
Commit e98a3cd

Merge 39c40aa into 7c90d7c
2 parents 7c90d7c + 39c40aa commit e98a3cd


9 files changed

+176
-4
lines changed


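--- a/ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp
+++ b/ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp
@@ -3401,6 +3401,23 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
 TKikimrRunner kikimr;
 auto db = kikimr.GetTableClient();
 auto session = db.CreateSession().GetValueSync().GetSession();
+{
+auto query = TStringBuilder() << R"(
+--!syntax_v1
+CREATE USER user1 PASSWORD 'password1';
+CREATE USER user2 PASSWORD 'password2';
+CREATE USER user3 PASSWORD 'password3';
+CREATE USER user4 PASSWORD 'password4';
+CREATE USER user5 PASSWORD 'password5';
+CREATE USER user6 PASSWORD 'password6';
+CREATE USER user7 PASSWORD 'password7';
+CREATE USER user8 PASSWORD 'password8';
+CREATE USER user9 PASSWORD 'password9';
+)";
+auto session = db.CreateSession().GetValueSync().GetSession();
+auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+}
 {
 auto query = TStringBuilder() << R"(
 --!syntax_v1
@@ -3794,6 +3811,14 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
 TKikimrRunner kikimr;
 auto db = kikimr.GetTableClient();
 auto session = db.CreateSession().GetValueSync().GetSession();
+{
+auto query = TStringBuilder() << R"(
+--!syntax_v1
+CREATE USER user1 PASSWORD 'password1';
+)";
+auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+}
 {
 auto query = TStringBuilder() << R"(
 --!syntax_v1
@@ -3843,7 +3868,15 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
 TKikimrRunner kikimr;
 auto db = kikimr.GetTableClient();
 auto session = db.CreateSession().GetValueSync().GetSession();
-
+
+{
+auto query = TStringBuilder() << R"(
+--!syntax_v1
+CREATE USER ydbuser PASSWORD 'password1';
+)";
+auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+}
 {
 {
 const TString query = R"(
@@ -3883,6 +3916,7 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
 auto runnerSettings = TKikimrSettings().SetAppConfig(appConfig);
 TTestHelper testHelper(runnerSettings);
 auto client = testHelper.GetKikimr().GetQueryClient();
+auto db = testHelper.GetKikimr().GetTableClient();
 
 TVector<TTestHelper::TColumnSchema> schema = {
 TTestHelper::TColumnSchema().SetName("id").SetType(NScheme::NTypeIds::Int32).SetNullable(false),
@@ -3893,6 +3927,15 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
 testTable.SetName("/Root/MyApp/Orders").SetPrimaryKey({ "id" }).SetSchema(schema);
 testHelper.CreateTable(testTable);
 
+{
+auto query = TStringBuilder() << R"(
+--!syntax_v1
+CREATE USER ydbuser PASSWORD 'password1';
+)";
+auto session = db.CreateSession().GetValueSync().GetSession();
+auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+}
 {
 {
 const TString query = R"(
@@ -3918,6 +3961,14 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
 TKikimrRunner kikimr;
 auto db = kikimr.GetTableClient();
 auto session = db.CreateSession().GetValueSync().GetSession();
+{
+auto query = TStringBuilder() << R"(
+--!syntax_v1
+CREATE USER user1 PASSWORD 'password1';
+)";
+auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+}
 {
 auto query = TStringBuilder() << R"(
 --!syntax_v1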
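Review bot: The block added in the first hunk declares a second `auto session = db.CreateSession().GetValueSync().GetSession();` (new line 3417) that shadows the `session` created at line 3403 just above, so the test opens a session it never needed; the other hunks in this file reuse the outer one, and this block should too. The same nine `CREATE USER userN PASSWORD 'passwordN';` fixture is repeated verbatim in ydb/core/kqp/ut/service/kqp_qs_queries_ut.cpp; a shared helper in the test utilities would keep the two copies from drifting when a user is added or renamed. Each enclosing test body starts and ends outside its hunk.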

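--- a/ydb/core/kqp/ut/service/kqp_qs_queries_ut.cpp
+++ b/ydb/core/kqp/ut/service/kqp_qs_queries_ut.cpp
@@ -1826,6 +1826,23 @@ Y_UNIT_TEST_SUITE(KqpQueryService) {
 }
 };
 
+{
+auto query = TStringBuilder() << R"(
+--!syntax_v1
+CREATE USER user1 PASSWORD 'password1';
+CREATE USER user2 PASSWORD 'password2';
+CREATE USER user3 PASSWORD 'password3';
+CREATE USER user4 PASSWORD 'password4';
+CREATE USER user5 PASSWORD 'password5';
+CREATE USER user6 PASSWORD 'password6';
+CREATE USER user7 PASSWORD 'password7';
+CREATE USER user8 PASSWORD 'password8';
+CREATE USER user9 PASSWORD 'password9';
+)";
+auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+}
+
 auto result = db.ExecuteQuery(R"(
 GRANT ROW SELECT ON `/Root` TO user1;
 )", TTxControl::NoTx()).ExtractValueSync();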

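--- a/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp
+++ b/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp
@@ -51,6 +51,26 @@ class TModifyACL: public TSubOperationBase {
 return result;
 }
 
+if (acl) {
+NACLib::TDiffACL diffACL(acl);
+for (const NACLibProto::TDiffACE& diffACE : diffACL.GetDiffACE()) {
+if (static_cast<NACLib::EDiffType>(diffACE.GetDiffType()) == NACLib::EDiffType::Add) {
+if (!context.SS->LoginProvider.CheckSidExistsOrIsNonYdb(diffACE.GetACE().GetSID())) {
+result->SetError(NKikimrScheme::StatusPreconditionFailed,
+TStringBuilder() << "SID " << diffACE.GetACE().GetSID() << " not found");
+return result;
+}
+} // remove diff type is allowed in any case
+}
+}
+if (owner) {
+if (!context.SS->LoginProvider.CheckSidExistsOrIsNonYdb(owner)) {
+result->SetError(NKikimrScheme::StatusPreconditionFailed,
+TStringBuilder() << "Owner SID " << owner << " not found");
+return result;
+}
+}
+
 THashSet<TPathId> subTree;
 if (acl || (owner && path.Base()->IsTable())) {
 subTree = context.SS->ListSubTree(path.Base()->PathId, context.Ctx);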
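Review bot: The new guard is only as strong as `CheckSidExistsOrIsNonYdb`, which skips the lookup for any SID containing '@'; that relies on local login names never containing '@', an invariant this hunk does not state. A comment above `if (acl) {` such as `// ACEs and owners that name a local SID must refer to an existing login; SIDs of the form <login>@<subsystem> are external and are not validated here` would make the intent and its limit explicit for the next reader. The enclosing method starts and ends outside the hunk, so it is not visible whether `acl` is parsed into a TDiffACL a second time when the diff is applied later; if it is, the `diffACL` built here could be reused instead of deserialising twice.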

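--- a/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
+++ b/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
@@ -91,6 +91,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 TTestEnv env(runtime);
 ui64 txId = 100;
 CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "password2");
 auto resultLogin = Login(runtime, "user1", "password1");
 UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
 
@@ -150,6 +151,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 TTestEnv env(runtime);
 ui64 txId = 100;
 CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "password2");
 auto resultLogin = Login(runtime, "user1", "password1");
 UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
 
@@ -228,6 +230,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 TTestEnv env(runtime);
 ui64 txId = 100;
 CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "password2");
 auto resultLogin = Login(runtime, "user1", "password1");
 UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
 
@@ -268,6 +271,53 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
 }
 }
 
+Y_UNIT_TEST(AddAccess_NonExisting) {
+TTestBasicRuntime runtime;
+TTestEnv env(runtime);
+ui64 txId = 100;
+
+AsyncMkDir(runtime, ++txId, "/MyRoot", "Dir1");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusAccepted);
+
+{
+NACLib::TDiffACL diffACL;
+diffACL.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericUse, "user1");
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", diffACL.SerializeAsString(), "");
+TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "SID user1 not found"}});
+}
+
+{
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", NACLib::TDiffACL{}.SerializeAsString(), "user1");
+TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "Owner SID user1 not found"}});
+}
+
+CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
+
+TestDescribeResult(DescribePath(runtime, "/MyRoot/Dir1"),
+{NLs::HasNoRight("+U:user1"), NLs::HasNoEffectiveRight("+U:user1"), NLs::HasOwner("root@builtin")});
+}
+
+Y_UNIT_TEST(AddAccess_NonYdb) {
+TTestBasicRuntime runtime;
+TTestEnv env(runtime);
+ui64 txId = 100;
+
+AsyncMkDir(runtime, ++txId, "/MyRoot", "Dir1");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusAccepted);
+
+{
+NACLib::TDiffACL diffACL;
+diffACL.AddAccess(NACLib::EAccessType::Allow, NACLib::GenericUse, "user1@staff");
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", diffACL.SerializeAsString(), "");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusSuccess);
+}
+
+{
+AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", NACLib::TDiffACL{}.SerializeAsString(), "user1@staff");
+TestModificationResult(runtime, txId, NKikimrScheme::StatusSuccess);
+}
+}
+
 Y_UNIT_TEST(DisableBuiltinAuthMechanism) {
 TTestBasicRuntime runtime;
 TTestEnv env(runtime);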
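Review bot: `AddAccess_NonExisting` creates user1 at the end (new line 294) but never repeats the ModifyACL, so the test shows only that the rejected attempts left no trace, not that the precondition is lifted once the login exists. After the CreateAlterLoginCreateUser call, re-issuing the same diffACL and owner change with `TestModificationResult(runtime, txId, NKikimrScheme::StatusSuccess);` and then asserting `NLs::HasRight("+U:user1")` on the describe result would cover the positive path in the same test. In `AddAccess_NonYdb` a short comment such as `// '@' marks an external SID, which bypasses the login-existence check` would explain why both modifications succeed without a login having been created.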

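--- a/ydb/core/viewer/viewer_ut.cpp
+++ b/ydb/core/viewer/viewer_ut.cpp
@@ -1599,7 +1599,7 @@ Y_UNIT_TEST_SUITE(Viewer) {
 void Success(TEvTicketParser::TEvAuthorizeTicket::TPtr& ev) {
 ++AuthorizeTicketSuccesses;
 NACLib::TUserToken::TUserTokenInitFields args;
-args.UserSID = "user_name";
+args.UserSID = "username";
 args.GroupSIDs.push_back("group_name");
 TIntrusivePtr<NACLib::TUserToken> userToken = MakeIntrusive<NACLib::TUserToken>(args);
 LOG_INFO_S(*TlsActivationContext, NKikimrServices::TICKET_PARSER, "Send TEvAuthorizeTicketResult success");
@@ -1616,7 +1616,8 @@ Y_UNIT_TEST_SUITE(Viewer) {
 }
 
 void GrantConnect(TClient& client) {
-client.GrantConnect("user_name");
+client.CreateUser("/Root", "username", "password");
+client.GrantConnect("username");
 
 const auto alterAttrsStatus = client.AlterUserAttributes("/", "Root", {
 { "folder_id", "test_folder_id" },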
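Review bot: The SID literal `"username"` now has to agree between `Success()` (new line 1602) and `GrantConnect()` (new lines 1619-1620), and the user must be created before `GrantConnect` because of the new schemeshard precondition; both facts live only in repeated string literals. Hoisting the name into one constant, e.g. `static const TString TestUserSID = "username";`, and referencing it in both places would stop the two from drifting apart again, which is exactly what the `user_name` → `username` rename in this hunk corrects. Both enclosing functions continue outside their hunks.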

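--- a/ydb/library/login/login.cpp
+++ b/ydb/library/login/login.cpp
@@ -92,6 +92,11 @@ bool TLoginProvider::CheckUserExists(const TString& user) {
 return CheckSubjectExists(user, ESidType::USER);
 }
 
+bool TLoginProvider::CheckSidExistsOrIsNonYdb(const TString& sid) {
+// non-YDB user's sid format is <login>@<subsystem>
+return sid.Contains('@') || Sids.contains(sid);
+}
+
 TLoginProvider::TBasicResponse TLoginProvider::ModifyUser(const TModifyUserRequest& request) {
 TBasicResponse response;
 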
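Review bot: `CheckSidExistsOrIsNonYdb` accepts any entry in `Sids` regardless of its type, whereas `CheckUserExists` just above narrows to `ESidType::USER`; if groups are meant to be grantable in ACLs that is the right behaviour, but neither the name nor the comment says so. The declaration added in ydb/library/login/login.h carries no comment; a line such as `// True if sid is a known local user or group, or is an external SID of the form <login>@<subsystem> (external SIDs are not looked up)` belongs there so the schemeshard caller sees the contract without reading this file. The method only reads `Sids` and could be declared `const` in both files, though that would differ from the neighbouring non-const `CheckUserExists`.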

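--- a/ydb/library/login/login.h
+++ b/ydb/library/login/login.h
@@ -162,6 +162,7 @@ class TLoginProvider {
 TBasicResponse ModifyUser(const TModifyUserRequest& request);
 TRemoveUserResponse RemoveUser(const TString& user);
 bool CheckUserExists(const TString& user);
+bool CheckSidExistsOrIsNonYdb(const TString& sid);
 
 TBasicResponse CreateGroup(const TCreateGroupRequest& request);
 TBasicResponse AddGroupMembership(const TAddGroupMembershipRequest& request);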

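--- a/ydb/services/ydb/ydb_ut.cpp
+++ b/ydb/services/ydb/ydb_ut.cpp
@@ -421,6 +421,10 @@ Y_UNIT_TEST_SUITE(TGRpcClientLowTest) {
 TString location = TStringBuilder() << "localhost:" << grpc;
 auto clientConfig = NGRpcProxy::TGRpcClientConfig(location);
 
+{
+TClient client(*server.ServerSettings);
+client.CreateUser("/Root", "qqq", "password");
+}
 {
 NYdbGrpc::TGRpcClientLow clientLow;
 auto connection = clientLow.CreateGRpcServiceConnection<Ydb::Scheme::V1::SchemeService>(clientConfig);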

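--- a/ydb/tests/functional/ydb_cli/test_ydb_backup.py
+++ b/ydb/tests/functional/ydb_cli/test_ydb_backup.py
@@ -65,7 +65,6 @@ def sort_permissions(permissions):
 permission.permission_names = sorted(permission.permission_names)
 return sorted(permissions, key=lambda p: p.subject)
 
-
 def create_table_with_data(session, path, not_null=False):
 path = "/Root/" + path
 session.create_table(
@@ -271,6 +270,23 @@ def scheme_listdir(self, path):
 for child in self.driver.scheme_client.list_directory(path).children
 if not is_system_object(child)
 ]
+
+def create_user(self, user, password = "password"):
+yatest.common.execute(
+[
+backup_bin(),
+"--verbose",
+"--endpoint", "grpc://localhost:%d" % self.cluster.nodes[1].grpc_port,
+"--database", "/Root",
+"yql",
+"--script", f"CREATE USER {user} PASSWORD '{password}'",
+]
+)
+
+def create_users(self):
+self.create_user("alice")
+self.create_user("bob")
+self.create_user("eve")
 
 
 class TestBackupSingle(BaseTestBackupInFiles):
@@ -825,6 +841,7 @@ def test_single_table(self):
 session = self.driver.table_client.session().create()
 
 # Create table and modify permissions on it
+self.create_users()
 create_table_with_data(session, "folder/table")
 modify_permissions(self.driver.scheme_client, "folder/table")
 
@@ -879,6 +896,7 @@ def test_single_table(self):
 class TestPermissionsBackupRestoreFolderWithTable(BaseTestBackupInFiles):
 def test_folder_with_table(self):
 # Create folder and modify permissions on it
+self.create_users()
 self.driver.scheme_client.make_directory("/Root/folder")
 modify_permissions(self.driver.scheme_client, "folder")
 
@@ -935,6 +953,7 @@ def test_folder_with_table(self):
 class TestPermissionsBackupRestoreDontOverwriteOnAlreadyExisting(BaseTestBackupInFiles):
 def test_dont_overwrite_on_already_existing(self):
 # Create folder and modify permissions on it
+self.create_users()
 self.driver.scheme_client.make_directory("/Root/folder")
 modify_permissions(self.driver.scheme_client, "folder")
 
@@ -1034,6 +1053,7 @@ def test_dont_overwrite_on_already_existing(self):
 class TestPermissionsBackupRestoreSchemeOnly(BaseTestBackupInFiles):
 def test_scheme_only(self):
 # Create folder and modify permissions on it
+self.create_users()
 self.driver.scheme_client.make_directory("/Root/folder")
 modify_permissions(self.driver.scheme_client, "folder")
 
@@ -1091,6 +1111,7 @@ def test_scheme_only(self):
 class TestPermissionsBackupRestoreEmptyDir(BaseTestBackupInFiles):
 def test_empty_dir(self):
 # Create empty folder and modify permissions on it
+self.create_users()
 self.driver.scheme_client.make_directory("/Root/folder")
 modify_permissions(self.driver.scheme_client, "folder")
 
@@ -1141,6 +1162,7 @@ def test_restore_acl_option(self):
 session = self.driver.table_client.session().create()
 
 # Create table and modify permissions on it
+self.create_users()
 create_table_with_data(session, "folder/table")
 modify_permissions(self.driver.scheme_client, "folder/table")
 
@@ -1208,6 +1230,7 @@ def test_restore_no_data(self):
 session = self.driver.table_client.session().create()
 
 # Create table and modify permissions on it
+self.create_users()
 create_table_with_data(session, "folder/table")
 modify_permissions(self.driver.scheme_client, "folder/table")
 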
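Review bot: `def create_user(self, user, password = "password"):` (new line 274) puts spaces around the default's `=`, which PEP 8 and flake8 (E251) flag; write `def create_user(self, user, password="password"):`. The YQL text is assembled by f-string interpolation of `user` and `password` with no quoting, which is fine for the fixed fixture names passed by `create_users`, but a one-line docstring stating that the helper does no escaping would keep it from being reused with arbitrary values. It is not visible here whether `yatest.common.execute` is left at its default of failing on a non-zero exit code; if it is not, a failed CREATE USER would surface later as a confusing permissions failure in the backup tests.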
