25-1: Cherry pick audit logs (#17114)

Author: flown4qqqq

ydb/core/tx/schemeshard/schemeshard_audit_log.cpp

@@ -128,9 +128,9 @@ void AuditLogModifySchemeOperation(const NKikimrSchemeOp::TModifyScheme& operati
             AUDIT_PART(name, (!value.empty() ? value : EmptyValue))
         }
 
-        AUDIT_PART("cloud_id", cloud_id, !cloud_id.empty());
-        AUDIT_PART("folder_id", folder_id, !folder_id.empty());
-        AUDIT_PART("resource_id", database_id, !database_id.empty());
+        AUDIT_PART("cloud_id", cloud_id, !cloud_id.empty())
+        AUDIT_PART("folder_id", folder_id, !folder_id.empty())
+        AUDIT_PART("resource_id", database_id, !database_id.empty())
 
         // Additionally:
 
@@ -140,21 +140,23 @@ void AuditLogModifySchemeOperation(const NKikimrSchemeOp::TModifyScheme& operati
         // 1. explicit operation ESchemeOpModifyACL -- to modify ACL on a path
         // 2. ESchemeOpMkDir or ESchemeOpCreate* operations -- to set rights to newly created paths/entities
         // 3. ESchemeOpCopyTable -- to be checked against acl size limit, not to be applied in any way
-        AUDIT_PART("new_owner", logEntry.NewOwner, !logEntry.NewOwner.empty());
-        AUDIT_PART("acl_add", RenderList(logEntry.ACLAdd), !logEntry.ACLAdd.empty());
-        AUDIT_PART("acl_remove", RenderList(logEntry.ACLRemove), !logEntry.ACLRemove.empty());
+        AUDIT_PART("new_owner", logEntry.NewOwner, !logEntry.NewOwner.empty())
+        AUDIT_PART("acl_add", RenderList(logEntry.ACLAdd), !logEntry.ACLAdd.empty())
+        AUDIT_PART("acl_remove", RenderList(logEntry.ACLRemove), !logEntry.ACLRemove.empty())
 
         // AlterUserAttributes.
         // 1. explicit operation ESchemeOpAlterUserAttributes -- to modify user attributes on a path
         // 2. ESchemeOpMkDir or some ESchemeOpCreate* operations -- to set user attributes for newly created paths/entities
-        AUDIT_PART("user_attrs_add", RenderList(logEntry.UserAttrsAdd), !logEntry.UserAttrsAdd.empty());
-        AUDIT_PART("user_attrs_remove", RenderList(logEntry.UserAttrsRemove), !logEntry.UserAttrsRemove.empty());
+        AUDIT_PART("user_attrs_add", RenderList(logEntry.UserAttrsAdd), !logEntry.UserAttrsAdd.empty())
+        AUDIT_PART("user_attrs_remove", RenderList(logEntry.UserAttrsRemove), !logEntry.UserAttrsRemove.empty())
 
         // AlterLogin.
         // explicit operation ESchemeOpAlterLogin -- to modify user and groups
-        AUDIT_PART("login_user", logEntry.LoginUser);
-        AUDIT_PART("login_group", logEntry.LoginGroup);
-        AUDIT_PART("login_member", logEntry.LoginMember);
+        AUDIT_PART("login_user", logEntry.LoginUser)
+        AUDIT_PART("login_group", logEntry.LoginGroup)
+        AUDIT_PART("login_member", logEntry.LoginMember)
+
+        AUDIT_PART("login_user_change", RenderList(logEntry.LoginUserChange), logEntry.LoginUserChange)
     );
 }
 

ydb/core/tx/schemeshard/schemeshard_audit_log_fragment.cpp

@@ -678,40 +678,74 @@ struct TChangeLogin {
     TString LoginUser;
     TString LoginGroup;
     TString LoginMember;
+    TVector<TString> LoginUserChange;
 };
 
 TChangeLogin ExtractLoginChange(const NKikimrSchemeOp::TModifyScheme& tx) {
     if (tx.HasAlterLogin()) {
+        const auto& alter = tx.GetAlterLogin();
+
         TChangeLogin result;
         switch (tx.GetAlterLogin().GetAlterCase()) {
-            case NKikimrSchemeOp::TAlterLogin::kCreateUser:
-                result.LoginUser = tx.GetAlterLogin().GetCreateUser().GetUser();
+            case NKikimrSchemeOp::TAlterLogin::kCreateUser: {
+                result.LoginUser = alter.GetCreateUser().GetUser();
                 break;
-            case NKikimrSchemeOp::TAlterLogin::kModifyUser:
-                result.LoginUser = tx.GetAlterLogin().GetModifyUser().GetUser();
+            }
+
+            case NKikimrSchemeOp::TAlterLogin::kModifyUser: {
+                const auto& modify = alter.GetModifyUser();
+                result.LoginUser = modify.GetUser();
+
+                if (modify.HasPassword()) { // there is no difference beetwen password and password's hash
+                    result.LoginUserChange.push_back("password");
+                }
+
+                if (modify.HasCanLogin() && modify.GetCanLogin()) {
+                    result.LoginUserChange.push_back("unblocking");
+                }
+
+                if (modify.HasCanLogin() && !modify.GetCanLogin()) {
+                    result.LoginUserChange.push_back("blocking");
+                }
+
                 break;
-            case NKikimrSchemeOp::TAlterLogin::kRemoveUser:
-                result.LoginUser = tx.GetAlterLogin().GetRemoveUser().GetUser();
+            }
+
+            case NKikimrSchemeOp::TAlterLogin::kRemoveUser: {
+                result.LoginUser = alter.GetRemoveUser().GetUser();
                 break;
-            case NKikimrSchemeOp::TAlterLogin::kCreateGroup:
-                result.LoginGroup = tx.GetAlterLogin().GetCreateGroup().GetGroup();
+            }
+
+            case NKikimrSchemeOp::TAlterLogin::kCreateGroup: {
+                result.LoginGroup = alter.GetCreateGroup().GetGroup();
                 break;
-            case NKikimrSchemeOp::TAlterLogin::kAddGroupMembership:
-                result.LoginGroup = tx.GetAlterLogin().GetAddGroupMembership().GetGroup();
-                result.LoginMember = tx.GetAlterLogin().GetAddGroupMembership().GetMember();
+            }
+
+            case NKikimrSchemeOp::TAlterLogin::kAddGroupMembership: {
+                result.LoginGroup = alter.GetAddGroupMembership().GetGroup();
+                result.LoginMember = alter.GetAddGroupMembership().GetMember();
                 break;
-            case NKikimrSchemeOp::TAlterLogin::kRemoveGroupMembership:
-                result.LoginGroup = tx.GetAlterLogin().GetRemoveGroupMembership().GetGroup();
-                result.LoginMember = tx.GetAlterLogin().GetRemoveGroupMembership().GetMember();
+            }
+
+            case NKikimrSchemeOp::TAlterLogin::kRemoveGroupMembership: {
+                result.LoginGroup = alter.GetRemoveGroupMembership().GetGroup();
+                result.LoginMember = alter.GetRemoveGroupMembership().GetMember();
                 break;
-            case NKikimrSchemeOp::TAlterLogin::kRenameGroup:
-                result.LoginGroup = tx.GetAlterLogin().GetRenameGroup().GetGroup();
+            }
+
+            case NKikimrSchemeOp::TAlterLogin::kRenameGroup: {
+                result.LoginGroup = alter.GetRenameGroup().GetGroup();
                 break;
-            case NKikimrSchemeOp::TAlterLogin::kRemoveGroup:
-                result.LoginGroup = tx.GetAlterLogin().GetRemoveGroup().GetGroup();
+            }
+
+            case NKikimrSchemeOp::TAlterLogin::kRemoveGroup: {
+                result.LoginGroup = alter.GetRemoveGroup().GetGroup();
                 break;
-            default:
+            }
+
+            default: {
                 Y_ABORT("switch should cover all operation types");
+            }
         }
         return result;
     }
@@ -725,7 +759,7 @@ namespace NKikimr::NSchemeShard {
 TAuditLogFragment MakeAuditLogFragment(const NKikimrSchemeOp::TModifyScheme& tx) {
     auto [aclAdd, aclRemove] = ExtractACLChange(tx);
     auto [userAttrsAdd, userAttrsRemove] = ExtractUserAttrChange(tx);
-    auto [loginUser, loginGroup, loginMember] = ExtractLoginChange(tx);
+    auto [loginUser, loginGroup, loginMember, loginUserChange] = ExtractLoginChange(tx);
 
     return {
         .Operation = DefineUserOperationName(tx),
@@ -738,6 +772,7 @@ TAuditLogFragment MakeAuditLogFragment(const NKikimrSchemeOp::TModifyScheme& tx)
         .LoginUser = loginUser,
         .LoginGroup = loginGroup,
         .LoginMember = loginMember,
+        .LoginUserChange = loginUserChange
     };
 }
 

ydb/core/tx/schemeshard/schemeshard_audit_log_fragment.h

@@ -21,6 +21,7 @@ struct TAuditLogFragment {
     TString LoginUser;
     TString LoginGroup;
     TString LoginMember;
+    TVector<TString> LoginUserChange;
 };
 
 TAuditLogFragment MakeAuditLogFragment(const NKikimrSchemeOp::TModifyScheme& tx);

ydb/core/tx/schemeshard/ut_helpers/helpers.cpp

@@ -2059,20 +2059,41 @@ namespace NSchemeShardUT_Private {
         return event->Record;
     }
 
-    void ChangeIsEnabledUser(TTestActorRuntime& runtime, ui64 txId, const TString& database, const TString& user, bool isEnabled) {
+    void ModifyUser(TTestActorRuntime& runtime, ui64 txId, const TString& database, std::function<void(::NKikimrSchemeOp::TLoginModifyUser*)>&& initiator) {
         auto modifyTx = std::make_unique<TEvSchemeShard::TEvModifySchemeTransaction>(txId, TTestTxConfig::SchemeShard);
         auto transaction = modifyTx->Record.AddTransaction();
         transaction->SetWorkingDir(database);
         transaction->SetOperationType(NKikimrSchemeOp::EOperationType::ESchemeOpAlterLogin);
 
         auto alterUser = transaction->MutableAlterLogin()->MutableModifyUser();
 
-        alterUser->SetUser(user);
-        alterUser->SetCanLogin(isEnabled);
+        initiator(alterUser);
 
         AsyncSend(runtime, TTestTxConfig::SchemeShard, modifyTx.release());
         TAutoPtr<IEventHandle> handle;
-        [[maybe_unused]]auto event = runtime.GrabEdgeEvent<TEvSchemeShard::TEvModifySchemeTransactionResult>(handle); // wait()
+        [[maybe_unused]]auto event = runtime.GrabEdgeEvent<TEvSchemeShard::TEvModifySchemeTransactionResult>(handle); // wait()        
+    }
+
+    void ChangeIsEnabledUser(TTestActorRuntime& runtime, ui64 txId, const TString& database, const TString& user, bool isEnabled) {
+        ModifyUser(runtime, txId, database, [user, isEnabled](auto* alterUser) {
+            alterUser->SetUser(std::move(user));
+            alterUser->SetCanLogin(isEnabled);
+        });
+    }
+
+    void ChangePasswordUser(TTestActorRuntime& runtime, ui64 txId, const TString& database, const TString& user, const TString& password) {
+        ModifyUser(runtime, txId, database, [user, password](auto* alterUser) {
+            alterUser->SetUser(std::move(user));
+            alterUser->SetPassword(std::move(password));
+        });
+    }
+
+    void ChangePasswordHashUser(TTestActorRuntime& runtime, ui64 txId, const TString& database, const TString& user, const TString& hash) {
+        ModifyUser(runtime, txId, database, [user, hash](auto* alterUser) {
+            alterUser->SetUser(std::move(user));
+            alterUser->SetPassword(std::move(hash));
+            alterUser->SetIsHashedPassword(true);
+        });
     }
 
     // class TFakeDataReq {

ydb/core/tx/schemeshard/ut_helpers/helpers.h

@@ -551,9 +551,17 @@ namespace NSchemeShardUT_Private {
     NKikimrScheme::TEvLoginResult Login(TTestActorRuntime& runtime,
         const TString& user, const TString& password);
 
+    void ModifyUser(TTestActorRuntime& runtime, ui64 txId, const TString& database, std::function<void(::NKikimrSchemeOp::TLoginModifyUser*)>&& initiator);
+
     void ChangeIsEnabledUser(TTestActorRuntime& runtime, ui64 txId, const TString& database,
         const TString& user, bool isEnabled);
 
+    void ChangePasswordUser(TTestActorRuntime& runtime, ui64 txId, const TString& database,
+        const TString& user, const TString& password);
+
+    void ChangePasswordHashUser(TTestActorRuntime& runtime, ui64 txId, const TString& database,
+        const TString& user, const TString& hash);
+    
     // Mimics data query to a single table with multiple partitions
     class TFakeDataReq {
     public: