SystemView Auth Permissions (#13403)

Author: kunga

ydb/core/sys_view/auth/owners.cpp

@@ -34,15 +34,18 @@ class TOwnersScan : public TAuthScanBase<TOwnersScan> {
         // TODO: add rows according to request's sender user rights
 
         auto entryPath = CanonizePath(entry.Path);
-        auto entryOwner = entry.Self->Info.GetOwner();
 
         for (auto& column : Columns) {
             switch (column.Tag) {
             case Schema::AuthOwners::Path::ColumnId:
                 cells.push_back(TCell(entryPath.data(), entryPath.size()));
                 break;
             case Schema::AuthOwners::Sid::ColumnId:
-                cells.push_back(TCell(entryOwner.data(), entryOwner.size()));
+                if (entry.SecurityObject->HasOwnerSID()) {
+                    cells.push_back(TCell(entry.SecurityObject->GetOwnerSID().data(), entry.SecurityObject->GetOwnerSID().size()));
+                } else {
+                    cells.emplace_back();
+                }
                 break;
             default:
                 cells.emplace_back();

ydb/core/sys_view/auth/permissions.cpp

@@ -0,0 +1,89 @@
+#include "auth_scan_base.h"
+#include "permissions.h"
+
+#include <ydb/core/sys_view/common/events.h>
+#include <ydb/core/sys_view/common/schema.h>
+#include <ydb/core/sys_view/common/scan_actor_base_impl.h>
+#include <ydb/core/base/tablet_pipecache.h>
+#include <ydb/core/ydb_convert/ydb_convert.h>
+#include <ydb/library/login/protos/login.pb.h>
+
+#include <ydb/library/actors/core/hfunc.h>
+
+namespace NKikimr::NSysView::NAuth {
+
+using namespace NSchemeShard;
+using namespace NActors;
+
+class TPermissionsScan : public TAuthScanBase<TPermissionsScan> {
+public:
+    using TScanBase = TScanActorBase<TPermissionsScan>;
+    using TAuthBase = TAuthScanBase<TPermissionsScan>;
+
+    TPermissionsScan(bool effective, const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
+        const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns)
+        : TAuthBase(ownerId, scanId, tableId, tableRange, columns)
+        , Effective(effective)
+    {
+    }
+
+protected:
+    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TEntry& entry) override {
+        Y_ABORT_UNLESS(entry.Status == TNavigate::EStatus::Ok);
+        
+        TVector<TCell> cells(::Reserve(Columns.size()));
+
+        // TODO: add rows according to request's sender user rights
+
+        auto entryPath = CanonizePath(entry.Path);
+
+        for (const NACLibProto::TACE& ace : entry.SecurityObject->GetACL().GetACE()) {
+            if (ace.GetAccessType() != (ui32)NACLib::EAccessType::Allow) {
+                continue;
+            }
+            if (!Effective && ace.GetInherited()) {
+                continue;
+            }
+
+            auto permissions = ConvertACLMaskToYdbPermissionNames(ace.GetAccessRight());
+            for (const auto& permission : permissions) {
+                for (auto& column : Columns) {
+                    switch (column.Tag) {
+                    case Schema::AuthPermissions::Path::ColumnId:
+                        cells.push_back(TCell(entryPath.data(), entryPath.size()));
+                        break;
+                    case Schema::AuthPermissions::Sid::ColumnId:
+                        if (ace.HasSID()) {
+                            cells.push_back(TCell(ace.GetSID().data(), ace.GetSID().size()));
+                        } else {
+                            cells.emplace_back();
+                        }
+                        break;
+                    case Schema::AuthPermissions::Permission::ColumnId:
+                        cells.push_back(TCell(permission.data(), permission.size()));
+                        break;
+                    default:
+                        cells.emplace_back();
+                    }
+                }
+
+                TArrayRef<const TCell> ref(cells);
+                batch.Rows.emplace_back(TOwnedCellVec::Make(ref));
+                cells.clear();
+            }
+        }
+
+        batch.Finished = false;
+    }
+
+private:
+    const bool Effective;
+};
+
+THolder<NActors::IActor> CreatePermissionsScan(bool effective, const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
+    const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns)
+{
+    return MakeHolder<TPermissionsScan>(effective, ownerId, scanId, tableId, tableRange, columns);
+}
+
+}

ydb/core/sys_view/auth/permissions.h

@@ -0,0 +1,13 @@
+#pragma once
+
+#include <ydb/core/kqp/runtime/kqp_compute.h>
+
+#include <ydb/library/actors/core/actor.h>
+#include <ydb/library/actors/core/actorid.h>
+
+namespace NKikimr::NSysView::NAuth {
+
+THolder<NActors::IActor> CreatePermissionsScan(bool effective, const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
+    const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns);
+
+}

ydb/core/sys_view/auth/ya.make

@@ -7,6 +7,8 @@ SRCS(
     groups.h
     owners.cpp
     owners.h
+    permissions.cpp
+    permissions.h
     users.cpp
     users.h
 )

ydb/core/sys_view/common/schema.cpp

@@ -293,6 +293,8 @@ class TSystemViewResolver : public ISystemViewResolver {
             RegisterSystemView<Schema::AuthGroups>(NAuth::GroupsName);
             RegisterSystemView<Schema::AuthGroupMembers>(GroupMembersName);
             RegisterSystemView<Schema::AuthOwners>(OwnersName);
+            RegisterSystemView<Schema::AuthPermissions>(PermissionsName);
+            RegisterSystemView<Schema::AuthPermissions>(EffectivePermissionsName);
         }
     }
 

ydb/core/sys_view/common/schema.h

@@ -54,6 +54,8 @@ namespace NAuth {
     constexpr TStringBuf GroupsName = "auth_groups";
     constexpr TStringBuf GroupMembersName = "auth_group_members";
     constexpr TStringBuf OwnersName = "auth_owners";
+    constexpr TStringBuf PermissionsName = "auth_permissions";
+    constexpr TStringBuf EffectivePermissionsName = "auth_effective_permissions";
 }
 
 
@@ -658,6 +660,19 @@ struct Schema : NIceDb::Schema {
         >;
     };
 
+    struct AuthPermissions : Table<19> {
+        struct Path: Column<1, NScheme::NTypeIds::Utf8> {};
+        struct Sid: Column<2, NScheme::NTypeIds::Utf8> {};
+        struct Permission: Column<3, NScheme::NTypeIds::Utf8> {};
+
+        using TKey = TableKey<Path, Sid, Permission>;
+        using TColumns = TableColumns<
+            Path,
+            Sid,
+            Permission
+        >;
+    };
+
     struct PgColumn {
         NIceDb::TColumnId _ColumnId;
         NScheme::TTypeInfo _ColumnTypeInfo;

ydb/core/sys_view/scan.cpp

@@ -2,10 +2,11 @@
 
 #include <ydb/core/kqp/compute_actor/kqp_compute_events.h>
 
+#include <ydb/core/sys_view/auth/group_members.h>
+#include <ydb/core/sys_view/auth/groups.h>
 #include <ydb/core/sys_view/auth/owners.h>
+#include <ydb/core/sys_view/auth/permissions.h>
 #include <ydb/core/sys_view/auth/users.h>
-#include <ydb/core/sys_view/auth/groups.h>
-#include <ydb/core/sys_view/auth/group_members.h>
 #include <ydb/core/sys_view/common/schema.h>
 #include <ydb/core/sys_view/partition_stats/partition_stats.h>
 #include <ydb/core/sys_view/nodes/nodes.h>
@@ -256,6 +257,10 @@ THolder<NActors::IActor> CreateSystemViewScan(
         if (tableId.SysViewInfo == OwnersName) {
             return NAuth::CreateOwnersScan(ownerId, scanId, tableId, tableRange, columns);
         }
+        if (tableId.SysViewInfo == PermissionsName || tableId.SysViewInfo == EffectivePermissionsName) {
+            return NAuth::CreatePermissionsScan(tableId.SysViewInfo == EffectivePermissionsName,
+                ownerId, scanId, tableId, tableRange, columns);
+        }
     }
 
     return {};