ydb-platform · molotkov-and · Jan 14, 2025 · Dec 26, 2024 · Dec 26, 2024 · Dec 27, 2024
@@ -3883,6 +3883,7 @@ struct TSchemeShard::TTxInit : public TTransactionBase<TSchemeShard> {
                 sid.SetName(rowset.GetValue<Schema::LoginSids::SidName>());
                 sid.SetType(rowset.GetValue<Schema::LoginSids::SidType>());
                 sid.SetHash(rowset.GetValue<Schema::LoginSids::SidHash>());
+                sid.SetCreatedAt(rowset.GetValueOrDefault<Schema::LoginSids::CreatedAt>());
                 sidIndex[sid.name()] = securityState.SidsSize() - 1;
                 if (!rowset.Next()) {
                     return false;

@@ -4,6 +4,7 @@
 #include <ydb/core/tablet/tablet_exception.h>
 #include <ydb/core/tablet_flat/flat_cxx_database.h>
 #include <ydb/library/aclib/aclib.h>
+#include <ydb/library/security/util.h>
 
 namespace NKikimr {
 namespace NSchemeShard {
@@ -55,7 +56,9 @@ struct TSchemeShard::TTxInitRoot : public TSchemeShard::TRwTxBase {
                          << ", error: " << response.Error);
             } else {
                 auto& sid = Self->LoginProvider.Sids[defaultUser.GetName()];
-                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType, Schema::LoginSids::SidHash>(sid.Type, sid.Hash);
+                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                   Schema::LoginSids::SidHash,
+                                                                   Schema::LoginSids::CreatedAt>(sid.Type, sid.Hash, ToInstant(sid.CreatedAt).MilliSeconds());
                 if (owner.empty()) {
                     owner = defaultUser.GetName();
                 }
@@ -77,7 +80,8 @@ struct TSchemeShard::TTxInitRoot : public TSchemeShard::TRwTxBase {
                          << ", error: " << response.Error);
             } else {
                 auto& sid = Self->LoginProvider.Sids[defaultGroup.GetName()];
-                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType>(sid.Type);
+                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                   Schema::LoginSids::CreatedAt>(sid.Type, ToInstant(sid.CreatedAt).MilliSeconds());
                 for (const auto& member : defaultGroup.GetMembers()) {
                     auto response = Self->LoginProvider.AddGroupMembership({
                         .Group = defaultGroup.GetName(),

@@ -1,6 +1,7 @@
 #include "schemeshard__operation_part.h"
 #include "schemeshard__operation_common.h"
 #include "schemeshard_impl.h"
+#include <ydb/library/security/util.h>
 #include <ydb/core/protos/auth.pb.h>
 
 namespace {
@@ -32,7 +33,9 @@ class TAlterLogin: public TSubOperationBase {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
                     } else {
                         auto& sid = context.SS->LoginProvider.Sids[createUser.GetUser()];
-                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType, Schema::LoginSids::SidHash>(sid.Type, sid.Hash);
+                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                           Schema::LoginSids::SidHash,
+                                                                           Schema::LoginSids::CreatedAt>(sid.Type, sid.Hash, ToInstant(sid.CreatedAt).MilliSeconds());
                         if (securityConfig.HasAllUsersGroup()) {
                             auto response = context.SS->LoginProvider.AddGroupMembership({
                                 .Group = securityConfig.GetAllUsersGroup(),
@@ -76,7 +79,8 @@ class TAlterLogin: public TSubOperationBase {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
                     } else {
                         auto& sid = context.SS->LoginProvider.Sids[group];
-                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType>(sid.Type);
+                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                           Schema::LoginSids::CreatedAt>(sid.Type, ToInstant(sid.CreatedAt).MilliSeconds());
                         result->SetStatus(NKikimrScheme::StatusSuccess);
                     }
                     break;
@@ -200,7 +204,7 @@ class TAlterLogin: public TSubOperationBase {
             TPathElement::TPtr path = context.SS->PathsById.at(pathId);
             if (path->Owner == user) {
                 auto pathStr = TPath::Init(pathId, context.SS).PathString();
-                return {.Error = TStringBuilder() << 
+                return {.Error = TStringBuilder() <<
                     "User " << user << " owns " << pathStr << " and can't be removed"};
             }
         }
@@ -239,7 +243,7 @@ class TAlterLogin: public TSubOperationBase {
         for (const TString& group : removeUserResponse.TouchedGroups) {
             db.Table<Schema::LoginSidMembers>().Key(group, user).Delete();
         }
-        
+
         return {}; // success
     }
 };

@@ -1636,6 +1636,7 @@ struct Schema : NIceDb::Schema {
         struct LastSuccessfulAttempt : Column<4, NScheme::NTypeIds::Timestamp> {};
         struct LastFailedAttempt : Column<5, NScheme::NTypeIds::Timestamp> {};
         struct FailedAttemptCount : Column<6, NScheme::NTypeIds::Uint32> {using Type = ui32; static constexpr Type Default = 0;};
+        struct CreatedAt : Column<7, NScheme::NTypeIds::Timestamp> {};
 
         using TKey = TableKey<SidName>;
         using TColumns = TableColumns<
@@ -1644,7 +1645,8 @@ struct Schema : NIceDb::Schema {
             SidHash,
             LastSuccessfulAttempt,
             LastFailedAttempt,
-            FailedAttemptCount
+            FailedAttemptCount,
+            CreatedAt
         >;
     };
 

@@ -311,7 +311,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
         auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
         CheckSecurityState(describe, {.PublicKeysSize = 1, .SidsSize = 0});
     }
-    
+
     Y_UNIT_TEST(AddAccess_NonExisting) {
         TTestBasicRuntime runtime;
         TTestEnv env(runtime);
@@ -331,7 +331,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
             AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", NACLib::TDiffACL{}.SerializeAsString(), "user1");
             TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "Owner SID user1 not found"}});
         }
-        
+
         CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
 
         TestDescribeResult(DescribePath(runtime, "/MyRoot/Dir1"),

@@ -79,6 +79,7 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateUser(const TCreateUserReque
     TSidRecord& user = itUserCreate.first->second;
     user.Name = request.User;
     user.Hash = Impl->GenerateHash(request.Password);
+    user.CreatedAt = std::chrono::system_clock::now();
 
     return response;
 }
@@ -158,6 +159,7 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateGroup(const TCreateGroupReq
 
     TSidRecord& group = itGroupCreate.first->second;
     group.Name = request.Group;
+    group.CreatedAt = std::chrono::system_clock::now();
 
     return response;
 }
@@ -670,6 +672,7 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat
                 sid.Members.emplace(pbSubSid);
                 ChildToParentIndex[pbSubSid].emplace(sid.Name);
             }
+            sid.CreatedAt = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetCreatedAt()));
         }
     }
 }

@@ -145,6 +145,7 @@ class TLoginProvider {
         TString Name;
         TString Hash;
         std::unordered_set<TString> Members;
+        std::chrono::system_clock::time_point CreatedAt; // CreatedAt does not need in describe result. We will not add to security state
     };
 
     // our current audience (database name)

@@ -356,4 +356,41 @@ Y_UNIT_TEST_SUITE(Login) {
         UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_dot"), "");
         UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_signature."), "");
     }
+
+    Y_UNIT_TEST(CheckTimeOfUserCreating) {
+        TLoginProvider provider;
+        provider.Audience = "test_audience1";
+        provider.RotateKeys();
+
+        {
+            std::chrono::time_point<std::chrono::system_clock> start = std::chrono::system_clock::now();
+            TLoginProvider::TCreateUserRequest request {
+                .User = "user1",
+                .Password = "password1"
+            };
+            auto response = provider.CreateUser(request);
+            std::chrono::time_point<std::chrono::system_clock> finish = std::chrono::system_clock::now();
+            UNIT_ASSERT(!response.Error);
+            const auto& sid = provider.Sids["user1"];
+            UNIT_ASSERT(sid.CreatedAt >= start && sid.CreatedAt <= finish);
+        }
+        {
+            std::chrono::time_point<std::chrono::system_clock> start = std::chrono::system_clock::now();
+            TLoginProvider::TCreateUserRequest request {
+                .User = "user2",
+                .Password = "password2"
+            };
+            auto response = provider.CreateUser(request);
+            std::chrono::time_point<std::chrono::system_clock> finish = std::chrono::system_clock::now();
+            UNIT_ASSERT(!response.Error);
+            const auto& sid = provider.Sids["user2"];
+            UNIT_ASSERT(sid.CreatedAt >= start && sid.CreatedAt <= finish);
+        }
+
+        {
+            const auto& sid1 = provider.Sids["user1"];
+            const auto& sid2 = provider.Sids["user2"];
+            UNIT_ASSERT(sid1.CreatedAt < sid2.CreatedAt);
+        }
+    }
 }
@@ -22,11 +22,11 @@ message TSid {
     ESidType.SidType Type = 2;
     string Hash = 3;
     repeated string Members = 4;
+    uint64 CreatedAt = 5;
 }
 
 message TSecurityState {
     repeated TPublicKey PublicKeys = 1;
     repeated TSid Sids = 2;
     string Audience = 3;
 }
-
diff --git a/...eme_tests.TestTabletSchemes.test_tablet_schemes_flat_schemeshard_/flat_schemeshard.schema b/...eme_tests.TestTabletSchemes.test_tablet_schemes_flat_schemeshard_/flat_schemeshard.schema
@@ -6592,6 +6592,11 @@
             1
         ],
         "ColumnsAdded": [
+            {
+                "ColumnId": 7,
+                "ColumnName": "CreatedAt",
+                "ColumnType": "Timestamp"
+            },
             {
                 "ColumnId": 1,
                 "ColumnName": "SidName",
@@ -6627,6 +6632,7 @@
         "ColumnFamilies": {
             "0": {
                 "Columns": [
+                    7,
                     1,
                     2,
                     3,