System views creation in SchemeShard under FeatureFlag (#19377)

Author: n00bcracker

ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp

@@ -1172,7 +1172,7 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
                 Value String,
                 PRIMARY KEY (Key)
             )
-            )") 
+            )")
             + (СolumnTable ? TString("WITH (STORE = COLUMN)") : "");
             auto result = session.ExecuteSchemeQuery(query).GetValueSync();
             UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
@@ -4850,6 +4850,150 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
         }
     }
 
+    Y_UNIT_TEST(ModifySysViewDirPermissions) {
+        NKikimrConfig::TFeatureFlags featureFlags;
+        featureFlags.SetEnableRealSystemViewPaths(true);
+        TKikimrRunner kikimr(featureFlags);
+        kikimr.GetTestServer().GetRuntime()->GetAppData().AdministrationAllowedSIDs.push_back("root@builtin");
+
+        auto adminSession = kikimr.GetTableClient(NYdb::NTable::TClientSettings()
+            .AuthToken("root@builtin")).CreateSession().GetValueSync().GetSession();
+
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT 'ydb.granular.describe_schema' ON `/Root` TO `root@builtin`;
+                GRANT 'ydb.database.connect' ON `/Root` TO `user@builtin`;
+                )";
+            auto result = adminSession.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+        }
+
+        auto driverConfig = kikimr.GetDriverConfig();
+        driverConfig.SetAuthToken("user@builtin");
+        const auto driver = TDriver(driverConfig);
+        auto userSchemeClient = NYdb::NScheme::TSchemeClient(driver);
+
+        auto userSession = kikimr.GetTableClient(NYdb::NTable::TClientSettings()
+            .AuthToken("user@builtin")).CreateSession().GetValueSync().GetSession();
+
+        {
+            auto result = userSchemeClient.ListDirectory("/Root/.sys").GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL(result.GetStatus(), EStatus::UNAUTHORIZED);
+            UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(), "Access denied",
+                result.GetIssues().ToString()
+            );
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT 'ydb.granular.describe_schema' ON `/Root/.sys` TO `user@builtin`;
+                )";
+            auto result = adminSession.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+            CheckPermissions(adminSession, {
+                                            {.Path = "/Root/.sys",
+                                                .Permissions = {
+                                                    {"user@builtin", {"ydb.granular.describe_schema"}}
+                                                }
+                                            },
+                                        });
+        }
+        {
+            auto result = userSchemeClient.ListDirectory("/Root/.sys").GetValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+
+            auto children = result.GetChildren();
+            THashSet<TString> names;
+            for (const auto& child : children) {
+                names.insert(TString{child.Name});
+                UNIT_ASSERT_VALUES_EQUAL(child.Type, NYdb::NScheme::ESchemeEntryType::SysView);
+            }
+            UNIT_ASSERT(names.contains("partition_stats"));
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT 'ydb.granular.alter_schema' ON `/Root/.sys` TO `root@builtin`;
+                )";
+            auto result = userSession.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL(result.GetStatus(), EStatus::UNAUTHORIZED);
+            UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(), "Access denied",
+                result.GetIssues().ToString()
+            );
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT 'ydb.access.grant', 'ydb.granular.alter_schema' ON `/Root/.sys` TO `user@builtin`;
+                )";
+            auto result = adminSession.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+            CheckPermissions(adminSession, {{.Path = "/Root/.sys",
+                                        .Permissions = {
+                                            {"user@builtin", {"ydb.granular.describe_schema",
+                                                              "ydb.granular.alter_schema",
+                                                              "ydb.access.grant"}}
+                                            }
+                                        }});
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT 'ydb.granular.alter_schema' ON `/Root/.sys` TO `root@builtin`;
+                )";
+            auto result = userSession.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+        }
+    }
+
+    Y_UNIT_TEST(ModifySysViewPermissions) {
+        NKikimrConfig::TFeatureFlags featureFlags;
+        featureFlags.SetEnableRealSystemViewPaths(true);
+        TKikimrRunner kikimr(featureFlags, "root@builtin");
+
+        auto userSchemeClient = kikimr.GetSchemeClient();
+        auto db = kikimr.GetTableClient();
+        auto userSession = db.CreateSession().GetValueSync().GetSession();
+        auto querySelect = TStringBuilder() << R"(
+            --!syntax_v1
+            SELECT * FROM `/Root/.sys/partition_stats`;
+            )";
+
+        {
+            auto result = userSession.ExecuteDataQuery(querySelect, TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_VALUES_EQUAL(result.GetStatus(), EStatus::SCHEME_ERROR);
+            UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+                "it does not exist or you do not have access permissions",
+                result.GetIssues().ToString()
+            );
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT 'ydb.generic.read' ON `/Root/.sys/partition_stats` TO `root@builtin`;
+                )";
+            auto result = userSession.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+            CheckPermissions(userSession, {
+                                            {.Path = "/Root/.sys/partition_stats",
+                                                .Permissions = {
+                                                    {"root@builtin", {"ydb.generic.read"}}
+                                                }
+                                            },
+                                        });
+        }
+        {
+            auto result = userSession.ExecuteDataQuery(querySelect, TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+            UNIT_ASSERT_VALUES_EQUAL(result.GetResultSets().size(), 1);
+
+            auto rs = result.GetResultSet(0);
+            UNIT_ASSERT_VALUES_EQUAL(rs.RowsCount(), 34);
+            UNIT_ASSERT_VALUES_EQUAL(rs.ColumnsCount(), 30);
+        }
+    }
+
     Y_UNIT_TEST(ModifyUnknownPermissions) {
         TKikimrRunner kikimr;
         auto db = kikimr.GetTableClient();