Add grants for groups (#26063)

Author: yurikiselev

ydb/core/kqp/common/events/script_executions.h

@@ -3,6 +3,7 @@
 #include <ydb/core/protos/kqp.pb.h>
 #include <ydb/core/protos/kqp_stats.pb.h>
 #include <ydb/core/protos/kqp_physical.pb.h>
+#include <ydb/library/aclib/aclib.h>
 #include <yql/essentials/public/issue/yql_issue.h>
 #include <ydb/public/api/protos/ydb_operation.pb.h>
 #include <ydb/public/api/protos/ydb_query.pb.h>
@@ -281,7 +282,7 @@ struct TEvSaveScriptExternalEffectRequest : public TEventLocal<TEvSaveScriptExte
         TString Database;
 
         TString CustomerSuppliedId;
-        TString UserToken;
+        TIntrusiveConstPtr<NACLib::TUserToken> UserToken;
         std::vector<NKqpProto::TKqpExternalSink> Sinks;
         std::vector<TString> SecretNames;
     };
@@ -386,7 +387,7 @@ struct TEvSaveScriptFinalStatusResponse : public TEventLocal<TEvSaveScriptFinalS
     bool OperationAlreadyFinalized = false;
     bool WaitRetry = false;
     TString CustomerSuppliedId;
-    TString UserToken;
+    TIntrusiveConstPtr<NACLib::TUserToken> UserToken;
     std::vector<NKqpProto::TKqpExternalSink> Sinks;
     std::vector<TString> SecretNames;
     Ydb::StatusIds::StatusCode Status;

ydb/core/kqp/executer_actor/kqp_executer_impl.h

@@ -941,7 +941,7 @@ class TKqpExecuterBase : public TActor<TDerived> {
     }
 
     void GetSecretsSnapshot() {
-        RegisterDescribeSecretsActor(this->SelfId(), UserToken ? UserToken->GetUserSID() : "", SecretNames, this->ActorContext().ActorSystem());
+        RegisterDescribeSecretsActor(this->SelfId(), UserToken, SecretNames, this->ActorContext().ActorSystem());
     }
 
     void GetResourcesSnapshot() {

ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp

@@ -216,19 +216,19 @@ void TDescribeSchemaSecretsService::SaveIncomingRequestInfo(const TEvResolveSecr
     ResolveInFlight[LastCookie] = std::move(ctx);
 }
 
-void TDescribeSchemaSecretsService::SendSchemeCacheRequests(const TVector<TString>& secretNames, const NACLib::TUserToken& userToken) {
+void TDescribeSchemaSecretsService::SendSchemeCacheRequests(const TVector<TString>& secretNames, const TIntrusiveConstPtr<NACLib::TUserToken> userToken) {
     TAutoPtr<NSchemeCache::TSchemeCacheNavigate> request(new NSchemeCache::TSchemeCacheNavigate());
     for (const auto& secretName : secretNames) {
         NSchemeCache::TSchemeCacheNavigate::TEntry entry;
         entry.Operation = NSchemeCache::TSchemeCacheNavigate::OpPath;
         entry.Path = SplitPath(secretName);    
-        if (userToken.GetUserSID()) {    
+        if (userToken && userToken->GetUserSID()) {
             entry.Access = NACLib::SelectRow;
         }
         request->ResultSet.emplace_back(entry);
     }
-    if (userToken.GetUserSID()) {        
-        request->UserToken = new NACLib::TUserToken(userToken);
+    if (userToken && userToken->GetUserSID()) {
+        request->UserToken = userToken;
     }
 
     Send(MakeSchemeCacheID(), new TEvTxProxySchemeCache::TEvNavigateKeySet(request), 0, LastCookie++);
@@ -305,7 +305,11 @@ void TDescribeSchemaSecretsService::HandleNotifyDelete(TSchemeBoardEvents::TEvNo
     SchemeBoardSubscribers.erase(subscriberIt);
 }
 
-NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeSecret(const TVector<TString>& secretNames, const TString& ownerUserId, TActorSystem* actorSystem) {
+NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeSecret(
+    const TVector<TString>& secretNames,
+    const TIntrusiveConstPtr<NACLib::TUserToken> userToken,
+    TActorSystem* actorSystem
+) {
     auto promise = NThreading::NewPromise<TEvDescribeSecretsResponse::TDescription>();
     if (actorSystem->AppData<TAppData>()->FeatureFlags.GetEnableSchemaSecrets()) {
         bool schemaSecrets = false;
@@ -318,53 +322,62 @@ NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeSecret(con
         if (schemaSecrets) {
             actorSystem->Send(
                 MakeKqpDescribeSchemaSecretServiceId(actorSystem->NodeId),
-                new TDescribeSchemaSecretsService::TEvResolveSecret(ownerUserId, secretNames, promise));
+                new TDescribeSchemaSecretsService::TEvResolveSecret(userToken, secretNames, promise));
             return promise.GetFuture();
         }
     }
 
-    actorSystem->Register(CreateDescribeSecretsActor(ownerUserId, secretNames, promise));
+    actorSystem->Register(CreateDescribeSecretsActor(userToken ? userToken->GetUserSID() : "", secretNames, promise));
     return promise.GetFuture();
 }
 
-void RegisterDescribeSecretsActor(const NActors::TActorId& replyActorId, const TString& ownerUserId, const std::vector<TString>& secretIds, NActors::TActorSystem* actorSystem) {
+void RegisterDescribeSecretsActor(
+    const NActors::TActorId& replyActorId,
+    const TIntrusiveConstPtr<NACLib::TUserToken> userToken,
+    const std::vector<TString>& secretIds,
+    NActors::TActorSystem* actorSystem
+) {
     TVector<TString> secretNames{secretIds.begin(), secretIds.end()};
-    auto future = DescribeSecret(secretNames, ownerUserId, actorSystem);
+    auto future = DescribeSecret(secretNames, userToken, actorSystem);
     future.Subscribe([actorSystem, replyActorId](const NThreading::TFuture<TEvDescribeSecretsResponse::TDescription>& result){
         actorSystem->Send(replyActorId, new TEvDescribeSecretsResponse(result.GetValue()));
     });
 }
 
-NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeExternalDataSourceSecrets(const NKikimrSchemeOp::TAuth& authDescription, const TString& ownerUserId, TActorSystem* actorSystem) {
+NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeExternalDataSourceSecrets(
+    const NKikimrSchemeOp::TAuth& authDescription,
+    const TIntrusiveConstPtr<NACLib::TUserToken> userToken,
+    TActorSystem* actorSystem
+) {
     switch (authDescription.identity_case()) {
         case NKikimrSchemeOp::TAuth::kServiceAccount: {
             const TString& saSecretId = authDescription.GetServiceAccount().GetSecretName();
-            return DescribeSecret({saSecretId}, ownerUserId, actorSystem);
+            return DescribeSecret({saSecretId}, userToken, actorSystem);
         }
 
         case NKikimrSchemeOp::TAuth::kNone:
             return NThreading::MakeFuture(TEvDescribeSecretsResponse::TDescription({}));
 
         case NKikimrSchemeOp::TAuth::kBasic: {
             const TString& passwordSecretId = authDescription.GetBasic().GetPasswordSecretName();
-            return DescribeSecret({passwordSecretId}, ownerUserId, actorSystem);
+            return DescribeSecret({passwordSecretId}, userToken, actorSystem);
         }
 
         case NKikimrSchemeOp::TAuth::kMdbBasic: {
             const TString& saSecretId = authDescription.GetMdbBasic().GetServiceAccountSecretName();
             const TString& passwordSecreId = authDescription.GetMdbBasic().GetPasswordSecretName();
-            return DescribeSecret({saSecretId, passwordSecreId}, ownerUserId, actorSystem);
+            return DescribeSecret({saSecretId, passwordSecreId}, userToken, actorSystem);
         }
 
         case NKikimrSchemeOp::TAuth::kAws: {
             const TString& awsAccessKeyIdSecretId = authDescription.GetAws().GetAwsAccessKeyIdSecretName();
             const TString& awsAccessKeyKeySecretId = authDescription.GetAws().GetAwsSecretAccessKeySecretName();
-            return DescribeSecret({awsAccessKeyIdSecretId, awsAccessKeyKeySecretId}, ownerUserId, actorSystem);
+            return DescribeSecret({awsAccessKeyIdSecretId, awsAccessKeyKeySecretId}, userToken, actorSystem);
         }
 
         case NKikimrSchemeOp::TAuth::kToken: {
             const TString& tokenSecretId = authDescription.GetToken().GetTokenSecretName();
-            return DescribeSecret({tokenSecretId}, ownerUserId, actorSystem);
+            return DescribeSecret({tokenSecretId}, userToken, actorSystem);
         }
 
         case NKikimrSchemeOp::TAuth::IDENTITY_NOT_SET:

ydb/core/kqp/federated_query/kqp_federated_query_actors.h

@@ -25,18 +25,18 @@ class TDescribeSchemaSecretsService: public NActors::TActorBootstrapped<TDescrib
     struct TEvResolveSecret : public NActors::TEventLocal<TEvResolveSecret, EvResolveSecret> {
     public:
         TEvResolveSecret(
-            const TString& ownerUserId,
+            const TIntrusiveConstPtr<NACLib::TUserToken> userToken,
             const TVector<TString>& secretNames,
             NThreading::TPromise<TEvDescribeSecretsResponse::TDescription> promise
         )
-            : UserToken(NACLib::TUserToken{ownerUserId, TVector<NACLib::TSID>{}})
+            : UserToken(userToken)
             , SecretNames(secretNames)
             , Promise(promise)
         {
         }
 
     public:
-        const NACLib::TUserToken UserToken;
+        const TIntrusiveConstPtr<NACLib::TUserToken> UserToken;
         const TVector<TString> SecretNames;
         NThreading::TPromise<TEvDescribeSecretsResponse::TDescription> Promise;
     };
@@ -74,7 +74,7 @@ class TDescribeSchemaSecretsService: public NActors::TActorBootstrapped<TDescrib
 
     void FillResponse(const ui64& requestId, const TEvDescribeSecretsResponse::TDescription& response);
     void SaveIncomingRequestInfo(const TEvResolveSecret& req);
-    void SendSchemeCacheRequests(const TVector<TString>& secretNames, const NACLib::TUserToken& userToken);
+    void SendSchemeCacheRequests(const TVector<TString>& secretNames, const TIntrusiveConstPtr<NACLib::TUserToken> userToken);
     bool LocalCacheHasActualVersion(const TVersionedSecret& secret, const ui64& cacheSecretVersion);
     bool LocalCacheHasActualObject(const TVersionedSecret& secret, const ui64& cacheSecretPathId);
     bool HandleSchemeCacheErrorsIfAny(const ui64& requestId, NSchemeCache::TSchemeCacheNavigate& result);
@@ -104,9 +104,18 @@ class TDescribeSchemaSecretsService: public NActors::TActorBootstrapped<TDescrib
     ISecretUpdateListener* SecretUpdateListener;
 };
 
-void RegisterDescribeSecretsActor(const TActorId& replyActorId, const TString& ownerUserId, const std::vector<TString>& secretIds, TActorSystem* actorSystem);
-
-NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeExternalDataSourceSecrets(const NKikimrSchemeOp::TAuth& authDescription, const TString& ownerUserId, TActorSystem* actorSystem);
+void RegisterDescribeSecretsActor(
+    const NActors::TActorId& replyActorId,
+    const TIntrusiveConstPtr<NACLib::TUserToken> userToken,
+    const std::vector<TString>& secretIds,
+    NActors::TActorSystem* actorSystem
+);
+
+NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeExternalDataSourceSecrets(
+    const NKikimrSchemeOp::TAuth& authDescription,
+    const TIntrusiveConstPtr<NACLib::TUserToken> userToken,
+    TActorSystem* actorSystem
+);
 
 IActor* CreateDescribeSchemaSecretsService();
 

ydb/core/kqp/federated_query/kqp_federated_query_actors_ut.cpp

@@ -26,23 +26,30 @@ namespace {
     }
 
     NThreading::TPromise<NKikimr::NKqp::TEvDescribeSecretsResponse::TDescription>
-    ResolveSecret(const TVector<TString>& secretNames, NKikimr::NKqp::TKikimrRunner& kikimr, const TString& userId = "") {
+    ResolveSecret(const TVector<TString>& secretNames, NKikimr::NKqp::TKikimrRunner& kikimr, const TIntrusiveConstPtr<NACLib::TUserToken> userToken = nullptr) {
         auto promise = NThreading::NewPromise<NKikimr::NKqp::TEvDescribeSecretsResponse::TDescription>();
-        const auto evResolveSecret = new NKikimr::NKqp::TDescribeSchemaSecretsService::TEvResolveSecret(userId, secretNames, promise);
+        const auto evResolveSecret = new NKikimr::NKqp::TDescribeSchemaSecretsService::TEvResolveSecret(userToken, secretNames, promise);
         auto actorSystem = kikimr.GetTestServer().GetRuntime()->GetActorSystem(0);
         actorSystem->Send(NKikimr::NKqp::MakeKqpDescribeSchemaSecretServiceId(actorSystem->NodeId), evResolveSecret);
         return promise;
     }
 
     NThreading::TPromise<NKikimr::NKqp::TEvDescribeSecretsResponse::TDescription>
-    ResolveSecret(const TString& secretName, NKikimr::NKqp::TKikimrRunner& kikimr, const TString& userId = "") {
-        return ResolveSecret(TVector<TString>{secretName}, kikimr, userId);
+    ResolveSecret(const TString& secretName, NKikimr::NKqp::TKikimrRunner& kikimr, const TIntrusiveConstPtr<NACLib::TUserToken> userToken = nullptr) {
+        return ResolveSecret(TVector<TString>{secretName}, kikimr, userToken);
     }
 
     void AssertBadRequest(NThreading::TPromise<NKikimr::NKqp::TEvDescribeSecretsResponse::TDescription> promise, const TString& err) {
         UNIT_ASSERT_VALUES_EQUAL(Ydb::StatusIds::BAD_REQUEST, promise.GetFuture().GetValueSync().Status);
         UNIT_ASSERT_VALUES_EQUAL(err, promise.GetFuture().GetValueSync().Issues.ToString());
     }
+
+    TIntrusiveConstPtr<NACLib::TUserToken> GetUserToken(const TString& userSid = "", const TVector<TString>& groupSids = {}) {
+        if (userSid.empty() && groupSids.empty()) {
+            return nullptr;
+        }
+        return new NACLib::TUserToken(userSid, groupSids);
+    }
 }
 
 Y_UNIT_TEST_SUITE(DescribeSchemaSecretsService) {
@@ -201,11 +208,12 @@ Y_UNIT_TEST_SUITE(DescribeSchemaSecretsService) {
 
         CreateSchemaSecret(secretName, secretValue, adminSession);
 
-        auto promise = ResolveSecret(secretName, kikimr, "root@builtin");
+        auto promise = ResolveSecret(secretName, kikimr, GetUserToken("root@builtin"));
         UNIT_ASSERT_VALUES_EQUAL(secretValue, promise.GetFuture().GetValueSync().SecretValues[0]);
 
+        const auto userToken = GetUserToken("user@builtin");
         { // assert no grants by default
-            auto promise = ResolveSecret("/Root/secret-name", kikimr, "user@builtin");
+            auto promise = ResolveSecret("/Root/secret-name", kikimr, userToken);
             AssertBadRequest(promise, "<main>: Error: secret `/Root/secret-name` not found\n");
         }
 
@@ -216,7 +224,7 @@ Y_UNIT_TEST_SUITE(DescribeSchemaSecretsService) {
         UNIT_ASSERT_C(grantResult.GetStatus() == NYdb::EStatus::SUCCESS, grantResult.GetIssues().ToString());
 
         { // assert grants are ok
-            auto promise = ResolveSecret("/Root/secret-name", kikimr, "user@builtin");
+            auto promise = ResolveSecret("/Root/secret-name", kikimr, userToken);
             UNIT_ASSERT_VALUES_EQUAL(secretValue, promise.GetFuture().GetValueSync().SecretValues[0]);
         }
 
@@ -227,7 +235,54 @@ Y_UNIT_TEST_SUITE(DescribeSchemaSecretsService) {
         UNIT_ASSERT_C(revokeResult.GetStatus() == NYdb::EStatus::SUCCESS, grantResult.GetIssues().ToString());
 
         { // assert no grants after revoking
-            auto promise = ResolveSecret("/Root/secret-name", kikimr, "user@builtin");
+            auto promise = ResolveSecret("/Root/secret-name", kikimr, userToken);
+            AssertBadRequest(promise, "<main>: Error: secret `/Root/secret-name` not found\n");
+        }
+    }
+
+    Y_UNIT_TEST(GroupGrants) {
+        NKikimr::NKqp::TKikimrRunner kikimr;
+        kikimr.GetTestServer().GetRuntime()->GetAppData(0).FeatureFlags.SetEnableSchemaSecrets(true);
+
+        const TString secretName = "/Root/secret-name";
+        const TString secretValue = "secret-value";
+        auto adminSession = kikimr.GetTableClient(NYdb::NTable::TClientSettings().AuthToken("root@builtin"))
+            .CreateSession().GetValueSync().GetSession();
+
+        CreateSchemaSecret(secretName, secretValue, adminSession);
+
+        auto promise = ResolveSecret(secretName, kikimr, GetUserToken("root@builtin"));
+        UNIT_ASSERT_VALUES_EQUAL(secretValue, promise.GetFuture().GetValueSync().SecretValues[0]);
+
+        const auto userToken = GetUserToken("user@builtin", {"group"});
+        { // assert no grants by default
+            auto promise = ResolveSecret("/Root/secret-name", kikimr, userToken);
+            AssertBadRequest(promise, "<main>: Error: secret `/Root/secret-name` not found\n");
+        }
+
+        const auto createGroupResult = adminSession.ExecuteSchemeQuery(
+            Sprintf("CREATE GROUP `group` WITH USER `user@builtin`;")
+        ).GetValueSync();
+        UNIT_ASSERT_C(createGroupResult.GetStatus() == NYdb::EStatus::SUCCESS, createGroupResult.GetIssues().ToString());
+
+        const auto grantResult = adminSession.ExecuteSchemeQuery(
+            Sprintf("GRANT 'ydb.granular.select_row' ON `%s` TO `%s`;", secretName.data(), "group")
+        ).GetValueSync();
+        UNIT_ASSERT_C(grantResult.GetStatus() == NYdb::EStatus::SUCCESS, grantResult.GetIssues().ToString());
+
+        { // assert group grants are ok
+            auto promise = ResolveSecret("/Root/secret-name", kikimr, userToken);
+            UNIT_ASSERT_VALUES_EQUAL(secretValue, promise.GetFuture().GetValueSync().SecretValues[0]);
+        }
+
+        // revoke grants
+        const auto revokeResult = adminSession.ExecuteSchemeQuery(
+            Sprintf("REVOKE 'ydb.granular.select_row' ON `%s` FROM `%s`;", secretName.data(), "group")
+        ).GetValueSync();
+        UNIT_ASSERT_C(revokeResult.GetStatus() == NYdb::EStatus::SUCCESS, grantResult.GetIssues().ToString());
+
+        { // assert no grants after revoking
+            auto promise = ResolveSecret("/Root/secret-name", kikimr, userToken);
             AssertBadRequest(promise, "<main>: Error: secret `/Root/secret-name` not found\n");
         }
     }
@@ -331,8 +386,9 @@ Y_UNIT_TEST_SUITE(DescribeSchemaSecretsService) {
         ).GetValueSync();
         UNIT_ASSERT_C(grantResult.GetStatus() == NYdb::EStatus::SUCCESS, grantResult.GetIssues().ToString());
 
+        auto userToken = GetUserToken("user@builtin");
         { // user has grants for names[0], has no grants for names[1]
-            auto promise = ResolveSecret({names[0], names[1]}, kikimr, "user@builtin");
+            auto promise = ResolveSecret({names[0], names[1]}, kikimr, userToken);
             AssertBadRequest(promise, "<main>: Error: secret `/Root/secret-name-1` not found\n");
         }
 
@@ -342,7 +398,7 @@ Y_UNIT_TEST_SUITE(DescribeSchemaSecretsService) {
         UNIT_ASSERT_C(grantResult.GetStatus() == NYdb::EStatus::SUCCESS, grantResult.GetIssues().ToString());
 
         { // user has grants for all names[0]
-            auto promise = ResolveSecret({names[0], names[1]}, kikimr, "user@builtin");
+            auto promise = ResolveSecret({names[0], names[1]}, kikimr, userToken);
             for (size_t i = 0; i < values.size(); ++i) {
                 UNIT_ASSERT_VALUES_EQUAL(values[i], promise.GetFuture().GetValueSync().SecretValues[i]);
             }

ydb/core/kqp/finalize_script_service/kqp_finalize_script_actor.cpp

@@ -226,7 +226,7 @@ class TScriptFinalizerActor : public TActorBootstrapped<TScriptFinalizerActor> {
     TString CustomerSuppliedId;
     std::vector<NKqpProto::TKqpExternalSink> Sinks;
 
-    TString UserToken;
+    TIntrusiveConstPtr<NACLib::TUserToken> UserToken;
     std::vector<TString> SecretNames;
     std::unordered_map<TString, TString> SecureParams;
 };

ydb/core/kqp/gateway/behaviour/external_data_source/manager.cpp

@@ -24,8 +24,8 @@ using TYqlConclusion = TConclusionImpl<TYqlConclusionStatus, TValue>;
 
 TAsyncStatus ValidateExternalDatasourceSecrets(const NKikimrSchemeOp::TExternalDataSourceDescription& externalDataSourceDesc, const TExternalDataSourceManager::TInternalModificationContext& context) {
     const auto& externalData = context.GetExternalData();
-    const auto& userToken = externalData.GetUserToken();
-    auto describeFuture = DescribeExternalDataSourceSecrets(externalDataSourceDesc.GetAuth(), userToken ? userToken->GetUserSID() : "", externalData.GetActorSystem());
+    const std::optional<NACLib::TUserToken>& userToken = externalData.GetUserToken();
+    auto describeFuture = DescribeExternalDataSourceSecrets(externalDataSourceDesc.GetAuth(), userToken ? new NACLib::TUserToken(*userToken) : nullptr, externalData.GetActorSystem());
 
     return describeFuture.Apply([](const NThreading::TFuture<TEvDescribeSecretsResponse::TDescription>& f) {
         if (const auto& value = f.GetValue(); value.Status != Ydb::StatusIds::SUCCESS) {

ydb/core/kqp/gateway/kqp_metadata_loader.cpp

@@ -574,7 +574,7 @@ void UpdateExternalDataSourceSecretsValue(TTableMetadataResult& externalDataSour
 
 NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> LoadExternalDataSourceSecretValues(const NSchemeCache::TSchemeCacheNavigate::TEntry& entry, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TActorSystem* actorSystem) {
     const auto& authDescription = entry.ExternalDataSourceInfo->Description.GetAuth();
-    return DescribeExternalDataSourceSecrets(authDescription, userToken ? userToken->GetUserSID() : "", actorSystem);
+    return DescribeExternalDataSourceSecrets(authDescription, userToken, actorSystem);
 }
 
 } // anonymous namespace