Fixes + test

Author: UgnineSirdis

ydb/core/grpc_services/grpc_request_check_actor.h

@@ -87,6 +87,7 @@ class TGrpcRequestCheckActor
     }
 
     void ProcessCommonAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData) {
+        TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry> entries;
         static std::vector<TString> allowedAttributes = {"folder_id", "service_account_id", "database_id"};
         TVector<std::pair<TString, TString>> attributes;
         attributes.reserve(schemeData.GetPathDescription().UserAttributesSize());
@@ -96,16 +97,16 @@ class TGrpcRequestCheckActor
             }
         }
         if (!attributes.empty()) {
-            SetEntries({{GetPermissions(), attributes}});
-        } else {
-            if constexpr (std::is_same_v<TEvent, TEvRequestAuthAndCheck>) {
-                if (!Request_->Get()->GetDatabaseName()) {
-                    const auto& entries = GetEntriesForAuthAndCheckRequest(Request_);
-                    if (!entries.empty()) {
-                        SetEntries(entries);
-                    }
-                }
-            }
+            entries.emplace_back(GetPermissions(), attributes);
+        }
+
+        if constexpr (std::is_same_v<TEvent, TEvRequestAuthAndCheck>) {
+            const auto& e = GetEntriesForAuthAndCheckRequest(Request_);
+            entries.insert(entries.end(), e.begin(), e.end());
+        }
+
+        if (!entries.empty()) {
+            SetEntries(entries);
         }
     }
 

ydb/core/mon/mon.cpp

@@ -9,22 +9,29 @@
 #include <library/cpp/json/json_value.h>
 #include <library/cpp/json/json_reader.h>
 
+#include <util/string/ascii.h>
+
 namespace NActors {
 
 using namespace NMonitoring;
 using namespace NKikimr;
 
 namespace {
 
+bool HasJsonContent(NMonitoring::IMonHttpRequest& request) {
+    const TStringBuf header = request.GetHeader("Content-Type");
+    return header.empty() || AsciiEqualsIgnoreCase(header, "application/json"); // by default we will try to parse json, no error will be generated if parsing fails
+}
+
 TString GetDatabase(NMonitoring::IMonHttpRequest& request) {
     if (const auto dbIt = request.GetParams().Find("database"); dbIt != request.GetParams().end()) {
         return dbIt->second;
     }
-    if (request.GetMethod() == HTTP_METHOD_POST) {
+    if (request.GetMethod() == HTTP_METHOD_POST && HasJsonContent(request)) {
         static NJson::TJsonReaderConfig JsonConfig;
         NJson::TJsonValue requestData;
         if (NJson::ReadJsonTree(request.GetPostContent(), &JsonConfig, &requestData)) {
-            return requestData["database"].GetString();
+            return requestData["database"].GetString(); // empty if not string or no such key
         }
     }
     return {};

ydb/core/testlib/actors/test_runtime.cpp

@@ -4,6 +4,7 @@
 #include <ydb/core/base/blobstorage.h>
 #include <ydb/core/base/counters.h>
 #include <ydb/core/mon/sync_http_mon.h>
+#include <ydb/core/mon/async_http_mon.h>
 #include <ydb/core/mon_alloc/profiler.h>
 #include <ydb/core/tablet/tablet_impl.h>
 
@@ -175,11 +176,19 @@ namespace NActors {
 
             if (NeedMonitoring && !SingleSysEnv) {
                 ui16 port = MonitoringPortOffset ? MonitoringPortOffset + nodeIndex : GetPortManager().GetPort();
-                node->Mon.Reset(new NActors::TSyncHttpMon({
-                    .Port = port,
-                    .Threads = 10,
-                    .Title = "KIKIMR monitoring"
-                }));
+                if (MonitoringTypeAsync) {
+                    node->Mon.Reset(new NActors::TAsyncHttpMon({
+                        .Port = port,
+                        .Threads = 10,
+                        .Title = "KIKIMR monitoring"
+                    }));
+                } else {
+                    node->Mon.Reset(new NActors::TSyncHttpMon({
+                        .Port = port,
+                        .Threads = 10,
+                        .Title = "KIKIMR monitoring"
+                    }));
+                }
                 nodeAppData->Mon = node->Mon.Get();
                 node->Mon->RegisterCountersPage("counters", "Counters", node->DynamicCounters);
                 auto actorsMonPage = node->Mon->RegisterIndexPage("actors", "Actors");
@@ -191,7 +200,7 @@ namespace NActors {
 
             node->ActorSystem->Start();
             if (nodeAppData->Mon) {
-                nodeAppData->Mon->Start();
+                nodeAppData->Mon->Start(node->ActorSystem.Get());
             }
         }
 

ydb/core/testlib/test_client.cpp

@@ -225,7 +225,7 @@ namespace Tests {
 
         NKikimr::SetupChannelProfiles(app);
 
-        Runtime->SetupMonitoring(Settings->MonitoringPortOffset);
+        Runtime->SetupMonitoring(Settings->MonitoringPortOffset, Settings->MonitoringTypeAsync);
         Runtime->SetLogBackend(Settings->LogBackend);
 
         Runtime->AddAppDataInit([this](ui32 nodeIdx, NKikimr::TAppData& appData) {

ydb/core/testlib/test_client.h

@@ -108,6 +108,7 @@ namespace Tests {
         ui16 GrpcPort = 0;
         int GrpcMaxMessageSize = 0;  // 0 - default (4_MB), -1 - no limit
         ui16 MonitoringPortOffset = 0;
+        bool MonitoringTypeAsync = false;
         NKikimrProto::TAuthConfig AuthConfig;
         NKikimrPQ::TPQConfig PQConfig;
         NKikimrPQ::TPQClusterDiscoveryConfig PQClusterDiscoveryConfig;
@@ -162,7 +163,7 @@ namespace Tests {
 
         TServerSettings& SetGrpcPort(ui16 value) { GrpcPort = value; return *this; }
         TServerSettings& SetGrpcMaxMessageSize(int value) { GrpcMaxMessageSize = value; return *this; }
-        TServerSettings& SetMonitoringPortOffset(ui16 value) { MonitoringPortOffset = value; return *this; }
+        TServerSettings& SetMonitoringPortOffset(ui16 value, bool monitoringTypeAsync = false) { MonitoringPortOffset = value; MonitoringTypeAsync = monitoringTypeAsync; return *this; }
         TServerSettings& SetSupportsRedirect(bool value) { SupportsRedirect = value; return *this; }
         TServerSettings& SetTracePath(const TString& value) { TracePath = value; return *this; }
         TServerSettings& SetDomain(ui32 value) { Domain = value; return *this; }

ydb/core/viewer/json_query.h

@@ -122,7 +122,7 @@ class TJsonQuery : public TViewerPipeClient<TJsonQuery> {
         if (IsPostContent()) {
             TStringBuf content = Event->Get()->Request.GetPostContent();
             if (!ParsePostContent(content)) {
-                return ReplyAndPassAway(Viewer->GetHTTPBADREQUEST(Event->Get(), "text/plain", "Bad content recieved"));
+                return ReplyAndPassAway(Viewer->GetHTTPBADREQUEST(Event->Get(), "text/plain", "Bad content received"));
             }
         }
         if (Query.empty() && Action != "cancel-query") {

ydb/core/viewer/ut/ya.make

@@ -2,7 +2,7 @@ UNITTEST_FOR(ydb/core/viewer)
 
 FORK_SUBTESTS()
 
-TIMEOUT(600)
+TIMEOUT(30)
 
 SIZE(MEDIUM)
 
@@ -13,6 +13,8 @@ SRCS(
 )
 
 PEERDIR(
+    library/cpp/http/misc
+    library/cpp/http/simple
     ydb/core/testlib/default
 )
 

ydb/core/viewer/viewer_ut.cpp

@@ -2,6 +2,8 @@
 #include <library/cpp/testing/unittest/tests_data.h>
 #include <ydb/library/actors/interconnect/interconnect.h>
 #include <ydb/library/actors/helpers/selfping_actor.h>
+#include <library/cpp/http/misc/httpcodes.h>
+#include <library/cpp/http/simple/http_client.h>
 #include <library/cpp/json/json_value.h>
 #include <library/cpp/json/json_reader.h>
 #include <util/stream/null.h>
@@ -23,6 +25,8 @@
 #include <ydb/core/node_whiteboard/node_whiteboard.h>
 #include <ydb/library/actors/core/interconnect.h>
 
+#include <util/string/builder.h>
+
 using namespace NKikimr;
 using namespace NViewer;
 using namespace NKikimrWhiteboard;
@@ -1503,4 +1507,142 @@ Y_UNIT_TEST_SUITE(Viewer) {
     Y_UNIT_TEST(JsonStorageListingV2PDiskIdFilter) {
         JsonStorage9Nodes9GroupsListingTest("v2", false, true, true, 4, 8);
     }
+
+    struct TFakeTicketParserActor : public TActor<TFakeTicketParserActor> {
+        TFakeTicketParserActor()
+            : TActor<TFakeTicketParserActor>(&TFakeTicketParserActor::StFunc)
+        {}
+
+        STFUNC(StFunc) {
+            switch (ev->GetTypeRewrite()) {
+                hFunc(TEvTicketParser::TEvAuthorizeTicket, Handle);
+                default:
+                    break;
+            }
+        }
+
+        void Handle(TEvTicketParser::TEvAuthorizeTicket::TPtr& ev) {
+            LOG_INFO_S(*TlsActivationContext, NKikimrServices::TICKET_PARSER, "Ticket parser: got TEvAuthorizeTicket event: " << ev->Get()->Ticket << " " << ev->Get()->Database << " " << ev->Get()->Entries.size());
+            ++AuthorizeTicketRequests;
+
+            if (ev->Get()->Database != "/Root") {
+                Fail(ev, TStringBuilder() << "Incorrect database " << ev->Get()->Database);
+                return;
+            }
+
+            if (ev->Get()->Ticket != "test_ydb_token") {
+                Fail(ev, TStringBuilder() << "Incorrect token " << ev->Get()->Ticket);
+                return;
+            }
+
+            bool databaseIdFound = false;
+            bool folderIdFound = false;
+            for (const TEvTicketParser::TEvAuthorizeTicket::TEntry& entry : ev->Get()->Entries) {
+                for (const std::pair<TString, TString>& attr : entry.Attributes) {
+                    if (attr.first == "database_id") {
+                        databaseIdFound = true;
+                        if (attr.second != "test_database_id") {
+                            Fail(ev, TStringBuilder() << "Incorrect database_id " << attr.second);
+                            return;
+                        }
+                    } else if (attr.first == "folder_id") {
+                        folderIdFound = true;
+                        if (attr.second != "test_folder_id") {
+                            Fail(ev, TStringBuilder() << "Incorrect folder_id " << attr.second);
+                            return;
+                        }
+                    }
+                }
+            }
+            if (!databaseIdFound) {
+                Fail(ev, "database_id not found");
+                return;
+            }
+            if (!folderIdFound) {
+                Fail(ev, "folder_id not found");
+                return;
+            }
+
+            Success(ev);
+        }
+
+        void Fail(TEvTicketParser::TEvAuthorizeTicket::TPtr& ev, const TString& message) {
+            ++AuthorizeTicketFails;
+            TEvTicketParser::TError err;
+            err.Retryable = false;
+            err.Message = message ? message : "Test error";
+            LOG_INFO_S(*TlsActivationContext, NKikimrServices::TICKET_PARSER, "Send TEvAuthorizeTicketResult: " << err.Message);
+            Send(ev->Sender, new TEvTicketParser::TEvAuthorizeTicketResult(ev->Get()->Ticket, err));
+        }
+
+        void Success(TEvTicketParser::TEvAuthorizeTicket::TPtr& ev) {
+            ++AuthorizeTicketSuccesses;
+            NACLib::TUserToken::TUserTokenInitFields args;
+            args.UserSID = "user_name";
+            args.GroupSIDs.push_back("group_name");
+            TIntrusivePtr<NACLib::TUserToken> userToken = MakeIntrusive<NACLib::TUserToken>(args);
+            LOG_INFO_S(*TlsActivationContext, NKikimrServices::TICKET_PARSER, "Send TEvAuthorizeTicketResult success");
+            Send(ev->Sender, new TEvTicketParser::TEvAuthorizeTicketResult(ev->Get()->Ticket, userToken));
+        }
+
+        size_t AuthorizeTicketRequests = 0;
+        size_t AuthorizeTicketSuccesses = 0;
+        size_t AuthorizeTicketFails = 0;
+    };
+
+    Y_UNIT_TEST(AuthorizeYdbTokenWithDatabaseAttributes) {
+        TPortManager tp;
+        ui16 port = tp.GetPort(2134);
+        ui16 grpcPort = tp.GetPort(2135);
+        ui16 monPort = tp.GetPort(8765);
+        auto settings = TServerSettings(port);
+        settings.InitKikimrRunConfig()
+                .SetNodeCount(1)
+                .SetUseRealThreads(true)
+                .SetDomainName("Root")
+                .SetMonitoringPortOffset(monPort, true); // authorization is implemented only in async mon
+
+        auto& securityConfig = *settings.AppConfig->MutableDomainsConfig()->MutableSecurityConfig();
+        securityConfig.SetEnforceUserTokenCheckRequirement(true);
+
+        TFakeTicketParserActor* ticketParser = nullptr;
+        settings.CreateTicketParser = [&](const TTicketParserSettings&) -> IActor* {
+            ticketParser = new TFakeTicketParserActor();
+            return ticketParser;
+        };
+
+        TServer server(settings);
+        server.EnableGRpc(grpcPort);
+        TClient client(settings);
+
+        const auto alterAttrsStatus = client.AlterUserAttributes("/", "Root", {
+            { "folder_id", "test_folder_id" },
+            { "database_id", "test_database_id" },
+        });
+        UNIT_ASSERT_EQUAL(alterAttrsStatus, NMsgBusProxy::MSTATUS_OK);
+
+        TTestActorRuntime& runtime = *server.GetRuntime();
+        runtime.SetLogPriority(NKikimrServices::GRPC_SERVER, NLog::PRI_TRACE);
+        runtime.SetLogPriority(NKikimrServices::TICKET_PARSER, NLog::PRI_TRACE);
+
+        TKeepAliveHttpClient httpClient("localhost", monPort);
+        TStringStream responseStream;
+        TKeepAliveHttpClient::THeaders headers;
+        headers["Content-Type"] = "application/json";
+        headers["Authorization"] = "test_ydb_token";
+        TString requestBody = R"json({
+            "query": "SELECT 42;",
+            "database": "/Root",
+            "action": "execute-script",
+            "syntax": "yql_v1",
+            "stats": "profile"
+        })json";
+        const TKeepAliveHttpClient::THttpCode statusCode = httpClient.DoPost("/viewer/query?timeout=600000&base64=false&schema=modern", requestBody, &responseStream, headers);
+        const TString response = responseStream.ReadAll();
+        UNIT_ASSERT_EQUAL_C(statusCode, HTTP_OK, statusCode << ": " << response);
+
+        UNIT_ASSERT(ticketParser);
+        UNIT_ASSERT_VALUES_EQUAL_C(ticketParser->AuthorizeTicketRequests, 1, response);
+        UNIT_ASSERT_VALUES_EQUAL_C(ticketParser->AuthorizeTicketSuccesses, 1, response);
+    }
 }

ydb/library/actors/testlib/test_runtime.cpp

@@ -1594,9 +1594,10 @@ namespace NActors {
         return node->DynamicCounters;
     }
 
-    void TTestActorRuntimeBase::SetupMonitoring(ui16 monitoringPortOffset) {
+    void TTestActorRuntimeBase::SetupMonitoring(ui16 monitoringPortOffset, bool monitoringTypeAsync) {
         NeedMonitoring = true;
         MonitoringPortOffset = monitoringPortOffset;
+        MonitoringTypeAsync = monitoringTypeAsync;
     }
 
     void TTestActorRuntimeBase::SendInternal(TAutoPtr<IEventHandle> ev, ui32 nodeIndex, bool viaActorSystem) {

ydb/library/actors/testlib/test_runtime.h

@@ -295,7 +295,7 @@ namespace NActors {
         void EnableScheduleForActor(const TActorId& actorId, bool allow = true);
         bool IsScheduleForActorEnabled(const TActorId& actorId) const;
         TIntrusivePtr<NMonitoring::TDynamicCounters> GetDynamicCounters(ui32 nodeIndex = 0);
-        void SetupMonitoring(ui16 monitoringPortOffset = 0);
+        void SetupMonitoring(ui16 monitoringPortOffset = 0, bool monitoringTypeAsync = false);
 
         using TEventObserverCollection = std::list<std::function<void(TAutoPtr<IEventHandle>& event)>>;
         class TEventObserverHolder {
@@ -321,7 +321,7 @@ namespace NActors {
                 if (this != &other)
                 {
                     Remove();
-                    
+
                     List = std::move(other.List);
                     Iter = std::move(other.Iter);
 
@@ -656,6 +656,7 @@ namespace NActors {
         TAutoPtr<TLogBackend> LogBackend;
         bool NeedMonitoring;
         ui16 MonitoringPortOffset = 0;
+        bool MonitoringTypeAsync = false;
 
         TIntrusivePtr<IRandomProvider> RandomProvider;
         TIntrusivePtr<ITimeProvider> TimeProvider;