diff --git a/ydb/core/mon/async_http_mon.cpp b/ydb/core/mon/async_http_mon.cpp index d2c571ae9f4a..7eabb9f8409b 100644 --- a/ydb/core/mon/async_http_mon.cpp +++ b/ydb/core/mon/async_http_mon.cpp @@ -2,6 +2,7 @@ #include #include #include +#include #include #include @@ -246,21 +247,41 @@ class THttpMonLegacyActorRequest : public TActorBootstrappedGet()->Request; NHttp::THeaders headers(request->Headers); TStringBuilder response; TStringBuilder body; - body << "

401 Unauthorized

"; - if (!error.empty()) { - body << "

" << error << "

"; + const TString httpError = YdbToHttpError(result.Status); + body << "

" << httpError << "

"; + if (result.Issues) { + body << "

" << result.Issues.ToString() << "

"; } body << ""; TString origin = TString(headers["Origin"]); if (origin.empty()) { origin = "*"; } - response << "HTTP/1.1 401 Unauthorized\r\n"; + response << "HTTP/1.1 " << httpError << "\r\n"; response << "Access-Control-Allow-Origin: " << origin << "\r\n"; response << "Access-Control-Allow-Credentials: true\r\n"; response << "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept\r\n"; @@ -291,17 +312,20 @@ class THttpMonLegacyActorRequest : public TActorBootstrappedGet()->Request; if (ActorMonPage->Authorizer) { - TString user = authorizeResult ? authorizeResult->Token->GetUserSID() : "anonymous"; + TString user = (result && result->UserToken) ? result->UserToken->GetUserSID() : "anonymous"; LOG_NOTICE_S(*TlsActivationContext, NActorsServices::HTTP, (request->Address ? request->Address->ToString() : "") << " " << user << " " << request->Method << " " << request->URL); } - TString serializedToken = authorizeResult ? authorizeResult->SerializedToken : ""; + TString serializedToken; + if (result && result->UserToken) { + serializedToken = result->UserToken->GetSerializedToken(); + } Send(ActorMonPage->TargetActorId, new NMon::TEvHttpInfo( Container, serializedToken), IEventHandle::FlagTrackDelivery); } @@ -325,14 +349,14 @@ class THttpMonLegacyActorRequest : public TActorBootstrappedGet()); - if (result.Error) { - return ReplyUnathorizedAndPassAway(result.Error.Message); + void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) { + const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get()); + if (result.Status != Ydb::StatusIds::SUCCESS) { + return ReplyErrorAndPassAway(result); } bool found = false; for (const TString& sid : ActorMonPage->AllowedSIDs) { - if (result.Token->IsExist(sid)) { + if (result.UserToken->IsExist(sid)) { found = true; break; } 
@@ -348,7 +372,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrappedGetTypeRewrite()) {
 hFunc(TEvents::TEvUndelivered, HandleUndelivered);
 hFunc(NMon::IEvHttpInfoRes, HandleResponse);
- hFunc(NKikimr::TEvTicketParser::TEvAuthorizeTicketResult, Handle);
+ hFunc(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult, Handle);
 }
 }
 };
diff --git a/ydb/core/mon/mon.cpp b/ydb/core/mon/mon.cpp
index 43215ebfc24c..c04e11dc42ed 100644
--- a/ydb/core/mon/mon.cpp
+++ b/ydb/core/mon/mon.cpp
@@ -2,9 +2,13 @@
 #include
 #include
+#include
 #include
+#include
+#include
+
 namespace NActors {
 using namespace NMonitoring;
@@ -12,6 +16,7 @@ using namespace NKikimr;
 namespace {
+/*
 const std::vector& GetEntries(const TString& ticket) {
 if (ticket.StartsWith("Bearer")) {
 if (AppData()->AuthConfig.GetUseAccessService()
@@ -25,6 +30,32 @@ const std::vector& GetEntr
 static std::vector emptyEntries = {};
 return emptyEntries;
 }
+*/
+
+TString GetDatabase(NMonitoring::IMonHttpRequest& request) {
+ if (const auto dbIt = request.GetParams().Find("database"); dbIt != request.GetParams().end()) {
+ return dbIt->second;
+ }
+ if (request.GetMethod() == HTTP_METHOD_POST) {
+ static NJson::TJsonReaderConfig JsonConfig;
+ NJson::TJsonValue requestData;
+ if (NJson::ReadJsonTree(request.GetPostContent(), &JsonConfig, &requestData)) {
+ return requestData["database"].GetString();
+ }
+ }
+ return {};
+}
+
+IEventHandle* GetRequestAuthAndCheckHandle(const NActors::TActorId& owner, const TString& database, const TString& ticket) {
+ return new NActors::IEventHandle(
+ NGRpcService::CreateGRpcRequestProxyId(),
+ owner,
+ new NKikimr::NGRpcService::TEvRequestAuthAndCheck(
+ database,
+ ticket ? TMaybe(ticket) : Nothing()),
+ IEventHandle::FlagTrackDelivery
+ );
+}
 } // namespace 
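Review bot: GetEntries is disabled by wrapping it in `/* ... */` rather than deleted, even though its only caller, GetAuthorizeTicketHandle, is removed later in this same diff; commented-out code rots silently and hides the fact that the ticket-parser path is gone. Delete the function and its comment markers (the `+/*` and `+*/` lines in this and the following hunk) and rely on version control for the history. If it is intentionally kept for an upcoming change, a one-line `// TODO: ...` saying why, and until when, would make that explicit.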
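Review bot: GetDatabase has no comment describing its precedence or its fallback, yet both matter for anyone debugging an auth failure: the `database` query parameter wins over the body, the entire POST body is parsed as JSON whenever that parameter is absent, and a body that is not JSON or lacks the key silently yields an empty database, all before any credential has been checked. Add a header such as `// Database for the auth check: "database" query parameter first, then the "database" key of a JSON POST body; empty when neither is present or the body does not parse.` Separately, `static NJson::TJsonReaderConfig JsonConfig;` is only ever read through a const pointer, so `static const NJson::TJsonReaderConfig JsonConfig{};` states that and removes a mutable shared static from an actor-thread path. Whether the request layer bounds the body size before this parse cannot be told from the hunk.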
@@ -32,9 +63,9 @@ NActors::IEventHandle* SelectAuthorizationScheme(const NActors::TActorId& owner,
 TStringBuf ydbSessionId = request.GetCookie("ydb_session_id");
 TStringBuf authorization = request.GetHeader("Authorization");
 if (!authorization.empty()) {
- return GetAuthorizeTicketHandle(owner, TString(authorization));
+ return GetRequestAuthAndCheckHandle(owner, GetDatabase(request), TString(authorization));
 } else if (!ydbSessionId.empty()) {
- return GetAuthorizeTicketHandle(owner, TString("Login ") + TString(ydbSessionId));
+ return GetRequestAuthAndCheckHandle(owner, GetDatabase(request), TString("Login ") + TString(ydbSessionId));
 } else {
 return nullptr;
 }
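Review bot: `GetDatabase(request)` is spelled out in both credential branches; resolving it once makes it obvious that the header and cookie paths are scoped to the same database and keeps the body-parsing call in one place, e.g. `const TString database = GetDatabase(request);` above the `if`, then `return GetRequestAuthAndCheckHandle(owner, database, TString(authorization));` and the cookie counterpart. The only behavioural difference is one extra body parse when neither credential is present, which the `return nullptr` branch could avoid by testing the credentials first. A short comment that the Authorization header takes precedence over the session cookie would also help readers of this function. SelectAuthorizationScheme's signature line sits above the hunk.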
@@ -45,35 +76,26 @@ NActors::IEventHandle* GetAuthorizeTicketResult(const NActors::TActorId& owner)
 return new NActors::IEventHandle(
 owner,
 owner,
- new NKikimr::TEvTicketParser::TEvAuthorizeTicketResult(TString(), {
- .Message = "No security credentials were provided",
- .Retryable = false
- })
+ new NKikimr::NGRpcService::TEvRequestAuthAndCheckResult(
+ Ydb::StatusIds::UNAUTHORIZED,
+ "No security credentials were provided")
 );
 } else if (!NKikimr::AppData()->DefaultUserSIDs.empty()) {
 TIntrusivePtr token = new NACLib::TUserToken(NKikimr::AppData()->DefaultUserSIDs);
 return new NActors::IEventHandle(
 owner,
 owner,
- new NKikimr::TEvTicketParser::TEvAuthorizeTicketResult(TString(), token)
+ new NKikimr::NGRpcService::TEvRequestAuthAndCheckResult(
+ {},
+ {},
+ token
+ )
 );
 } else {
 return nullptr;
 }
 }
-IEventHandle* GetAuthorizeTicketHandle(const NActors::TActorId& owner, const TString& ticket) {
- return new NActors::IEventHandle(
- NKikimr::MakeTicketParserID(),
- owner,
- new NKikimr::TEvTicketParser::TEvAuthorizeTicket({
- .Ticket = ticket,
- .Entries = GetEntries(ticket),
- }),
- IEventHandle::FlagTrackDelivery
- );
-}
-
 IMonPage* TMon::RegisterActorPage(TIndexMonPage* index, const TString& relPath, const TString& title, bool preTag, TActorSystem* actorSystem, const TActorId& actorId, bool useAuth, bool sortPages) {
 return RegisterActorPage({
diff --git a/ydb/core/mon/mon.h b/ydb/core/mon/mon.h
index f1ace0d40de6..69373811a836 100644
--- a/ydb/core/mon/mon.h
+++ b/ydb/core/mon/mon.h
@@ -13,7 +13,6 @@ namespace NActors {
-IEventHandle* GetAuthorizeTicketHandle(const NActors::TActorId& owner, const TString& ticket);
 IEventHandle* SelectAuthorizationScheme(const NActors::TActorId& owner, NMonitoring::IMonHttpRequest& request);
 IEventHandle* GetAuthorizeTicketResult(const NActors::TActorId& owner);
diff --git a/ydb/core/mon/ya.make b/ydb/core/mon/ya.make
index acb89c15cf45..a2bd7c8a6b11 100644
--- a/ydb/core/mon/ya.make
+++ b/ydb/core/mon/ya.make
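Review bot: The DefaultUserSIDs branch builds `TEvRequestAuthAndCheckResult({}, {}, token)` with two value-initialised leading arguments, whereas the no-credentials branch passes an explicit `Ydb::StatusIds::UNAUTHORIZED`; if that first `{}` lands on the status field, a protobuf enum's default is normally its unspecified value rather than SUCCESS, and Handle in async_http_mon.cpp replies with an error for anything other than SUCCESS, which would silently lock out the default-user path. Confirm that the three-argument constructor sets SUCCESS itself; if it does not, pass it explicitly, e.g. `Ydb::StatusIds::SUCCESS,` as the first argument. Either way, naming the two empty arguments in inline comments once their meaning is confirmed would spare the next reader the same question. The constructor signatures are not part of this diff, so this is inferred.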
@@ -13,6 +13,7 @@ SRCS(
 PEERDIR(
 ydb/library/actors/core
+ library/cpp/json
 library/cpp/lwtrace/mon
 library/cpp/string_utils/url
 ydb/core/base