Add user attribute to keep gizmo resource id (#17952)

StekPerepolnen · StekPerepolnen · commit fafbd911b666 · 2025-05-15T15:51:48.000+02:00
diff --git a/ydb/core/grpc_services/grpc_request_check_actor.h b/ydb/core/grpc_services/grpc_request_check_actor.h
@@ -39,37 +39,40 @@ bool TGRpcRequestProxyHandleMethods::ValidateAndReplyOnError(TCtx* ctx) {
     }
 }
 
-inline const TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry>& GetEntriesForAuthAndCheckRequest(TEvRequestAuthAndCheck::TPtr& ev) {
+inline TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry> GetEntriesForAuthAndCheckRequest(TEvRequestAuthAndCheck::TPtr& ev, const TVector<std::pair<TString, TString>>& rootAttributes) {
     const bool isBearerToken = ev->Get()->YdbToken && ev->Get()->YdbToken->StartsWith("Bearer");
     const bool useAccessService = AppData()->AuthConfig.GetUseAccessService();
-    const bool hasClusterAccessResourceId = !AppData()->AuthConfig.GetClusterAccessResourceId().empty();
     const bool needClusterAccessResourceCheck = AppData()->DomainsConfig.GetSecurityConfig().ViewerAllowedSIDsSize() > 0 ||
                                 AppData()->DomainsConfig.GetSecurityConfig().MonitoringAllowedSIDsSize() > 0;
 
-    if (!isBearerToken || !useAccessService || !hasClusterAccessResourceId || !needClusterAccessResourceCheck) {
-        static const TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> emptyEntries = {};
-        return emptyEntries;
+    if (!isBearerToken || !useAccessService || !needClusterAccessResourceCheck) {
+        return {};
     }
 
-    auto makeEntries = []() -> TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> {
-        const TString& accessServiceType = AppData()->AuthConfig.GetAccessServiceType();
-        TVector<TString> permissions;
-        if (accessServiceType == "Yandex_v2") {
-            permissions = {"ydb.developerApi.get", "ydb.developerApi.update"};
-        } else if (accessServiceType == "Nebius_v1") {
-            permissions = {"ydb.clusters.get", "ydb.clusters.monitor", "ydb.clusters.manage"};
-        } else {
+    const TString& accessServiceType = AppData()->AuthConfig.GetAccessServiceType();
+
+    if (accessServiceType == "Yandex_v2") {
+        static const TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> entries = {
+            {NKikimr::TEvTicketParser::TEvAuthorizeTicket::ToPermissions({"ydb.developerApi.get", "ydb.developerApi.update"}), {{"gizmo_id", "gizmo"}}}
+        };
+        return entries;
+    } else if (accessServiceType == "Nebius_v1") {
+        static const auto permissions = NKikimr::TEvTicketParser::TEvAuthorizeTicket::ToPermissions({
+            "ydb.clusters.get", "ydb.clusters.monitor", "ydb.clusters.manage"
+        });
+        auto it = std::find_if(rootAttributes.begin(), rootAttributes.end(),
+        [](const std::pair<TString, TString>& p) {
+            return p.first == "container_id";
+        });
+        if (it == rootAttributes.end()) {
             return {};
         }
-        const TString& clusterAccessResourceId = AppData()->AuthConfig.GetClusterAccessResourceId();
-        TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> entries = {
-            {NKikimr::TEvTicketParser::TEvAuthorizeTicket::ToPermissions(permissions), {{"gizmo_id", clusterAccessResourceId}}}
+        return {
+            {permissions, {{"gizmo_id", it->second}}}
         };
-        return entries;
-    };
-
-    static TVector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> entries = makeEntries();
-    return entries;
+    } else {
+        return {};
+    }
 }
 
 template <typename TEvent>
@@ -99,14 +102,14 @@ class TGrpcRequestCheckActor
 
     static const TVector<TString>& GetPermissions();
 
-    void InitializeAttributesFromSchema(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData) {
+    void InitializeAttributesFromSchema(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData, const TVector<std::pair<TString, TString>>& rootAttributes) {
         CheckedDatabaseName_ = CanonizePath(schemeData.GetPath());
         if (!GrpcRequestBaseCtx_->TryCustomAttributeProcess(schemeData, this)) {
-            ProcessCommonAttributes(schemeData);
+            ProcessCommonAttributes(schemeData, rootAttributes);
         }
     }
 
-    void ProcessCommonAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData) {
+    void ProcessCommonAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData, const TVector<std::pair<TString, TString>>& rootAttributes) {
         TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry> entries;
         static std::vector<TString> allowedAttributes = {"folder_id", "service_account_id", "database_id"};
         TVector<std::pair<TString, TString>> attributes;
@@ -121,7 +124,7 @@ class TGrpcRequestCheckActor
         }
 
         if constexpr (std::is_same_v<TEvent, TEvRequestAuthAndCheck>) {
-            const auto& e = GetEntriesForAuthAndCheckRequest(Request_);
+            const auto& e = GetEntriesForAuthAndCheckRequest(Request_, rootAttributes);
             entries.insert(entries.end(), e.begin(), e.end());
         }
 
@@ -134,12 +137,12 @@ class TGrpcRequestCheckActor
         TBase::SetEntries(entries);
     }
 
-    void InitializeAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData);
+    void InitializeAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData, const TVector<std::pair<TString, TString>>& rootAttributes);
 
-    void Initialize(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData) {
+    void Initialize(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData, const TVector<std::pair<TString, TString>>& rootAttributes) {
         TString peerName = GrpcRequestBaseCtx_->GetPeerName();
         TBase::SetPeerName(peerName);
-        InitializeAttributes(schemeData);
+        InitializeAttributes(schemeData, rootAttributes);
         TBase::SetDatabase(CheckedDatabaseName_);
         InitializeAuditSettings(schemeData);
     }
@@ -151,7 +154,8 @@ class TGrpcRequestCheckActor
         TAutoPtr<TEventHandle<TEvent>> request,
         IGRpcProxyCounters::TPtr counters,
         bool skipCheckConnectRights,
-        const IFacilityProvider* facilityProvider)
+        const IFacilityProvider* facilityProvider,
+        const TVector<std::pair<TString, TString>>& rootAttributes)
         : Owner_(owner)
         , Request_(std::move(request))
         , Counters_(counters)
@@ -171,7 +175,7 @@ class TGrpcRequestCheckActor
                 TBase::SetSecurityToken(TString(clientCertificates.front()));
             }
         }
-        Initialize(schemeData);
+        Initialize(schemeData, rootAttributes);
     }
 
     void Bootstrap(const TActorContext& ctx) {
@@ -614,11 +618,11 @@ class TGrpcRequestCheckActor
 
 // default behavior - attributes in schema
 template <typename TEvent>
-void TGrpcRequestCheckActor<TEvent>::InitializeAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData) {
+void TGrpcRequestCheckActor<TEvent>::InitializeAttributes(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData, const TVector<std::pair<TString, TString>>& rootAttributes) {
     for (const auto& attr : schemeData.GetPathDescription().GetUserAttributes()) {
         Attributes_.emplace_back(std::make_pair(attr.GetKey(), attr.GetValue()));
     }
-    InitializeAttributesFromSchema(schemeData);
+    InitializeAttributesFromSchema(schemeData, rootAttributes);
 }
 
 template<typename T>
@@ -662,9 +666,10 @@ IActor* CreateGrpcRequestCheckActor(
     TAutoPtr<TEventHandle<TEvent>> request,
     IGRpcProxyCounters::TPtr counters,
     bool skipCheckConnectRights,
+    const TVector<std::pair<TString, TString>>& rootAttributes,
     const IFacilityProvider* facilityProvider) {
 
-    return new TGrpcRequestCheckActor<TEvent>(owner, schemeData, std::move(securityObject), std::move(request), counters, skipCheckConnectRights, facilityProvider);
+    return new TGrpcRequestCheckActor<TEvent>(owner, schemeData, std::move(securityObject), std::move(request), counters, skipCheckConnectRights, facilityProvider, rootAttributes);
 }
 
 }
diff --git a/ydb/core/grpc_services/grpc_request_proxy.cpp b/ydb/core/grpc_services/grpc_request_proxy.cpp
@@ -227,6 +227,25 @@ class TGRpcRequestProxyImpl
         }
 
         if (database) {
+            TVector<std::pair<TString, TString>> rootAttributes;
+            auto rootIt = Databases.find(RootDatabase);
+            if (rootIt == Databases.end() || !rootIt->second.IsDatabaseReady() || !rootIt->second.SchemeBoardResult) {
+                Counters->IncDatabaseUnavailableCounter();
+                const TString error = "Grpc proxy is not ready to accept request, root database unknown";
+                LOG_ERROR(ctx, NKikimrServices::GRPC_SERVER, error);
+                const auto issue = MakeIssue(NKikimrIssues::TIssuesIds::YDB_DB_NOT_READY, error);
+                requestBaseCtx->RaiseIssue(issue);
+                requestBaseCtx->ReplyWithYdbStatus(Ydb::StatusIds::UNAVAILABLE);
+                requestBaseCtx->FinishSpan();
+                return;
+            }
+
+            const auto& schemeData = rootIt->second.SchemeBoardResult->DescribeSchemeResult;
+            rootAttributes.reserve(schemeData.GetPathDescription().UserAttributesSize());
+            for (const auto& attr : schemeData.GetPathDescription().GetUserAttributes()) {
+                rootAttributes.emplace_back(std::make_pair(attr.GetKey(), attr.GetValue()));
+            }
+
             if (database->SchemeBoardResult) {
                 const auto& domain = database->SchemeBoardResult->DescribeSchemeResult.GetPathDescription().GetDomainDescription();
                 if (domain.HasResourcesDomainKey() && !skipResourceCheck && DynamicNode) {
@@ -272,6 +291,7 @@ class TGRpcRequestProxyImpl
                 event.Release(),
                 Counters,
                 skipCheckConnectRigths,
+                rootAttributes,
                 this));
             return;
         }
diff --git a/ydb/core/grpc_services/grpc_request_proxy_simple.cpp b/ydb/core/grpc_services/grpc_request_proxy_simple.cpp
@@ -132,7 +132,7 @@ class TGRpcRequestProxySimple
 
         {
             TSchemeBoardEvents::TDescribeSchemeResult schemeData;
-            Register(CreateGrpcRequestCheckActor<TEvent>(SelfId(), schemeData, nullptr, event.Release(), Counters, false, this));
+            Register(CreateGrpcRequestCheckActor<TEvent>(SelfId(), schemeData, nullptr, event.Release(), Counters, false, {}, this));
             return;
         }
 
diff --git a/ydb/core/protos/auth.proto b/ydb/core/protos/auth.proto
@@ -58,7 +58,6 @@ message TAuthConfig {
     optional string NodeRegistrationToken = 82 [default = "root@builtin", (Ydb.sensitive) = true];
     optional TPasswordComplexity PasswordComplexity = 83;
     optional TAccountLockout AccountLockout = 84;
-    optional string ClusterAccessResourceId = 85 [default = "gizmo"];
 }
 
 message TUserRegistryConfig {
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
@@ -462,7 +462,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
         pathsContainer->mutable_resource_path()->add_path()->set_id(id);
     }
 
-    static void AddNebiusContainerId(nebius::iam::v1::AuthorizeCheck* pathsContainer, const TString& id) {
+    static void SetNebiusContainerId(nebius::iam::v1::AuthorizeCheck* pathsContainer, const TString& id) {
         pathsContainer->set_container_id(id);
     }
 
@@ -474,16 +474,17 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             AddNebiusResourcePath(pathsContainer, databaseId);
         }
 
-        // Use attribute "folder_id" as container id that contains our database
-        // IAM can link roles for containers hierarchy
-        if (const auto folderId = record.GetAttributeValue(permission, "folder_id"); folderId) {
-            AddNebiusContainerId(pathsContainer, folderId);
-        }
-
         // Use attribute "gizmo_id" as container id that contains cluster access resource
         // IAM can link roles for cluster access resource
+        // Note: "gizmo_id" and "folder_id" are always sent in separate TEvAuthorizeTicket requests
         if (const auto gizmoId = record.GetAttributeValue(permission, "gizmo_id"); gizmoId) {
-            AddNebiusContainerId(pathsContainer, gizmoId);
+            SetNebiusContainerId(pathsContainer, gizmoId);
+        }
+
+        // Use attribute "folder_id" as container id that contains our database
+        // IAM can link roles for containers hierarchy
+        if (const auto folderId = record.GetAttributeValue(permission, "folder_id"); folderId) {
+            SetNebiusContainerId(pathsContainer, folderId);
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ class TGRpcRequestProxySimple`
`132`	`132`
`133`	`133`	`{`
`134`	`134`	`TSchemeBoardEvents::TDescribeSchemeResult schemeData;`
`135`		`- Register(CreateGrpcRequestCheckActor<TEvent>(SelfId(), schemeData, nullptr, event.Release(), Counters, false, this));`
	`135`	`+ Register(CreateGrpcRequestCheckActor<TEvent>(SelfId(), schemeData, nullptr, event.Release(), Counters, false, {}, this));`
`136`	`136`	`return;`
`137`	`137`	`}`
`138`	`138`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,6 @@ message TAuthConfig {`
`58`	`58`	`optional string NodeRegistrationToken = 82 [default = "root@builtin", (Ydb.sensitive) = true];`
`59`	`59`	`optional TPasswordComplexity PasswordComplexity = 83;`
`60`	`60`	`optional TAccountLockout AccountLockout = 84;`
`61`		`- optional string ClusterAccessResourceId = 85 [default = "gizmo"];`
`62`	`61`	`}`
`63`	`62`
`64`	`63`	`message TUserRegistryConfig {`
Original file line number	Diff line number	Diff line change
`@@ -462,7 +462,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {`
`462`	`462`	`pathsContainer->mutable_resource_path()->add_path()->set_id(id);`
`463`	`463`	`}`
`464`	`464`
`465`		`- static void AddNebiusContainerId(nebius::iam::v1::AuthorizeCheck* pathsContainer, const TString& id) {`
	`465`	`+ static void SetNebiusContainerId(nebius::iam::v1::AuthorizeCheck* pathsContainer, const TString& id) {`
`466`	`466`	`pathsContainer->set_container_id(id);`
`467`	`467`	`}`
`468`	`468`
`@@ -474,16 +474,17 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {`
`474`	`474`	`AddNebiusResourcePath(pathsContainer, databaseId);`
`475`	`475`	`}`
`476`	`476`
`477`		`- // Use attribute "folder_id" as container id that contains our database`
`478`		`- // IAM can link roles for containers hierarchy`
`479`		`- if (const auto folderId = record.GetAttributeValue(permission, "folder_id"); folderId) {`
`480`		`- AddNebiusContainerId(pathsContainer, folderId);`
`481`		`- }`
`482`		`-`
`483`	`477`	`// Use attribute "gizmo_id" as container id that contains cluster access resource`
`484`	`478`	`// IAM can link roles for cluster access resource`
	`479`	`+ // Note: "gizmo_id" and "folder_id" are always sent in separate TEvAuthorizeTicket requests`
`485`	`480`	`if (const auto gizmoId = record.GetAttributeValue(permission, "gizmo_id"); gizmoId) {`
`486`		`- AddNebiusContainerId(pathsContainer, gizmoId);`
	`481`	`+ SetNebiusContainerId(pathsContainer, gizmoId);`
	`482`	`+ }`
	`483`	`+`
	`484`	`+ // Use attribute "folder_id" as container id that contains our database`
	`485`	`+ // IAM can link roles for containers hierarchy`
	`486`	`+ if (const auto folderId = record.GetAttributeValue(permission, "folder_id"); folderId) {`
	`487`	`+ SetNebiusContainerId(pathsContainer, folderId);`
`487`	`488`	`}`
`488`	`489`	`}`
`489`	`490`