
Commit cc87125

committed
make @System auth domain more distinct from @Builtin
1 parent 37ee29e commit cc87125


6 files changed

+21
-19
lines changed


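--- a/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.cpp
+++ b/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.cpp
@@ -338,7 +338,7 @@ class TWorkloadServiceYdbSetup : public IYdbSetup {
 .SetEndpoint(TStringBuilder() << "localhost:" << grpcPort)
 .SetDatabase(TStringBuilder() << "/" << Settings_.DomainName_));
 
-TableClient_ = std::make_unique<NYdb::NTable::TTableClient>(*YdbDriver_, NYdb::NTable::TClientSettings().AuthToken("user@" BUILTIN_SYSTEM_DOMAIN));
+TableClient_ = std::make_unique<NYdb::NTable::TTableClient>(*YdbDriver_, NYdb::NTable::TClientSettings().AuthToken("user@" AUTH_DOMAIN_SYSTEM));
 TableClientSession_ = std::make_unique<NYdb::NTable::TSession>(TableClient_->CreateSession().GetValueSync().GetSession());
 
 Tenants_ = std::make_unique<TTenants>(Server_);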

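--- a/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.h
+++ b/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.h
@@ -27,7 +27,7 @@ struct TQueryRunnerSettings {
 // Query settings
 FLUENT_SETTING_DEFAULT(ui32, NodeIndex, 0);
 FLUENT_SETTING_DEFAULT(std::optional<TString>, PoolId, std::nullopt);
-FLUENT_SETTING_DEFAULT(TString, UserSID, "user@" BUILTIN_SYSTEM_DOMAIN);
+FLUENT_SETTING_DEFAULT(TString, UserSID, "user@" AUTH_DOMAIN_SYSTEM);
 FLUENT_SETTING_DEFAULT(TVector<TString>, GroupSIDs, {});
 FLUENT_SETTING_DEFAULT(TString, Database, "");
 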
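--- a/ydb/core/kqp/workload_service/ut/kqp_workload_service_actors_ut.cpp
+++ b/ydb/core/kqp/workload_service/ut/kqp_workload_service_actors_ut.cpp
@@ -12,7 +12,7 @@ namespace {
 using namespace NWorkload;
 
 
-TEvPrivate::TEvFetchPoolResponse::TPtr FetchPool(TIntrusivePtr<IYdbSetup> ydb, const TString& poolId = "", const TString& userSID = "user@" BUILTIN_SYSTEM_DOMAIN) {
+TEvPrivate::TEvFetchPoolResponse::TPtr FetchPool(TIntrusivePtr<IYdbSetup> ydb, const TString& poolId = "", const TString& userSID = "user@" AUTH_DOMAIN_SYSTEM) {
 const auto& settings = ydb->GetSettings();
 auto runtime = ydb->GetRuntime();
 const auto& edgeActor = runtime->AllocateEdgeActor();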
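--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -680,16 +680,22 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
 return true;
 }
 
-if (record.Ticket.EndsWith("@" BUILTIN_ERROR_DOMAIN)) {
+if (record.Ticket.EndsWith("@" AUTH_DOMAIN_ERROR)) {
 record.TokenType = TDerived::ETokenType::Builtin;
 SetError(key, record, { .Message = "Builtin error simulation" });
 CounterTicketsBuiltin->Inc();
 return true;
 }
+}
+return false;
+}
 
-if (record.Ticket.EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
+template <typename TTokenRecord>
+bool CanInitSystemToken(const TString& key, TTokenRecord& record) {
+if (record.TokenType == TDerived::ETokenType::Unknown || record.TokenType == TDerived::ETokenType::Builtin) {
+if (record.Ticket.EndsWith("@" AUTH_DOMAIN_ERROR)) {
 record.TokenType = TDerived::ETokenType::Builtin;
-SetError(key, record, { .Message = "System domain not available for user usage", .Retryable = false });
+SetError(key, record, { .Message = "System auth domain not available for user usage", .Retryable = false });
 CounterTicketsBuiltin->Inc();
 return true;
 }
@@ -1747,9 +1753,10 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
 return;
 }
 
-if (CanInitBuiltinToken(key, record) ||
-CanInitLoginToken(key, record) ||
-CanInitTokenFromCertificate(key, record)) {
+if (CanInitBuiltinToken(key, record)
+|| CanInitSystemToken(key, record)
+|| CanInitLoginToken(key, record)
+|| CanInitTokenFromCertificate(key, record)) {
 return;
 }
 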
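Review bot: The new CanInitSystemToken (new line 696 of the first hunk) tests the ticket suffix against `AUTH_DOMAIN_ERROR`, while the branch it was carved out of (old line 690) tested `BUILTIN_SYSTEM_DOMAIN` and the error message on the next line still speaks of the system auth domain; as written, a ticket ending in `@system` never reaches this rejection, and the `@error` suffix is already consumed by the identical check in CanInitBuiltinToken just above, so the new function looks unreachable. TUserToken::IsSystemUser() in aclib.cpp of this same commit is derived from that `@system` suffix, so this is the check that keeps externally supplied tickets out of the system domain; whether a later initializer in the chain would accept such a ticket cannot be determined from the hunk. The line should read `if (record.Ticket.EndsWith("@" AUTH_DOMAIN_SYSTEM)) {`. A unit test that submits a `user@system` ticket and expects the "System auth domain not available for user usage" error would pin the intended behavior. The start of CanInitBuiltinToken and the end of CanInitSystemToken lie outside the hunk.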
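--- a/ydb/library/aclib/aclib.cpp
+++ b/ydb/library/aclib/aclib.cpp
@@ -135,7 +135,7 @@ void TUserToken::AddGroupSID(const TSID& groupSID) {
 }
 
 bool TUserToken::IsSystemUser() const {
-return GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN);
+return GetUserSID().EndsWith("@" AUTH_DOMAIN_SYSTEM);
 }
 
 TSecurityObject::TSecurityObject(const NACLibProto::TSecurityObject& protoSecObj, bool isContainer)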

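--- a/ydb/library/aclib/aclib.h
+++ b/ydb/library/aclib/aclib.h
@@ -8,11 +8,11 @@ namespace NACLib {
 
 #define BUILTIN_ACL_DOMAIN "builtin"
 #define BUILTIN_ACL_ROOT "root@" BUILTIN_ACL_DOMAIN
-#define BUILTIN_ERROR_DOMAIN "error"
-#define BUILTIN_SYSTEM_DOMAIN "system"
+#define AUTH_DOMAIN_ERROR "error"
+#define AUTH_DOMAIN_SYSTEM "system"
 
-#define BUILTIN_ACL_METADATA "metadata@" BUILTIN_SYSTEM_DOMAIN
-#define BUILTIN_ACL_TMP "tmp@" BUILTIN_SYSTEM_DOMAIN
+#define BUILTIN_ACL_METADATA "metadata@" AUTH_DOMAIN_SYSTEM
+#define BUILTIN_ACL_TMP "tmp@" AUTH_DOMAIN_SYSTEM
 
 class TUserToken;
 class TSystemUsers {
@@ -173,9 +173,4 @@ class TSecurityObject : public NACLibProto::TSecurityObject {
 bool IsContainer;
 };
 
-
-
-
-
-
 }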
