponse.SanitizedToken);
+            Result->Record.SetIsAdmin(IsAdmin());
             break;
         }
         case NLogin::TLoginProvider::TLoginUserResponse::EStatus::INVALID_PASSWORD: {
diff --git a/ydb/core/tx/schemeshard/ut_login/ut_login.cpp b/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
@@ -923,9 +923,7 @@ NHttp::THttpIncomingRequestPtr MakeLogoutRequest(const TString& cookieName, cons
 }
 
 Y_UNIT_TEST_SUITE(TWebLoginService) {
-
-    Y_UNIT_TEST(AuditLogLoginSuccess) {
-        TTestBasicRuntime runtime;
+    void AuditLogLoginTest(TTestBasicRuntime& runtime, bool isUserAdmin) {
         std::vector<std::string> lines;
         runtime.AuditLogBackends = std::move(CreateTestAuditLogBackends(lines));
         TTestEnv env(runtime);
@@ -965,6 +963,33 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1");
         UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");
         UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);
+
+        if (isUserAdmin) {
+            UNIT_ASSERT_STRING_CONTAINS(last, "account_type=admin");
+        } else {
+            UNIT_ASSERT(!last.contains("account_type=admin"));
+        }
+    }
+
+    Y_UNIT_TEST(AuditLogEmptySIDsLoginSuccess) {
+        TTestBasicRuntime runtime;
+        AuditLogLoginTest(runtime, true);
+    }
+
+    Y_UNIT_TEST(AuditLogAdminLoginSuccess) {
+        TTestBasicRuntime runtime;
+        runtime.AddAppDataInit([](ui32, NKikimr::TAppData& appData){
+            appData.AdministrationAllowedSIDs.emplace_back("user1");
+        });
+        AuditLogLoginTest(runtime, true);
+    }
+
+    Y_UNIT_TEST(AuditLogLoginSuccess) {
+        TTestBasicRuntime runtime;
+        runtime.AddAppDataInit([](ui32, NKikimr::TAppData& appData){
+            appData.AdministrationAllowedSIDs.emplace_back("user2");
+        });
+        AuditLogLoginTest(runtime, false);
     }
 
     Y_UNIT_TEST(AuditLogLoginBadPassword) {

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,9 @@`
`12`	`12`	`#include <ydb/core/security/ldap_auth_provider/ldap_auth_provider.h>`
`13`	`13`	`#include <ydb/core/security/login_shared_func.h>`
`14`	`14`
	`15`	`+#include <ydb/library/aclib/aclib.h>`
	`16`	`+#include <ydb/library/login/login.h>`
	`17`	`+`
`15`	`18`	`#include <ydb/public/api/protos/ydb_auth.pb.h>`
`16`	`19`
`17`	`20`	`namespace NKikimr {`
`@@ -88,7 +91,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {`
`88`	`91`	`ReplyErrorAndPassAway(Ydb::StatusIds::INTERNAL_ERROR, "Failed to produce a token");`
`89`	`92`	`} else {`
`90`	`93`	`// success = token + no errors`
`91`		`- ReplyAndPassAway(loginResult.GetToken(), loginResult.GetSanitizedToken());`
	`94`	`+ ReplyAndPassAway(loginResult);`
`92`	`95`	`}`
`93`	`96`	`}`
`94`	`97`
`@@ -113,9 +116,12 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {`
`113`	`116`	`}`
`114`	`117`	`}`
`115`	`118`
`116`		`- void ReplyAndPassAway(const TString& resultToken, const TString& sanitizedToken) {`
`117`		`- TResponse response;`
	`119`	`+ void ReplyAndPassAway(const NKikimrScheme::TEvLoginResult& loginResult) {`
	`120`	`+ const auto& resultToken = loginResult.GetToken();`
	`121`	`+ const auto& sanitizedToken = loginResult.GetSanitizedToken();`
	`122`	`+ const auto& isAdmin = loginResult.GetIsAdmin();`
`118`	`123`
	`124`	`+ TResponse response;`
`119`	`125`	`Ydb::Operations::Operation& operation = *response.mutable_operation();`
`120`	`126`	`operation.set_ready(true);`
`121`	`127`	`operation.set_status(Ydb::StatusIds::SUCCESS);`
`@@ -126,7 +132,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {`
`126`	`132`	`operation.mutable_result()->PackFrom(result);`
`127`	`133`	`}`
`128`	`134`
`129`		`- AuditLogLogin(Request.Get(), PathToDatabase, GetProtoRequest(), response, / errorDetails */ TString(), sanitizedToken);`
	`135`	`+ AuditLogLogin(Request.Get(), PathToDatabase, GetProtoRequest(), response, / errorDetails */ TString(), sanitizedToken, isAdmin);`
`130`	`136`
`131`	`137`	`return CleanupAndReply(response);`
`132`	`138`	`}`
Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,7 @@ message TEvLoginResult {`
`154`	`154`	`optional string Error = 1;`
`155`	`155`	`optional string Token = 2; // signed jwt token`
`156`	`156`	`optional string SanitizedToken = 3; // sanitized token without signature`
	`157`	`+ optional bool IsAdmin = 4;`
`157`	`158`	`}`
`158`	`159`
`159`	`160`	`// Sending actor registers itself to be notified when tx completes`