Configure cluster access resource Id for Nebius_v1 (#16614)

StekPerepolnen · StekPerepolnen · commit 47691b2a4e6d · 2025-05-15T15:44:07.000+02:00
diff --git a/ydb/core/grpc_services/grpc_request_check_actor.h b/ydb/core/grpc_services/grpc_request_check_actor.h
@@ -40,17 +40,36 @@ bool TGRpcRequestProxyHandleMethods::ValidateAndReplyOnError(TCtx* ctx) {
 }
 
 inline const TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry>& GetEntriesForAuthAndCheckRequest(TEvRequestAuthAndCheck::TPtr& ev) {
-    if (ev->Get()->YdbToken && ev->Get()->YdbToken->StartsWith("Bearer")) {
-        if (AppData()->AuthConfig.GetUseAccessService()
-            && (AppData()->DomainsConfig.GetSecurityConfig().ViewerAllowedSIDsSize() > 0 || AppData()->DomainsConfig.GetSecurityConfig().MonitoringAllowedSIDsSize() > 0)) {
-            static TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> entries = {
-                {NKikimr::TEvTicketParser::TEvAuthorizeTicket::ToPermissions({"ydb.developerApi.get", "ydb.developerApi.update"}), {{"gizmo_id", "gizmo"}}}
-            };
-            return entries;
+    const bool isBearerToken = ev->Get()->YdbToken && ev->Get()->YdbToken->StartsWith("Bearer");
+    const bool useAccessService = AppData()->AuthConfig.GetUseAccessService();
+    const bool hasClusterAccessResourceId = !AppData()->AuthConfig.GetClusterAccessResourceId().empty();
+    const bool needClusterAccessResourceCheck = AppData()->DomainsConfig.GetSecurityConfig().ViewerAllowedSIDsSize() > 0 ||
+                                AppData()->DomainsConfig.GetSecurityConfig().MonitoringAllowedSIDsSize() > 0;
+
+    if (!isBearerToken || !useAccessService || !hasClusterAccessResourceId || !needClusterAccessResourceCheck) {
+        static const TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> emptyEntries = {};
+        return emptyEntries;
+    }
+
+    auto makeEntries = []() -> TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> {
+        const TString& accessServiceType = AppData()->AuthConfig.GetAccessServiceType();
+        TVector<TString> permissions;
+        if (accessServiceType == "Yandex_v2") {
+            permissions = {"ydb.developerApi.get", "ydb.developerApi.update"};
+        } else if (accessServiceType == "Nebius_v1") {
+            permissions = {"ydb.clusters.get", "ydb.clusters.monitor", "ydb.clusters.manage"};
+        } else {
+            return {};
         }
-    }
-    static TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> emptyEntries = {};
-    return emptyEntries;
+        const TString& clusterAccessResourceId = AppData()->AuthConfig.GetClusterAccessResourceId();
+        TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> entries = {
+            {NKikimr::TEvTicketParser::TEvAuthorizeTicket::ToPermissions(permissions), {{"gizmo_id", clusterAccessResourceId}}}
+        };
+        return entries;
+    };
+
+    static TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> entries = makeEntries();
+    return entries;
 }
 
 template <typename TEvent>
diff --git a/ydb/core/protos/auth.proto b/ydb/core/protos/auth.proto
@@ -58,6 +58,7 @@ message TAuthConfig {
     optional string NodeRegistrationToken = 82 [default = "root@builtin", (Ydb.sensitive) = true];
     optional TPasswordComplexity PasswordComplexity = 83;
     optional TAccountLockout AccountLockout = 84;
+    optional string ClusterAccessResourceId = 85 [default = "gizmo"];
 }
 
 message TUserRegistryConfig {
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
@@ -479,6 +479,12 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
         if (const auto folderId = record.GetAttributeValue(permission, "folder_id"); folderId) {
             AddNebiusContainerId(pathsContainer, folderId);
         }
+
+        // Use attribute "gizmo_id" as container id that contains cluster access resource
+        // IAM can link roles for cluster access resource
+        if (const auto gizmoId = record.GetAttributeValue(permission, "gizmo_id"); gizmoId) {
+            AddNebiusContainerId(pathsContainer, gizmoId);
+        }
     }
 
     template <typename TTokenRecord>
diff --git a/ydb/core/security/ticket_parser_ut.cpp b/ydb/core/security/ticket_parser_ut.cpp
@@ -1661,19 +1661,17 @@ Y_UNIT_TEST_SUITE(TTicketParserTest) {
         UNIT_ASSERT_C(result->Error.empty(), result->Error);
         UNIT_ASSERT_C(result->Token->IsExist("something.read-bbbb4554@as"), result->Token->ShortDebugString());
 
-        if constexpr (!IsNebiusAccessService<TAccessServiceMock>()) {
-            // Authorization successful for gizmo resource
-            accessServiceMock.AllowedResourceIds.clear();
-            accessServiceMock.AllowedResourceIds.emplace("gizmo");
-            runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
-                                            userToken,
-                                            {{"gizmo_id", "gizmo"}, },
-                                            {"monitoring.view"})), 0);
-            result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
-            UNIT_ASSERT_C(result->Error.empty(), result->Error);
-            UNIT_ASSERT_C(result->Token->IsExist("monitoring.view@as"), result->Token->ShortDebugString());
-            UNIT_ASSERT_C(result->Token->IsExist("monitoring.view-gizmo@as"), result->Token->ShortDebugString());
-        }
+        // Authorization successful for gizmo resource
+        accessServiceMock.AllowedResourceIds.clear();
+        accessServiceMock.AllowedResourceIds.emplace("gizmo");
+        runtime->Send(new IEventHandle(MakeTicketParserID(), sender, new TEvTicketParser::TEvAuthorizeTicket(
+                                        userToken,
+                                        {{"gizmo_id", "gizmo"}, },
+                                        {"monitoring.view"})), 0);
+        result = runtime->GrabEdgeEvent<TEvTicketParser::TEvAuthorizeTicketResult>(handle);
+        UNIT_ASSERT_C(result->Error.empty(), result->Error);
+        UNIT_ASSERT_C(result->Token->IsExist("monitoring.view@as"), result->Token->ShortDebugString());
+        UNIT_ASSERT_C(result->Token->IsExist("monitoring.view-gizmo@as"), result->Token->ShortDebugString());
     }
 
     Y_UNIT_TEST(Authorization) {

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,7 @@ message TAuthConfig {`
`58`	`58`	`optional string NodeRegistrationToken = 82 [default = "root@builtin", (Ydb.sensitive) = true];`
`59`	`59`	`optional TPasswordComplexity PasswordComplexity = 83;`
`60`	`60`	`optional TAccountLockout AccountLockout = 84;`
	`61`	`+ optional string ClusterAccessResourceId = 85 [default = "gizmo"];`
`61`	`62`	`}`
`62`	`63`
`63`	`64`	`message TUserRegistryConfig {`
Original file line number	Diff line number	Diff line change
`@@ -479,6 +479,12 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {`
`479`	`479`	`if (const auto folderId = record.GetAttributeValue(permission, "folder_id"); folderId) {`
`480`	`480`	`AddNebiusContainerId(pathsContainer, folderId);`
`481`	`481`	`}`
	`482`	`+`
	`483`	`+ // Use attribute "gizmo_id" as container id that contains cluster access resource`
	`484`	`+ // IAM can link roles for cluster access resource`
	`485`	`+ if (const auto gizmoId = record.GetAttributeValue(permission, "gizmo_id"); gizmoId) {`
	`486`	`+ AddNebiusContainerId(pathsContainer, gizmoId);`
	`487`	`+ }`
`482`	`488`	`}`
`483`	`489`
`484`	`490`	`template <typename TTokenRecord>`