KIKIMR-20378: Enable IAM BulkAuthorization #911

Merged
merged 4 commits into from
Jan 19, 2024
1 change: 1 addition & 0 deletions ydb/core/protos/feature_flags.proto
Expand Up @@ -126,4 +126,5 @@ message TFeatureFlags {
optional bool UseVDisksBalancing = 111 [default = false];
optional bool EnableViews = 112 [default = false];
optional bool EnableServerlessExclusiveDynamicNodes = 113 [default = false];
optional bool EnableAccessServiceBulkAuthorization = 114 [default = false];
}
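Review bot: The new field `EnableAccessServiceBulkAuthorization = 114` carries no comment, unlike a reader would want for a flag that switches which authorization call the ticket parser makes. The PR title and the test names suggest it selects a bulk (multi-permission, single round trip) authorization path against the IAM Access Service, but that is inferred rather than visible here, so the comment should be confirmed against `ticket_parser_impl.h`. A one-line leading comment such as `// Route ticket-parser permission checks through AccessService bulk authorization (off by default). -- TODO confirm wording against ticket_parser_impl.h` would do; the `default = false` keeps existing deployments on the current path until the flag is turned on explicitly.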
292 changes: 241 additions & 51 deletions ydb/core/security/ticket_parser_impl.h


124 changes: 108 additions & 16 deletions ydb/core/security/ticket_parser_ut.cpp
Expand Up @@ -1158,7 +1158,8 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT_VALUES_EQUAL(result->Token->GetUserSID(), "user1@as");
}

Y_UNIT_TEST(AuthorizationRetryError) {
template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void AuthorizationRetryError() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1174,6 +1175,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetUseStaff(false);
authConfig.SetMinErrorRefreshTime("300ms");
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1185,7 +1187,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
client.InitRootScheme();

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder;
builder.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder.BuildAndStart());
Expand Down Expand Up @@ -1220,7 +1222,16 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT(!result->Token->IsExist("something.write-bbbb4554@as"));
}

Y_UNIT_TEST(AuthorizationRetryErrorImmediately) {
Y_UNIT_TEST(AuthorizationRetryError) {
AuthorizationRetryError<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorizationRetryError) {
AuthorizationRetryError<TTicketParserAccessServiceMockV2, true>();
}

template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void AuthorizationRetryErrorImmediately() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1236,6 +1247,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetUseStaff(false);
authConfig.SetRefreshPeriod("5s");
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1247,7 +1259,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
client.InitRootScheme();

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder;
builder.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder.BuildAndStart());
Expand Down Expand Up @@ -1280,6 +1292,14 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT(!result->Token->IsExist("something.write-bbbb4554@as"));
}

Y_UNIT_TEST(AuthorizationRetryErrorImmediately) {
AuthorizationRetryErrorImmediately<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorizationRetryErrorImmediately) {
AuthorizationRetryErrorImmediately<TTicketParserAccessServiceMockV2, true>();
}

Y_UNIT_TEST(AuthenticationUnsupported) {
using namespace Tests;

Expand Down Expand Up @@ -1371,7 +1391,8 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT_VALUES_EQUAL(result->Error.Message, "Unknown token");
}

Y_UNIT_TEST(Authorization) {
template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void Authorization() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1387,6 +1408,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetAccessServiceEndpoint(accessServiceEndpoint);
authConfig.SetUseStaff(false);
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1400,7 +1422,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
TString userToken = "user1";

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder;
builder.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder.BuildAndStart());
Expand All @@ -1419,6 +1441,18 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
UNIT_ASSERT(!result->Token->IsExist("something.write-bbbb4554@as"));

accessServiceMock.AllowedUserPermissions.insert("user1-something.connect");
runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
userToken,
{{"folder_id", "aaaa1234"}, {"database_id", "bbbb4554"}},
{"something.read", "something.connect", "something.list", "something.update"})), 0);
result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
UNIT_ASSERT(result->Error.empty());
UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
UNIT_ASSERT(result->Token->IsExist("something.connect-bbbb4554@as"));
UNIT_ASSERT(!result->Token->IsExist("something.list-bbbb4554@as"));
UNIT_ASSERT(!result->Token->IsExist("something.update-bbbb4554@as"));

// Authorization ApiKey successful.
runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
"ApiKey ApiKey-value-valid",
Expand Down Expand Up @@ -1514,7 +1548,16 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT(result->Token->IsExist("monitoring.view-gizmo@as"));
}

Y_UNIT_TEST(AuthorizationWithRequiredPermissions) {
Y_UNIT_TEST(Authorization) {
Authorization<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorization) {
Authorization<TTicketParserAccessServiceMockV2, true>();
}

template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void AuthorizationWithRequiredPermissions() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1529,6 +1572,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetAccessServiceEndpoint(accessServiceEndpoint);
authConfig.SetUseStaff(false);
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1542,7 +1586,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
TString userToken = "user1";

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder;
builder.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder.BuildAndStart());
Expand Down Expand Up @@ -1572,7 +1616,16 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT_VALUES_EQUAL(result->Error.Message, "something.write for folder_id aaaa1234 - Access Denied");
}

Y_UNIT_TEST(AuthorizationWithUserAccount) {
Y_UNIT_TEST(AuthorizationWithRequiredPermissions) {
AuthorizationWithRequiredPermissions<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorizationWithRequiredPermissions) {
AuthorizationWithRequiredPermissions<TTicketParserAccessServiceMockV2, true>();
}

template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void AuthorizationWithUserAccount() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1593,6 +1646,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetCacheAccessServiceAuthorization(false);
//
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1606,7 +1660,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
TString userToken = "user1";

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder1;
builder1.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder1.BuildAndStart());
Expand Down Expand Up @@ -1670,7 +1724,16 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT_VALUES_EQUAL(result->Token->GetUserSID(), "login1@passport");
}

Y_UNIT_TEST(AuthorizationWithUserAccount2) {
Y_UNIT_TEST(AuthorizationWithUserAccount) {
AuthorizationWithUserAccount<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorizationWithUserAccount) {
AuthorizationWithUserAccount<TTicketParserAccessServiceMockV2, true>();
}

template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void AuthorizationWithUserAccount2() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1688,6 +1751,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetUseUserAccountServiceTLS(false);
authConfig.SetUserAccountServiceEndpoint(userAccountServiceEndpoint);
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1701,7 +1765,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
TString userToken = "user1";

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder1;
builder1.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder1.BuildAndStart());
Expand Down Expand Up @@ -1735,7 +1799,16 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT_VALUES_EQUAL(result->Token->GetUserSID(), "login1@passport");
}

Y_UNIT_TEST(AuthorizationUnavailable) {
Y_UNIT_TEST(AuthorizationWithUserAccount2) {
AuthorizationWithUserAccount2<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorizationWithUserAccount2) {
AuthorizationWithUserAccount2<TTicketParserAccessServiceMockV2, true>();
}

template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void AuthorizationUnavailable() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1750,6 +1823,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetAccessServiceEndpoint(accessServiceEndpoint);
authConfig.SetUseStaff(false);
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1763,7 +1837,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
TString userToken = "user1";

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder;
builder.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder.BuildAndStart());
Expand All @@ -1785,7 +1859,16 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT_VALUES_EQUAL(result->Error.Message, "Service Unavailable");
}

Y_UNIT_TEST(AuthorizationModify) {
Y_UNIT_TEST(AuthorizationUnavailable) {
AuthorizationUnavailable<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorizationUnavailable) {
AuthorizationUnavailable<TTicketParserAccessServiceMockV2, true>();
}

template <typename TAccessServiceMock, bool EnableBulkAuthorization = false>
void AuthorizationModify() {
using namespace Tests;

TPortManager tp;
Expand All @@ -1800,6 +1883,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
authConfig.SetAccessServiceEndpoint(accessServiceEndpoint);
authConfig.SetUseStaff(false);
auto settings = TServerSettings(port, authConfig);
settings.SetEnableAccessServiceBulkAuthorization(EnableBulkAuthorization);
settings.SetDomainName("Root");
settings.CreateTicketParser = NKikimr::CreateTicketParser;
TServer server(settings);
Expand All @@ -1813,7 +1897,7 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
TString userToken = "user1";

// Access Server Mock
NKikimr::TAccessServiceMock accessServiceMock;
TAccessServiceMock accessServiceMock;
grpc::ServerBuilder builder;
builder.AddListeningPort(accessServiceEndpoint, grpc::InsecureServerCredentials()).RegisterService(&accessServiceMock);
std::unique_ptr<grpc::Server> accessServer(builder.BuildAndStart());
Expand Down Expand Up @@ -1845,5 +1929,13 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
UNIT_ASSERT(result->Token->IsExist("something.read-bbbb4554@as"));
UNIT_ASSERT(result->Token->IsExist("something.write-bbbb4554@as"));
}

Y_UNIT_TEST(AuthorizationModify) {
AuthorizationModify<NKikimr::TAccessServiceMock>();
}

Y_UNIT_TEST(BulkAuthorizationModify) {
AuthorizationModify<TTicketParserAccessServiceMockV2, true>();
}
}
}
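Review bot: The template helpers introduced in this file (`AuthorizationRetryError`, `AuthorizationRetryErrorImmediately`, `Authorization`, `AuthorizationWithRequiredPermissions`, `AuthorizationWithUserAccount`, `AuthorizationWithUserAccount2`, `AuthorizationUnavailable`, `AuthorizationModify`) take `TAccessServiceMock` as an unconstrained type parameter but implicitly require a specific interface — a default-constructible gRPC service that can be passed to `RegisterService`, and in `Authorization` an `AllowedUserPermissions` container — with nothing at the declaration saying so. A one-line comment above each helper (stated once and referenced by the others) would make the contract explicit, e.g. `// TAccessServiceMock: Access Service gRPC mock (v1 or v2 API); EnableBulkAuthorization selects the bulk-authorize path in the ticket parser.` In the new block of `Authorization` (the insert of `user1-something.connect` followed by a second `TEvAuthorizeTicket` for the same token), the expectations that `something.connect` is now granted while `something.list`/`something.update` are still absent depend on the parser re-querying the access service for a permission set it has not seen before rather than serving a cached per-token verdict; that assumption is what makes this a useful no-over-grant check and deserves a sentence in a comment, presumably `// second request uses a new permission set, so it must not be answered from the per-token cache`. The bodies of all the helpers start and end outside the visible hunks, so I could not confirm whether any of them leave mock state mutated in a way that affects later assertions in the same helper.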
1 change: 1 addition & 0 deletions ydb/core/testlib/basics/feature_flags.h
Expand Up @@ -56,6 +56,7 @@ class TTestFeatureFlagsHolder {
FEATURE_FLAG_SETTER(EnableUuidAsPrimaryKey)
FEATURE_FLAG_SETTER(EnableTablePgTypes)
FEATURE_FLAG_SETTER(EnableServerlessExclusiveDynamicNodes)
FEATURE_FLAG_SETTER(EnableAccessServiceBulkAuthorization)

#undef FEATURE_FLAG_SETTER
};