
Commit a4d1689

authored
Merge ec68807 into 8de259d
2 parents 8de259d + ec68807 commit a4d1689

4 files changed

+74
-0
lines changed


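--- a/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp
+++ b/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp
@@ -51,6 +51,24 @@ class TModifyACL: public TSubOperationBase {
 return result;
 }
 
+if (acl) {
+NACLib::TDiffACL diffACL(acl);
+for (const NACLibProto::TDiffACE& diffACE : diffACL.GetDiffACE()) {
+if (static_cast<NACLib::EDiffType>(diffACE.GetDiffType()) == NACLib::EDiffType::Add) {
+if (!context.SS->LoginProvider.CheckSidExistsOrIsNonYdb(diffACE.GetACE().GetSID())) {
+result->SetError(NKikimrScheme::StatusPreconditionFailed, "SID not found");
+return result;
+}
+} // remove diff type is allowed in any case
+}
+}
+if (owner) {
+if (!context.SS->LoginProvider.CheckSidExistsOrIsNonYdb(owner)) {
+result->SetError(NKikimrScheme::StatusPreconditionFailed, "Owner SID not found");
+return result;
+}
+}
+
 THashSet<TPathId> subTree;
 if (acl || (owner && path.Base()->IsTable())) {
 subTree = context.SS->ListSubTree(path.Base()->PathId, context.Ctx);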
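--- a/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
+++ b/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
@@ -91,6 +91,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 TTestEnv env(runtime);
 ui64 txId = 100;
 CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "password2");
 auto resultLogin = Login(runtime, "user1", "password1");
 UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
 
@@ -150,6 +151,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 TTestEnv env(runtime);
 ui64 txId = 100;
 CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "password2");
 auto resultLogin = Login(runtime, "user1", "password1");
 UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
 
@@ -228,6 +230,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 TTestEnv env(runtime);
 ui64 txId = 100;
 CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "password2");
 auto resultLogin = Login(runtime, "user1", "password1");
 UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
 
@@ -268,6 +271,53 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 }
 }
 
+Y_UNIT_TEST(AddAccess_NonExisting) {
+TTestBasicRuntime runtime;
+TTestEnv env(runtime);
+ui64 txId = 100;
+
+AsyncMkDir(runtime, ++txId, "/MyRoot", "Dir1");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusAccepted);
+
+{
+NACLib::TDiffACL diffACL;
+diffACL.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericUse, "user1");
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", diffACL.SerializeAsString(), "");
+TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "SID not found"}});
+}
+
+{
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", NACLib::TDiffACL{}.SerializeAsString(), "user1");
+TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "Owner SID not found"}});
+}
+
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+
+TestDescribeResult(DescribePath(runtime, "/MyRoot/Dir1"),
+{NLs::HasNoRight("+U:user1"), NLs::HasNoEffectiveRight("+U:user1"), NLs::HasOwner("root@builtin")});
+}
+
+Y_UNIT_TEST(AddAccess_NonYdb) {
+TTestBasicRuntime runtime;
+TTestEnv env(runtime);
+ui64 txId = 100;
+
+AsyncMkDir(runtime, ++txId, "/MyRoot", "Dir1");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusAccepted);
+
+{
+NACLib::TDiffACL diffACL;
+diffACL.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericUse, "user1@staff");
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", diffACL.SerializeAsString(), "");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusSuccess);
+}
+
+{
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", NACLib::TDiffACL{}.SerializeAsString(), "user1@staff");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusSuccess);
+}
+
+}
+
 Y_UNIT_TEST(DisableBuiltinAuthMechanism) {
 TTestBasicRuntime runtime;
 TTestEnv env(runtime);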
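--- a/ydb/library/login/login.cpp
+++ b/ydb/library/login/login.cpp
@@ -92,6 +92,11 @@ bool TLoginProvider::CheckUserExists(const TString& user) {
 return CheckSubjectExists(user, ESidType::USER);
 }
 
+bool TLoginProvider::CheckSidExistsOrIsNonYdb(const TString& sid) {
+// non-YDB user's sid format is <login>@<subsystem>
+return sid.Contains('@') || Sids.contains(sid);
+}
+
 TLoginProvider::TBasicResponse TLoginProvider::ModifyUser(const TModifyUserRequest& request) {
 TBasicResponse response;
 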
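--- a/ydb/library/login/login.h
+++ b/ydb/library/login/login.h
@@ -162,6 +162,7 @@ class TLoginProvider {
 TBasicResponse ModifyUser(const TModifyUserRequest& request);
 TRemoveUserResponse RemoveUser(const TString& user);
 bool CheckUserExists(const TString& user);
+bool CheckSidExistsOrIsNonYdb(const TString& sid);
 
 TBasicResponse CreateGroup(const TCreateGroupRequest& request);
 TBasicResponse AddGroupMembership(const TAddGroupMembershipRequest& request);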