User for .tmp/sessions dir (#12244)

Author: nikvas0

ydb/core/kqp/common/simple/temp_tables.cpp

@@ -28,6 +28,14 @@ namespace {
     const TString SessionsDirectoryName = "sessions";
 }
 
+TString GetTmpDirPath(const TString& database) {
+    return CanonizePath(JoinPath({database, TmpDirectoryName}));
+}
+
+TString GetSessionDirName() {
+    return SessionsDirectoryName;
+}
+
 TString GetSessionDirsBasePath(const TString& database) {
     return CanonizePath(JoinPath({database, TmpDirectoryName, SessionsDirectoryName}));
 }

ydb/core/kqp/common/simple/temp_tables.h

@@ -27,6 +27,8 @@ struct TKqpTempTablesState {
     FindInfo(const std::string_view& path, bool withSessionId = false) const;
 };
 
+TString GetTmpDirPath(const TString& database);
+TString GetSessionDirName();
 TString GetSessionDirsBasePath(const TString& database);
 TString GetSessionDirPath(const TString& database, const TString& sessionId);
 TString GetTempTablePath(const TString& database, const TString& sessionId, const TString tablePath);

ydb/core/kqp/executer_actor/kqp_scheme_executer.cpp

@@ -10,6 +10,7 @@
 #include <ydb/core/protos/schemeshard/operations.pb.h>
 #include <ydb/core/tx/schemeshard/schemeshard_build_index.h>
 #include <ydb/core/tx/tx_proxy/proxy.h>
+#include <ydb/library/aclib/aclib.h>
 #include <ydb/services/metadata/abstract/kqp_common.h>
 
 
@@ -45,6 +46,7 @@ class TKqpSchemeExecuter : public TActorBootstrapped<TKqpSchemeExecuter> {
         enum EEv {
             EvResult = EventSpaceBegin(TEvents::ES_PRIVATE),
             EvMakeTempDirResult,
+            EvMakeSessionDirResult,
         };
 
         struct TEvResult : public TEventLocal<TEvResult, EEv::EvResult> {
@@ -54,6 +56,10 @@ class TKqpSchemeExecuter : public TActorBootstrapped<TKqpSchemeExecuter> {
         struct TEvMakeTempDirResult : public TEventLocal<TEvMakeTempDirResult, EEv::EvMakeTempDirResult> {
             IKqpGateway::TGenericResult Result;
         };
+
+        struct TEvMakeSessionDirResult : public TEventLocal<TEvMakeSessionDirResult, EEv::EvMakeSessionDirResult> {
+            IKqpGateway::TGenericResult Result;
+        };
     };
 public:
     static constexpr NKikimrServices::TActivity::EType ActorActivityType() {
@@ -95,6 +101,46 @@ class TKqpSchemeExecuter : public TActorBootstrapped<TKqpSchemeExecuter> {
         auto ev = MakeHolder<TEvTxUserProxy::TEvProposeTransaction>();
         auto& record = ev->Record;
 
+        record.SetDatabaseName(Database);
+        record.SetUserToken(NACLib::TSystemUsers::Tmp().SerializeAsString());
+        record.SetPeerName(ClientAddress);
+
+        auto* modifyScheme = record.MutableTransaction()->MutableModifyScheme();
+        modifyScheme->SetWorkingDir(GetTmpDirPath(Database));
+        modifyScheme->SetOperationType(NKikimrSchemeOp::EOperationType::ESchemeOpMkDir);
+        modifyScheme->SetAllowCreateInTempDir(false);
+        modifyScheme->SetInternal(true);
+
+        auto* makeDir = modifyScheme->MutableMkDir();
+        makeDir->SetName(GetSessionDirName());
+
+        NACLib::TDiffACL diffAcl;
+        diffAcl.AddAccess(
+            NACLib::EAccessType::Allow,
+            NACLib::EAccessRights::CreateDirectory | NACLib::EAccessRights::DescribeSchema,
+            AppData()->AllAuthenticatedUsers);
+
+        auto* modifyAcl = modifyScheme->MutableModifyACL();
+        modifyAcl->SetDiffACL(diffAcl.SerializeAsString());
+
+        auto promise = NewPromise<IKqpGateway::TGenericResult>();
+        IActor* requestHandler = new TSchemeOpRequestHandler(ev.Release(), promise, false);
+        RegisterWithSameMailbox(requestHandler);
+
+        auto actorSystem = TActivationContext::ActorSystem();
+        auto selfId = SelfId();
+        promise.GetFuture().Subscribe([actorSystem, selfId](const TFuture<IKqpGateway::TGenericResult>& future) {
+            auto ev = MakeHolder<TEvPrivate::TEvMakeTempDirResult>();
+            ev->Result = future.GetValue();
+            actorSystem->Send(selfId, ev.Release());
+        });
+        Become(&TKqpSchemeExecuter::ExecuteState);
+    }
+
+    void CreateSessionDirectory() {
+        auto ev = MakeHolder<TEvTxUserProxy::TEvProposeTransaction>();
+        auto& record = ev->Record;
+
         record.SetDatabaseName(Database);
         if (UserToken) {
             record.SetUserToken(UserToken->GetSerializedToken());
@@ -105,22 +151,31 @@ class TKqpSchemeExecuter : public TActorBootstrapped<TKqpSchemeExecuter> {
         modifyScheme->SetWorkingDir(GetSessionDirsBasePath(Database));
         modifyScheme->SetOperationType(NKikimrSchemeOp::EOperationType::ESchemeOpMkDir);
         modifyScheme->SetAllowCreateInTempDir(false);
+
         auto* makeDir = modifyScheme->MutableMkDir();
         makeDir->SetName(SessionId);
         ActorIdToProto(KqpTempTablesAgentActor, modifyScheme->MutableTempDirOwnerActorId());
 
+        NACLib::TDiffACL diffAcl;
+        diffAcl.RemoveAccess(
+            NACLib::EAccessType::Allow,
+            NACLib::EAccessRights::CreateDirectory | NACLib::EAccessRights::DescribeSchema,
+            AppData()->AllAuthenticatedUsers);
+
+        auto* modifyAcl = modifyScheme->MutableModifyACL();
+        modifyAcl->SetDiffACL(diffAcl.SerializeAsString());
+
         auto promise = NewPromise<IKqpGateway::TGenericResult>();
         IActor* requestHandler = new TSchemeOpRequestHandler(ev.Release(), promise, false);
         RegisterWithSameMailbox(requestHandler);
 
-        auto actorSystem = TActivationContext::ActorSystem();
+        auto actorSystem = TlsActivationContext->ActorSystem();
         auto selfId = SelfId();
         promise.GetFuture().Subscribe([actorSystem, selfId](const TFuture<IKqpGateway::TGenericResult>& future) {
-            auto ev = MakeHolder<TEvPrivate::TEvMakeTempDirResult>();
+            auto ev = MakeHolder<TEvPrivate::TEvMakeSessionDirResult>();
             ev->Result = future.GetValue();
             actorSystem->Send(selfId, ev.Release());
         });
-        Become(&TKqpSchemeExecuter::ExecuteState);
     }
 
     TString GetDatabaseForLoginOperation() const {
@@ -527,6 +582,7 @@ class TKqpSchemeExecuter : public TActorBootstrapped<TKqpSchemeExecuter> {
             switch (ev->GetTypeRewrite()) {
                 hFunc(TEvPrivate::TEvResult, HandleExecute);
                 hFunc(TEvPrivate::TEvMakeTempDirResult, Handle);
+                hFunc(TEvPrivate::TEvMakeSessionDirResult, Handle);
                 hFunc(TEvKqp::TEvAbortExecution, HandleAbortExecution);
                 hFunc(TEvTxUserProxy::TEvAllocateTxIdResult, Handle);
                 hFunc(TEvTxProxySchemeCache::TEvNavigateKeySetResult, Handle);
@@ -560,7 +616,17 @@ class TKqpSchemeExecuter : public TActorBootstrapped<TKqpSchemeExecuter> {
     void Handle(TEvPrivate::TEvMakeTempDirResult::TPtr& result) {
         if (!result->Get()->Result.Success()) {
             InternalError(TStringBuilder()
-                << "Error creating temporary directory for session " << SessionId
+                << "Error creating temporary directory: "
+                << result->Get()->Result.Issues().ToString(true));
+        }
+        
+        CreateSessionDirectory();
+    }
+
+    void Handle(TEvPrivate::TEvMakeSessionDirResult::TPtr& result) {
+        if (!result->Get()->Result.Success()) {
+            InternalError(TStringBuilder()
+                << "Error creating directory for session " << SessionId
                 << ": " << result->Get()->Result.Issues().ToString(true));
         }
         MakeSchemeOperationRequest();

ydb/core/kqp/ut/query/kqp_query_ut.cpp

@@ -1513,9 +1513,26 @@ Y_UNIT_TEST_SUITE(KqpQuery) {
         auto settings = TKikimrSettings()
             .SetAppConfig(appConfig)
             .SetWithSampleTables(false)
-            .SetEnableTempTables(true);
+            .SetEnableTempTables(true)
+            .SetAuthToken("user0@builtin");;
         TKikimrRunner kikimr(settings);
 
+        {
+            auto driverConfig = TDriverConfig()
+            .SetEndpoint(kikimr.GetEndpoint())
+                .SetAuthToken("root@builtin");
+            auto driver = TDriver(driverConfig);
+            auto schemeClient = NYdb::NScheme::TSchemeClient(driver);
+
+            NYdb::NScheme::TPermissions permissions("user0@builtin",
+                {"ydb.generic.read", "ydb.generic.write"}
+            );
+            auto result = schemeClient.ModifyPermissions("/Root",
+                NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
+            ).ExtractValueSync();
+            AssertSuccessResult(result);
+        }
+
         const TString query = R"(
             CREATE TABLE `/Root/Source` (
                 Col1 Uint64 NOT NULL,

ydb/core/kqp/ut/service/kqp_qs_queries_ut.cpp

@@ -1694,7 +1694,8 @@ Y_UNIT_TEST_SUITE(KqpQueryService) {
         auto setting = NKikimrKqp::TKqpSetting();
         auto serverSettings = TKikimrSettings()
             .SetAppConfig(appConfig)
-            .SetKqpSettings({setting});
+            .SetKqpSettings({setting})
+            .SetAuthToken("user0@builtin");
         TKikimrRunner kikimr(
             serverSettings.SetWithSampleTables(false).SetEnableTempTables(true));
         auto clientConfig = NGRpcProxy::TGRpcClientConfig(kikimr.GetEndpoint());

ydb/library/aclib/aclib.cpp

@@ -817,4 +817,9 @@ const NACLib::TUserToken& TSystemUsers::Metadata() {
     return GlobalMetadataUser;
 }
 
+const NACLib::TUserToken& TSystemUsers::Tmp() {
+    static TUserToken GlobalTmpUser = TUserToken(BUILTIN_ACL_TMP, {});
+    return GlobalTmpUser;
+}
+
 }

ydb/library/aclib/aclib.h

@@ -12,10 +12,13 @@ namespace NACLib {
 #define BUILTIN_SYSTEM_DOMAIN "system"
 
 #define BUILTIN_ACL_METADATA "metadata@" BUILTIN_SYSTEM_DOMAIN
+#define BUILTIN_ACL_TMP "tmp@" BUILTIN_SYSTEM_DOMAIN
+
 class TUserToken;
 class TSystemUsers {
 public:
     static const TUserToken& Metadata();
+    static const TUserToken& Tmp();
 };
 
 enum EAccessRights : ui32 { // bitmask