author | ivanmorozov <ivanmorozov@yandex-team.com> | 2022-11-30 19:55:57 +0300 |
---|---|---|
committer | ivanmorozov <ivanmorozov@yandex-team.com> | 2022-11-30 19:55:57 +0300 |
commit | 5941cbae8a1b816d4743f50c20c7a5631af4e8e1 (patch) | |
tree | f26c8bbca86a91283038716529dd069627dcf156 | |
parent | 4afdcdb812e78e27ec1c8242060c714a3deb92d9 (diff) | |
download | ydb-5941cbae8a1b816d4743f50c20c7a5631af4e8e1.tar.gz |
provide access for system user permissions in GetEffectiveAccessRights method too
-rw-r--r-- | ydb/library/aclib/aclib.cpp | 11 | ||||
-rw-r--r-- | ydb/library/aclib/aclib.h | 1 |
2 files changed, 10 insertions, 2 deletions
diff --git a/ydb/library/aclib/aclib.cpp b/ydb/library/aclib/aclib.cpp
index 8f8f216da2..c7e95b4215 100644
--- a/ydb/library/aclib/aclib.cpp
+++ b/ydb/library/aclib/aclib.cpp
@@ -125,6 +125,10 @@ void TUserToken::AddGroupSID(const TSID& groupSID) {
 bucket.AddValues(groupSID);
 }
 
+bool TUserToken::IsSystemUser() const {
+ return GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN);
+}
+
 TSecurityObject::TSecurityObject(const NACLibProto::TSecurityObject& protoSecObj, bool isContainer)
 : NACLibProto::TSecurityObject(protoSecObj)
 , IsContainer(isContainer)
@@ -137,6 +141,9 @@ TSecurityObject::TSecurityObject(const TSID& owner, bool isContainer)
 }
 
 ui32 TSecurityObject::GetEffectiveAccessRights(const TUserToken& user) const {
+ if (user.IsSystemUser()) {
+ return EAccessRights::GenericFull; // the system always has access
+ }
 if (HasOwnerSID() && user.IsExist(GetOwnerSID()))
 return EAccessRights::GenericFull; // the owner always has access
 ui32 deniedAccessRights = EAccessRights::NoAccess;
@@ -161,8 +168,8 @@ ui32 TSecurityObject::GetEffectiveAccessRights(const TUserToken& user) const {
 }
 
 bool TSecurityObject::CheckAccess(ui32 access, const TUserToken& user) const {
- if (user.GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
- return true;
+ if (user.IsSystemUser()) {
+ return true; // the system alway has access
 }
 if (HasOwnerSID() && user.IsExist(GetOwnerSID()))
 return true; // the owner always has access
diff --git a/ydb/library/aclib/aclib.h b/ydb/library/aclib/aclib.h
index 0cd4ed9793..d82ebbb80b 100644
--- a/ydb/library/aclib/aclib.h
+++ b/ydb/library/aclib/aclib.h
@@ -91,6 +91,7 @@ public:
 TString GetOriginalUserToken() const;
 TString SerializeAsString() const;
 void AddGroupSID(const TSID& groupSID);
+ bool IsSystemUser() const;
 using NACLibProto::TUserToken::ShortDebugString;
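Review bot: `TUserToken::IsSystemUser` decides the full-access bypass with a plain string suffix match on the user SID, and nothing in the hunk records that the `"@" BUILTIN_SYSTEM_DOMAIN` suffix has to be reserved by whoever issues tokens; any SID carrying that suffix is treated as the system user by both callers. Since two authorization paths now depend on this one predicate, it deserves a comment stating the assumption, e.g. `// Suffix match on the user SID: the token issuer must reserve the builtin system domain, because callers grant GenericFull on this result.` Whether user SIDs are validated when a token is built is outside this hunk, so the claim that the suffix is reserved should be confirmed rather than assumed.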
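Review bot: The new early return in `GetEffectiveAccessRights` sits above the point where `deniedAccessRights` is initialised, so explicit deny entries are never evaluated for system users in this method; that mirrors what `CheckAccess` already did, but the hunk does not say the bypass is unconditional. The returned line's comment should make that explicit: `return EAccessRights::GenericFull; // system users bypass the ACL entirely, including explicit denies`. The remainder of the method, and any header comment describing its contract, lies outside the hunk.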
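Review bot: The comment added to the new `return true;` in `CheckAccess` reads `alway` and should match the wording used on the equivalent line in `GetEffectiveAccessRights`: `return true; // the system always has access`. The rest of `CheckAccess` continues past the hunk.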