make @System auth domain more distinct from @Builtin

ijon · ijon · commit cc87125ad711 · 2025-06-11T19:25:19.000+03:00
diff --git a/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.cpp b/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.cpp
@@ -338,7 +338,7 @@ class TWorkloadServiceYdbSetup : public IYdbSetup {
             .SetEndpoint(TStringBuilder() << "localhost:" << grpcPort)
             .SetDatabase(TStringBuilder() << "/" << Settings_.DomainName_));
 
-        TableClient_ = std::make_unique<NYdb::NTable::TTableClient>(*YdbDriver_, NYdb::NTable::TClientSettings().AuthToken("user@" BUILTIN_SYSTEM_DOMAIN));
+        TableClient_ = std::make_unique<NYdb::NTable::TTableClient>(*YdbDriver_, NYdb::NTable::TClientSettings().AuthToken("user@" AUTH_DOMAIN_SYSTEM));
         TableClientSession_ = std::make_unique<NYdb::NTable::TSession>(TableClient_->CreateSession().GetValueSync().GetSession());
 
         Tenants_ = std::make_unique<TTenants>(Server_);
diff --git a/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.h b/ydb/core/kqp/workload_service/ut/common/kqp_workload_service_ut_common.h
@@ -27,7 +27,7 @@ struct TQueryRunnerSettings {
     // Query settings
     FLUENT_SETTING_DEFAULT(ui32, NodeIndex, 0);
     FLUENT_SETTING_DEFAULT(std::optional<TString>, PoolId, std::nullopt);
-    FLUENT_SETTING_DEFAULT(TString, UserSID, "user@" BUILTIN_SYSTEM_DOMAIN);
+    FLUENT_SETTING_DEFAULT(TString, UserSID, "user@" AUTH_DOMAIN_SYSTEM);
     FLUENT_SETTING_DEFAULT(TVector<TString>, GroupSIDs, {});
     FLUENT_SETTING_DEFAULT(TString, Database, "");
 
diff --git a/ydb/core/kqp/workload_service/ut/kqp_workload_service_actors_ut.cpp b/ydb/core/kqp/workload_service/ut/kqp_workload_service_actors_ut.cpp
@@ -12,7 +12,7 @@ namespace {
 using namespace NWorkload;
 
 
-TEvPrivate::TEvFetchPoolResponse::TPtr FetchPool(TIntrusivePtr<IYdbSetup> ydb, const TString& poolId = "", const TString& userSID = "user@" BUILTIN_SYSTEM_DOMAIN) {
+TEvPrivate::TEvFetchPoolResponse::TPtr FetchPool(TIntrusivePtr<IYdbSetup> ydb, const TString& poolId = "", const TString& userSID = "user@" AUTH_DOMAIN_SYSTEM) {
     const auto& settings = ydb->GetSettings();
     auto runtime = ydb->GetRuntime();
     const auto& edgeActor = runtime->AllocateEdgeActor();
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
@@ -680,16 +680,22 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                 return true;
             }
 
-            if (record.Ticket.EndsWith("@" BUILTIN_ERROR_DOMAIN)) {
+            if (record.Ticket.EndsWith("@" AUTH_DOMAIN_ERROR)) {
                 record.TokenType = TDerived::ETokenType::Builtin;
                 SetError(key, record, { .Message = "Builtin error simulation" });
                 CounterTicketsBuiltin->Inc();
                 return true;
             }
+        }
+        return false;
+    }
 
-            if (record.Ticket.EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
+    template <typename TTokenRecord>
+    bool CanInitSystemToken(const TString& key, TTokenRecord& record) {
+        if (record.TokenType == TDerived::ETokenType::Unknown || record.TokenType == TDerived::ETokenType::Builtin) {
+            if (record.Ticket.EndsWith("@" AUTH_DOMAIN_ERROR)) {
                 record.TokenType = TDerived::ETokenType::Builtin;
-                SetError(key, record, { .Message = "System domain not available for user usage", .Retryable = false });
+                SetError(key, record, { .Message = "System auth domain not available for user usage", .Retryable = false });
                 CounterTicketsBuiltin->Inc();
                 return true;
             }
@@ -1747,9 +1753,10 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             return;
         }
 
-        if (CanInitBuiltinToken(key, record) ||
-            CanInitLoginToken(key, record) ||
-            CanInitTokenFromCertificate(key, record)) {
+        if (CanInitBuiltinToken(key, record)
+            || CanInitSystemToken(key, record)
+            || CanInitLoginToken(key, record)
+            || CanInitTokenFromCertificate(key, record)) {
             return;
         }
 
diff --git a/ydb/library/aclib/aclib.cpp b/ydb/library/aclib/aclib.cpp
@@ -135,7 +135,7 @@ void TUserToken::AddGroupSID(const TSID& groupSID) {
 }
 
 bool TUserToken::IsSystemUser() const {
-    return GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN);
+    return GetUserSID().EndsWith("@" AUTH_DOMAIN_SYSTEM);
 }
 
 TSecurityObject::TSecurityObject(const NACLibProto::TSecurityObject& protoSecObj, bool isContainer)
diff --git a/ydb/library/aclib/aclib.h b/ydb/library/aclib/aclib.h
@@ -8,11 +8,11 @@ namespace NACLib {
 
 #define BUILTIN_ACL_DOMAIN "builtin"
 #define BUILTIN_ACL_ROOT "root@" BUILTIN_ACL_DOMAIN
-#define BUILTIN_ERROR_DOMAIN "error"
-#define BUILTIN_SYSTEM_DOMAIN "system"
+#define AUTH_DOMAIN_ERROR "error"
+#define AUTH_DOMAIN_SYSTEM "system"
 
-#define BUILTIN_ACL_METADATA "metadata@" BUILTIN_SYSTEM_DOMAIN
-#define BUILTIN_ACL_TMP "tmp@" BUILTIN_SYSTEM_DOMAIN
+#define BUILTIN_ACL_METADATA "metadata@" AUTH_DOMAIN_SYSTEM
+#define BUILTIN_ACL_TMP "tmp@" AUTH_DOMAIN_SYSTEM
 
 class TUserToken;
 class TSystemUsers {
@@ -173,9 +173,4 @@ class TSecurityObject : public NACLibProto::TSecurityObject {
     bool IsContainer;
 };
 
-
-
-
-
-
 }

Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ void TUserToken::AddGroupSID(const TSID& groupSID) {`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`bool TUserToken::IsSystemUser() const {`
`138`		`- return GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN);`
	`138`	`+ return GetUserSID().EndsWith("@" AUTH_DOMAIN_SYSTEM);`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`TSecurityObject::TSecurityObject(const NACLibProto::TSecurityObject& protoSecObj, bool isContainer)`