
Commit 832745c

authored
Index impl table is not private (#18159)
1 parent f5e7d6f commit 832745c


6 files changed

+260
-11
lines changed


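--- a/ydb/core/kqp/ut/common/kqp_ut_common.cpp
+++ b/ydb/core/kqp/ut/common/kqp_ut_common.cpp
@@ -1399,6 +1399,16 @@ void InitRoot(Tests::TServer::TPtr server, TActorId sender) {
 server->SetupRootStoragePools(sender);
 }
 
+void Grant(NYdb::NTable::TSession& adminSession, const char* permissions, const char* path, const char* user) {
+auto grantQuery = Sprintf(R"(
+GRANT %s ON `%s` TO `%s`;
+)",
+permissions, path, user
+);
+auto result = adminSession.ExecuteSchemeQuery(grantQuery).ExtractValueSync();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+};
+
 THolder<NSchemeCache::TSchemeCacheNavigate> Navigate(TTestActorRuntime& runtime, const TActorId& sender,
 const TString& path, NSchemeCache::TSchemeCacheNavigate::EOp op)
 {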
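Review bot: `Grant` inserts `permissions`, `path` and `user` into the statement text with `Sprintf`, with no quoting beyond the literal backticks, so a backtick or `;` in any argument would change the statement the admin session executes. Every caller visible in this commit passes string literals, so this is a contract to document rather than a live defect; a comment above the definition such as `// Test helper: arguments are inserted verbatim into the GRANT text; pass trusted literals only.` would record it. The closing `};` also leaves a stray empty declaration after the function body, where `}` is enough.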

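--- a/ydb/core/kqp/ut/common/kqp_ut_common.h
+++ b/ydb/core/kqp/ut/common/kqp_ut_common.h
@@ -379,6 +379,8 @@ void CreateSampleTablesWithIndex(NYdb::NTable::TSession& session, bool populateT
 
 void InitRoot(Tests::TServer::TPtr server, TActorId sender);
 
+void Grant(NYdb::NTable::TSession& adminSession, const char* permissions, const char* path, const char* user);
+
 THolder<NKikimr::NSchemeCache::TSchemeCacheNavigate> Navigate(TTestActorRuntime& runtime, const TActorId& sender,
 const TString& path, NKikimr::NSchemeCache::TSchemeCacheNavigate::EOp op);
 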

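--- a/ydb/core/kqp/ut/indexes/kqp_indexes_ut.cpp
+++ b/ydb/core/kqp/ut/indexes/kqp_indexes_ut.cpp
@@ -5765,6 +5765,126 @@ R"([[#;#;["Primary1"];[41u]];[["Secondary2"];[2u];["Primary2"];[42u]];[["Seconda
 ])", FormatResultSetYson(result.GetResultSet(0)));
 }
 }
+
+Y_UNIT_TEST(DirectAccessToIndexImplTable) {
+NKikimrConfig::TFeatureFlags featureFlags;
+featureFlags.SetEnableAccessToIndexImplTables(true);
+auto settings = TKikimrSettings().SetFeatureFlags(featureFlags);
+TKikimrRunner kikimr(settings);
+auto db = kikimr.GetTableClient();
+kikimr.GetTestClient().GrantConnect("user@builtin");
+kikimr.GetTestServer().GetRuntime()->GetAppData().AdministrationAllowedSIDs.emplace_back("root@builtin");
+
+auto adminSession = kikimr.GetTableClient(NYdb::NTable::TClientSettings()
+.AuthToken("root@builtin")).CreateSession().GetValueSync().GetSession();
+
+CreateSampleTablesWithIndex(adminSession);
+const char *tablePath = "/Root/SecondaryKeys";
+const char *implTablePath = "/Root/SecondaryKeys/Index/indexImplTable";
+
+// a user which does not have any implicit permissions
+auto userSession = kikimr.GetTableClient(NYdb::NTable::TClientSettings()
+.AuthToken("user@builtin")).CreateSession().GetValueSync().GetSession();
+
+auto selectTableQuery = [&]() {
+return userSession.ExecuteDataQuery(Sprintf(R"(
+SELECT * FROM `%s`;
+)", tablePath), TTxControl::BeginTx(TTxSettings::SerializableRW()).CommitTx()).ExtractValueSync();
+};
+auto selectImplTableQuery = [&]() {
+return userSession.ExecuteDataQuery(Sprintf(R"(
+SELECT * FROM `%s`;
+)", implTablePath), TTxControl::BeginTx(TTxSettings::SerializableRW()).CommitTx()).ExtractValueSync();
+};
+auto upsertTableQuery = [&]() {
+return userSession.ExecuteDataQuery(Sprintf(R"(
+UPSERT INTO `%s` (Key, Fk, Value) VALUES
+(9, 9, "Payload9");
+)", tablePath), TTxControl::BeginTx(TTxSettings::SerializableRW()).CommitTx()).ExtractValueSync();
+};
+auto upsertImplTableQuery = [&]() {
+return userSession.ExecuteDataQuery(Sprintf(R"(
+UPSERT INTO `%s` (Fk, Key) VALUES
+(99, 99u);
+)", implTablePath), TTxControl::BeginTx(TTxSettings::SerializableRW()).CommitTx()).ExtractValueSync();
+};
+
+// try accessing tables without permissions
+{
+auto result = selectTableQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SCHEME_ERROR, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"it does not exist or you do not have access permissions",
+result.GetIssues().ToString()
+);
+}
+{
+auto result = selectImplTableQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SCHEME_ERROR, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"it does not exist or you do not have access permissions",
+result.GetIssues().ToString()
+);
+}
+{
+auto result = upsertTableQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SCHEME_ERROR, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"it does not exist or you do not have access permissions",
+result.GetIssues().ToString()
+);
+}
+{
+auto result = upsertImplTableQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SCHEME_ERROR, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"it does not exist or you do not have access permissions",
+result.GetIssues().ToString()
+);
+}
+
+// grant necessary permission
+Grant(adminSession, "USE", tablePath, "user@builtin");
+
+// try accessing tables with permissions
+{
+auto result = selectTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+{
+auto result = selectImplTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+{
+auto result = upsertTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+{
+auto result = upsertImplTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString()); // TODO should fail
+}
+
+// become superuser
+kikimr.GetTestServer().GetRuntime()->GetAppData().AdministrationAllowedSIDs.emplace_back("user@builtin");
+
+// accessing tables as superuser
+{
+auto result = selectTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+{
+auto result = selectImplTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+{
+auto result = upsertTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+{
+auto result = upsertImplTableQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+}
 }
 
 }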
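Review bot: The assertion marked `// TODO should fail` pins as passing an outcome the author considers wrong: after `Grant(adminSession, "USE", tablePath, "user@builtin")`, a non-superuser can `UPSERT` straight into `indexImplTable`, writing index rows with no matching write to the base table. The test will start failing the day that gap is closed, and nothing ties the TODO to a tracked item, so the comment should reference one, e.g. `// TODO(<issue-id>): non-superuser UPSERT into the impl table must be rejected`. The test also has no case with `EnableAccessToIndexImplTables` left at its default, so nothing here shows that a granted user or a superuser is still refused when the flag is off. In the first phase the impl-table failures carry the same "does not exist or you do not have access permissions" text that a private path would presumably produce, so those two checks do not by themselves exercise the flag.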

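--- a/ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp
+++ b/ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp
@@ -2928,22 +2928,138 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
 }
 }
 
-Y_UNIT_TEST(AlterIndexImplTable) {
-TKikimrRunner kikimr;
+Y_UNIT_TEST_TWIN(AlterIndexImplTable, VectorIndex) {
+NKikimrConfig::TFeatureFlags featureFlags;
+featureFlags.SetEnableAccessToIndexImplTables(true);
+if (VectorIndex)
+featureFlags.SetEnableVectorIndex(true);
+auto settings = TKikimrSettings().SetFeatureFlags(featureFlags);
+TKikimrRunner kikimr(settings);
 auto db = kikimr.GetTableClient();
-auto session = db.CreateSession().GetValueSync().GetSession();
-CreateSampleTablesWithIndex(session);
+kikimr.GetTestClient().GrantConnect("user@builtin");
+kikimr.GetTestServer().GetRuntime()->GetAppData().AdministrationAllowedSIDs.emplace_back("root@builtin");
+
+auto adminSession = kikimr.GetTableClient(NYdb::NTable::TClientSettings()
+.AuthToken("root@builtin")).CreateSession().GetValueSync().GetSession();
+
+const char *tablePath, *implTablePath;
+if (VectorIndex) {
+CreateTestTableWithVectorIndex(adminSession);
+tablePath = "/Root/TestTable";
+implTablePath = "/Root/TestTable/vector_idx/indexImplLevelTable";
+}
+else {
+CreateSampleTablesWithIndex(adminSession);
+tablePath = "/Root/SecondaryKeys";
+implTablePath = "/Root/SecondaryKeys/Index/indexImplTable";
+}
+
+// a user which does not have any implicit permissions
+auto userSession = kikimr.GetTableClient(NYdb::NTable::TClientSettings()
+.AuthToken("user@builtin")).CreateSession().GetValueSync().GetSession();
 
 constexpr int minPartitionsCount = 10;
+auto setPartitioningQuery = [&]() {
+return userSession.ExecuteSchemeQuery(Sprintf(R"(
+ALTER TABLE `%s` SET AUTO_PARTITIONING_MIN_PARTITIONS_COUNT %d;
+)", implTablePath, minPartitionsCount)).ExtractValueSync();
+};
+constexpr int replicasCount = 3;
+auto setReplicasQuery = [&]() {
+return userSession.ExecuteSchemeQuery(Sprintf(R"(
+ALTER TABLE `%s` SET READ_REPLICAS_SETTINGS "PER_AZ:%d";
+)", implTablePath, replicasCount)).ExtractValueSync();
+};
+auto setForbiddenSettingsQuery = [&]() {
+return userSession.ExecuteSchemeQuery(Sprintf(R"(
+ALTER TABLE `%s` SET KEY_BLOOM_FILTER ENABLED;
+)", implTablePath)).ExtractValueSync();
+};
+auto addColumnQuery = [&]() {
+return userSession.ExecuteSchemeQuery(Sprintf(R"(
+ALTER TABLE `%s` ADD COLUMN column1 Uint64;
+)", implTablePath)).ExtractValueSync();
+};
+
+// try altering indexImplTable without ALTER SCHEMA permission
 {
-auto result = session.ExecuteSchemeQuery(Sprintf(R"(
-ALTER TABLE `/Root/SecondaryKeys/Index/indexImplTable` SET AUTO_PARTITIONING_MIN_PARTITIONS_COUNT %d;
-)", minPartitionsCount
-)
-).ExtractValueSync();
+auto result = setPartitioningQuery();
 UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SCHEME_ERROR, result.GetIssues().ToString());
 UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
-"Error: Cannot find table 'db.[/Root/SecondaryKeys/Index/indexImplTable]' because it does not exist or you do not have access permissions.",
+"it does not exist or you do not have access permissions",
+result.GetIssues().ToString()
+);
+}
+{
+auto result = setReplicasQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SCHEME_ERROR, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"it does not exist or you do not have access permissions",
+result.GetIssues().ToString()
+);
+}
+
+// grant necessary permission
+Grant(adminSession, "DESCRIBE SCHEMA", tablePath, "user@builtin");
+Grant(adminSession, "ALTER SCHEMA", tablePath, "user@builtin");
+
+// alter indexImplTable
+{
+auto result = setPartitioningQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+{
+auto result = setReplicasQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+// check result
+{
+auto describe = userSession.DescribeTable(implTablePath).ExtractValueSync();
+UNIT_ASSERT_C(describe.IsSuccess(), describe.GetIssues().ToString());
+auto tableDesc = describe.GetTableDescription();
+
+UNIT_ASSERT_VALUES_EQUAL(tableDesc.GetPartitioningSettings().GetMinPartitionsCount(), minPartitionsCount);
+
+const auto readReplicasSettings = tableDesc.GetReadReplicasSettings();
+UNIT_ASSERT(readReplicasSettings);
+UNIT_ASSERT(readReplicasSettings->GetMode() == NYdb::NTable::TReadReplicasSettings::EMode::PerAz);
+UNIT_ASSERT_VALUES_EQUAL(readReplicasSettings->GetReadReplicasCount(), replicasCount);
+}
+
+
+// try altering non-partitioning setting of indexImplTable as non-superuser
+{
+auto result = setForbiddenSettingsQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::GENERIC_ERROR, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"path is not a common path",
+result.GetIssues().ToString()
+);
+}
+// try add column to indexImplTable as non-superuser
+{
+auto result = addColumnQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::GENERIC_ERROR, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"path is not a common path",
+result.GetIssues().ToString()
+);
+}
+
+// become superuser
+kikimr.GetTestServer().GetRuntime()->GetAppData().AdministrationAllowedSIDs.emplace_back("user@builtin");
+
+// alter non-partitioning setting of indexImplTable as superuser
+{
+auto result = setForbiddenSettingsQuery();
+UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+}
+// try add column to indexImplTable as superuser
+{
+auto result = addColumnQuery();
+UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::BAD_REQUEST, result.GetIssues().ToString());
+UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+"Adding or dropping columns in index table is not supported",
 result.GetIssues().ToString()
 );
 }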
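Review bot: Both variants of `AlterIndexImplTable` now call `featureFlags.SetEnableAccessToIndexImplTables(true)`, whereas the removed version ran on a default `TKikimrRunner` and asserted `SCHEME_ERROR` for an `ALTER TABLE` on the impl table. Within this hunk that leaves the default configuration, where impl tables stay private, without a regression check. A further case that keeps the flag off and still expects the "does not exist or you do not have access permissions" error after the two `Grant` calls would restore it. The message check was also loosened from the full error text, which named the path, to a substring, so it no longer pins which table was rejected. The unbraced `if (VectorIndex)` on the flag setup would read more safely as `if (VectorIndex) { featureFlags.SetEnableVectorIndex(true); }`, matching the braced `if`/`else` a few lines below.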

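--- a/ydb/core/protos/feature_flags.proto
+++ b/ydb/core/protos/feature_flags.proto
@@ -209,4 +209,5 @@ message TFeatureFlags {
 optional bool EnableExportAutoDropping = 183 [default = false];
 optional bool EnableThrottlingReport = 184 [default = true];
 optional bool EnableNodeBrokerDeltaProtocol = 185 [default = false];
+optional bool EnableAccessToIndexImplTables = 186 [default = false];
 }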

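--- a/ydb/core/tx/scheme_board/cache.cpp
+++ b/ydb/core/tx/scheme_board/cache.cpp
@@ -907,7 +907,7 @@ class TSchemeCache: public TMonitorableActor<TSchemeCache> {
 case NKikimrSchemeOp::EPathSubTypeSyncIndexImplTable:
 case NKikimrSchemeOp::EPathSubTypeAsyncIndexImplTable:
 case NKikimrSchemeOp::EPathSubTypeVectorKmeansTreeIndexImplTable:
-return true;
+return !AppData()->FeatureFlags.GetEnableAccessToIndexImplTables();
 default:
 return false;
 }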
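Review bot: The new `return !AppData()->FeatureFlags.GetEnableAccessToIndexImplTables();` lets one process-wide flag decide the result for all three impl-table subtypes, and neither this switch nor the new field in feature_flags.proto says what protection is lost when it is set. The test added in kqp_indexes_ut.cpp shows the consequence: with the flag on, a `USE` grant on the indexed table is enough for a non-superuser to write into the impl table. A comment above the return would record that, e.g. `// Impl tables are hidden unless EnableAccessToIndexImplTables is set; once visible, only ACL checks protect the index data.` The enclosing function starts and ends outside the hunk, so it cannot be told from here whether its result is stored per cache entry and would outlive a runtime change of the flag.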
