schemeshard: add notion and protection of system path names (#19620)

New feature flag `enable_system_names_protection` prohibits users from creating paths with names reserved for current or future system use.

YDB exclusively reserves names like `.sys`, `.metadata`, `.tmp`, `.backups` etc. and any names starting with prefixes `.` and `__ydb` for its own use.

Also introduces safeguards against carelessly using reserved names in future code.

Special tests verify that:

- New scheme create operations include protection for reserved names
- Modifications to the reserved name registry will not go unnoticed

The latter is designed to protect well-meaning developers from careless actions.
YDB developers must obtain explicit consent from the project committee to add new names to the reserved list.

Author: ijon

ydb/core/kqp/proxy_service/kqp_script_executions_ut.cpp

@@ -58,7 +58,7 @@ const TVector<NKikimrSchemeOp::TColumnDescription> EXTENDED_COLUMNS = {
     Col("col5", NScheme::NTypeIds::Interval)
 };
 
-const TVector<TString> TEST_TABLE_PATH = { ".test", "test_table" };
+const TVector<TString> TEST_TABLE_PATH = { "test", "test_table" };
 
 const TVector<TString> TEST_KEY_COLUMNS = {"col1"};
 
@@ -349,15 +349,18 @@ Y_UNIT_TEST_SUITE(TableCreation) {
 
         constexpr i32 requests = 2;
 
+        auto uniqueTablePath = TEST_TABLE_PATH;
         TVector<TActorId> edgeActors;
         for (i32 i = 0; i < requests; ++i) {
-            edgeActors.push_back(ydb.CreateTableInDbAsync(DEFAULT_COLUMNS, { ".test", "test_table" + ToString(i)}));
+            uniqueTablePath.back() = TEST_TABLE_PATH.back() + ToString(i);
+            edgeActors.push_back(ydb.CreateTableInDbAsync(DEFAULT_COLUMNS, uniqueTablePath));
         }
 
         ydb.WaitTableCreation(std::move(edgeActors));
 
         for(i32 i = 0; i < requests; i++) {
-            ydb.VerifyColumnsList({".test", "test_table" + ToString(i)});
+            uniqueTablePath.back() = TEST_TABLE_PATH.back() + ToString(i);
+            ydb.VerifyColumnsList(uniqueTablePath);
         }
     }
 
@@ -367,17 +370,20 @@ Y_UNIT_TEST_SUITE(TableCreation) {
         constexpr i32 tables = 2;
         constexpr i32 requests = 20;
 
+        auto uniqueTablePath = TEST_TABLE_PATH;
         TVector<TActorId> edgeActors;
         for (i32 i = 0; i < tables; ++i) {
-            for (i32 j = 0; j < requests; ++j){
-                edgeActors.push_back(ydb.CreateTableInDbAsync(DEFAULT_COLUMNS, { ".test", "test_table" + ToString(i)}));
+            uniqueTablePath.back() = TEST_TABLE_PATH.back() + ToString(i);
+            for (i32 j = 0; j < requests; ++j) {
+                edgeActors.push_back(ydb.CreateTableInDbAsync(DEFAULT_COLUMNS, uniqueTablePath));
             }
         }
 
         ydb.WaitTableCreation(std::move(edgeActors));
 
         for(i32 i = 0; i < tables; i++) {
-            ydb.VerifyColumnsList({".test", "test_table" + ToString(i)});
+            uniqueTablePath.back() = TEST_TABLE_PATH.back() + ToString(i);
+            ydb.VerifyColumnsList(uniqueTablePath);
         }
     }
 

ydb/core/protos/feature_flags.proto

@@ -213,4 +213,5 @@ message TFeatureFlags {
     optional bool EnableAddUniqueIndex = 187 [default = false];
     optional bool EnableSharedMetadataAccessorCache = 188 [default = true, deprecated = true];
     optional bool RequireDbPrefixInSecretName = 189 [default = false];
+    optional bool EnableSystemNamesProtection = 190 [default = false];
 }

ydb/core/sys_view/ut_kqp.cpp

@@ -3578,6 +3578,12 @@ ALTER OBJECT `/Root/test_show_create` (TYPE TABLE) SET (ACTION = UPSERT_OPTIONS,
     Y_UNIT_TEST(SystemViewFailOps) {
         TTestEnv env;
 
+        // Make AdministrationAllowedSIDs non-empty to deny anonymous user cluster admin privilege.
+        // All requests here are made anonymously, effectively making all requests run with admin rights.
+        // That can cause side effects, especially when dealing with system reserved names.
+        // Using an authorized non-admin user helps avoid these side effects.
+        env.GetServer().GetRuntime()->GetAppData().AdministrationAllowedSIDs.push_back("thou-shalt-not-pass");
+
         TTableClient client(env.GetDriver());
         auto session = client.CreateSession().GetValueSync().GetSession();
 

ydb/core/testlib/basics/feature_flags.h

@@ -79,6 +79,7 @@ class TTestFeatureFlagsHolder {
     FEATURE_FLAG_SETTER(EnableShowCreate)
     FEATURE_FLAG_SETTER(EnableLocalDBBtreeIndex)
     FEATURE_FLAG_SETTER(EnableSharedMetadataAccessorCache)
+    FEATURE_FLAG_SETTER(EnableSystemNamesProtection)
 
     #undef FEATURE_FLAG_SETTER
 };

ydb/core/tx/schemeshard/olap/operations/create_store.cpp

@@ -377,7 +377,7 @@ class TCreateOlapStore: public TSubOperation {
 
             if (checks) {
                 checks
-                    .IsValidLeafName()
+                    .IsValidLeafName(context.UserToken.Get())
                     .DepthLimit()
                     .PathsLimit()
                     .DirChildrenLimit()

ydb/core/tx/schemeshard/olap/operations/create_table.cpp

@@ -665,7 +665,7 @@ class TCreateColumnTable: public TSubOperation {
 
             if (checks) {
                 checks
-                    .IsValidLeafName()
+                    .IsValidLeafName(context.UserToken.Get())
                     .DepthLimit()
                     .PathsLimit()
                     .ShardsLimit(storeInfo ? 0 : shardsCount)

ydb/core/tx/schemeshard/schemeshard__op_traits.cpp

@@ -0,0 +1,157 @@
+#include <ydb/core/protos/schemeshard/operations.pb.h>
+
+#include "schemeshard__op_traits.h"
+
+
+namespace NKikimr::NSchemeShard {
+
+enum EOperationClass {
+    Create = 0,
+    Alter,
+    Drop,
+    Other,
+    Unknown
+};
+
+EOperationClass GetOperationClass(NKikimrSchemeOp::EOperationType op) {
+    switch (op) {
+        // Simple operations that create paths
+        case NKikimrSchemeOp::EOperationType::ESchemeOpMkDir:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreatePersQueueGroup:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateRtmrVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateBlockStoreVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateKesus:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateSolomonVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateIndexedTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateTableIndex:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateExtSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateFileStore:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateColumnStore:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateColumnTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateCdcStream:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpMoveTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpMoveTableIndex:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateSequence:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateReplication:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateBlobDepot:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateExternalTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpMoveIndex:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateExternalDataSource:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateView:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateResourcePool:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateContinuousBackup:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateBackupCollection:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpMoveSequence:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateTransfer:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateSysView:
+            return EOperationClass::Create;
+
+        // Simple operations that drop paths
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropPersQueueGroup:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpRmDir:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropBlockStoreVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropKesus:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpForceDropSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropSolomonVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpForceDropUnsafe:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropTableIndex:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpForceDropExtSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropLock:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropIndex:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropTableIndexAtMainTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropFileStore:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropColumnStore:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropColumnTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropCdcStream:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropSequence:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropReplication:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropBlobDepot:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropView:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropResourcePool:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropExternalTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropExternalDataSource:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropContinuousBackup:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropBackupCollection:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropTransfer:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropTransferCascade:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropSysView:
+            return EOperationClass::Drop;
+
+        // Simple operations that alter paths
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterPersQueueGroup:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpModifyACL:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterBlockStoreVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterKesus:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterUserAttributes:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterExtSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterTableIndex:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterSolomonVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterFileStore:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterColumnStore:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterColumnTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterCdcStream:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterSequence:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterReplication:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterBlobDepot:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterExternalTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterExternalDataSource:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterView:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterResourcePool:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterContinuousBackup:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterBackupCollection:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterTransfer:
+            return EOperationClass::Alter;
+
+        // Compound or special operations
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateConsistentCopyTables:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpSplitMergeTablePartitions:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpBackup:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAssignBlockStoreVolume:
+        case NKikimrSchemeOp::EOperationType::ESchemeOp_DEPRECATED_35:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpUpgradeSubDomain:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpUpgradeSubDomainDecision:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateIndexBuild:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpInitiateBuildIndexMainTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateLock:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpApplyIndexBuild:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpFinalizeBuildIndexMainTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpFinalizeBuildIndexImplTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpInitiateBuildIndexImplTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCancelIndexBuild:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpRestore:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterLogin:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateCdcStreamImpl:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateCdcStreamAtTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterCdcStreamImpl:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterCdcStreamAtTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropCdcStreamImpl:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropCdcStreamAtTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpDropReplicationCascade:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpAlterExtSubDomainCreateHive:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateColumnBuild:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpRestoreMultipleIncrementalBackups:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpRestoreIncrementalBackupAtTable:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpBackupBackupCollection:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpBackupIncrementalBackupCollection:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpRestoreBackupCollection:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpCreateLongIncrementalRestoreOp:
+        case NKikimrSchemeOp::EOperationType::ESchemeOpChangePathState:
+            return EOperationClass::Other;
+
+        // intentionally no default -- to trigger [-Werror,-Wswitch] compile error on any new entry not handled here
+    }
+
+    return EOperationClass::Unknown;
+}
+
+bool IsCreatePathOperation(NKikimrSchemeOp::EOperationType op) {
+    return (GetOperationClass(op) == EOperationClass::Create);
+}
+
+}  // namespace NKikimr::NSchemeShard

ydb/core/tx/schemeshard/schemeshard__op_traits.h

@@ -173,6 +173,13 @@ struct TSchemeTxTraits<NKikimrSchemeOp::EOperationType::ESchemeOpRestoreBackupCo
     constexpr inline static bool CreateAdditionalDirs = true;
 };
 
+template <>
+struct TSchemeTxTraits<NKikimrSchemeOp::EOperationType::ESchemeOpCreateSequence>
+    : public TSchemeTxTraitsFallback
+{
+    constexpr inline static bool CreateDirsFromName = true;
+};
+
 template <>
 struct TSchemeTxTraits<NKikimrSchemeOp::EOperationType::ESchemeOpCreateReplication>
     : public TSchemeTxTraitsFallback
@@ -232,4 +239,6 @@ bool Rewrite(TTraits traits, TTxTransaction& tx) {
     return false;
 }
 
-}// namespace NKikimr::NSchemeShard
+bool IsCreatePathOperation(NKikimrSchemeOp::EOperationType op);
+
+}  // namespace NKikimr::NSchemeShard

ydb/core/tx/schemeshard/schemeshard__operation.cpp

@@ -91,14 +91,6 @@ struct TSchemeShard::TTxOperationProposeCancelTx: public NTabletFlatExecutor::TT
     }
 };
 
-NKikimrScheme::TEvModifySchemeTransaction GetRecordForPrint(const NKikimrScheme::TEvModifySchemeTransaction& record) {
-    auto recordForPrint = record;
-    if (record.HasUserToken()) {
-        recordForPrint.SetUserToken("***hide token***");
-    }
-    return recordForPrint;
-}
-
 bool TSchemeShard::ProcessOperationParts(
     const TVector<ISubOperation::TPtr>& parts,
     const TTxId& txId,
@@ -868,10 +860,6 @@ bool CreateDirs(const TTxTransaction& tx, const TPath& parentPath, TPath path, T
                 .NotResolved();
         }
 
-        if (checks) {
-            checks.IsValidLeafName();
-        }
-
         if (!checks) {
             result.Status = checks.GetStatus();
             result.Reason = checks.GetError();
@@ -964,10 +952,6 @@ TOperation::TSplitTransactionsResult TOperation::SplitIntoTransactions(const TTx
                     .NotResolved();
             }
 
-            if (checks && !exists) {
-                checks.IsValidLeafName();
-            }
-
             if (!checks) {
                 result.Status = checks.GetStatus();
                 result.Reason = checks.GetError();

ydb/core/tx/schemeshard/schemeshard__operation_alter_external_data_source.cpp

@@ -91,18 +91,13 @@ class TAlterExternalDataSource : public TSubOperation {
     }
 
     static bool IsDestinationPathValid(const THolder<TProposeResponse>& result,
-                                       const TPath& dstPath,
-                                       const TString& acl) {
+                                       const TPath& dstPath) {
         const auto checks = dstPath.Check();
         checks.IsAtLocalSchemeShard()
             .IsResolved()
             .NotUnderDeleting()
             .FailOnWrongType(TPathElement::EPathType::EPathTypeExternalDataSource)
-            .IsValidLeafName()
-            .DepthLimit()
-            .PathsLimit()
-            .DirChildrenLimit()
-            .IsValidACL(acl);
+            ;
 
         if (!checks) {
             result->SetError(checks.GetStatus(), checks.GetError());
@@ -179,15 +174,11 @@ class TAlterExternalDataSource : public TSubOperation {
         const TOperationContext& context,
         NIceDb::TNiceDb& db,
         const TPathElement::TPtr& externalDataSourcePath,
-        const TExternalDataSourceInfo::TPtr& externalDataSourceInfo,
-        const TString& acl) const {
+        const TExternalDataSourceInfo::TPtr& externalDataSourceInfo) const {
         const auto& externalDataSourcePathId = externalDataSourcePath->PathId;
 
         context.SS->ExternalDataSources[externalDataSourcePathId] = externalDataSourceInfo;
 
-        if (!acl.empty()) {
-            externalDataSourcePath->ApplyACL(acl);
-        }
         context.SS->PersistPath(db, externalDataSourcePathId);
 
         context.SS->PersistExternalDataSource(db,
@@ -226,10 +217,9 @@ class TAlterExternalDataSource : public TSubOperation {
         RETURN_RESULT_UNLESS(NExternalDataSource::IsParentPathValid(
             result, parentPath, Transaction, /* isCreate */ false));
 
-        const TString acl   = Transaction.GetModifyACL().GetDiffACL();
         const TPath dstPath = parentPath.Child(name);
 
-        RETURN_RESULT_UNLESS(IsDestinationPathValid(result, dstPath, acl));
+        RETURN_RESULT_UNLESS(IsDestinationPathValid(result, dstPath));
         RETURN_RESULT_UNLESS(IsApplyIfChecksPassed(result, context));
         RETURN_RESULT_UNLESS(IsDescriptionValid(result, externalDataSourceDescription, context.SS->ExternalSourceFactory));
 
@@ -271,7 +261,7 @@ class TAlterExternalDataSource : public TSubOperation {
         AdvanceTransactionStateToPropose(context, db);
 
         PersistExternalDataSource(
-            context, db, externalDataSource, externalDataSourceInfo, acl);
+            context, db, externalDataSource, externalDataSourceInfo);
 
         IncParentDirAlterVersionWithRepublishSafeWithUndo(OperationId,
                                                           dstPath,