Describe users even they haven't been logged in (#12574)
kunga authored Dec 12, 2024
1 parent 1b88031 commit d779ea8
Showing 4 changed files with 43 additions and 17 deletions.
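--- a/ydb/core/grpc_services/grpc_request_proxy.cpp
+++ b/ydb/core/grpc_services/grpc_request_proxy.cpp
@@ -479,7 +479,8 @@ void TGRpcRequestProxyImpl::HandleSchemeBoard(TSchemeBoardEvents::TEvNotifyUpdat
 }
 
 if (describeScheme.GetPathDescription().HasDomainDescription()
-&& describeScheme.GetPathDescription().GetDomainDescription().HasSecurityState()) {
+&& describeScheme.GetPathDescription().GetDomainDescription().HasSecurityState()
+&& describeScheme.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() > 0) {
 LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_SERVER, "Updating SecurityState for " << databaseName);
 Send(MakeTicketParserID(), new TEvTicketParser::TEvUpdateLoginSecurityState(
 describeScheme.GetPathDescription().GetDomainDescription().GetSecurityState()
@@ -489,6 +490,8 @@ void TGRpcRequestProxyImpl::HandleSchemeBoard(TSchemeBoardEvents::TEvNotifyUpdat
 LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_SERVER, "Can't update SecurityState for " << databaseName << " - no DomainDescription");
 } else if (!describeScheme.GetPathDescription().GetDomainDescription().HasSecurityState()) {
 LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_SERVER, "Can't update SecurityState for " << databaseName << " - no SecurityState");
+} else if (describeScheme.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() == 0) {
+LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_SERVER, "Can't update SecurityState for " << databaseName << " - no PublicKeys");
 }
 }
 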
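Review bot: The added `PublicKeysSize() > 0` condition in HandleSchemeBoard means a SecurityState with an empty key list is never forwarded to the ticket parser, so if a database's key set ever went from non-empty to empty the parser would presumably keep the keys it received last; the handler for TEvUpdateLoginSecurityState is not visible here, so this is worth confirming. If skipping is intended, a comment above the condition would record why, e.g. `// No public keys yet (nobody has logged in): nothing for the ticket parser to validate against`. The last branch of the logging chain, `else if (...PublicKeysSize() == 0)`, appears to be always true once reached and could be a plain `else`. The function body begins and ends outside both hunks.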
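--- a/ydb/core/tx/schemeshard/schemeshard_info_types.h
+++ b/ydb/core/tx/schemeshard/schemeshard_info_types.h
@@ -2012,10 +2012,6 @@ struct TSubDomainInfo: TSimpleRefCount<TSubDomainInfo> {
 DiskQuotaExceeded = value;
 }
 
-bool HasSecurityState() const {
-return SecurityState.PublicKeysSize() > 0;
-}
-
 const NLoginProto::TSecurityState& GetSecurityState() const {
 return SecurityState;
 }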
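--- a/ydb/core/tx/schemeshard/schemeshard_path_describer.cpp
+++ b/ydb/core/tx/schemeshard/schemeshard_path_describer.cpp
@@ -939,9 +939,7 @@ void TPathDescriber::DescribeDomainExtra(TPathElement::TPtr pathEl) {
 for (auto& pool: subDomainInfo->GetStoragePools()) {
 *entry->AddStoragePools() = pool;
 }
-if (subDomainInfo->HasSecurityState()) {
-entry->MutableSecurityState()->CopyFrom(subDomainInfo->GetSecurityState());
-}
+entry->MutableSecurityState()->CopyFrom(subDomainInfo->GetSecurityState());
 }
 
 void TPathDescriber::DescribeBlockStoreVolume(TPathId pathId, TPathElement::TPtr pathEl) {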
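Review bot: With the `HasSecurityState()` guard gone in DescribeDomainExtra, every domain description now carries a SecurityState, Sids list included, before any login has produced keys, so any reader that treated `HasSecurityState()` on the description as "keys are present" changes behaviour. Only grpc_request_proxy.cpp is adjusted in this commit; other consumers are not visible here and should be checked for the same assumption. A short comment on the new line would help, e.g. `// Always exported: Sids exist before the first login; PublicKeys may still be empty`. The function starts above the hunk.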
47 changes: 38 additions & 9 deletions ydb/core/tx/schemeshard/ut_login/ut_login.cpp
@@ -40,20 +40,49 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
TTestBasicRuntime runtime;
TTestEnv env(runtime);
ui64 txId = 100;

{
auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
Cerr << describe.DebugString() << Endl;
UNIT_ASSERT(describe.HasPathDescription());
UNIT_ASSERT(describe.GetPathDescription().HasDomainDescription());
UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
UNIT_ASSERT_VALUES_EQUAL(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize(), 0);
UNIT_ASSERT_VALUES_EQUAL(describe.GetPathDescription().GetDomainDescription().GetSecurityState().SidsSize(), 0);
}

CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");

{
auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
UNIT_ASSERT(describe.HasPathDescription());
UNIT_ASSERT(describe.GetPathDescription().HasDomainDescription());
UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
UNIT_ASSERT_VALUES_EQUAL(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize(), 0);
UNIT_ASSERT_VALUES_EQUAL(describe.GetPathDescription().GetDomainDescription().GetSecurityState().SidsSize(), 1);
}

// public keys are filled after the first login
auto resultLogin = Login(runtime, "user1", "password1");
UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
UNIT_ASSERT(describe.HasPathDescription());
UNIT_ASSERT(describe.GetPathDescription().HasDomainDescription());
UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() > 0);

{
auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
UNIT_ASSERT(describe.HasPathDescription());
UNIT_ASSERT(describe.GetPathDescription().HasDomainDescription());
UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
UNIT_ASSERT_VALUES_EQUAL(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize(), 1);
UNIT_ASSERT_VALUES_EQUAL(describe.GetPathDescription().GetDomainDescription().GetSecurityState().SidsSize(), 1);
}

// check token
NLogin::TLoginProvider login;
login.UpdateSecurityState(describe.GetPathDescription().GetDomainDescription().GetSecurityState());
auto resultValidate = login.ValidateToken({.Token = resultLogin.token()});
UNIT_ASSERT_VALUES_EQUAL(resultValidate.User, "user1");
{
auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
NLogin::TLoginProvider login;
login.UpdateSecurityState(describe.GetPathDescription().GetDomainDescription().GetSecurityState());
auto resultValidate = login.ValidateToken({.Token = resultLogin.token()});
UNIT_ASSERT_VALUES_EQUAL(resultValidate.User, "user1");
}
}

Y_UNIT_TEST(DisableBuiltinAuthMechanism) {
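Review bot: `Cerr << describe.DebugString() << Endl;` in the first describe block looks like leftover debugging and prints the whole description, SecurityState included, into the test log; it can be dropped. The chain `describe.GetPathDescription().GetDomainDescription().GetSecurityState()` is repeated in every block, and a local `const auto& state = ...;` per block would keep the assertions readable. The test body starts above the hunk.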
