Added an integration test for table grants (#20150)

yurikiselev · web-flow · commit c0ee97d64131 · 2025-07-01T09:50:09.000+05:00
diff --git a/ydb/tests/functional/security/__init__.py b/ydb/tests/functional/security/__init__.py
@@ -0,0 +1 @@
+
diff --git a/ydb/tests/functional/security/conftest.py b/ydb/tests/functional/security/conftest.py
@@ -0,0 +1 @@
+pytest_plugins = ['ydb.tests.library.fixtures', 'ydb.tests.library.flavours']
diff --git a/ydb/tests/functional/security/test_grants.py b/ydb/tests/functional/security/test_grants.py
@@ -0,0 +1,219 @@
+# -*- coding: utf-8 -*-
+import logging
+from ydb.tests.oss.ydb_sdk_import import ydb
+
+logger = logging.getLogger(__name__)
+
+
+# local configuration for the ydb cluster (fetched by ydb_cluster_configuration fixture)
+CLUSTER_CONFIG = dict(
+    additional_log_configs={
+        # 'TX_PROXY': LogLevels.DEBUG,
+    }
+)
+DATABASE = "/Root/test"
+TABLE_NAME = "table"
+TABLE_PATH = f"{DATABASE}/{TABLE_NAME}"
+CREATE_TABLE_GRANTS = ['ydb.granular.create_table']
+ALTER_TABLE_ADD_COLUMN_GRANTS = ['ydb.granular.alter_schema', 'ydb.granular.describe_schema']
+ALTER_TABLE_DROP_COLUMN_GRANTS = ['ydb.granular.alter_schema', 'ydb.granular.describe_schema']
+DROP_TABLE_GRANTS = ['ydb.granular.remove_schema', 'ydb.granular.describe_schema']
+ALTER_TABLE_ADD_CHANGEFEED_GRANTS = ['ydb.granular.alter_schema', 'ydb.granular.describe_schema']
+ALTER_TOPIC_ADD_CONSUMER_GRANTS = ['ydb.granular.alter_schema', 'ydb.granular.describe_schema']
+READ_TOPIC_GRANTS = []
+ALTER_TABLE_DROP_CHANGEFEED_GRANTS = ['ydb.granular.alter_schema', 'ydb.granular.describe_schema']
+ALL_USED_GRANS = set(
+    CREATE_TABLE_GRANTS
+    + ALTER_TABLE_ADD_COLUMN_GRANTS
+    + ALTER_TABLE_DROP_COLUMN_GRANTS
+    + DROP_TABLE_GRANTS
+    + ALTER_TABLE_ADD_CHANGEFEED_GRANTS
+    + ALTER_TOPIC_ADD_CONSUMER_GRANTS
+    + READ_TOPIC_GRANTS
+    + ALTER_TABLE_DROP_CHANGEFEED_GRANTS
+)
+
+
+def run_query(config, query):
+    with ydb.Driver(config) as driver:
+        with ydb.QuerySessionPool(driver, size=1) as pool:
+            pool.execute_with_retries(query)
+
+
+def run_with_assert(config, query, expected_err=None):
+    if not expected_err:
+        run_query(config, query)
+        return
+
+    try:
+        run_query(config, query)
+        assert False, 'Error expected'
+    except Exception as e:
+        assert expected_err in str(e)
+
+
+def create_user(ydb_cluster, admin_config, user_name):
+    run_with_assert(admin_config, f"CREATE USER {user_name};")
+    return ydb.DriverConfig(
+        endpoint="%s:%s" % (ydb_cluster.nodes[1].host, ydb_cluster.nodes[1].port),
+        database=DATABASE,
+        credentials=ydb.StaticCredentials.from_user_password(user_name, ""),
+    )
+
+
+def revoke_grants(admin_config, user_name, object_name, all_grants):
+    if all_grants is None or len(all_grants) == 0:
+        return
+
+    revoke_grants_query = ''
+    for grant in all_grants:
+        revoke_grants_query += f"REVOKE '{grant}' ON `{object_name}` FROM {user_name};"
+    run_with_assert(admin_config, revoke_grants_query)
+
+
+def provide_grants(admin_config, user_name, object_name, required_grants):
+    if required_grants is None or len(required_grants) == 0:
+        return
+
+    provide_grants_query = ''
+    for grant in required_grants:
+        assert grant in ALL_USED_GRANS, 'Keep ALL_USED_GRANS updated with all used grants'
+        provide_grants_query += f"GRANT '{grant}' ON `{object_name}` TO {user_name};"
+    run_with_assert(admin_config, provide_grants_query)
+
+
+def _test_grants(admin_config, user_config, user_name, query, object_name, required_grants, expected_err):
+    revoke_grants(admin_config, user_name, object_name, ALL_USED_GRANS)
+    if required_grants is not None and len(required_grants) > 0:  # means the query does not require any grants
+        run_with_assert(user_config, query, expected_err=expected_err)
+        provide_grants(admin_config, user_name, object_name, required_grants)
+    run_with_assert(user_config, query)
+
+
+def test_granular_grants_for_tables(ydb_cluster):
+    ydb_cluster.create_database(DATABASE, storage_pool_units_count={"hdd": 1})
+    database_nodes = ydb_cluster.register_and_start_slots(DATABASE, count=1)
+    ydb_cluster.wait_tenant_up(DATABASE)
+
+    tenant_admin_config = ydb.DriverConfig(
+        endpoint="%s:%s" % (ydb_cluster.nodes[1].host, ydb_cluster.nodes[1].port),
+        database=DATABASE,
+    )
+
+    # CREATE TABLE
+    user1_config = create_user(ydb_cluster, tenant_admin_config, "user1")
+    create_table_query = f"CREATE TABLE {TABLE_NAME} (a Uint64, b Uint64, PRIMARY KEY (a));"
+    _test_grants(
+        tenant_admin_config,
+        user1_config,
+        'user1',
+        create_table_query,
+        DATABASE,
+        CREATE_TABLE_GRANTS,
+        "Access denied for scheme request",
+    )
+
+    # ALTER TABLE ... ADD COLUMN
+    user2_config = create_user(ydb_cluster, tenant_admin_config, "user2")
+    add_column_query = f"ALTER TABLE `{TABLE_PATH}` ADD COLUMN `d` Uint64;"
+    _test_grants(
+        tenant_admin_config,
+        user2_config,
+        'user2',
+        add_column_query,
+        TABLE_PATH,
+        ALTER_TABLE_ADD_COLUMN_GRANTS,
+        "you do not have access permissions",
+    )
+
+    # ALTER TABLE ... DROP COLUMN
+    drop_column_query = f"ALTER TABLE `{TABLE_PATH}` DROP COLUMN `d`;"
+    _test_grants(
+        tenant_admin_config,
+        user2_config,
+        'user2',
+        drop_column_query,
+        TABLE_PATH,
+        ALTER_TABLE_DROP_COLUMN_GRANTS,
+        "you do not have access permissions",
+    )
+
+    # DROP TABLE
+    drop_table_query = f"DROP TABLE `{TABLE_PATH}`;"
+    _test_grants(
+        tenant_admin_config,
+        user2_config,
+        'user2',
+        drop_table_query,
+        TABLE_PATH,
+        DROP_TABLE_GRANTS,
+        "you do not have access permissions",
+    )
+
+    ydb_cluster.remove_database(DATABASE)
+    ydb_cluster.unregister_and_stop_slots(database_nodes)
+
+
+def test_cdc_grants(ydb_cluster):
+    ydb_cluster.create_database(DATABASE, storage_pool_units_count={"hdd": 1})
+    database_nodes = ydb_cluster.register_and_start_slots(DATABASE, count=1)
+    ydb_cluster.wait_tenant_up(DATABASE)
+
+    tenant_admin_config = ydb.DriverConfig(
+        endpoint="%s:%s" % (ydb_cluster.nodes[1].host, ydb_cluster.nodes[1].port),
+        database=DATABASE,
+    )
+
+    # setup table
+    user1_config = create_user(ydb_cluster, tenant_admin_config, "user1")
+    run_with_assert(tenant_admin_config, f"GRANT CREATE TABLE ON `{DATABASE}` TO user1;")
+    run_with_assert(user1_config, f"CREATE TABLE {TABLE_NAME} (a Uint64, b Uint64, PRIMARY KEY (a));")
+    run_with_assert(user1_config, f"INSERT INTO `{TABLE_PATH}` (a, b) VALUES (1, 1);")
+
+    # ALTER TABLE ... ADD CHANGEFEED
+    user2_config = create_user(ydb_cluster, tenant_admin_config, "user2")
+    create_changefeed_query = f"ALTER TABLE `{TABLE_PATH}` ADD CHANGEFEED updates WITH (FORMAT = 'JSON', MODE = 'NEW_AND_OLD_IMAGES', INITIAL_SCAN = TRUE);"
+    _test_grants(
+        tenant_admin_config,
+        user2_config,
+        'user2',
+        create_changefeed_query,
+        TABLE_PATH,
+        ALTER_TABLE_ADD_CHANGEFEED_GRANTS,
+        "you do not have access permissions",
+    )
+
+    # ALTER TOPIC ... ADD CONSUMER
+    user3_config = create_user(ydb_cluster, tenant_admin_config, "user3")
+    add_consumer_query = f"ALTER TOPIC `{TABLE_PATH}/updates` ADD CONSUMER consumer;"
+    _test_grants(
+        tenant_admin_config,
+        user3_config,
+        'user3',
+        add_consumer_query,
+        TABLE_PATH,
+        ALTER_TOPIC_ADD_CONSUMER_GRANTS,
+        "you do not have access rights",
+    )
+
+    # READ CHANGEFEED
+    user4_config = create_user(ydb_cluster, tenant_admin_config, "user4")
+    with ydb.Driver(user4_config) as driver:
+        with driver.topic_client.reader(f"{TABLE_PATH}/updates", consumer="consumer", buffer_size_bytes=1000) as reader:
+            message = reader.receive_message(timeout=5)
+            assert '"newImage"' in message.data.decode("utf-8")
+
+    # ALTER TABLE ... DROP CHANGEFEED
+    drop_changefeed_query = f"ALTER TABLE `{TABLE_PATH}` DROP CHANGEFEED updates;"
+    _test_grants(
+        tenant_admin_config,
+        user4_config,
+        'user4',
+        drop_changefeed_query,
+        TABLE_PATH,
+        ALTER_TABLE_DROP_CHANGEFEED_GRANTS,
+        "you do not have access permissions",
+    )
+
+    ydb_cluster.remove_database(DATABASE)
+    ydb_cluster.unregister_and_stop_slots(database_nodes)
diff --git a/ydb/tests/functional/security/ya.make b/ydb/tests/functional/security/ya.make
@@ -0,0 +1,34 @@
+PY3TEST()
+
+INCLUDE(${ARCADIA_ROOT}/ydb/tests/ydbd_dep.inc)
+
+TEST_SRCS(
+    conftest.py
+    test_grants.py
+)
+
+SPLIT_FACTOR(20)
+
+INCLUDE(${ARCADIA_ROOT}/ydb/tests/library/flavours/flavours_deps.inc)
+
+DEPENDS(
+)
+
+PEERDIR(
+    ydb/tests/library
+    ydb/tests/library/fixtures
+    ydb/tests/library/flavours
+    ydb/tests/oss/ydb_sdk_import
+)
+
+FORK_SUBTESTS()
+
+IF (SANITIZER_TYPE)
+    SIZE(LARGE)
+    INCLUDE(${ARCADIA_ROOT}/ydb/tests/large.inc)
+    REQUIREMENTS(ram:10 cpu:1)
+ELSE()
+    SIZE(MEDIUM)
+ENDIF()
+
+END()
diff --git a/ydb/tests/functional/ya.make b/ydb/tests/functional/ya.make
@@ -25,6 +25,7 @@ RECURSE(
     scheme_tests
     script_execution
     sdk/cpp/sdk_credprovider
+    security
     serializable
     serverless
     sqs

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+pytest_plugins = ['ydb.tests.library.fixtures', 'ydb.tests.library.flavours']`