From 92d5d9f6ea69fb28312f4a33117a7b5a7183ba2d Mon Sep 17 00:00:00 2001
From: Vasily Gerasimov
Date: Thu, 9 May 2024 12:40:58 +0000
Subject: [PATCH] EnforceUserTokenCheckRequirement option: require token check if token was specified
---
 ydb/core/base/appdata_fwd.h | 1 +
 ydb/core/driver_lib/run/run.cpp | 1 +
 ydb/core/grpc_services/grpc_request_proxy.cpp | 2 +-
 ydb/core/protos/config.proto | 1 +
 ydb/core/security/secure_request.h | 23 +++++++++++++++++--
 ydb/core/testlib/test_client.cpp | 1 +
 6 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/ydb/core/base/appdata_fwd.h b/ydb/core/base/appdata_fwd.h
index bcb70177ed19..d8befc945e13 100644
--- a/ydb/core/base/appdata_fwd.h
+++ b/ydb/core/base/appdata_fwd.h
@@ -233,6 +233,7 @@ struct TAppData {
 NKikimrConfig::TBackgroundCleaningConfig& BackgroundCleaningConfig;
 NKikimrConfig::TGraphConfig& GraphConfig;
 bool EnforceUserTokenRequirement = false;
+ bool EnforceUserTokenCheckRequirement = true; // check token if it was specified
 bool AllowHugeKeyValueDeletes = true; // delete when all clients limit deletes per request
 bool EnableKqpSpilling = false;
 bool AllowShadowDataInSchemeShardForTests = false;
diff --git a/ydb/core/driver_lib/run/run.cpp b/ydb/core/driver_lib/run/run.cpp
index 57805f87bfd1..970b06183a2b 100644
--- a/ydb/core/driver_lib/run/run.cpp
+++ b/ydb/core/driver_lib/run/run.cpp
@@ -212,6 +212,7 @@ class TDomainsInitializer : public IAppDataInitializer {
 const auto& securityConfig(Config.GetDomainsConfig().GetSecurityConfig());
 appData->EnforceUserTokenRequirement = securityConfig.GetEnforceUserTokenRequirement();
+ appData->EnforceUserTokenCheckRequirement = securityConfig.GetEnforceUserTokenCheckRequirement();
 if (securityConfig.AdministrationAllowedSIDsSize() > 0) {
 TVector administrationAllowedSIDs(securityConfig.GetAdministrationAllowedSIDs().begin(), securityConfig.GetAdministrationAllowedSIDs().end());
 appData->AdministrationAllowedSIDs = std::move(administrationAllowedSIDs);
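Review bot: The in-class initializer `bool EnforceUserTokenCheckRequirement = true;` in TAppData disagrees with the `[default = false]` given to the same option in config.proto, and the run.cpp and test_client.cpp hunks overwrite the member unconditionally from `GetEnforceUserTokenCheckRequirement()`. On every path that runs those initializers the effective default is therefore the proto's `false`; the `true` here would only survive in a TAppData that is never filled from config (other initializers are not visible in this patch). Going by the config.proto comment, the off state is the permissive one, where a token that fails validation is handled as if none had been sent, so the default should be chosen deliberately and stated once. If `false` is kept for compatibility, make the member agree and say so: `bool EnforceUserTokenCheckRequirement = false; // mirrors TSecurityConfig default; true = a supplied token must validate`.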
diff --git a/ydb/core/grpc_services/grpc_request_proxy.cpp b/ydb/core/grpc_services/grpc_request_proxy.cpp index 18c99a16d953..2838d2b66eed 100644 --- a/ydb/core/grpc_services/grpc_request_proxy.cpp +++ b/ydb/core/grpc_services/grpc_request_proxy.cpp @@ -187,7 +187,7 @@ class TGRpcRequestProxyImpl databaseName = CanonizePath(maybeDatabaseName.GetRef()); } else { if (!AllowYdbRequestsWithoutDatabase && DynamicNode) { - requestBaseCtx->ReplyUnauthenticated("Requests without specified database is not allowed"); + requestBaseCtx->ReplyUnauthenticated("Requests without specified database are not allowed"); requestBaseCtx->FinishSpan(); return; } else { diff --git a/ydb/core/protos/config.proto b/ydb/core/protos/config.proto index 17049b6f0f76..6cf8b7ad2585 100644 --- a/ydb/core/protos/config.proto +++ b/ydb/core/protos/config.proto @@ -232,6 +232,7 @@ message TDomainsConfig { message TSecurityConfig { optional bool EnforceUserTokenRequirement = 1 [default = false]; + optional bool EnforceUserTokenCheckRequirement = 7 [default = false]; // Check if a token was specified // If not, or if the token was incorrect or access was denied, the request will be handled as if no token was provided repeated string MonitoringAllowedSIDs = 2; repeated string AdministrationAllowedSIDs = 3; repeated string DefaultUserSIDs = 4; diff --git a/ydb/core/security/secure_request.h b/ydb/core/security/secure_request.h index c18c83d4b063..0ff6e4012f6c 100644 --- a/ydb/core/security/secure_request.h +++ b/ydb/core/security/secure_request.h @@ -20,6 +20,10 @@ class TSecureRequestActor : public TBase { return AppData()->EnforceUserTokenRequirement; } + static bool GetEnforceUserTokenCheckRequirement() { + return AppData()->EnforceUserTokenCheckRequirement; + } + static const TVector& GetAdministrationAllowedSIDs() { return AppData()->AdministrationAllowedSIDs; } 
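Review bot: The comment attached to `EnforceUserTokenCheckRequirement = 7` in TSecurityConfig is ambiguous where an operator most needs it to be clear: "If not" can be read as "if no token was specified" or as "if this option is off", and in this view it is not even certain whether the second `//` run belongs to the new field's line. This field decides whether a bad token fails the request or is silently downgraded to anonymous handling, so both states should be spelled out, for example `// true: a token that was supplied must pass validation` and `// false (default): a missing, invalid or denied token is handled as if no token was provided`. What exactly happens to the request when validation fails is not visible in this patch, so the wording for the `true` case should be confirmed against the actor that consumes IsTokenRequired().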
@@ -137,7 +141,23 @@ class TSecureRequestActor : public TBase { public: bool IsTokenRequired() const { - return GetEnforceUserTokenRequirement() || (RequireAdminAccess && !GetAdministrationAllowedSIDs().empty()); + if (GetEnforceUserTokenRequirement()) { + return true; + } + + // Admin access + if (RequireAdminAccess && !GetAdministrationAllowedSIDs().empty()) { + return true; + } + + // Acts in case of !EnforceUserTokenRequirement: If user specify token, + // it is checked and required to be valid for futher usage of YDB. + // If user doesn't specify token, no checks are made. + if (GetEnforceUserTokenCheckRequirement() && IsTokenExists()) { + return true; + } + + return false; } void Bootstrap(const TActorContext& ctx) { @@ -185,4 +205,3 @@ class TActorBootstrappedSecureRequest : public TSecureRequestActorNetClassifierConfig); appData.StreamingConfig.MergeFrom(Settings->AppConfig->GetGRpcConfig().GetStreamingConfig()); appData.EnforceUserTokenRequirement = Settings->AppConfig->GetDomainsConfig().GetSecurityConfig().GetEnforceUserTokenRequirement(); + appData.EnforceUserTokenCheckRequirement = Settings->AppConfig->GetDomainsConfig().GetSecurityConfig().GetEnforceUserTokenCheckRequirement(); appData.DomainsConfig.MergeFrom(Settings->AppConfig->GetDomainsConfig()); appData.ColumnShardConfig.MergeFrom(Settings->AppConfig->GetColumnShardConfig()); appData.PersQueueGetReadSessionsInfoWorkerFactory = Settings->PersQueueGetReadSessionsInfoWorkerFactory.get();
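Review bot: Nothing in this commit exercises the new `GetEnforceUserTokenCheckRequirement() && IsTokenExists()` branch of IsTokenRequired(); the diffstat lists only the one-line testlib wiring in test_client.cpp. This branch is what separates "invalid token is rejected" from "invalid token is treated as anonymous", so it should have tests for flag on with an invalid token, flag on with no token, and flag off with an invalid token. IsTokenExists() is defined outside the hunk, so it cannot be seen here whether an empty token string counts as "specified"; that case should be pinned by a test as well. The explanatory comment also has typos ("specify", "futher") and could read `// Applies when EnforceUserTokenRequirement is off: a token that was supplied must be valid;` followed by `// requests that carry no token are not checked.`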