require admin access for force operations

adameat · adameat · commit da1bdc398258 · 2024-06-05T05:31:42.000Z
diff --git a/ydb/core/viewer/json_pdisk_restart.h b/ydb/core/viewer/json_pdisk_restart.h
@@ -73,6 +73,10 @@ class TJsonPDiskRestart : public TViewerPipeClient<TJsonPDiskRestart> {
                 0, NMon::IEvHttpInfoRes::EContentType::Custom));
             return PassAway();
         }
+        if (Force && !Viewer->CheckAccessAdministration(Event->Get())) {
+            TBase::Send(Event->Sender, new NMon::TEvHttpInfoRes(Viewer->GetHTTPFORBIDDEN(Event->Get()), 0, NMon::IEvHttpInfoRes::EContentType::Custom));
+            return PassAway();
+        }
 
         if (!NodeId) {
             NodeId = TlsActivationContext->ActorSystem()->NodeId;
@@ -136,35 +140,18 @@ class TJsonPDiskRestart : public TViewerPipeClient<TJsonPDiskRestart> {
         TBase::PassAway();
     }
 
-    void TryToTranslateFromBSC2Human(TString& bscError, bool& forceRetryPossible) {
-        if (IsMatchesWildcard(bscError, "GroupId# * ExpectedStatus# *")) {
-            TStringBuf groupId = TStringBuf(bscError).After(' ').Before(' ');
-            TStringBuf expectedStatus = TStringBuf(bscError).After('#').After('#').After(' ');
-            if (expectedStatus == "DEGRADED") {
-                bscError = TStringBuilder() << "Calling this operation will cause at least group " << groupId << " to go into a degraded state";
-                forceRetryPossible = true;
-                return;
-            }
-            if (expectedStatus == "DISINTEGRATED") {
-                bscError = TStringBuilder() << "Calling this operation will cause at least group " << groupId << " to go into a dead state";
-                return;
-            }
-        }
-        forceRetryPossible = false;
-    }
-
     void ReplyAndPassAway() {
         NJson::TJsonValue json;
         if (Response != nullptr) {
             if (Response->Record.GetResponse().GetSuccess()) {
                 json["result"] = true;
             } else {
                 json["result"] = false;
-                TString error = Response->Record.GetResponse().GetErrorDescription();
+                TString error;
                 bool forceRetryPossible = false;
-                TryToTranslateFromBSC2Human(error, forceRetryPossible);
+                Viewer->TranslateFromBSC2Human(Response->Record.GetResponse(), error, forceRetryPossible);
                 json["error"] = error;
-                if (forceRetryPossible) {
+                if (forceRetryPossible && Viewer->CheckAccessAdministration(Event->Get())) {
                     json["forceRetryPossible"] = true;
                 }
             }
diff --git a/ydb/core/viewer/json_vdisk_evict.h b/ydb/core/viewer/json_vdisk_evict.h
@@ -108,6 +108,11 @@ class TJsonVDiskEvict : public TViewerPipeClient<TJsonVDiskEvict> {
         Retries = FromStringWithDefault<ui32>(params.Get("retries"), 0);
         RetryPeriod = TDuration::MilliSeconds(FromStringWithDefault<ui32>(params.Get("retry_period"), RetryPeriod.MilliSeconds()));
 
+        if (Force && !Viewer->CheckAccessAdministration(Event->Get())) {
+            TBase::Send(Event->Sender, new NMon::TEvHttpInfoRes(Viewer->GetHTTPFORBIDDEN(Event->Get()), 0, NMon::IEvHttpInfoRes::EContentType::Custom));
+            return PassAway();
+        }
+
         SendRequest();
 
         TBase::Become(&TThis::StateWork, TDuration::MilliSeconds(Timeout), new TEvents::TEvWakeup());
@@ -161,43 +166,18 @@ class TJsonVDiskEvict : public TViewerPipeClient<TJsonVDiskEvict> {
         TBase::PassAway();
     }
 
-    void TryToTranslateFromBSC2Human(const NKikimrBlobStorage::TConfigResponse& response, TString& bscError, bool& forceRetryPossible) {
-        if (response.GroupsGetDisintegratedByExpectedStatusSize()) {
-            bscError = TStringBuilder() << "Calling this operation will cause at least groups [" << JoinStrings(response.GetGroupsGetDisintegratedByExpectedStatus().begin(), response.GetGroupsGetDisintegratedByExpectedStatus().end(), ", ") << "] to go into a dead state";
-        } else if (response.GroupsGetDisintegratedSize()) {
-            bscError = TStringBuilder() << "Calling this operation will cause at least groups [" << JoinStrings(response.GetGroupsGetDisintegrated().begin(), response.GetGroupsGetDisintegrated().end(), ", ") << "] to go into a dead state";
-        } else if (response.GroupsGetDegradedSize()) {
-            bscError = TStringBuilder() << "Calling this operation will cause at least groups [" << JoinStrings(response.GetGroupsGetDegraded().begin(), response.GetGroupsGetDegraded().end(), ", ") << "] to go into a degraded state";
-            forceRetryPossible = true;
-        } else if (response.StatusSize()) {
-            const auto& lastStatus = response.GetStatus(response.StatusSize() - 1);
-            TVector<ui32> groups;
-            for (auto& failParam: lastStatus.GetFailParam()) {
-                if (failParam.HasGroupId()) {
-                    groups.emplace_back(failParam.GetGroupId());
-                }
-            }
-            if (lastStatus.GetFailReason() == NKikimrBlobStorage::TConfigResponse::TStatus::kMayGetDegraded) {
-                bscError = TStringBuilder() << "Calling this operation will cause at least groups [" << JoinVectorIntoString(groups, ", ") << "] to go into a degraded state";
-                forceRetryPossible = true;
-            } else if (lastStatus.GetFailReason() == NKikimrBlobStorage::TConfigResponse::TStatus::kMayLoseData) {
-                bscError = TStringBuilder() << "Calling this operation may result in data loss for at least groups [" << JoinVectorIntoString(groups, ", ") << "]";
-            }
-        }
-    }
-
     void ReplyAndPassAway() {
         NJson::TJsonValue json;
         if (Response != nullptr) {
             if (Response->Record.GetResponse().GetSuccess()) {
                 json["result"] = true;
             } else {
                 json["result"] = false;
-                TString error = Response->Record.GetResponse().GetErrorDescription();
+                TString error;
                 bool forceRetryPossible = false;
-                TryToTranslateFromBSC2Human(Response->Record.GetResponse(), error, forceRetryPossible);
+                Viewer->TranslateFromBSC2Human(Response->Record.GetResponse(), error, forceRetryPossible);
                 json["error"] = error;
-                if (forceRetryPossible) {
+                if (forceRetryPossible && Viewer->CheckAccessAdministration(Event->Get())) {
                     json["forceRetryPossible"] = true;
                 }
             }
diff --git a/ydb/core/viewer/viewer.cpp b/ydb/core/viewer/viewer.cpp
@@ -198,6 +198,92 @@ class TViewer : public TActorBootstrapped<TViewer>, public IViewer {
     TString GetHTTPFORBIDDEN(const NMon::TEvHttpInfo* request) override;
     TString GetHTTPNOTFOUND(const NMon::TEvHttpInfo* request) override;
 
+    bool CheckAccessAdministration(const NMon::TEvHttpInfo* request) override {
+        if (!KikimrRunConfig.AppConfig.GetDomainsConfig().GetSecurityConfig().GetEnforceUserTokenRequirement()) {
+            if (!KikimrRunConfig.AppConfig.GetDomainsConfig().GetSecurityConfig().GetEnforceUserTokenCheckRequirement() || request->UserToken.empty()) {
+                return true;
+            }
+        }
+        if (request->UserToken.empty()) {
+            return false;
+        }
+        auto token = std::make_unique<NACLib::TUserToken>(request->UserToken);
+        for (const auto& allowedSID : KikimrRunConfig.AppConfig.GetDomainsConfig().GetSecurityConfig().GetAdministrationAllowedSIDs()) {
+            if (token->IsExist(allowedSID)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    static bool IsStaticGroup(ui32 groupId) {
+        return groupId & 0x80000000 == 0;
+    }
+
+    TString GetGroupList(const auto& groups) {
+        std::vector<ui32> groupIds;
+        for (auto group : groups) {
+            groupIds.push_back(group);
+        }
+        std::sort(groupIds.begin(), groupIds.end());
+        TStringBuilder result;
+        if (groups.empty()) {
+            return result << "something";
+        }
+        result << "at least " << groups.size();
+        if (groups.size() > 1) {
+            result << " groups (";
+        } else {
+            result << " group (";
+        }
+        auto was_groups = 0;
+        auto max_groups = 3;
+        for (auto group : groupIds) {
+            if (was_groups > 0) {
+                result << ", ";
+            }
+            if (was_groups >= max_groups) {
+                result << "...";
+            }
+            if (IsStaticGroup(group)) {
+                result << "static ";
+            }
+            result << group;
+            ++was_groups;
+        }
+        result << ")";
+        return result;
+    }
+
+    void TranslateFromBSC2Human(const NKikimrBlobStorage::TConfigResponse& response, TString& bscError, bool& forceRetryPossible) override {
+        forceRetryPossible = false;
+        if (response.GroupsGetDisintegratedByExpectedStatusSize()) {
+            bscError = TStringBuilder() << "Calling this operation could cause " << GetGroupList(response.GetGroupsGetDisintegratedByExpectedStatus()) << " to go into a dead state";
+        } else if (response.GroupsGetDisintegratedSize()) {
+            bscError = TStringBuilder() << "Calling this operation will cause " << GetGroupList(response.GetGroupsGetDisintegrated()) << " to go into a dead state";
+        } else if (response.GroupsGetDegradedSize()) {
+            bscError = TStringBuilder() << "Calling this operation will cause " << GetGroupList(response.GetGroupsGetDegraded()) << " to go into a degraded state";
+            forceRetryPossible = true;
+        } else if (response.StatusSize()) {
+            const auto& lastStatus = response.GetStatus(response.StatusSize() - 1);
+            TVector<ui32> groups;
+            for (auto& failParam: lastStatus.GetFailParam()) {
+                if (failParam.HasGroupId()) {
+                    groups.emplace_back(failParam.GetGroupId());
+                }
+            }
+            if (lastStatus.GetFailReason() == NKikimrBlobStorage::TConfigResponse::TStatus::kMayGetDegraded) {
+                bscError = TStringBuilder() << "Calling this operation will cause " << GetGroupList(groups) << " to go into a degraded state";
+                forceRetryPossible = true;
+            } else if (lastStatus.GetFailReason() == NKikimrBlobStorage::TConfigResponse::TStatus::kMayLoseData) {
+                bscError = TStringBuilder() << "Calling this operation may result in data loss for " << GetGroupList(groups);
+            }
+        }
+        if (bscError.empty()) {
+            bscError = response.GetErrorDescription();
+        }
+    }
+
     void RegisterVirtualHandler(
             NKikimrViewer::EObjectType parentObjectType,
             TVirtualHandlerType handler) override {
diff --git a/ydb/core/viewer/viewer.h b/ydb/core/viewer/viewer.h
@@ -173,6 +173,8 @@ class IViewer {
     virtual TString GetHTTPBADREQUEST(const NMon::TEvHttpInfo* request, TString contentType = {}, TString response = {}) = 0;
     virtual TString GetHTTPFORBIDDEN(const NMon::TEvHttpInfo* request) = 0;
     virtual TString GetHTTPNOTFOUND(const NMon::TEvHttpInfo* request) = 0;
+    virtual bool CheckAccessAdministration(const NMon::TEvHttpInfo* request) = 0;
+    virtual void TranslateFromBSC2Human(const NKikimrBlobStorage::TConfigResponse& response, TString& bscError, bool& forceRetryPossible) = 0;
 };
 
 void SetupPQVirtualHandlers(IViewer* viewer);
