Update IAM API. Use attributes for proper access to IAM permissions (#3099)

Author: UgnineSirdis

ydb/core/grpc_services/grpc_request_check_actor.h

@@ -73,7 +73,7 @@ class TGrpcRequestCheckActor
     }
 
     void ProcessCommonAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData) {
-        static std::vector<TString> allowedAttributes = {"folder_id", "service_account_id", "database_id"};
+        static std::vector<TString> allowedAttributes = {"folder_id", "service_account_id", "database_id", "container_id"};
         TVector<std::pair<TString, TString>> attributes;
         attributes.reserve(schemeData.GetPathDescription().UserAttributesSize());
         for (const auto& attr : schemeData.GetPathDescription().GetUserAttributes()) {

ydb/core/security/ticket_parser_impl.h

@@ -387,12 +387,22 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
     }
 
     template <>
-    static void AddResourcePath<nebius::iam::v1::ResourcePath*>(nebius::iam::v1::ResourcePath* pathsContainer, const TString& id, const TString& type) {
-        auto resourcePath = pathsContainer->add_path();
+    static void AddResourcePath<nebius::iam::v1::AuthorizeCheck*>(nebius::iam::v1::AuthorizeCheck* pathsContainer, const TString& id, const TString& type) {
+        auto resourcePath = pathsContainer->mutable_resource_path()->add_path();
         resourcePath->set_id(id);
         Y_UNUSED(type);
     }
 
+    template <typename TPathsContainerPtr>
+    static void AddContainerId(TPathsContainerPtr pathsContainer, const TString& id) {
+        Y_UNUSED(pathsContainer, id);
+    }
+
+    template <>
+    static void AddContainerId<nebius::iam::v1::AuthorizeCheck*>(nebius::iam::v1::AuthorizeCheck* pathsContainer, const TString& id) {
+        pathsContainer->set_container_id(id);
+    }
+
     template <typename TTokenRecord, typename TPathsContainerPtr>
     void addResourcePaths(const TTokenRecord& record, const TString& permission, TPathsContainerPtr pathsContainer) const {
         if (const auto databaseId = record.GetAttributeValue(permission, "database_id"); databaseId) {
@@ -412,6 +422,10 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
         if (const TString gizmoId = record.GetAttributeValue(permission, "gizmo_id"); gizmoId) {
             AddResourcePath(pathsContainer, gizmoId, "iam.gizmo");
         }
+
+        if (const TString containerId = record.GetAttributeValue(permission, "container_id"); containerId) {
+            AddContainerId(pathsContainer, containerId);
+        }
     }
 
     template <typename TTokenRecord>
@@ -452,7 +466,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             auto& check = (*request->Request.mutable_checks())[i];
             check.set_iam_token(record.Ticket);
             check.mutable_permission()->set_name(permissionName);
-            addResourcePaths(record, permissionName, check.mutable_resource_path());
+            addResourcePaths(record, permissionName, &check);
             requestForPermissions << " " << permissionName;
             ++i;
         }
@@ -555,6 +569,10 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
     }
 
     bool ApplySubjectName(const nebius::iam::v1::AuthenticateResponse& response, TString& subject, TString& error) {
+        if (response.resultcode() != nebius::iam::v1::AuthenticateResponse::OK) {
+            error = nebius::iam::v1::AuthenticateResponse::ResultCode_Name(response.resultcode());
+            return false;
+        }
         return ApplySubjectName(response.account(), subject, error);
     }
 
@@ -1033,7 +1051,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                         }
                         const auto& check = checkIt->second;
 
-                        if (!subjectIsResolved && result.authorized()) {
+                        if (!subjectIsResolved && result.resultcode() == nebius::iam::v1::AuthorizeResult::OK) {
                             const auto& account = result.account();
                             TString errorMessage;
                             if (!ApplySubjectName(account, record.Subject, errorMessage)) {
@@ -1056,7 +1074,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                         if (permissionIt != examinedPermissions.end()) {
                             processedPermissions.insert(permissionIt->first);
                             auto& permissionRecord = permissionIt->second;
-                            if (!result.authorized()) {
+                            if (result.resultcode() != nebius::iam::v1::AuthorizeResult::OK) {
                                 permissionDeniedCount++;
                                 permissionRecord.Subject.clear();
                                 BLOG_TRACE("Ticket " << record.GetMaskedTicket() << " permission " << permissionName << " access denied for subject \"" << (record.Subject ? record.Subject : "<not resolved>") << "\"");
@@ -1070,7 +1088,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                                     errorMessage << " - ";
                                     requiredPermissions.push_back(permissionIt);
                                 }
-                                errorMessage << "Access Denied";
+                                errorMessage << nebius::iam::v1::AuthorizeResult::ResultCode_Name(result.resultcode());
                                 permissionRecord.Error = {.Message = errorMessage, .Retryable = false};
                             }
                         } else {

ydb/core/security/ticket_parser_ut.cpp

@@ -253,23 +253,23 @@ void SetUseAccessService<NKikimr::TNebiusAccessServiceMock>(NKikimrProto::TAuthC
 }
 
 template <class TAccessServiceMock>
-bool IsApiKeySupported() {
-    return true;
+constexpr bool IsNebiusAccessService() {
+    return false;
 }
 
 template <>
-bool IsApiKeySupported<NKikimr::TNebiusAccessServiceMock>() {
-    return false;
+constexpr bool IsNebiusAccessService<NKikimr::TNebiusAccessServiceMock>() {
+    return true;
 }
 
 template <class TAccessServiceMock>
-bool IsSignatureSupported() {
-    return true;
+constexpr bool IsApiKeySupported() {
+    return !IsNebiusAccessService<TAccessServiceMock>();
 }
 
-template <>
-bool IsSignatureSupported<NKikimr::TNebiusAccessServiceMock>() {
-    return false;
+template <class TAccessServiceMock>
+constexpr bool IsSignatureSupported() {
+    return !IsNebiusAccessService<TAccessServiceMock>();
 }
 
 } // namespace
@@ -1666,10 +1666,16 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
         TActorId sender = runtime->AllocateEdgeActor();
         TAutoPtr<IEventHandle> handle;
 
+        TVector<std::pair<TString, TString>> attrs = {{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}};
+        if constexpr (IsNebiusAccessService<TAccessServiceMock>()) {
+            accessServiceMock.ContainerId = "my_container";
+            attrs.emplace_back("container_id", "my_container");
+        }
+
         // Authorization successful.
         runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
                                            userToken,
-                                           {{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}},
+                                           attrs,
                                            {"something.read"})), 0);
         TEvTicketParser::TEvAuthorizeTicketResult* result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
         UNIT_ASSERT_C(result->Error.empty(), result->Error);
@@ -1679,7 +1685,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
         accessServiceMock.AllowedUserPermissions.insert("user1-something.connect");
         runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
                                            userToken,
-                                           {{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}},
+                                           attrs,
                                            {"something.read", "something.connect", "something.list", "something.update"})), 0);
         result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
         UNIT_ASSERT_C(result->Error.empty(), result->Error);
@@ -1689,17 +1695,31 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
         UNIT_ASSERT_C(!result->Token->IsExist("something.update-bbbb4554@as"), result->Token->ShortDebugString());
 
         // Authorization ApiKey successful.
-        if (IsApiKeySupported<TAccessServiceMock>()) {
+        if constexpr (IsApiKeySupported<TAccessServiceMock>()) {
             runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
                                             "ApiKey ApiKey-value-valid",
-                                            {{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}},
+                                            attrs,
                                             {"something.read"})), 0);
             result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
             UNIT_ASSERT_C(result->Error.empty(), result->Error);
             UNIT_ASSERT_C(result->Token->IsExist("something.read-bbbb4554@as"), result->Token->ShortDebugString());
             UNIT_ASSERT_C(!result->Token->IsExist("something.write-bbbb4554@as"), result->Token->ShortDebugString());
         }
 
+        if constexpr (IsNebiusAccessService<TAccessServiceMock>()) {
+            // check wrong container
+            accessServiceMock.ContainerId = "other_container";
+            runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
+                                           userToken,
+                                           attrs,
+                                           {"something.read", "read.something", "something.connect", "something.list", "something.update"})), 0);
+            TEvTicketParser::TEvAuthorizeTicketResult* result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
+            UNIT_ASSERT_C(!result->Error.empty(), result->Token->ShortDebugString());
+
+            // switch off this check
+            accessServiceMock.ContainerId = "";
+        }
+
         // Authorization failure with not enough permissions.
         runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
                                            userToken,

ydb/library/ncloud/impl/access_service_ut.cpp

@@ -108,7 +108,7 @@ Y_UNIT_TEST_SUITE_F(TNebiusAccessServiceTest, TTestSetup) {
         auto& resp = AccessServiceMock.AuthorizeData["token-perm-path_id"];
         {
             auto& result = (*resp.Response.mutable_results())[0];
-            result.set_authorized(true);
+            result.set_resultcode(nebius::iam::v1::AuthorizeResult::OK);
             result.mutable_account()->mutable_user_account()->set_id("user_id");
         }
 

ydb/library/testlib/service_mocks/nebius_access_service_mock.h

@@ -154,6 +154,7 @@ class TTicketParserNebiusAccessServiceMock : public nebius::iam::v1::AccessServi
     THashMap<TString, TString> AllowedServicePermissions = {{"service1-something.write", "root1/folder1"}};
     THashSet<TString> AllowedResourceIds;
     THashSet<TString> UnavailableUserPermissions;
+    TString ContainerId;
 
     grpc::Status Authorize(
             grpc::ServerContext*,
@@ -193,15 +194,21 @@ class TTicketParserNebiusAccessServiceMock : public nebius::iam::v1::AccessServi
                     "Authorize");
             }
 
-            auto& result = (*response->mutable_results())[checkId];
-
             if (IsIn(UnavailableUserPermissions, mockPermToFind)) {
                 return LogResponse(
                     grpc::Status(grpc::StatusCode::UNAVAILABLE, "Service Unavailable"),
                     response,
                     "Authorize");
             }
 
+            auto& result = (*response->mutable_results())[checkId];
+            result.set_resultcode(nebius::iam::v1::AuthorizeResult::PERMISSION_DENIED);
+
+            if (ContainerId && check.container_id() != ContainerId) {
+                result.set_resultcode(nebius::iam::v1::AuthorizeResult::PERMISSION_DENIED);
+                continue;
+            }
+
             bool allowedResource = true;
             if (!AllowedResourceIds.empty()) {
                 allowedResource = false;
@@ -216,14 +223,14 @@ class TTicketParserNebiusAccessServiceMock : public nebius::iam::v1::AccessServi
                 if (IsIn(AllowedUserTokens, token)) {
                     if (IsIn(AllowedUserPermissions, mockPermToFind)) {
                         result.mutable_account()->mutable_user_account()->set_id(token);
-                        result.set_authorized(true);
+                        result.set_resultcode(nebius::iam::v1::AuthorizeResult::OK);
                     }
                 }
 
                 if (IsIn(AllowedServiceTokens, token)) {
                     if (IsIn(AllowedServicePermissions, mockPermToFind)) {
                         result.mutable_account()->mutable_service_account()->set_id(token);
-                        result.set_authorized(true);
+                        result.set_resultcode(nebius::iam::v1::AuthorizeResult::OK);
                     }
                 }
             }

ydb/public/api/client/nc_private/accessservice/access_service.proto

@@ -23,12 +23,20 @@ service AccessService {
 message AuthenticateRequest {
   oneof credentials {
     string iam_token = 1;
+    AwsCompatibleSignature aws_compatible_signature = 2;
   }
 }
 
 message AuthenticateResponse {
-  Account account = 1;
-  google.protobuf.Timestamp session_expires_at = 2;
+  ResultCode resultCode = 1;
+  Account account = 2;
+  google.protobuf.Timestamp session_expires_at = 3;
+
+  enum ResultCode {
+    OK = 0; // authentication was successful.
+    UNKNOWN_SUBJECT = 1; // if the subject: doesn't exist, deleted, not found or account doesn't exist in the tenant owning the resource.
+    INVALID_TOKEN = 2; // The iam_token is not valid. It has an invalid length, invalid signature, etc.
+  }
 }
 
 message AuthorizeRequest {
@@ -43,13 +51,34 @@ message AuthorizeCheck {
   Permission permission = 1;
   string container_id = 2;
   ResourcePath resource_path = 3;
-  oneof credentials {
+  oneof identifier {
     string iam_token = 4;
     Account account = 5;
+    AwsCompatibleSignature aws_compatible_signature = 6;
   }
 }
 
 message AuthorizeResult {
-  bool authorized = 1;
+  ResultCode resultCode = 1;
   Account account = 2;
+
+  enum ResultCode {
+    OK = 0; // Access granted.
+    PERMISSION_DENIED = 1; // Other cases of access denied.
+    UNKNOWN_SUBJECT = 2; // if the subject: doesn't exist, deleted, not found or account doesn't exist in the tenant owning the resource.
+    INVALID_TOKEN = 3; // The iam_token is not valid. It has an invalid length, invalid signature, etc.
+  }
+}
+
+message AwsCompatibleSignature {
+  string aws_access_key_id = 1;
+  string string_to_sign = 2;
+  string signature = 3;
+  AmzSignatureV4KeyParams sign_key_params = 4;
+}
+
+message AmzSignatureV4KeyParams {
+  google.protobuf.Timestamp amz_date = 1;
+  string amz_region = 2;
+  string amz_service = 3;
 }