authorivanmorozov <ivanmorozov@yandex-team.com>2023-01-13 15:38:46 +0300
committerivanmorozov <ivanmorozov@yandex-team.com>2023-01-13 15:38:46 +0300
commiteacb9b0020f9a5db51c7fb7e0ca5751cce720965 (patch)
tree44aba10a22c8d1e8afe264c932b283633ae53c29
parent0162c1a99a12ff7a7a194ba027e7f0789285e8dd (diff)
downloadydb-eacb9b0020f9a5db51c7fb7e0ca5751cce720965.tar.gz
default user initialization for special secret id format
-rw-r--r--ydb/core/tx/tiering/tier/manager.cpp18
-rw-r--r--ydb/core/tx/tiering/ut/ut_tiers.cpp4
-rw-r--r--ydb/services/metadata/secret/secret.cpp17
-rw-r--r--ydb/services/metadata/secret/secret.h82
-rw-r--r--ydb/services/metadata/secret/snapshot.cpp18
5 files changed, 110 insertions, 29 deletions
diff --git a/ydb/core/tx/tiering/tier/manager.cpp b/ydb/core/tx/tiering/tier/manager.cpp
index 3939a18663..ac7c494dc8 100644
--- a/ydb/core/tx/tiering/tier/manager.cpp
+++ b/ydb/core/tx/tiering/tier/manager.cpp
@@ -6,7 +6,7 @@ namespace NKikimr::NColumnShard::NTiers {
NMetadata::NModifications::TOperationParsingResult TTiersManager::DoBuildPatchFromSettings(
const NYql::TObjectSettingsImpl& settings,
- const NMetadata::NModifications::IOperationsManager::TModificationContext& /*context*/) const
+ const NMetadata::NModifications::IOperationsManager::TModificationContext& context) const
{
NMetadata::NInternal::TTableRecord result;
result.SetColumn(TTierConfig::TDecoder::TierName, NMetadata::NInternal::TYDBValue::Bytes(settings.GetObjectId()));
@@ -17,7 +17,21 @@ NMetadata::NModifications::TOperationParsingResult TTiersManager::DoBuildPatchFr
if (!::google::protobuf::TextFormat::ParseFromString(it->second, &proto)) {
return "incorrect proto format";
} else {
- result.SetColumn(TTierConfig::TDecoder::TierConfig, NMetadata::NInternal::TYDBValue::Bytes(it->second));
+ TString defaultUserId;
+ if (context.GetUserToken()) {
+ defaultUserId = context.GetUserToken()->GetUserSID();
+ }
+ auto accessKey = NMetadata::NSecret::TSecretIdOrValue::DeserializeFromString(proto.GetObjectStorage().GetAccessKey(), defaultUserId);
+ if (!accessKey) {
+ return "AccessKey is incorrect";
+ }
+ *proto.MutableObjectStorage()->MutableAccessKey() = accessKey->SerializeToString();
+ auto secretKey = NMetadata::NSecret::TSecretIdOrValue::DeserializeFromString(proto.GetObjectStorage().GetSecretKey(), defaultUserId);
+ if (!secretKey) {
+ return "SecretKey is incorrect";
+ }
+ *proto.MutableObjectStorage()->MutableSecretKey() = secretKey->SerializeToString();
+ result.SetColumn(TTierConfig::TDecoder::TierConfig, NMetadata::NInternal::TYDBValue::Bytes(proto.DebugString()));
}
}
}
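Review bot: The normalized tier config is persisted through `proto.DebugString()` on the last added line, but DebugString is a debugging aid whose text format is not guaranteed to stay stable across protobuf releases (newer releases may also redact fields from it), so the stored config may later fail to round-trip through `TextFormat::ParseFromString`. Serialize explicitly instead: `TString normalized; ::google::protobuf::TextFormat::PrintToString(proto, &normalized);` and store `normalized` in the TierConfig column. The two added `DeserializeFromString` calls also accept any unprefixed AccessKey/SecretKey as a literal value and write it verbatim into the stored config, which deserves a one-line comment, e.g. `// unprefixed keys are literal values persisted as-is; only USId:/SId: references are resolved through the secret snapshot`. DoBuildPatchFromSettings continues outside the hunk.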
diff --git a/ydb/core/tx/tiering/ut/ut_tiers.cpp b/ydb/core/tx/tiering/ut/ut_tiers.cpp
index 6376bbec21..fa099d423f 100644
--- a/ydb/core/tx/tiering/ut/ut_tiers.cpp
+++ b/ydb/core/tx/tiering/ut/ut_tiers.cpp
@@ -412,7 +412,7 @@ Y_UNIT_TEST_SUITE(ColumnShardTiers) {
VerifySSL: false
Endpoint: "storage.cloud-preprod.yandex.net"
Bucket: "tiering-test-01"
- AccessKey: "USId:root@builtin:secretAccessKey"
+ AccessKey: "SId:secretAccessKey"
SecretKey: "USId:root@builtin:secretSecretKey"
ProxyHost: "localhost"
ProxyPort: 8080
@@ -428,7 +428,7 @@ Y_UNIT_TEST_SUITE(ColumnShardTiers) {
Endpoint: "fake"
Bucket: "fake"
AccessKey: "USId:root@builtin:secretAccessKey"
- SecretKey: "USId:root@builtin:secretSecretKey"
+ SecretKey: "SId:secretSecretKey"
}
)";
const TString TierEndpoint = "fake";
diff --git a/ydb/services/metadata/secret/secret.cpp b/ydb/services/metadata/secret/secret.cpp
index 4b12175f96..5e42f4e8e5 100644
--- a/ydb/services/metadata/secret/secret.cpp
+++ b/ydb/services/metadata/secret/secret.cpp
@@ -37,21 +37,4 @@ TString TSecretId::SerializeToString() const {
return sb;
}
-bool TSecretId::DeserializeFromString(const TString& info) {
- static const TString prefix = "USId:";
- if (!info.StartsWith(prefix)) {
- return false;
- }
- TStringBuf sb(info.data(), info.size());
- sb.Skip(prefix.size());
- TStringBuf uId;
- TStringBuf sId;
- if (!sb.TrySplit(':', uId, sId)) {
- return false;
- }
- OwnerUserId = uId;
- SecretId = sId;
- return true;
-}
-
}
diff --git a/ydb/services/metadata/secret/secret.h b/ydb/services/metadata/secret/secret.h
index 8edbc4c575..54a8437361 100644
--- a/ydb/services/metadata/secret/secret.h
+++ b/ydb/services/metadata/secret/secret.h
@@ -16,13 +16,25 @@ public:
TSecretId() = default;
TSecretId(const TString& ownerUserId, const TString& secretId)
: OwnerUserId(ownerUserId)
- , SecretId(secretId)
- {
+ , SecretId(secretId) {
+ }
+
+ TSecretId(const TStringBuf ownerUserId, const TStringBuf secretId)
+ : OwnerUserId(ownerUserId)
+ , SecretId(secretId) {
}
- bool DeserializeFromString(const TString& info);
TString SerializeToString() const;
+ template <class TProto>
+ TString BuildSecretAccessString(const TProto& proto, const TString& defaultOwnerId) {
+ if (proto.HasValue()) {
+ return proto.GetValue();
+ } else {
+ return TStringBuilder() << "USId:" << (proto.GetSecretOwnerId() ? proto.GetSecretOwnerId() : defaultOwnerId) << ":" << SecretId;
+ }
+ }
+
bool operator<(const TSecretId& item) const {
return std::tie(OwnerUserId, SecretId) < std::tie(item.OwnerUserId, item.SecretId);
}
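Review bot: The added `BuildSecretAccessString` does not modify the object and should be declared `const`; it also reads only the `SecretId` member while taking the owner from `proto.GetSecretOwnerId()` or `defaultOwnerId`, so the object's own `OwnerUserId` is silently ignored, which a reader of a TSecretId member would not expect. If that is intended, state it above the method: `// owner comes from the proto (or defaultOwnerId), not from this object's OwnerUserId`. The new `TStringBuf` constructor sits next to the `const TString&` one; if both types are implicitly constructible from `const char*`, a call with two string literals becomes ambiguous, which is worth checking at existing call sites. The enclosing class header is outside the hunk.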
@@ -31,6 +43,70 @@ public:
}
};
+class TSecretIdOrValue {
+private:
+ YDB_READONLY_DEF(std::optional<TSecretId>, SecretId);
+ YDB_READONLY_DEF(std::optional<TString>, Value);
+ TSecretIdOrValue() = default;
+
+ bool DeserializeFromStringImpl(const TString& info, const TString& defaultUserId) {
+ static const TString prefixWithUser = "USId:";
+ static const TString prefixNoUser = "SId:";
+ if (info.StartsWith(prefixWithUser)) {
+ TStringBuf sb(info.data(), info.size());
+ sb.Skip(prefixWithUser.size());
+ TStringBuf uId;
+ TStringBuf sId;
+ if (!sb.TrySplit(':', uId, sId)) {
+ return false;
+ }
+ if (!uId || !sId) {
+ return false;
+ }
+ SecretId = TSecretId(uId, sId);
+ } else if (info.StartsWith(prefixNoUser)) {
+ TStringBuf sb(info.data(), info.size());
+ sb.Skip(prefixNoUser.size());
+ SecretId = TSecretId(defaultUserId, TString(sb));
+ if (!sb || !defaultUserId) {
+ return false;
+ }
+ } else {
+ Value = info;
+ }
+ return true;
+ }
+public:
+ TSecretIdOrValue(const TSecretId& id)
+ : SecretId(id) {
+
+ }
+
+ TSecretIdOrValue(const TString& value)
+ : Value(value) {
+
+ }
+
+ static std::optional<TSecretIdOrValue> DeserializeFromString(const TString& info, const TString& defaultOwnerId = Default<TString>()) {
+ TSecretIdOrValue result;
+ if (!result.DeserializeFromStringImpl(info, defaultOwnerId)) {
+ return {};
+ } else {
+ return result;
+ }
+ }
+
+ TString SerializeToString() const {
+ if (SecretId) {
+ return SecretId->SerializeToString();
+ } else if (Value) {
+ return *Value;
+ }
+ Y_VERIFY(false);
+ return "";
+ }
+};
+
class TSecret: public TSecretId, public NModifications::TObject<TSecret> {
private:
using TBase = TSecretId;
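Review bot: Both public constructors of `TSecretIdOrValue` are implicit, so a plain `TString` passed where a `TSecretIdOrValue` is expected is wrapped as a literal `Value` without going through `DeserializeFromString`; a `USId:...` string would then be treated as an inline secret rather than a reference, and callers that short-circuit on `GetValue()` (the snapshot.cpp changes in this commit) would skip the access check. Mark them `explicit TSecretIdOrValue(const TSecretId& id)` and `explicit TSecretIdOrValue(const TString& value)`. In `DeserializeFromStringImpl` the `SId:` branch assigns `SecretId` before validating `sb` and `defaultUserId`; move the `if (!sb || !defaultUserId) { return false; }` check ahead of the assignment so a rejected input leaves the object untouched. The final `else` branch classifies any unprefixed input as a literal value, which should be documented where it happens, e.g. `// anything without a USId:/SId: prefix is an inline secret value, not a reference`.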
diff --git a/ydb/services/metadata/secret/snapshot.cpp b/ydb/services/metadata/secret/snapshot.cpp
index 8c2e8eeb5c..6cb42d9a3a 100644
--- a/ydb/services/metadata/secret/snapshot.cpp
+++ b/ydb/services/metadata/secret/snapshot.cpp
@@ -23,11 +23,14 @@ TString TSnapshot::DoSerializeToString() const {
}
bool TSnapshot::PatchString(TString& stringForPath) const {
- TSecretId sId;
- if (!sId.DeserializeFromString(stringForPath)) {
+ std::optional<TSecretIdOrValue> sId = TSecretIdOrValue::DeserializeFromString(stringForPath);
+ if (!sId) {
return false;
}
- auto it = Secrets.find(sId);
+ if (sId->GetValue()) {
+ return true;
+ }
+ auto it = Secrets.find(*sId->GetSecretId());
if (it == Secrets.end()) {
return false;
}
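Review bot: `PatchString` dereferences `*sId->GetSecretId()` right after the `GetValue()` check without confirming the optional is engaged, whereas the `CheckSecretAccess` hunk below guards the same case with `!sIdOrValue->GetSecretId()`. Today `DeserializeFromStringImpl` appears to always set one of the two fields, but that invariant lives in another file; mirror the guard here: `if (!sId->GetSecretId()) { return false; }`. PatchString continues outside the hunk.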
@@ -39,10 +42,15 @@ bool TSnapshot::CheckSecretAccess(const TString& secretableString, const std::op
if (!userToken) {
return true;
}
- TSecretId sId;
- if (!sId.DeserializeFromString(secretableString)) {
+ std::optional<TSecretIdOrValue> sIdOrValue = TSecretIdOrValue::DeserializeFromString(secretableString);
+ if (!sIdOrValue) {
+ return false;
+ } else if (sIdOrValue->GetValue()) {
return true;
+ } else if (!sIdOrValue->GetSecretId()) {
+ return false;
}
+ const auto sId = *sIdOrValue->GetSecretId();
auto it = Secrets.find(sId);
if (it == Secrets.end()) {
return false;
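Review bot: `const auto sId = *sIdOrValue->GetSecretId();` copies the TSecretId (two strings) only to use it as a lookup key; binding a reference avoids the copy: `const auto& sId = *sIdOrValue->GetSecretId();`. CheckSecretAccess continues outside the hunk.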