fix review remarks

andrewstalin · andrewstalin · commit 982f3dcfc7a6 · 2025-01-16T03:51:36.000Z
diff --git a/ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp b/ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp
@@ -35,8 +35,6 @@ class TAlterLogin: public TSubOperationBase {
                     auto response = context.SS->LoginProvider.CreateUser(
                         {.User = createUser.GetUser(), .Password = createUser.GetPassword()});
 
-                    AddIsUserAdmin(createUser.GetUser(), context.SS->LoginProvider, additionalParts);
-
                     if (response.Error) {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
                     } else {
@@ -54,34 +52,41 @@ class TAlterLogin: public TSubOperationBase {
                             }
                         }
                         result->SetStatus(NKikimrScheme::StatusSuccess);
+
+                        AddIsUserAdmin(createUser.GetUser(), context.SS->LoginProvider, additionalParts);
                     }
                     break;
                 }
                 case NKikimrSchemeOp::TAlterLogin::kModifyUser: {
                     const auto& modifyUser = alterLogin.GetModifyUser();
-
-                    AddIsUserAdmin(modifyUser.GetUser(), context.SS->LoginProvider, additionalParts);
-
                     auto response = context.SS->LoginProvider.ModifyUser({.User = modifyUser.GetUser(), .Password = modifyUser.GetPassword()});
                     if (response.Error) {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
                     } else {
                         auto& sid = context.SS->LoginProvider.Sids[modifyUser.GetUser()];
                         db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType, Schema::LoginSids::SidHash>(sid.Type, sid.Hash);
                         result->SetStatus(NKikimrScheme::StatusSuccess);
+
+                        AddIsUserAdmin(modifyUser.GetUser(), context.SS->LoginProvider, additionalParts);
+                        AddLastSuccessfulLogin(sid, additionalParts);
                     }
                     break;
                 }
                 case NKikimrSchemeOp::TAlterLogin::kRemoveUser: {
                     const auto& removeUser = alterLogin.GetRemoveUser();
 
-                    AddIsUserAdmin(removeUser.GetUser(), context.SS->LoginProvider, additionalParts);
+                    auto sid = context.SS->LoginProvider.Sids.find(removeUser.GetUser());
+                    if (context.SS->LoginProvider.Sids.end() != sid) {
+                        AddLastSuccessfulLogin(sid->second, additionalParts);
+                    }
 
                     auto response = RemoveUser(context, removeUser, db);
                     if (response.Error) {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
                     } else {
                         result->SetStatus(NKikimrScheme::StatusSuccess);
+
+                        AddIsUserAdmin(removeUser.GetUser(), context.SS->LoginProvider, additionalParts);
                     }
                     break;
                 }
@@ -182,7 +187,9 @@ class TAlterLogin: public TSubOperationBase {
                 userSID = context.UserToken->GetUserSID();
                 sanitizedToken = context.UserToken->GetSanitizedToken();
             }
-            AuditLogModifySchemeTransaction(Transaction, result->Record, context.SS, context.PeerName, userSID, sanitizedToken, ui64(txId), additionalParts);
+            const auto status = result->Record.GetStatus();
+            const auto reason = result->Record.HasReason() ? result->Record.GetReason() : TString();
+            AuditLogModifySchemeOperation(Transaction, status, reason, context.SS, context.PeerName, userSID, sanitizedToken, ui64(txId), additionalParts);
         }
 
         if (result->Record.GetStatus() == NKikimrScheme::StatusSuccess) {
@@ -282,7 +289,13 @@ class TAlterLogin: public TSubOperationBase {
         }
 
         if (isAdmin) {
-            additionalParts.emplace_back("account_type", "admin");
+            additionalParts.emplace_back("login_user_level", "admin");
+        }
+    }
+
+    void AddLastSuccessfulLogin(NLogin::TLoginProvider::TSidRecord& sid, TParts& additionalParts) {
+        if (sid.LastSuccessfulLogin) {
+            additionalParts.emplace_back("last_login", TInstant::FromValue(sid.LastSuccessfulLogin).ToString());
         }
     }
 };
diff --git a/ydb/core/tx/schemeshard/schemeshard_audit_log.cpp b/ydb/core/tx/schemeshard/schemeshard_audit_log.cpp
@@ -5,7 +5,6 @@
 
 #include <ydb/library/actors/http/http.h>
 
-#include <ydb/core/protos/flat_tx_scheme.pb.h>
 #include <ydb/core/protos/export.pb.h>
 #include <ydb/core/protos/import.pb.h>
 
@@ -81,10 +80,10 @@ TPath DatabasePathFromWorkingDir(TSchemeShard* SS, const TString &opWorkingDir)
 
 }  // anonymous namespace
 
-void AuditLogModifySchemeTransaction(const NKikimrSchemeOp::TModifyScheme& operation,
-                                     const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS,
-                                     const TString& peerName, const TString& userSID, const TString& sanitizedToken,
-                                     ui64 txId, const TParts& additionalParts) {
+void AuditLogModifySchemeOperation(const NKikimrSchemeOp::TModifyScheme& operation,
+                                   NKikimrScheme::EStatus status, const TString& reason, TSchemeShard* SS,
+                                   const TString& peerName, const TString& userSID, const TString& sanitizedToken,
+                                   ui64 txId, const TParts& additionalParts) {
     auto logEntry = MakeAuditLogFragment(operation);
 
     TPath databasePath = DatabasePathFromWorkingDir(SS, operation.GetWorkingDir());
@@ -100,9 +99,9 @@ void AuditLogModifySchemeTransaction(const NKikimrSchemeOp::TModifyScheme& opera
         AUDIT_PART("database", (!databasePath.IsEmpty() ? databasePath.GetDomainPathString() : EmptyValue))
         AUDIT_PART("operation", logEntry.Operation)
         AUDIT_PART("paths", RenderList(logEntry.Paths), !logEntry.Paths.empty())
-        AUDIT_PART("status", GeneralStatus(response.GetStatus()))
-        AUDIT_PART("detailed_status", NKikimrScheme::EStatus_Name(response.GetStatus()))
-        AUDIT_PART("reason", response.GetReason(), response.HasReason())
+        AUDIT_PART("status", GeneralStatus(status))
+        AUDIT_PART("detailed_status", NKikimrScheme::EStatus_Name(status))
+        AUDIT_PART("reason", reason, !reason.empty())
 
         for (const auto& [name, value] : additionalParts) {
             AUDIT_PART(name, (!value.empty() ? value : EmptyValue))
@@ -144,12 +143,14 @@ void AuditLogModifySchemeTransaction(const NKikimrScheme::TEvModifySchemeTransac
     // Each TEvModifySchemeTransaction.Transaction is a self sufficient operation and should be logged independently
     // (even if it was packed into a single TxProxy transaction with some other operations).
     const auto txId = request.GetTxId();
+    const auto status = response.GetStatus();
+    const auto reason = response.HasReason() ? response.GetReason() : TString();
     for (const auto& operation : request.GetTransaction()) {
         const auto type = operation.GetOperationType();
         if (NKikimrSchemeOp::EOperationType::ESchemeOpAlterLogin == type) {
             continue;
         }
-        AuditLogModifySchemeTransaction(operation, response, SS, peerName, userSID, sanitizedToken, txId, TParts());
+        AuditLogModifySchemeOperation(operation, status, reason, SS, peerName, userSID, sanitizedToken, txId, TParts());
     }
 }
 
diff --git a/ydb/core/tx/schemeshard/schemeshard_audit_log.h b/ydb/core/tx/schemeshard/schemeshard_audit_log.h
@@ -1,14 +1,7 @@
 #pragma once
 
 #include <util/generic/string.h>
-
-namespace NKikimrScheme {
-class TEvModifySchemeTransaction;
-class TEvModifySchemeTransactionResult;
-
-class TEvLogin;
-class TEvLoginResult;
-}
+#include <ydb/core/protos/flat_tx_scheme.pb.h>
 
 namespace NKikimrExport {
 class TEvCreateExportRequest;
@@ -36,10 +29,10 @@ struct TImportInfo;
 
 using TParts = TVector<std::pair<TString, TString>>;
 
-void AuditLogModifySchemeTransaction(const NKikimrSchemeOp::TModifyScheme& operation,
-                                     const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS,
-                                     const TString& peerName, const TString& userSID, const TString& sanitizedToken,
-                                     ui64 txId, const TParts& additionalParts);
+void AuditLogModifySchemeOperation(const NKikimrSchemeOp::TModifyScheme& operation,
+                                   NKikimrScheme::EStatus status, const TString& reason, TSchemeShard* SS,
+                                   const TString& peerName, const TString& userSID, const TString& sanitizedToken,
+                                   ui64 txId, const TParts& additionalParts);
 
 void AuditLogModifySchemeTransaction(const NKikimrScheme::TEvModifySchemeTransaction& request,
                                      const NKikimrScheme::TEvModifySchemeTransactionResult& response, TSchemeShard* SS,
