authormolotkov-and <molotkov-and@ydb.tech>2023-03-16 15:34:09 +0300
committermolotkov-and <molotkov-and@ydb.tech>2023-03-16 15:34:09 +0300
commit15058e189776d010764409f87717212d7c1d88c7 (patch)
treebb772b7608f852fb0521d6121392f8dc79626e19
parentc38d54beb445caeabcb76bd1b5faea7c0ef40068 (diff)
downloadydb-15058e189776d010764409f87717212d7c1d88c7.tar.gz
Replace name 'deprecated' by 'granular' in ydb access rights
-rw-r--r--ydb/core/ydb_convert/ydb_convert.cpp58
-rw-r--r--ydb/core/ydb_convert/ydb_convert_ut.cpp166
2 files changed, 212 insertions, 12 deletions
diff --git a/ydb/core/ydb_convert/ydb_convert.cpp b/ydb/core/ydb_convert/ydb_convert.cpp
index 662cf036ff9..e73475c1c0e 100644
--- a/ydb/core/ydb_convert/ydb_convert.cpp
+++ b/ydb/core/ydb_convert/ydb_convert.cpp
@@ -738,6 +738,40 @@ void ConvertAclToYdb(const TString& owner, const TString& acl, bool isContainer,
using namespace NACLib;
+namespace {
+
+const TString YDB_GRANULAR_SELECT_ROW = "ydb.granular.select_row";
+const TString YDB_GRANULAR_UPDATE_ROW = "ydb.granular.update_row";
+const TString YDB_GRANULAR_ERASE_ROW = "ydb.granular.erase_row";
+const TString YDB_GRANULAR_READ_ATTRIBUTES = "ydb.granular.read_attributes";
+const TString YDB_GRANULAR_WRITE_ATTRIBUTES = "ydb.granular.write_attributes";
+const TString YDB_GRANULAR_CREATE_DIRECTORY = "ydb.granular.create_directory";
+const TString YDB_GRANULAR_CREATE_TABLE = "ydb.granular.create_table";
+const TString YDB_GRANULAR_CREATE_QUEUE = "ydb.granular.create_queue";
+const TString YDB_GRANULAR_REMOVE_SCHEMA = "ydb.granular.remove_schema";
+const TString YDB_GRANULAR_DESCRIBE_SCHEMA = "ydb.granular.describe_schema";
+const TString YDB_GRANULAR_ALTER_SCHEMA = "ydb.granular.alter_schema";
+
+const TString& GetAclName(const TString& name) {
+ static const THashMap<TString, TString> GranularNamesMap_ = {
+ { "ydb.deprecated.select_row", YDB_GRANULAR_SELECT_ROW },
+ { "ydb.deprecated.update_row", YDB_GRANULAR_UPDATE_ROW },
+ { "ydb.deprecated.erase_row", YDB_GRANULAR_ERASE_ROW },
+ { "ydb.deprecated.read_attributes", YDB_GRANULAR_READ_ATTRIBUTES },
+ { "ydb.deprecated.write_attributes", YDB_GRANULAR_WRITE_ATTRIBUTES },
+ { "ydb.deprecated.create_directory", YDB_GRANULAR_CREATE_DIRECTORY },
+ { "ydb.deprecated.create_table", YDB_GRANULAR_CREATE_TABLE },
+ { "ydb.deprecated.create_queue", YDB_GRANULAR_CREATE_QUEUE },
+ { "ydb.deprecated.remove_schema", YDB_GRANULAR_REMOVE_SCHEMA },
+ { "ydb.deprecated.describe_schema", YDB_GRANULAR_DESCRIBE_SCHEMA },
+ { "ydb.deprecated.alter_schema", YDB_GRANULAR_ALTER_SCHEMA }
+ };
+ auto it = GranularNamesMap_.find(name);
+ return it != GranularNamesMap_.cend() ? it->second : name;
+}
+
+} // namespace
+
const THashMap<TString, TACLAttrs> AccessMap_ = {
{ "ydb.database.connect", TACLAttrs(EAccessRights::ConnectDatabase, EInheritanceType::InheritNone) },
{ "ydb.tables.modify", TACLAttrs(EAccessRights(UpdateRow | EraseRow)) },
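Review bot: `GetAclName` at the top of the hunk is undocumented and silently accepts the old `ydb.deprecated.*` spellings, so a reader of `AccessMap_` alone cannot tell that the deprecated names remain valid input. I would put above the function `// Canonicalises a permission name: legacy "ydb.deprecated.*" names map onto their "ydb.granular.*" equivalents; any other name is returned unchanged.` and above `AccessMap_` a one-line note that the deprecated aliases are resolved by GetAclName before lookup. Because the map's keys now hold only the granular spellings, any code that enumerates `AccessMap_` to produce names (the reverse direction is not in this hunk) will presumably emit the new spellings from now on, which is a wire-visible change worth stating in the commit message. The function-local static also relies on the namespace-scope `YDB_GRANULAR_*` `TString` globals being initialised first; that holds inside this translation unit, but would not if `ConvertYdbPermissionNameToACLAttrs` were ever reached during static initialisation of another TU.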
@@ -753,17 +787,17 @@ const THashMap<TString, TACLAttrs> AccessMap_ = {
{ "ydb.database.create", EAccessRights::CreateDatabase },
{ "ydb.database.drop", EAccessRights::DropDatabase },
{ "ydb.access.grant", EAccessRights::GrantAccessRights },
- { "ydb.deprecated.select_row", EAccessRights::SelectRow },
- { "ydb.deprecated.update_row", EAccessRights::UpdateRow },
- { "ydb.deprecated.erase_row", EAccessRights::EraseRow },
- { "ydb.deprecated.read_attributes", EAccessRights::ReadAttributes },
- { "ydb.deprecated.write_attributes", EAccessRights::WriteAttributes },
- { "ydb.deprecated.create_directory", EAccessRights::CreateDirectory },
- { "ydb.deprecated.create_table", EAccessRights::CreateTable },
- { "ydb.deprecated.create_queue", EAccessRights::CreateQueue },
- { "ydb.deprecated.remove_schema", EAccessRights::RemoveSchema },
- { "ydb.deprecated.describe_schema", EAccessRights::DescribeSchema },
- { "ydb.deprecated.alter_schema", EAccessRights::AlterSchema }
+ { YDB_GRANULAR_SELECT_ROW, EAccessRights::SelectRow },
+ { YDB_GRANULAR_UPDATE_ROW, EAccessRights::UpdateRow },
+ { YDB_GRANULAR_ERASE_ROW, EAccessRights::EraseRow },
+ { YDB_GRANULAR_READ_ATTRIBUTES, EAccessRights::ReadAttributes },
+ { YDB_GRANULAR_WRITE_ATTRIBUTES, EAccessRights::WriteAttributes },
+ { YDB_GRANULAR_CREATE_DIRECTORY, EAccessRights::CreateDirectory },
+ { YDB_GRANULAR_CREATE_TABLE, EAccessRights::CreateTable },
+ { YDB_GRANULAR_CREATE_QUEUE, EAccessRights::CreateQueue },
+ { YDB_GRANULAR_REMOVE_SCHEMA, EAccessRights::RemoveSchema },
+ { YDB_GRANULAR_DESCRIBE_SCHEMA, EAccessRights::DescribeSchema },
+ { YDB_GRANULAR_ALTER_SCHEMA, EAccessRights::AlterSchema }
};
@@ -792,7 +826,7 @@ static TVector<std::pair<ui32, TString>> CalcMaskByPower() {
}
TACLAttrs ConvertYdbPermissionNameToACLAttrs(const TString& name) {
- auto it = AccessMap_.find(name);
+ auto it = AccessMap_.find(GetAclName(name));
if (it == AccessMap_.end()) {
throw NYql::TErrorException(NKikimrIssues::TIssuesIds::DEFAULT_ERROR)
<< "Unknown permission name: " << name;
diff --git a/ydb/core/ydb_convert/ydb_convert_ut.cpp b/ydb/core/ydb_convert/ydb_convert_ut.cpp
index 911e972735f..9a78f33dc83 100644
--- a/ydb/core/ydb_convert/ydb_convert_ut.cpp
+++ b/ydb/core/ydb_convert/ydb_convert_ut.cpp
@@ -5,6 +5,8 @@
#include <library/cpp/testing/unittest/tests_data.h>
#include <library/cpp/testing/unittest/registar.h>
+#include <ydb/library/aclib/aclib.h>
+
namespace NKikimr {
static void TestConvertTypeToYdb(const TString& input, const TString& expected) {
@@ -1044,4 +1046,168 @@ variant_index: 3435973836
} // ConvertYdbValueToMiniKQLValueTest
+Y_UNIT_TEST_SUITE(ConvertYdbPermissionNameToACLAttrs) {
+Y_UNIT_TEST(SimpleConvertGood) {
+ using namespace NACLib;
+ auto aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.database.connect");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::ConnectDatabase);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritNone);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.tables.modify");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights(UpdateRow | EraseRow));
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.tables.read");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights(SelectRow | ReadAttributes));
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.list");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericList);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.read");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericRead);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.write");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericWrite);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.use_legacy");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericUseLegacy);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.use");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericUse);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.manage");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericManage);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.full_legacy");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericFullLegacy);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.generic.full");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GenericFull);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.database.create");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::CreateDatabase);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.database.drop");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::DropDatabase);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.access.grant");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::GrantAccessRights);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.select_row");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::SelectRow);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.update_row");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::UpdateRow);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.erase_row");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::EraseRow);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.read_attributes");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::ReadAttributes);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.write_attributes");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::WriteAttributes);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.create_directory");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::CreateDirectory);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.create_table");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::CreateTable);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.create_queue");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::CreateQueue);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.remove_schema");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::RemoveSchema);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.describe_schema");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::DescribeSchema);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+ aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.alter_schema");
+ UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::AlterSchema);
+ UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+}
+
+Y_UNIT_TEST(TestEqualGranularAndDeprecatedAcl) {
+ using namespace NACLib;
+ auto deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.select_row");
+ auto granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.select_row");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.update_row");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.update_row");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.erase_row");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.erase_row");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.read_attributes");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.read_attributes");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.write_attributes");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.write_attributes");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.create_directory");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.create_directory");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.create_table");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.create_table");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.create_queue");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.create_queue");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.remove_schema");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.remove_schema");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.describe_schema");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.describe_schema");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+
+ deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.alter_schema");
+ granularAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.alter_schema");
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.AccessMask, granularAclAttr.AccessMask);
+ UNIT_ASSERT_EQUAL(deprecatedAclAttr.InheritanceType, granularAclAttr.InheritanceType);
+}
+
+} // ConvertYdbPermissionNameToACLAttrs
+
} // namespace NKikimr
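Review bot: In `TestEqualGranularAndDeprecatedAcl` the write_attributes case assigns `deprecatedAclAttr` from `"ydb.granular.write_attributes"`, so that pair compares the granular name with itself and the deprecated alias for write_attributes is never exercised; the line should read `deprecatedAclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.write_attributes");`. The suite also has no negative case guarding the throw on an unknown name, which is the check that stops a misspelt permission from being accepted; one `UNIT_ASSERT_EXCEPTION(ConvertYdbPermissionNameToACLAttrs("ydb.deprecated.unknown"), NYql::TErrorException);` would cover it. The eleven copy-pasted blocks could be a loop over a table of (deprecated, granular) pairs, which would have made the copy-paste slip above impossible.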