Merge 19c8b20 into ada1a64

Author: andrewstalin

ydb/core/tx/schemeshard/schemeshard__operation.cpp

@@ -346,6 +346,7 @@ struct TSchemeShard::TTxOperationPropose: public NTabletFlatExecutor::TTransacti
     TProposeRequest::TPtr Request;
     THolder<TProposeResponse> Response = nullptr;
 
+    TString PeerName;
     TString UserSID;
     TString SanitizedToken;
 
@@ -378,10 +379,12 @@ struct TSchemeShard::TTxOperationPropose: public NTabletFlatExecutor::TTransacti
             UserSID = userToken->GetUserSID();
             SanitizedToken = userToken->GetSanitizedToken();
         }
+        PeerName = Request->Get()->Record.GetPeerName();
 
         TMemoryChanges memChanges;
         TStorageChanges dbChanges;
         TOperationContext context{Self, txc, ctx, OnComplete, memChanges, dbChanges, std::move(userToken)};
+        context.PeerName = PeerName;
 
         //NOTE: Successful IgniteOperation will leave created operation in Self->Operations and accumulated changes in the context.
         // Unsuccessful IgniteOperation will leave no operation and context will also be clean.
@@ -444,7 +447,7 @@ struct TSchemeShard::TTxOperationPropose: public NTabletFlatExecutor::TTransacti
                         << ", response: " << Response->Record.ShortDebugString()
                         << ", at schemeshard: " << Self->TabletID());
 
-        AuditLogModifySchemeTransaction(record, Response->Record, Self, UserSID, SanitizedToken);
+        AuditLogModifySchemeTransaction(record, Response->Record, Self, PeerName, UserSID, SanitizedToken);
 
         //NOTE: Double audit output into the common log as a way to ease
         // transition to a new auditlog stream.

ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp

@@ -1,3 +1,4 @@
+#include "schemeshard_audit_log.h"
 #include "schemeshard__operation_part.h"
 #include "schemeshard__operation_common.h"
 #include "schemeshard_impl.h"
@@ -12,17 +13,37 @@ class TAlterLogin: public TSubOperationBase {
 public:
     using TSubOperationBase::TSubOperationBase;
 
+    void AddLastSuccessfulAttempt(const TString& user, NIceDb::TNiceDb& db, TParts& additionalParts) {
+        static const TString LastSuccessfulAttemptAuditParam = "last_login";
+
+        auto row = db.Table<Schema::LoginSids>().Key(user).Select();
+        if (!row.IsReady() || !row.IsValid()) {
+            return;
+        }
+
+        const auto time = TInstant::FromValue(row.GetValueOrDefault<Schema::LoginSids::LastSuccessfulAttempt>(0));
+        if (!time) {
+            return;
+        }
+
+        additionalParts.emplace_back(LastSuccessfulAttemptAuditParam, time.ToString());
+    }
+
     THolder<TProposeResponse> Propose(const TString&, TOperationContext& context) override {
         NIceDb::TNiceDb db(context.GetTxc().DB); // do not track is there are direct writes happen
         TTabletId ssId = context.SS->SelfTabletId();
-        auto result = MakeHolder<TProposeResponse>(OperationId.GetTxId(), ssId);
+        const auto txId = OperationId.GetTxId();
+        auto result = MakeHolder<TProposeResponse>(txId, ssId);
         if (!AppData()->AuthConfig.GetEnableLoginAuthentication()) {
             result->SetStatus(NKikimrScheme::StatusPreconditionFailed, "Login authentication is disabled");
         } else if (Transaction.GetWorkingDir() != context.SS->LoginProvider.Audience) {
             result->SetStatus(NKikimrScheme::StatusPreconditionFailed, "Wrong working dir");
         } else {
             const NKikimrConfig::TDomainsConfig::TSecurityConfig& securityConfig = context.SS->GetDomainsConfig().GetSecurityConfig();
             const NKikimrSchemeOp::TAlterLogin& alterLogin = Transaction.GetAlterLogin();
+
+            TParts additionalParts;
+
             switch (alterLogin.GetAlterCase()) {
                 case NKikimrSchemeOp::TAlterLogin::kCreateUser: {
                     const auto& createUser = alterLogin.GetCreateUser();
@@ -48,6 +69,9 @@ class TAlterLogin: public TSubOperationBase {
                 }
                 case NKikimrSchemeOp::TAlterLogin::kModifyUser: {
                     const auto& modifyUser = alterLogin.GetModifyUser();
+
+                    AddLastSuccessfulAttempt(modifyUser.GetUser(), db, additionalParts);
+
                     auto response = context.SS->LoginProvider.ModifyUser({.User = modifyUser.GetUser(), .Password = modifyUser.GetPassword()});
                     if (response.Error) {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
@@ -60,6 +84,9 @@ class TAlterLogin: public TSubOperationBase {
                 }
                 case NKikimrSchemeOp::TAlterLogin::kRemoveUser: {
                     const auto& removeUser = alterLogin.GetRemoveUser();
+
+                    AddLastSuccessfulAttempt(removeUser.GetUser(), db, additionalParts);
+
                     auto response = RemoveUser(context, removeUser, db);
                     if (response.Error) {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
@@ -158,6 +185,13 @@ class TAlterLogin: public TSubOperationBase {
                     break;
                 }
             }
+
+            TString userSID, sanitizedToken;
+            if (context.UserToken) {
+                userSID = context.UserToken->GetUserSID();
+                sanitizedToken = context.UserToken->GetSanitizedToken();
+            }
+            AuditLogModifySchemeTransaction(Transaction, result->Record, context.SS, context.PeerName, userSID, sanitizedToken, ui64(txId), additionalParts);
         }
 
         if (result->Record.GetStatus() == NKikimrScheme::StatusSuccess) {

ydb/core/tx/schemeshard/schemeshard__operation_part.h

@@ -95,6 +95,7 @@ struct TOperationContext {
     TStorageChanges& DbChanges;
 
     TMaybe<NACLib::TUserToken> UserToken;
+    TString PeerName;
     bool IsAllowedPrivateTables = false;
 
 private:

ydb/core/tx/schemeshard/schemeshard_audit_log.cpp

@@ -81,57 +81,75 @@ TPath DatabasePathFromWorkingDir(TSchemeShard* SS, const TString &opWorkingDir)
 
 }  // anonymous namespace
 
-void AuditLogModifySchemeTransaction(const NKikimrScheme::TEvModifySchemeTransaction& request, const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS, const TString& userSID, const TString& sanitizedToken) {
+void AuditLogModifySchemeTransaction(const NKikimrSchemeOp::TModifyScheme& operation,
+                                     const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS,
+                                     const TString& peerName, const TString& userSID, const TString& sanitizedToken,
+                                     ui64 txId, const TParts& additionalParts) {
+    auto logEntry = MakeAuditLogFragment(operation);
+
+    TPath databasePath = DatabasePathFromWorkingDir(SS, operation.GetWorkingDir());
+    auto [cloud_id, folder_id, database_id] = GetDatabaseCloudIds(databasePath);
+    auto address = NKikimr::NAddressClassifier::ExtractAddress(peerName);
+
+    AUDIT_LOG(
+        AUDIT_PART("component", SchemeshardComponentName)
+        AUDIT_PART("tx_id", std::to_string(txId))
+        AUDIT_PART("remote_address", (!address.empty() ? address : EmptyValue))
+        AUDIT_PART("subject", (!userSID.empty() ? userSID : EmptyValue))
+        AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))
+        AUDIT_PART("database", (!databasePath.IsEmpty() ? databasePath.GetDomainPathString() : EmptyValue))
+        AUDIT_PART("operation", logEntry.Operation)
+        AUDIT_PART("paths", RenderList(logEntry.Paths), !logEntry.Paths.empty())
+        AUDIT_PART("status", GeneralStatus(response.GetStatus()))
+        AUDIT_PART("detailed_status", NKikimrScheme::EStatus_Name(response.GetStatus()))
+        AUDIT_PART("reason", response.GetReason(), response.HasReason())
+
+        for (const auto& [name, value] : additionalParts) {
+            AUDIT_PART(name, (!value.empty() ? value : EmptyValue))
+        }
+
+        AUDIT_PART("cloud_id", cloud_id, !cloud_id.empty());
+        AUDIT_PART("folder_id", folder_id, !folder_id.empty());
+        AUDIT_PART("resource_id", database_id, !database_id.empty());
+
+        // Additionally:
+
+        // ModifyACL.
+        // Technically, non-empty ModifyACL field could come with any ModifyScheme operation.
+        // In practice, ModifyACL will get processed only by:
+        // 1. explicit operation ESchemeOpModifyACL -- to modify ACL on a path
+        // 2. ESchemeOpMkDir or ESchemeOpCreate* operations -- to set rights to newly created paths/entities
+        // 3. ESchemeOpCopyTable -- to be checked against acl size limit, not to be applied in any way
+        AUDIT_PART("new_owner", logEntry.NewOwner, !logEntry.NewOwner.empty());
+        AUDIT_PART("acl_add", RenderList(logEntry.ACLAdd), !logEntry.ACLAdd.empty());
+        AUDIT_PART("acl_remove", RenderList(logEntry.ACLRemove), !logEntry.ACLRemove.empty());
+
+        // AlterUserAttributes.
+        // 1. explicit operation ESchemeOpAlterUserAttributes -- to modify user attributes on a path
+        // 2. ESchemeOpMkDir or some ESchemeOpCreate* operations -- to set user attributes for newly created paths/entities
+        AUDIT_PART("user_attrs_add", RenderList(logEntry.UserAttrsAdd), !logEntry.UserAttrsAdd.empty());
+        AUDIT_PART("user_attrs_remove", RenderList(logEntry.UserAttrsRemove), !logEntry.UserAttrsRemove.empty());
+
+        // AlterLogin.
+        // explicit operation ESchemeOpAlterLogin -- to modify user and groups
+        AUDIT_PART("login_user", logEntry.LoginUser);
+        AUDIT_PART("login_group", logEntry.LoginGroup);
+        AUDIT_PART("login_member", logEntry.LoginMember);
+    );
+}
+
+void AuditLogModifySchemeTransaction(const NKikimrScheme::TEvModifySchemeTransaction& request,
+                                     const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS,
+                                     const TString& peerName, const TString& userSID, const TString& sanitizedToken) { 
     // Each TEvModifySchemeTransaction.Transaction is a self sufficient operation and should be logged independently
     // (even if it was packed into a single TxProxy transaction with some other operations).
+    const auto txId = request.GetTxId();
     for (const auto& operation : request.GetTransaction()) {
-        auto logEntry = MakeAuditLogFragment(operation);
-
-        TPath databasePath = DatabasePathFromWorkingDir(SS, operation.GetWorkingDir());
-        auto [cloud_id, folder_id, database_id] = GetDatabaseCloudIds(databasePath);
-        auto peerName = NKikimr::NAddressClassifier::ExtractAddress(request.GetPeerName());
-
-        AUDIT_LOG(
-            AUDIT_PART("component", SchemeshardComponentName)
-            AUDIT_PART("tx_id", std::to_string(request.GetTxId()))
-            AUDIT_PART("remote_address", (!peerName.empty() ? peerName : EmptyValue))
-            AUDIT_PART("subject", (!userSID.empty() ? userSID : EmptyValue))
-            AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))
-            AUDIT_PART("database", (!databasePath.IsEmpty() ? databasePath.GetDomainPathString() : EmptyValue))
-            AUDIT_PART("operation", logEntry.Operation)
-            AUDIT_PART("paths", RenderList(logEntry.Paths), !logEntry.Paths.empty())
-            AUDIT_PART("status", GeneralStatus(response.GetStatus()))
-            AUDIT_PART("detailed_status", NKikimrScheme::EStatus_Name(response.GetStatus()))
-            AUDIT_PART("reason", response.GetReason(), response.HasReason())
-
-            AUDIT_PART("cloud_id", cloud_id, !cloud_id.empty());
-            AUDIT_PART("folder_id", folder_id, !folder_id.empty());
-            AUDIT_PART("resource_id", database_id, !database_id.empty());
-
-            // Additionally:
-
-            // ModifyACL.
-            // Technically, non-empty ModifyACL field could come with any ModifyScheme operation.
-            // In practice, ModifyACL will get processed only by:
-            // 1. explicit operation ESchemeOpModifyACL -- to modify ACL on a path
-            // 2. ESchemeOpMkDir or ESchemeOpCreate* operations -- to set rights to newly created paths/entities
-            // 3. ESchemeOpCopyTable -- to be checked against acl size limit, not to be applied in any way
-            AUDIT_PART("new_owner", logEntry.NewOwner, !logEntry.NewOwner.empty());
-            AUDIT_PART("acl_add", RenderList(logEntry.ACLAdd), !logEntry.ACLAdd.empty());
-            AUDIT_PART("acl_remove", RenderList(logEntry.ACLRemove), !logEntry.ACLRemove.empty());
-
-            // AlterUserAttributes.
-            // 1. explicit operation ESchemeOpAlterUserAttributes -- to modify user attributes on a path
-            // 2. ESchemeOpMkDir or some ESchemeOpCreate* operations -- to set user attributes for newly created paths/entities
-            AUDIT_PART("user_attrs_add", RenderList(logEntry.UserAttrsAdd), !logEntry.UserAttrsAdd.empty());
-            AUDIT_PART("user_attrs_remove", RenderList(logEntry.UserAttrsRemove), !logEntry.UserAttrsRemove.empty());
-
-            // AlterLogin.
-            // explicit operation ESchemeOpAlterLogin -- to modify user and groups
-            AUDIT_PART("login_user", logEntry.LoginUser);
-            AUDIT_PART("login_group", logEntry.LoginGroup);
-            AUDIT_PART("login_member", logEntry.LoginMember);
-        );
+        const auto type = operation.GetOperationType();
+        if (NKikimrSchemeOp::EOperationType::ESchemeOpAlterLogin == type) {
+            continue;
+        }
+        AuditLogModifySchemeTransaction(operation, response, SS, peerName, userSID, sanitizedToken, txId, TParts());
     }
 }
 
@@ -194,7 +212,7 @@ struct TXxportRecord {
     TString Status;
     Ydb::StatusIds::StatusCode DetailedStatus;
     TString Reason;
-    TVector<std::pair<TString, TString>> AdditionalParts;
+    TParts AdditionalParts;
     TString StartTime;
     TString EndTime;
     TString CloudId;

ydb/core/tx/schemeshard/schemeshard_audit_log.h

@@ -24,13 +24,26 @@ namespace NHttp {
 class THttpIncomingRequest;
 }
 
+namespace NKikimrSchemeOp {
+class TModifyScheme;
+}
+
 namespace NKikimr::NSchemeShard {
 
 class TSchemeShard;
 struct TExportInfo;
 struct TImportInfo;
 
-void AuditLogModifySchemeTransaction(const NKikimrScheme::TEvModifySchemeTransaction& request, const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS, const TString& userSID, const TString& sanitizedToken);
+using TParts = TVector<std::pair<TString, TString>>;
+
+void AuditLogModifySchemeTransaction(const NKikimrSchemeOp::TModifyScheme& operation,
+                                     const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS,
+                                     const TString& peerName, const TString& userSID, const TString& sanitizedToken,
+                                     ui64 txId, const TParts& additionalParts);
+
+void AuditLogModifySchemeTransaction(const NKikimrScheme::TEvModifySchemeTransaction& request,
+                                     const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS,
+                                     const TString& peerName, const TString& userSID, const TString& sanitizedToken);
 void AuditLogModifySchemeTransactionDeprecated(const NKikimrScheme::TEvModifySchemeTransaction& request, const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS, const TString& userSID);
 
 void AuditLogExportStart(const NKikimrExport::TEvCreateExportRequest& request, const NKikimrExport::TEvCreateExportResponse& response, TSchemeShard* SS);