author | molotkov-and <molotkov-and@ydb.tech> | 2023-05-22 10:38:43 +0300 |
---|---|---|
committer | molotkov-and <molotkov-and@ydb.tech> | 2023-05-22 10:38:43 +0300 |
commit | 827280d9061e237d8812532534b97430cd1e0f04 (patch) | |
tree | c6f47a965d36ccb9268c3c5b090f60fb4df25391 | |
parent | 54fd8a719ef2265cb25cd66535cea600f5ebf24c (diff) | |
download | ydb-827280d9061e237d8812532534b97430cd1e0f04.tar.gz |
Move grpc call RegistrationNode to public api. Move to Discovery service. Revert with fixes
45 files changed, 1139 insertions, 163 deletions
diff --git a/ydb/core/client/server/CMakeLists.darwin-x86_64.txt b/ydb/core/client/server/CMakeLists.darwin-x86_64.txt index 7a21a804543..b620712f4dd 100644 --- a/ydb/core/client/server/CMakeLists.darwin-x86_64.txt +++ b/ydb/core/client/server/CMakeLists.darwin-x86_64.txt @@ -31,6 +31,7 @@ target_link_libraries(core-client-server PUBLIC ydb-core-engine core-engine-minikql ydb-core-grpc_services + core-grpc_services-auth_processor core-grpc_services-base ydb-core-keyvalue core-kqp-common @@ -53,7 +54,6 @@ target_link_libraries(core-client-server PUBLIC cpp-deprecated-atomic ) target_sources(core-client-server PRIVATE - ${CMAKE_SOURCE_DIR}/ydb/core/client/server/dynamic_node_auth_processor.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/http_ping.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_blobstorage_config.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_bsadm.cpp diff --git a/ydb/core/client/server/CMakeLists.linux-aarch64.txt b/ydb/core/client/server/CMakeLists.linux-aarch64.txt index 19c69222682..36a40015b50 100644 --- a/ydb/core/client/server/CMakeLists.linux-aarch64.txt +++ b/ydb/core/client/server/CMakeLists.linux-aarch64.txt @@ -32,6 +32,7 @@ target_link_libraries(core-client-server PUBLIC ydb-core-engine core-engine-minikql ydb-core-grpc_services + core-grpc_services-auth_processor core-grpc_services-base ydb-core-keyvalue core-kqp-common @@ -54,7 +55,6 @@ target_link_libraries(core-client-server PUBLIC cpp-deprecated-atomic ) target_sources(core-client-server PRIVATE - ${CMAKE_SOURCE_DIR}/ydb/core/client/server/dynamic_node_auth_processor.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/http_ping.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_blobstorage_config.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_bsadm.cpp diff --git a/ydb/core/client/server/CMakeLists.linux-x86_64.txt b/ydb/core/client/server/CMakeLists.linux-x86_64.txt index 19c69222682..36a40015b50 100644 --- a/ydb/core/client/server/CMakeLists.linux-x86_64.txt 
+++ b/ydb/core/client/server/CMakeLists.linux-x86_64.txt @@ -32,6 +32,7 @@ target_link_libraries(core-client-server PUBLIC ydb-core-engine core-engine-minikql ydb-core-grpc_services + core-grpc_services-auth_processor core-grpc_services-base ydb-core-keyvalue core-kqp-common @@ -54,7 +55,6 @@ target_link_libraries(core-client-server PUBLIC cpp-deprecated-atomic ) target_sources(core-client-server PRIVATE - ${CMAKE_SOURCE_DIR}/ydb/core/client/server/dynamic_node_auth_processor.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/http_ping.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_blobstorage_config.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_bsadm.cpp diff --git a/ydb/core/client/server/CMakeLists.windows-x86_64.txt b/ydb/core/client/server/CMakeLists.windows-x86_64.txt index 7a21a804543..b620712f4dd 100644 --- a/ydb/core/client/server/CMakeLists.windows-x86_64.txt +++ b/ydb/core/client/server/CMakeLists.windows-x86_64.txt @@ -31,6 +31,7 @@ target_link_libraries(core-client-server PUBLIC ydb-core-engine core-engine-minikql ydb-core-grpc_services + core-grpc_services-auth_processor core-grpc_services-base ydb-core-keyvalue core-kqp-common @@ -53,7 +54,6 @@ target_link_libraries(core-client-server PUBLIC cpp-deprecated-atomic ) target_sources(core-client-server PRIVATE - ${CMAKE_SOURCE_DIR}/ydb/core/client/server/dynamic_node_auth_processor.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/http_ping.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_blobstorage_config.cpp ${CMAKE_SOURCE_DIR}/ydb/core/client/server/msgbus_bsadm.cpp diff --git a/ydb/core/client/server/grpc_server.h b/ydb/core/client/server/grpc_server.h index 7f1a4b9ea71..267de686f5a 100644 --- a/ydb/core/client/server/grpc_server.h +++ b/ydb/core/client/server/grpc_server.h @@ -1,5 +1,5 @@ #pragma once -#include "dynamic_node_auth_processor.h" +#include <ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h> #include <ydb/core/protos/grpc.grpc.pb.h> 
diff --git a/ydb/core/client/server/msgbus_server.h b/ydb/core/client/server/msgbus_server.h index 0e6da0ecbb3..df4ad2da596 100644 --- a/ydb/core/client/server/msgbus_server.h +++ b/ydb/core/client/server/msgbus_server.h @@ -1,5 +1,5 @@ #pragma once -#include "dynamic_node_auth_processor.h" +#include <ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h> #include <library/cpp/actors/core/actorsystem.h> #include <library/cpp/actors/core/actor_bootstrapped.h> #include <ydb/public/lib/base/defs.h> diff --git a/ydb/core/client/server/msgbus_server_node_registration.cpp b/ydb/core/client/server/msgbus_server_node_registration.cpp index e19f2c0524f..ac87b12bd59 100644 --- a/ydb/core/client/server/msgbus_server_node_registration.cpp +++ b/ydb/core/client/server/msgbus_server_node_registration.cpp @@ -23,7 +23,7 @@ class TNodeRegistrationActor : public TActorBootstrapped<TNodeRegistrationActor> struct TNodeAuthorizationResult { bool IsAuthorized = false; - bool IsCertififateUsed = false; + bool IsCertificateUsed = false; operator bool() const { return IsAuthorized; @@ -88,7 +88,7 @@ public: if (Request.HasPath()) { request->Record.SetPath(Request.GetPath()); } - request->Record.SetAuthorizedByCertificate(nodeAuthorizationResult.IsCertififateUsed); + request->Record.SetAuthorizedByCertificate(nodeAuthorizationResult.IsCertificateUsed); NTabletPipe::SendData(ctx, NodeBrokerPipe, request.Release()); @@ -185,7 +185,7 @@ public: private: TNodeAuthorizationResult IsNodeAuthorized() { - TNodeAuthorizationResult result {.IsAuthorized = false, .IsCertififateUsed = false}; + TNodeAuthorizationResult result {.IsAuthorized = false, .IsCertificateUsed = false}; auto* appdata = AppData(); if (appdata && appdata->FeatureFlags.GetEnableDynamicNodeAuthorization() && DynamicNodeAuthorizationParams) { const auto& nodeAuthValues = FindClientCert(); 
@@ -212,7 +212,7 @@ private: Response.MutableStatus()->SetReason("Cannot authorize node with host: " + host); return result; } - result.IsCertififateUsed = true; + result.IsCertificateUsed = true; } result.IsAuthorized = true; return result;; diff --git a/ydb/core/driver_lib/cli_utils/CMakeLists.darwin-x86_64.txt b/ydb/core/driver_lib/cli_utils/CMakeLists.darwin-x86_64.txt index 2e8256f0ccd..9283d5e78f1 100644 --- a/ydb/core/driver_lib/cli_utils/CMakeLists.darwin-x86_64.txt +++ b/ydb/core/driver_lib/cli_utils/CMakeLists.darwin-x86_64.txt @@ -37,6 +37,8 @@ target_link_libraries(cli_utils PUBLIC api-grpc-draft lib-deprecated-client common + cpp-client-ydb_discovery + cpp-client-ydb_driver ) target_sources(cli_utils PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/driver_lib/cli_utils/cli.cpp diff --git a/ydb/core/driver_lib/cli_utils/CMakeLists.linux-aarch64.txt b/ydb/core/driver_lib/cli_utils/CMakeLists.linux-aarch64.txt index e54a367187b..21aefec97bb 100644 --- a/ydb/core/driver_lib/cli_utils/CMakeLists.linux-aarch64.txt +++ b/ydb/core/driver_lib/cli_utils/CMakeLists.linux-aarch64.txt @@ -38,6 +38,8 @@ target_link_libraries(cli_utils PUBLIC api-grpc-draft lib-deprecated-client common + cpp-client-ydb_discovery + cpp-client-ydb_driver ) target_sources(cli_utils PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/driver_lib/cli_utils/cli.cpp diff --git a/ydb/core/driver_lib/cli_utils/CMakeLists.linux-x86_64.txt b/ydb/core/driver_lib/cli_utils/CMakeLists.linux-x86_64.txt index e54a367187b..21aefec97bb 100644 --- a/ydb/core/driver_lib/cli_utils/CMakeLists.linux-x86_64.txt +++ b/ydb/core/driver_lib/cli_utils/CMakeLists.linux-x86_64.txt @@ -38,6 +38,8 @@ target_link_libraries(cli_utils PUBLIC api-grpc-draft lib-deprecated-client common + cpp-client-ydb_discovery + cpp-client-ydb_driver ) target_sources(cli_utils PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/driver_lib/cli_utils/cli.cpp 
diff --git a/ydb/core/driver_lib/cli_utils/CMakeLists.windows-x86_64.txt b/ydb/core/driver_lib/cli_utils/CMakeLists.windows-x86_64.txt index 2e8256f0ccd..9283d5e78f1 100644 --- a/ydb/core/driver_lib/cli_utils/CMakeLists.windows-x86_64.txt +++ b/ydb/core/driver_lib/cli_utils/CMakeLists.windows-x86_64.txt @@ -37,6 +37,8 @@ target_link_libraries(cli_utils PUBLIC api-grpc-draft lib-deprecated-client common + cpp-client-ydb_discovery + cpp-client-ydb_driver ) target_sources(cli_utils PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/driver_lib/cli_utils/cli.cpp diff --git a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp index b7be0a6ff28..1153b5c6c1b 100644 --- a/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp +++ b/ydb/core/driver_lib/cli_utils/cli_cmds_server.cpp @@ -14,6 +14,9 @@ #include <util/system/hostname.h> #include <google/protobuf/text_format.h> +#include <ydb/public/sdk/cpp/client/ydb_discovery/discovery.h> +#include <ydb/public/sdk/cpp/client/ydb_driver/driver.h> + extern TAutoPtr<NKikimrConfig::TActorSystemConfig> DummyActorSystemConfig(); extern TAutoPtr<NKikimrConfig::TAllocatorConfig> DummyAllocatorConfig(); 
@@ -924,16 +927,25 @@ protected: } } - THolder<NClient::TRegistrationResult> TryToRegisterDynamicNode( - const TString &addr, - const TString &domainName, - const TString &nodeHost, - const TString &nodeAddress, - const TString &nodeResolveHost, - const TMaybe<TString>& path) { - NClient::TKikimr kikimr(GetKikimr(addr)); - auto registrant = kikimr.GetNodeRegistrant(); + void MaybeRegisterAndLoadConfigs() + { + // static node + if (NodeBrokerAddresses.empty() && !NodeBrokerPort) { + if (!NodeId) { + ythrow yexception() << "Either --node [NUM|'static'] or --node-broker[-port] should be specified"; + } + if (!HierarchicalCfg && RunConfig.PathToConfigCacheFile) + LoadCachedConfigsForStaticNode(); + return; + } + + RegisterDynamicNode(); + if (!HierarchicalCfg && !IgnoreCmsConfigs) + LoadConfigForDynamicNode(); + } + + TNodeLocation CreateNodeLocation() { NActorsInterconnect::TNodeLocation location; location.SetDataCenter(DataCenter); location.SetRack(Rack); 
@@ -946,8 +958,75 @@ protected: legacy.SetRackNum(RackFromString(Rack)); legacy.SetBodyNum(Body); loc.InheritLegacyValue(TNodeLocation(legacy)); + return loc; + } - Cout << "Trying to register at " << addr << Endl; + NYdb::NDiscovery::TNodeRegistrationSettings GetNodeRegistrationSettings(const TString &domainName, + const TString &nodeHost, + const TString &nodeAddress, + const TString &nodeResolveHost, + const TMaybe<TString>& path) { + NYdb::NDiscovery::TNodeRegistrationSettings settings; + settings.Host(nodeHost); + settings.Port(InterconnectPort); + settings.ResolveHost(nodeResolveHost); + settings.Address(nodeAddress); + settings.DomainPath(domainName); + settings.FixedNodeId(FixedNodeID); + if (path) { + settings.Path(*path); + } + + auto loc = CreateNodeLocation(); + NActorsInterconnect::TNodeLocation tmpLocation; + loc.Serialize(&tmpLocation, false); + + NYdb::NDiscovery::TNodeLocation settingLocation; + CopyNodeLocation(&settingLocation, tmpLocation); + settings.Location(settingLocation); + return settings; + } + + NYdb::NDiscovery::TNodeRegistrationResult TryToRegisterDynamicNodeViaDiscoveryService( + const TString &addr, + const TString &domainName, + const TString &nodeHost, + const TString &nodeAddress, + const TString &nodeResolveHost, + const TMaybe<TString>& path) { + TCommandConfig::TServerEndpoint endpoint = TCommandConfig::ParseServerAddress(addr); + NYdb::TDriverConfig config; + if (endpoint.EnableSsl.Defined()) { + if (PathToGrpcCaFile) { + config.UseSecureConnection(ReadFromFile(PathToGrpcCaFile, "CA certificates").c_str()); + } + if (PathToGrpcCertFile && PathToGrpcPrivateKeyFile) { + auto certificate = ReadFromFile(PathToGrpcCertFile, "Client certificates"); + auto privateKey = ReadFromFile(PathToGrpcPrivateKeyFile, "Client certificates key"); + config.UseClientCertificate(certificate.c_str(), privateKey.c_str()); + } + } + config.SetAuthToken(BUILTIN_ACL_ROOT); + config.SetEndpoint(endpoint.Address); + auto connection = 
NYdb::TDriver(config); + + auto client = NYdb::NDiscovery::TDiscoveryClient(connection); + NYdb::NDiscovery::TNodeRegistrationResult result = client.NodeRegistration(GetNodeRegistrationSettings(domainName, nodeHost, nodeAddress, nodeResolveHost, path)).GetValueSync(); + connection.Stop(true); + return result; + } + + THolder<NClient::TRegistrationResult> TryToRegisterDynamicNodeViaLegacyService( + const TString &addr, + const TString &domainName, + const TString &nodeHost, + const TString &nodeAddress, + const TString &nodeResolveHost, + const TMaybe<TString>& path) { + NClient::TKikimr kikimr(GetKikimr(addr)); + auto registrant = kikimr.GetNodeRegistrant(); + + auto loc = CreateNodeLocation(); return MakeHolder<NClient::TRegistrationResult> (registrant.SyncRegisterNode(ToString(domainName), 
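Review bot: TLS is switched on only inside the `PathToGrpcCaFile` branch of `TryToRegisterDynamicNodeViaDiscoveryService`, so an endpoint that `ParseServerAddress` marks as SSL but a node started without `--grpc-ca-file` never calls `UseSecureConnection` and, if the SDK defaults to plaintext, registers (sending `BUILTIN_ACL_ROOT` as its auth token) over an unencrypted channel; the guard also tests `EnableSsl.Defined()` rather than its value, so a scheme that explicitly disables TLS would still be treated as secure. I cannot see `ParseServerAddress` or the SDK default from here, so confirm both before changing it. I would key on the value, `if (endpoint.EnableSsl.GetOrElse(false)) {`, and inside it call `config.UseSecureConnection()` with the CA file contents when `PathToGrpcCaFile` is set and with no argument otherwise, keeping the client-certificate block in the same branch. The hard-coded `config.SetAuthToken(BUILTIN_ACL_ROOT);` deserves a one-line comment naming the server-side setting that makes a bare builtin token acceptable for registration, since nothing in this file shows it.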
@@ -991,31 +1070,131 @@ protected: return {}; } - void RegisterDynamicNode() { - TVector<TString> addrs; - auto &dnConfig = *RunConfig.AppConfig.MutableDynamicNodeConfig(); + NYdb::NDiscovery::TNodeRegistrationResult RegisterDynamicNodeViaDiscoveryService(const TVector<TString>& addrs, const TString& domainName) { + NYdb::NDiscovery::TNodeRegistrationResult result; + const size_t maxNumberRecivedCallUnimplemented = 5; + size_t currentNumberRecivedCallUnimplemented = 0; + while (!result.IsSuccess() && currentNumberRecivedCallUnimplemented < maxNumberRecivedCallUnimplemented) { + for (const auto& addr : addrs) { + result = TryToRegisterDynamicNodeViaDiscoveryService(addr, domainName, NodeHost, NodeAddress, NodeResolveHost, GetSchemePath()); + if (result.IsSuccess()) { + Cout << "Success. Registered via discovery service as " << result.GetNodeId() << Endl; + break; + } + Cerr << "Registration error: " << static_cast<NYdb::TStatus>(result) << Endl; + } + if (!result.IsSuccess()) { + Sleep(TDuration::Seconds(1)); + if (result.GetStatus() == NYdb::EStatus::CLIENT_CALL_UNIMPLEMENTED) { + currentNumberRecivedCallUnimplemented++; + } + } + } + return result; + } - FillClusterEndpoints(addrs); + void ProcessRegistrationDynamicNodeResult(const NYdb::NDiscovery::TNodeRegistrationResult& result) { + RunConfig.NodeId = result.GetNodeId(); + NActors::TScopeId scopeId; + if (result.HasScopeTabletId() && result.HasScopePathId()) { + scopeId.first = result.GetScopeTabletId(); + scopeId.second = result.GetScopePathId(); + } + RunConfig.ScopeId = TKikimrScopeId(scopeId); - if (!InterconnectPort) - ythrow yexception() << "Either --node or --ic-port should be specified"; + auto &nsConfig = *RunConfig.AppConfig.MutableNameserviceConfig(); + nsConfig.ClearNode(); - if (addrs.empty()) { - ythrow yexception() << "List of Node Broker end-points is empty"; + auto &dnConfig = *RunConfig.AppConfig.MutableDynamicNodeConfig(); + for (auto &node : result.GetNodes()) { + if (node.NodeId == 
result.GetNodeId()) { + auto nodeInfo = dnConfig.MutableNodeInfo(); + nodeInfo->SetNodeId(node.NodeId); + nodeInfo->SetHost(node.Host); + nodeInfo->SetPort(node.Port); + nodeInfo->SetResolveHost(node.ResolveHost); + nodeInfo->SetAddress(node.Address); + nodeInfo->SetExpire(node.Expire); + CopyNodeLocation(nodeInfo->MutableLocation(), node.Location); + } else { + auto &info = *nsConfig.AddNode(); + info.SetNodeId(node.NodeId); + info.SetAddress(node.Address); + info.SetPort(node.Port); + info.SetHost(node.Host); + info.SetInterconnectHost(node.ResolveHost); + CopyNodeLocation(info.MutableLocation(), node.Location); + } } + } - TString domainName = DeduceNodeDomain(); - if (!NodeHost) - NodeHost = FQDNHostName(); - if (!NodeResolveHost) - NodeResolveHost = NodeHost; + static void CopyNodeLocation(NActorsInterconnect::TNodeLocation* dst, const NYdb::NDiscovery::TNodeLocation& src) { + if (src.DataCenterNum) { + dst->SetDataCenterNum(src.DataCenterNum.value()); + } + if (src.RoomNum) { + dst->SetRoomNum(src.RoomNum.value()); + } + if (src.RackNum) { + dst->SetRackNum(src.RackNum.value()); + } + if (src.BodyNum) { + dst->SetBodyNum(src.BodyNum.value()); + } + if (src.Body) { + dst->SetBody(src.Body.value()); + } + if (src.DataCenter) { + dst->SetDataCenter(src.DataCenter.value()); + } + if (src.Module) { + dst->SetModule(src.Module.value()); + } + if (src.Rack) { + dst->SetRack(src.Rack.value()); + } + if (src.Unit) { + dst->SetUnit(src.Unit.value()); + } + } + static void CopyNodeLocation(NYdb::NDiscovery::TNodeLocation* dst, const NActorsInterconnect::TNodeLocation& src) { + if (src.HasDataCenterNum()) { + dst->DataCenterNum = src.GetDataCenterNum(); + } + if (src.HasRoomNum()) { + dst->RoomNum = src.GetRoomNum(); + } + if (src.HasRackNum()) { + dst->RackNum = src.GetRackNum(); + } + if (src.HasBodyNum()) { + dst->BodyNum = src.GetBodyNum(); + } + if (src.HasBody()) { + dst->Body = src.GetBody(); + } + if (src.HasDataCenter()) { + dst->DataCenter = 
src.GetDataCenter(); + } + if (src.HasModule()) { + dst->Module = src.GetModule(); + } + if (src.HasRack()) { + dst->Rack = src.GetRack(); + } + if (src.HasUnit()) { + dst->Unit = src.GetUnit(); + } + } + + THolder<NClient::TRegistrationResult> RegisterDynamicNodeViaLegacyService(const TVector<TString>& addrs, const TString& domainName) { THolder<NClient::TRegistrationResult> result; while (!result || !result->IsSuccess()) { - for (auto addr : addrs) { - result = TryToRegisterDynamicNode(addr, domainName, NodeHost, NodeAddress, NodeResolveHost, GetSchemePath()); + for (const auto& addr : addrs) { + result = TryToRegisterDynamicNodeViaLegacyService(addr, domainName, NodeHost, NodeAddress, NodeResolveHost, GetSchemePath()); if (result->IsSuccess()) { - Cout << "Success. Registered as " << result->GetNodeId() << Endl; + Cout << "Success. Registered via legacy service as " << result->GetNodeId() << Endl; break; } Cerr << "Registration error: " << result->GetErrorMessage() << Endl; @@ -1028,12 +1207,17 @@ protected: if (!result->IsSuccess()) ythrow yexception() << "Cannot register dynamic node: " << result->GetErrorMessage(); + return result; + } + + void ProcessRegistrationDynamicNodeResult(const THolder<NClient::TRegistrationResult>& result) { RunConfig.NodeId = result->GetNodeId(); RunConfig.ScopeId = TKikimrScopeId(result->GetScopeId()); - auto &nsConfig = *RunConfig.AppConfig.MutableNameserviceConfig(); + auto &nsConfig = *RunConfig.AppConfig.MutableNameserviceConfig(); nsConfig.ClearNode(); + auto &dnConfig = *RunConfig.AppConfig.MutableDynamicNodeConfig(); for (auto &node : result->Record().GetNodes()) { if (node.GetNodeId() == result->GetNodeId()) { dnConfig.MutableNodeInfo()->CopyFrom(node); 
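Review bot: The retry loop in `RegisterDynamicNodeViaDiscoveryService` is unbounded for every status except `CLIENT_CALL_UNIMPLEMENTED`: a node whose certificate is rejected, or that cannot complete TLS, retries every endpoint once a second forever and never reaches the legacy path in `RegisterDynamicNode`, and the counter advances once per full sweep of `addrs` rather than per endpoint, so the fallback costs five sweeps. That matches the legacy loop's behaviour, but it is not obvious from the code, so state it above the `while`: `// Only CLIENT_CALL_UNIMPLEMENTED counts toward the legacy fallback; every other failure is retried indefinitely, as the legacy loop does.` While there, `maxNumberRecivedCallUnimplemented` and `currentNumberRecivedCallUnimplemented` are misspelled (`Received`).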
@@ -1049,6 +1233,33 @@ protected: } } + void RegisterDynamicNode() { + TVector<TString> addrs; + + FillClusterEndpoints(addrs); + + if (!InterconnectPort) + ythrow yexception() << "Either --node or --ic-port should be specified"; + + if (addrs.empty()) { + ythrow yexception() << "List of Node Broker end-points is empty"; + } + + TString domainName = DeduceNodeDomain(); + if (!NodeHost) + NodeHost = FQDNHostName(); + if (!NodeResolveHost) + NodeResolveHost = NodeHost; + + NYdb::NDiscovery::TNodeRegistrationResult result = RegisterDynamicNodeViaDiscoveryService(addrs, domainName); + if (result.IsSuccess()) { + ProcessRegistrationDynamicNodeResult(result); + } else { + THolder<NClient::TRegistrationResult> result = RegisterDynamicNodeViaLegacyService(addrs, domainName); + ProcessRegistrationDynamicNodeResult(result); + } + } + void ApplyConfigForNode(NKikimrConfig::TAppConfig &appConfig) { AppConfig.Swap(&appConfig); // Dynamic node config is defined by options and Node Broker response. diff --git a/ydb/core/driver_lib/run/CMakeLists.darwin-x86_64.txt b/ydb/core/driver_lib/run/CMakeLists.darwin-x86_64.txt index 0d09ac280c9..e7bbabfbedf 100644 --- a/ydb/core/driver_lib/run/CMakeLists.darwin-x86_64.txt +++ b/ydb/core/driver_lib/run/CMakeLists.darwin-x86_64.txt @@ -59,6 +59,7 @@ target_link_libraries(run PUBLIC fq-libs-logs ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-health_check ydb-core-http_proxy core-kesus-proxy diff --git a/ydb/core/driver_lib/run/CMakeLists.linux-aarch64.txt b/ydb/core/driver_lib/run/CMakeLists.linux-aarch64.txt index a49f2149f3f..b1c4e4f1a30 100644 --- a/ydb/core/driver_lib/run/CMakeLists.linux-aarch64.txt +++ b/ydb/core/driver_lib/run/CMakeLists.linux-aarch64.txt @@ -60,6 +60,7 @@ target_link_libraries(run PUBLIC fq-libs-logs ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-health_check ydb-core-http_proxy core-kesus-proxy 
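Review bot: In the `else` branch of `RegisterDynamicNode` the inner `THolder<NClient::TRegistrationResult> result` shadows the discovery `result` declared two lines above, which reads as if the same object were being reassigned; name it `legacyResult` and pass that to `ProcessRegistrationDynamicNodeResult`. The branch is also where the discovery attempt's final status is dropped without explanation; because `RegisterDynamicNodeViaDiscoveryService` only returns failure after repeated `CLIENT_CALL_UNIMPLEMENTED`, a comment such as `// Discovery service is not available on this cluster (older server): fall back to the legacy NodeBroker call.` makes the fallback condition explicit for the next reader.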
diff --git a/ydb/core/driver_lib/run/CMakeLists.linux-x86_64.txt b/ydb/core/driver_lib/run/CMakeLists.linux-x86_64.txt index a49f2149f3f..b1c4e4f1a30 100644 --- a/ydb/core/driver_lib/run/CMakeLists.linux-x86_64.txt +++ b/ydb/core/driver_lib/run/CMakeLists.linux-x86_64.txt @@ -60,6 +60,7 @@ target_link_libraries(run PUBLIC fq-libs-logs ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-health_check ydb-core-http_proxy core-kesus-proxy diff --git a/ydb/core/driver_lib/run/CMakeLists.windows-x86_64.txt b/ydb/core/driver_lib/run/CMakeLists.windows-x86_64.txt index 0d09ac280c9..e7bbabfbedf 100644 --- a/ydb/core/driver_lib/run/CMakeLists.windows-x86_64.txt +++ b/ydb/core/driver_lib/run/CMakeLists.windows-x86_64.txt @@ -59,6 +59,7 @@ target_link_libraries(run PUBLIC fq-libs-logs ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-health_check ydb-core-http_proxy core-kesus-proxy diff --git a/ydb/core/driver_lib/run/cert_auth_props.h b/ydb/core/driver_lib/run/cert_auth_props.h index 9415c229a25..2b69e6aaff9 100644 --- a/ydb/core/driver_lib/run/cert_auth_props.h +++ b/ydb/core/driver_lib/run/cert_auth_props.h @@ -1,6 +1,6 @@ #pragma once -#include <ydb/core/client/server/dynamic_node_auth_processor.h> +#include <ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h> #include <ydb/core/protos/config.pb.h> #include <util/generic/string.h> diff --git a/ydb/core/driver_lib/run/run.cpp b/ydb/core/driver_lib/run/run.cpp index a830aefb9cd..357498e4aca 100644 --- a/ydb/core/driver_lib/run/run.cpp +++ b/ydb/core/driver_lib/run/run.cpp 
@@ -816,13 +816,19 @@ void TKikimrRunner::InitializeGRpc(const TKikimrRunConfig& runConfig) {
 }
 if (hasDiscovery) {
- server.AddService(new NGRpcService::TGRpcDiscoveryService(ActorSystem.Get(), Counters,
- grpcRequestProxies[0], hasDiscovery.IsRlAllowed()));
+ auto discoveryService = new NGRpcService::TGRpcDiscoveryService(ActorSystem.Get(), Counters,grpcRequestProxies[0], hasDiscovery.IsRlAllowed());
+ if (!opts.SslData.Empty()) {
+ discoveryService->SetDynamicNodeAuthParams(GetDynamicNodeAuthorizationParams(appConfig.GetClientCertificateAuthorization()));
+ }
+ server.AddService(discoveryService);
 }
 if (hasLocalDiscovery) {
- server.AddService(new NGRpcService::TGRpcLocalDiscoveryService(grpcConfig, ActorSystem.Get(), Counters,
- grpcRequestProxies[0]));
+ auto localDiscoveryService = new NGRpcService::TGRpcLocalDiscoveryService(grpcConfig, ActorSystem.Get(), Counters, grpcRequestProxies[0]);
+ if (!opts.SslData.Empty()) {
+ localDiscoveryService->SetDynamicNodeAuthParams(GetDynamicNodeAuthorizationParams(appConfig.GetClientCertificateAuthorization()));
+ }
+ server.AddService(localDiscoveryService);
 }
 if (hasRateLimiter) {
diff --git a/ydb/core/grpc_services/CMakeLists.darwin-x86_64.txt b/ydb/core/grpc_services/CMakeLists.darwin-x86_64.txt
index bed8458eab7..d1e1087ee09 100644
--- a/ydb/core/grpc_services/CMakeLists.darwin-x86_64.txt
+++ b/ydb/core/grpc_services/CMakeLists.darwin-x86_64.txt
@@ -6,6 +6,7 @@ # original buildsystem will not be accepted. +add_subdirectory(auth_processor) add_subdirectory(base) add_subdirectory(cancelation) add_subdirectory(counters)
@@ -34,6 +35,7 @@ target_link_libraries(ydb-core-grpc_services PUBLIC core-grpc_services-counters core-grpc_services-local_rpc core-grpc_services-cancelation + core-grpc_services-auth_processor ydb-core-health_check ydb-core-io_formats core-kesus-tablet
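Review bot: The dynamic-node authorization parameters are attached to both discovery services only when `opts.SslData` is non-empty, so a cluster whose config carries `ClientCertificateAuthorization` but whose gRPC listener is plaintext silently runs NodeRegistration with no parameters; if the new RPC mirrors the msgbus actor's `DynamicNodeAuthorizationParams` check, every registration on that listener is then accepted. I cannot see `GetDynamicNodeAuthorizationParams` or the new RPC's check from here, so treat the acceptance claim as inferred. I would compute the parameters once and make the mismatch visible, e.g. `const auto dynNodeAuth = GetDynamicNodeAuthorizationParams(appConfig.GetClientCertificateAuthorization());` before the two blocks, followed by `if (opts.SslData.Empty() && dynNodeAuth) { /* log: client-certificate node authorization is configured but the gRPC listener has no TLS, it will not be enforced */ }`, then pass `dynNodeAuth` to both `SetDynamicNodeAuthParams` calls. Also `Counters,grpcRequestProxies[0]` is missing a space. `InitializeGRpc` starts and ends outside the hunk.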
@@ -111,6 +113,7 @@ target_sources(ydb-core-grpc_services PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_load_rows.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_log_store.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_long_tx.cpp + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_node_registration.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_make_directory.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_modify_permissions.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_monitoring.cpp diff --git a/ydb/core/grpc_services/CMakeLists.linux-aarch64.txt b/ydb/core/grpc_services/CMakeLists.linux-aarch64.txt index 11ee0e2eaba..591edc09801 100644 --- a/ydb/core/grpc_services/CMakeLists.linux-aarch64.txt +++ b/ydb/core/grpc_services/CMakeLists.linux-aarch64.txt @@ -6,6 +6,7 @@ # original buildsystem will not be accepted. +add_subdirectory(auth_processor) add_subdirectory(base) add_subdirectory(cancelation) add_subdirectory(counters) @@ -35,6 +36,7 @@ target_link_libraries(ydb-core-grpc_services PUBLIC core-grpc_services-counters core-grpc_services-local_rpc core-grpc_services-cancelation + core-grpc_services-auth_processor ydb-core-health_check ydb-core-io_formats core-kesus-tablet @@ -112,6 +114,7 @@ target_sources(ydb-core-grpc_services PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_load_rows.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_log_store.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_long_tx.cpp + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_node_registration.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_make_directory.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_modify_permissions.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_monitoring.cpp diff --git a/ydb/core/grpc_services/CMakeLists.linux-x86_64.txt b/ydb/core/grpc_services/CMakeLists.linux-x86_64.txt index 11ee0e2eaba..591edc09801 100644 --- a/ydb/core/grpc_services/CMakeLists.linux-x86_64.txt 
+++ b/ydb/core/grpc_services/CMakeLists.linux-x86_64.txt @@ -6,6 +6,7 @@ # original buildsystem will not be accepted. +add_subdirectory(auth_processor) add_subdirectory(base) add_subdirectory(cancelation) add_subdirectory(counters) @@ -35,6 +36,7 @@ target_link_libraries(ydb-core-grpc_services PUBLIC core-grpc_services-counters core-grpc_services-local_rpc core-grpc_services-cancelation + core-grpc_services-auth_processor ydb-core-health_check ydb-core-io_formats core-kesus-tablet @@ -112,6 +114,7 @@ target_sources(ydb-core-grpc_services PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_load_rows.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_log_store.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_long_tx.cpp + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_node_registration.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_make_directory.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_modify_permissions.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_monitoring.cpp diff --git a/ydb/core/grpc_services/CMakeLists.windows-x86_64.txt b/ydb/core/grpc_services/CMakeLists.windows-x86_64.txt index bed8458eab7..d1e1087ee09 100644 --- a/ydb/core/grpc_services/CMakeLists.windows-x86_64.txt +++ b/ydb/core/grpc_services/CMakeLists.windows-x86_64.txt @@ -6,6 +6,7 @@ # original buildsystem will not be accepted. +add_subdirectory(auth_processor) add_subdirectory(base) add_subdirectory(cancelation) add_subdirectory(counters) @@ -34,6 +35,7 @@ target_link_libraries(ydb-core-grpc_services PUBLIC core-grpc_services-counters core-grpc_services-local_rpc core-grpc_services-cancelation + core-grpc_services-auth_processor ydb-core-health_check ydb-core-io_formats core-kesus-tablet 
@@ -111,6 +113,7 @@ target_sources(ydb-core-grpc_services PRIVATE ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_load_rows.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_log_store.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_long_tx.cpp + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_node_registration.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_make_directory.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_modify_permissions.cpp ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/rpc_monitoring.cpp diff --git a/ydb/core/grpc_services/auth_processor/CMakeLists.darwin-x86_64.txt b/ydb/core/grpc_services/auth_processor/CMakeLists.darwin-x86_64.txt new file mode 100644 index 00000000000..0671197fd03 --- /dev/null +++ b/ydb/core/grpc_services/auth_processor/CMakeLists.darwin-x86_64.txt @@ -0,0 +1,19 @@ + +# This file was generated by the build system used internally in the Yandex monorepo. +# Only simple modifications are allowed (adding source-files to targets, adding simple properties +# like target_include_directories). These modifications will be ported to original +# ya.make files by maintainers. Any complex modifications which can't be ported back to the +# original buildsystem will not be accepted. + + +find_package(OpenSSL REQUIRED) + +add_library(core-grpc_services-auth_processor) +target_link_libraries(core-grpc_services-auth_processor PUBLIC + contrib-libs-cxxsupp + yutil + OpenSSL::OpenSSL +) +target_sources(core-grpc_services-auth_processor PRIVATE + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.cpp +) diff --git a/ydb/core/grpc_services/auth_processor/CMakeLists.linux-aarch64.txt b/ydb/core/grpc_services/auth_processor/CMakeLists.linux-aarch64.txt new file mode 100644 index 00000000000..2b3e17d3202 --- /dev/null +++ b/ydb/core/grpc_services/auth_processor/CMakeLists.linux-aarch64.txt 
@@ -0,0 +1,20 @@ + +# This file was generated by the build system used internally in the Yandex monorepo. +# Only simple modifications are allowed (adding source-files to targets, adding simple properties +# like target_include_directories). These modifications will be ported to original +# ya.make files by maintainers. Any complex modifications which can't be ported back to the +# original buildsystem will not be accepted. + + +find_package(OpenSSL REQUIRED) + +add_library(core-grpc_services-auth_processor) +target_link_libraries(core-grpc_services-auth_processor PUBLIC + contrib-libs-linux-headers + contrib-libs-cxxsupp + yutil + OpenSSL::OpenSSL +) +target_sources(core-grpc_services-auth_processor PRIVATE + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.cpp +) diff --git a/ydb/core/grpc_services/auth_processor/CMakeLists.linux-x86_64.txt b/ydb/core/grpc_services/auth_processor/CMakeLists.linux-x86_64.txt new file mode 100644 index 00000000000..2b3e17d3202 --- /dev/null +++ b/ydb/core/grpc_services/auth_processor/CMakeLists.linux-x86_64.txt @@ -0,0 +1,20 @@ + +# This file was generated by the build system used internally in the Yandex monorepo. +# Only simple modifications are allowed (adding source-files to targets, adding simple properties +# like target_include_directories). These modifications will be ported to original +# ya.make files by maintainers. Any complex modifications which can't be ported back to the +# original buildsystem will not be accepted. + + +find_package(OpenSSL REQUIRED) + +add_library(core-grpc_services-auth_processor) +target_link_libraries(core-grpc_services-auth_processor PUBLIC + contrib-libs-linux-headers + contrib-libs-cxxsupp + yutil + OpenSSL::OpenSSL +) +target_sources(core-grpc_services-auth_processor PRIVATE + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.cpp +) 
diff --git a/ydb/core/grpc_services/auth_processor/CMakeLists.txt b/ydb/core/grpc_services/auth_processor/CMakeLists.txt new file mode 100644 index 00000000000..f8b31df0c11 --- /dev/null +++ b/ydb/core/grpc_services/auth_processor/CMakeLists.txt @@ -0,0 +1,17 @@ + +# This file was generated by the build system used internally in the Yandex monorepo. +# Only simple modifications are allowed (adding source-files to targets, adding simple properties +# like target_include_directories). These modifications will be ported to original +# ya.make files by maintainers. Any complex modifications which can't be ported back to the +# original buildsystem will not be accepted. + + +if (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" AND NOT HAVE_CUDA) + include(CMakeLists.linux-aarch64.txt) +elseif (CMAKE_SYSTEM_NAME STREQUAL "Darwin" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64") + include(CMakeLists.darwin-x86_64.txt) +elseif (WIN32 AND CMAKE_SYSTEM_PROCESSOR STREQUAL "AMD64" AND NOT HAVE_CUDA) + include(CMakeLists.windows-x86_64.txt) +elseif (CMAKE_SYSTEM_NAME STREQUAL "Linux" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64" AND NOT HAVE_CUDA) + include(CMakeLists.linux-x86_64.txt) +endif() diff --git a/ydb/core/grpc_services/auth_processor/CMakeLists.windows-x86_64.txt b/ydb/core/grpc_services/auth_processor/CMakeLists.windows-x86_64.txt new file mode 100644 index 00000000000..0671197fd03 --- /dev/null +++ b/ydb/core/grpc_services/auth_processor/CMakeLists.windows-x86_64.txt 
@@ -0,0 +1,19 @@ + +# This file was generated by the build system used internally in the Yandex monorepo. +# Only simple modifications are allowed (adding source-files to targets, adding simple properties +# like target_include_directories). These modifications will be ported to original +# ya.make files by maintainers. Any complex modifications which can't be ported back to the +# original buildsystem will not be accepted. + + +find_package(OpenSSL REQUIRED) + +add_library(core-grpc_services-auth_processor) +target_link_libraries(core-grpc_services-auth_processor PUBLIC + contrib-libs-cxxsupp + yutil + OpenSSL::OpenSSL +) +target_sources(core-grpc_services-auth_processor PRIVATE + ${CMAKE_SOURCE_DIR}/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.cpp +) diff --git a/ydb/core/client/server/dynamic_node_auth_processor.cpp b/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.cpp index 394def2f52c..394def2f52c 100644 --- a/ydb/core/client/server/dynamic_node_auth_processor.cpp +++ b/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.cpp diff --git a/ydb/core/client/server/dynamic_node_auth_processor.h b/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h index bafd4855b68..bafd4855b68 100644 --- a/ydb/core/client/server/dynamic_node_auth_processor.h +++ b/ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h diff --git a/ydb/core/grpc_services/rpc_node_registration.cpp b/ydb/core/grpc_services/rpc_node_registration.cpp new file mode 100644 index 00000000000..1d2292407be --- /dev/null +++ b/ydb/core/grpc_services/rpc_node_registration.cpp 
@@ -0,0 +1,303 @@ +#include "service_discovery.h" + +#include <ydb/core/grpc_services/base/base.h> +#include <library/cpp/actors/core/actor_bootstrapped.h> +#include <library/cpp/actors/interconnect/interconnect.h> +#include <ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h> +#include <ydb/core/base/tablet_pipe.h> +#include <ydb/core/base/appdata.h> +#include <ydb/core/mind/node_broker.h> +#include <ydb/core/protos/node_broker.pb.h> +#include <ydb/public/api/protos/ydb_discovery.pb.h> + +namespace NKikimr { +namespace NGRpcService { + +using namespace NKikimrNodeBroker; +using namespace NNodeBroker; + +using TEvNodeRegistrationRequest = TGrpcRequestOperationCall<Ydb::Discovery::NodeRegistrationRequest, + Ydb::Discovery::NodeRegistrationResponse>; + +class TNodeRegistrationRPC : public TActorBootstrapped<TNodeRegistrationRPC> { + using TActorBase = TActorBootstrapped<TNodeRegistrationRPC>; + + struct TNodeAuthorizationResult { + bool IsAuthorized = false; + bool IsCertificateUsed = false; + + operator bool() const { + return IsAuthorized; + } + }; + +public: + static constexpr NKikimrServices::TActivity::EType ActorActivityType() { + return NKikimrServices::TActivity::GRPC_REQ; + } + + TNodeRegistrationRPC(IRequestOpCtx* request, const TDynamicNodeAuthorizationParams& dynamicNodeAuthorizationParams) + : Request(request), DynamicNodeAuthorizationParams(dynamicNodeAuthorizationParams) + {} + + void Bootstrap(const TActorContext& ctx) { + auto req = dynamic_cast<TEvNodeRegistrationRequest*>(Request.get()); + Y_VERIFY(req, "Unexpected request type for TNodeRegistrationRPC"); + const TNodeAuthorizationResult nodeAuthorizationResult = IsNodeAuthorized(req->FindClientCert()); + if (!nodeAuthorizationResult.IsAuthorized) { + SendReplyAndDie(ctx); + } + + auto dinfo = AppData(ctx)->DomainsInfo; + ui32 group; + auto request = TEvNodeRegistrationRequest::GetProtoRequest(Request); + const TString& domainPath = request->domain_path(); + if 
(!domainPath.Empty()) { + auto *domain = dinfo->GetDomainByName(domainPath); + if (!domain) { + auto error = Sprintf("Unknown domain %s", domainPath.data()); + ReplyWithErrorAndDie(error, ctx); + return; + } + group = dinfo->GetDefaultStateStorageGroup(domain->DomainUid); + } else { + if (dinfo->Domains.size() > 1) { + auto error = "Ambiguous domain (specify DomainPath in request)"; + ReplyWithErrorAndDie(error, ctx); + return; + } + auto domain = dinfo->Domains.begin()->second; + group = dinfo->GetDefaultStateStorageGroup(domain->DomainUid); + } + + NTabletPipe::TClientConfig pipeConfig; + pipeConfig.RetryPolicy = {.RetryLimitCount = 10}; + auto pipe = NTabletPipe::CreateClient(SelfId(), MakeNodeBrokerID(group), pipeConfig); + NodeBrokerPipe = ctx.RegisterWithSameMailbox(pipe); + + TAutoPtr<TEvNodeBroker::TEvRegistrationRequest> nodeBrokerRequest + = new TEvNodeBroker::TEvRegistrationRequest; + + nodeBrokerRequest->Record.SetHost(request->host()); + nodeBrokerRequest->Record.SetPort(request->port()); + nodeBrokerRequest->Record.SetResolveHost(request->resolve_host()); + nodeBrokerRequest->Record.SetAddress(request->address()); + CopyNodeLocation(nodeBrokerRequest->Record.MutableLocation(), request->location()); + nodeBrokerRequest->Record.SetFixedNodeId(request->fixed_node_id()); + if (request->has_path()) { + nodeBrokerRequest->Record.SetPath(request->path()); + } + nodeBrokerRequest->Record.SetAuthorizedByCertificate(nodeAuthorizationResult.IsCertificateUsed); + + NTabletPipe::SendData(ctx, NodeBrokerPipe, nodeBrokerRequest.Release()); + + Become(&TNodeRegistrationRPC::MainState); + } + + void Handle(TEvNodeBroker::TEvRegistrationResponse::TPtr &ev, const TActorContext &ctx) { + auto &rec = ev->Get()->Record; + + if (rec.GetStatus().GetCode() != TStatus::OK) { + ReplyWithErrorAndDie(rec.GetStatus().GetReason(), ctx); + return; + } + + auto request = TEvNodeRegistrationRequest::GetProtoRequest(Request); + Result.set_node_id(rec.GetNode().GetNodeId()); + 
Result.set_expire(rec.GetNode().GetExpire()); + Result.set_domain_path(request->domain_path()); + CopyNodeInfo(Result.add_nodes(), rec.GetNode()); + + if (rec.HasScopeTabletId()) { + Result.set_scope_tablet_id(rec.GetScopeTabletId()); + } + if (rec.HasScopePathId()) { + Result.set_scope_path_id(rec.GetScopePathId()); + } + + const TActorId nameserviceId = GetNameserviceActorId(); + ctx.Send(nameserviceId, new TEvInterconnect::TEvListNodes()); + } + + void Handle(TEvInterconnect::TEvNodesInfo::TPtr &ev, const TActorContext &ctx) { + auto config = AppData()->DynamicNameserviceConfig; + + for (const auto &node : ev->Get()->Nodes) { + // Copy static nodes only. + if (!config || node.NodeId <= config->MaxStaticNodeId) { + auto &info = *Result.add_nodes(); + info.set_node_id(node.NodeId); + info.set_host(node.Host); + info.set_address(node.Address); + info.set_resolve_host(node.ResolveHost); + info.set_port(node.Port); + NActorsInterconnect::TNodeLocation location; + node.Location.Serialize(&location, true); + CopyNodeLocation(info.mutable_location(), location); + } + } + + Status = Ydb::StatusIds::SUCCESS; + SendReplyAndDie(ctx); + } + + void Undelivered(const TActorContext &ctx) { + ReplyWithErrorAndDie("Node Broker is unavailable", ctx); + } + + void Handle(TEvTabletPipe::TEvClientConnected::TPtr &ev, const TActorContext &ctx) noexcept + { + if (ev->Get()->Status != NKikimrProto::OK) + Undelivered(ctx); + } + + void Die(const TActorContext &ctx) + { + if (NodeBrokerPipe) { + NTabletPipe::CloseClient(ctx, NodeBrokerPipe); + } + TActorBase::Die(ctx); + } + + void SendReplyAndDie(const TActorContext &ctx) + { + Request->SendResult(Result, Status); + Die(ctx); + } + + void ReplyWithErrorAndDie(const TString &error, const TActorContext &ctx) + { + auto issue = NYql::TIssue(error); + Request->RaiseIssue(issue); + Status = Ydb::StatusIds::GENERIC_ERROR; + SendReplyAndDie(ctx); + } + + STFUNC(MainState) { + switch (ev->GetTypeRewrite()) { + 
CFunc(TEvents::TEvUndelivered::EventType, Undelivered); + HFunc(TEvNodeBroker::TEvRegistrationResponse, Handle); + HFunc(TEvInterconnect::TEvNodesInfo, Handle); + CFunc(TEvTabletPipe::EvClientDestroyed, Undelivered); + HFunc(TEvTabletPipe::TEvClientConnected, Handle); + } + } + +private: + TNodeAuthorizationResult IsNodeAuthorized(const TVector<TStringBuf>& nodeAuthValues) { + TNodeAuthorizationResult result {.IsAuthorized = false, .IsCertificateUsed = false}; + auto* appdata = AppData(); + if (appdata && appdata->FeatureFlags.GetEnableDynamicNodeAuthorization() && DynamicNodeAuthorizationParams) { + if (nodeAuthValues.empty()) { + Request->RaiseIssue(NYql::TIssue("Cannot authorize node. Node has not provided certificate")); + Status = Ydb::StatusIds::UNAUTHORIZED; + return result; + } + const auto& pemCert = nodeAuthValues.front(); + TMap<TString, TString> subjectDescription; + X509CertificateReader::X509Ptr x509cert = X509CertificateReader::ReadCertAsPEM(pemCert); + for(const auto& term: X509CertificateReader::ReadSubjectTerms(x509cert)) { + subjectDescription.insert(term); + } + + if (!DynamicNodeAuthorizationParams.IsSubjectDescriptionMatched(subjectDescription)) { + Status = Ydb::StatusIds::UNAUTHORIZED; + Request->RaiseIssue(NYql::TIssue("Cannot authorize node by certificate")); + return result; + } + auto request = TEvNodeRegistrationRequest::GetProtoRequest(Request); + const auto& host = request->host(); + if (!DynamicNodeAuthorizationParams.IsHostMatchAttributeCN(host)) { + Status = Ydb::StatusIds::UNAUTHORIZED; + Request->RaiseIssue(NYql::TIssue("Cannot authorize node with host: " + host)); + return result; + } + result.IsCertificateUsed = true; + } + result.IsAuthorized = true; + return result;; + } + + static void CopyNodeInfo(Ydb::Discovery::NodeInfo* dst, const NKikimrNodeBroker::TNodeInfo& src) { + dst->set_node_id(src.GetNodeId()); + dst->set_host(src.GetHost()); + dst->set_port(src.GetPort()); + dst->set_resolve_host(src.GetResolveHost()); + 
dst->set_address(src.GetAddress()); + CopyNodeLocation(dst->mutable_location(), src.GetLocation()); + dst->set_expire(src.GetExpire()); + } + + static void CopyNodeLocation(NActorsInterconnect::TNodeLocation* dst, const Ydb::Discovery::NodeLocation& src) { + if (src.has_data_center_num()) { + dst->SetDataCenterNum(src.data_center_num()); + } + if (src.has_room_num()) { + dst->SetRoomNum(src.room_num()); + } + if (src.has_rack_num()) { + dst->SetRackNum(src.rack_num()); + } + if (src.has_body_num()) { + dst->SetBodyNum(src.body_num()); + } + if (src.has_body()) { + dst->SetBody(src.body()); + } + if (src.has_data_center()) { + dst->SetDataCenter(src.data_center()); + } + if (src.has_module()) { + dst->SetModule(src.module()); + } + if (src.has_rack()) { + dst->SetRack(src.rack()); + } + if (src.has_unit()) { + dst->SetUnit(src.unit()); + } + } + + static void CopyNodeLocation(Ydb::Discovery::NodeLocation* dst, const NActorsInterconnect::TNodeLocation& src) { + if (src.HasDataCenterNum()) { + dst->set_data_center_num(src.GetDataCenterNum()); + } + if (src.HasRoomNum()) { + dst->set_room_num(src.GetRoomNum()); + } + if (src.HasRackNum()) { + dst->set_rack_num(src.GetRackNum()); + } + if (src.HasBodyNum()) { + dst->set_body_num(src.GetBodyNum()); + } + if (src.HasBody()) { + dst->set_body(src.GetBody()); + } + if (src.HasDataCenter()) { + dst->set_data_center(src.GetDataCenter()); + } + if (src.HasModule()) { + dst->set_module(src.GetModule()); + } + if (src.HasRack()) { + dst->set_rack(src.GetRack()); + } + if (src.HasUnit()) { + dst->set_unit(src.GetUnit()); + } + } + + std::unique_ptr<IRequestOpCtx> Request; + Ydb::Discovery::NodeRegistrationResult Result; + Ydb::StatusIds_StatusCode Status = Ydb::StatusIds::SUCCESS; + TActorId NodeBrokerPipe; + const TDynamicNodeAuthorizationParams DynamicNodeAuthorizationParams; +}; + +void DoNodeRegistrationRequest(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider& f, const TDynamicNodeAuthorizationParams& 
dynamicNodeAuthorizationParams) { + f.RegisterActor(new TNodeRegistrationRPC(p.release(), dynamicNodeAuthorizationParams)); +} + +} // namespace NGRpcService +} // namespace NKikimr diff --git a/ydb/core/grpc_services/service_discovery.h b/ydb/core/grpc_services/service_discovery.h index 871d877f456..e47ad65c636 100644 --- a/ydb/core/grpc_services/service_discovery.h +++ b/ydb/core/grpc_services/service_discovery.h @@ -3,6 +3,9 @@ #include <memory> namespace NKikimr { + +struct TDynamicNodeAuthorizationParams; + namespace NGRpcService { class IRequestOpCtx; @@ -10,6 +13,7 @@ class IFacilityProvider; void DoListEndpointsRequest(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider& f); void DoWhoAmIRequest(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider& f); +void DoNodeRegistrationRequest(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider& f, const TDynamicNodeAuthorizationParams& dynamicNodeAuthorizationParams); } } diff --git a/ydb/core/testlib/test_client.cpp b/ydb/core/testlib/test_client.cpp index 38172f02dc4..3a93133f463 100644 --- a/ydb/core/testlib/test_client.cpp +++ b/ydb/core/testlib/test_client.cpp 
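Review bot: In Bootstrap the rejection branch `if (!nodeAuthorizationResult.IsAuthorized) { SendReplyAndDie(ctx); }` has no `return`, so after the UNAUTHORIZED reply is sent and Die() has run, execution still creates the Node Broker pipe, sends TEvRegistrationRequest for the rejected host and calls Become(MainState); a client that fails the certificate/CN check can therefore still get its node registered with the broker (it merely never sees the response), and registering a pipe on an actor that has already died is at best undefined. The fix is `SendReplyAndDie(ctx); return;`. Separately, IsNodeAuthorized inspects only `nodeAuthValues.front()` and hands the X509Ptr from ReadCertAsPEM to ReadSubjectTerms without a null check, so a malformed PEM presumably ends up matched against an empty subject map — I cannot see how ReadSubjectTerms treats a null pointer, so an explicit `if (!x509cert) { Status = Ydb::StatusIds::UNAUTHORIZED; Request->RaiseIssue(NYql::TIssue("Cannot parse client certificate")); return result; }` guard is warranted. It should also be stated in a comment on IsNodeAuthorized that with EnableDynamicNodeAuthorization off, or with empty DynamicNodeAuthorizationParams, every caller of this public Discovery RPC is authorized to register a node, and `return result;;` carries a stray semicolon.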
@@ -364,7 +364,11 @@ namespace Tests { GRpcServer->AddService(new NGRpcService::TGRpcPQClusterDiscoveryService(system, counters, grpcRequestProxies[0])); GRpcServer->AddService(new NKesus::TKesusGRpcService(system, counters, grpcRequestProxies[0], true)); GRpcServer->AddService(new NGRpcService::TGRpcCmsService(system, counters, grpcRequestProxies[0], true)); - GRpcServer->AddService(new NGRpcService::TGRpcDiscoveryService(system, counters, grpcRequestProxies[0], true)); + auto discoveryService = new NGRpcService::TGRpcDiscoveryService(system, counters, grpcRequestProxies[0], true); + if (!options.SslData.Empty()) { + discoveryService->SetDynamicNodeAuthParams(NKikimr::GetDynamicNodeAuthorizationParams(Settings->AppConfig.GetClientCertificateAuthorization())); + } + GRpcServer->AddService(discoveryService); GRpcServer->AddService(new NGRpcService::TGRpcYdbClickhouseInternalService(system, counters, appData.InFlightLimiterRegistry, grpcRequestProxies[0], true)); GRpcServer->AddService(new NQuoter::TRateLimiterGRpcService(system, counters, grpcRequestProxies[0])); GRpcServer->AddService(new NGRpcService::TGRpcYdbLongTxService(system, counters, grpcRequestProxies[0], true)); diff --git a/ydb/public/api/grpc/ydb_discovery_v1.proto b/ydb/public/api/grpc/ydb_discovery_v1.proto index dc06a4f6788..7005b5b642e 100644 --- a/ydb/public/api/grpc/ydb_discovery_v1.proto +++ b/ydb/public/api/grpc/ydb_discovery_v1.proto @@ -8,4 +8,5 @@ import "ydb/public/api/protos/ydb_discovery.proto"; service DiscoveryService { rpc ListEndpoints(Ydb.Discovery.ListEndpointsRequest) returns (Ydb.Discovery.ListEndpointsResponse); rpc WhoAmI(Ydb.Discovery.WhoAmIRequest) returns (Ydb.Discovery.WhoAmIResponse); + rpc NodeRegistration(Ydb.Discovery.NodeRegistrationRequest) returns (Ydb.Discovery.NodeRegistrationResponse); } diff --git a/ydb/public/api/protos/ydb_discovery.proto b/ydb/public/api/protos/ydb_discovery.proto index 5577dafe36d..4c94372eb71 100644 
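Review bot: The new `rpc NodeRegistration` on the client-facing DiscoveryService has no doc comment, so nothing in the public .proto tells a reader that this is a cluster-membership operation rather than a discovery query, nor what authorizes it; per rpc_node_registration.cpp in this commit the only gate is the server-side dynamic node authorization (client-certificate subject/CN match), and it is skipped entirely when that feature is off. Suggest a comment above the rpc such as `// Registers a dynamic node with the cluster's Node Broker. Intended for database nodes, not ordinary clients; the server may require a client certificate whose subject matches its dynamic node authorization configuration.`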
--- a/ydb/public/api/protos/ydb_discovery.proto +++ b/ydb/public/api/protos/ydb_discovery.proto @@ -49,7 +49,7 @@ message WhoAmIRequest { // Include user groups in response bool include_groups = 1; } - + message WhoAmIResult { // User SID (Security ID) string user = 1; @@ -60,3 +60,51 @@ message WhoAmIResult { message WhoAmIResponse { Ydb.Operations.Operation operation = 1; } + +message NodeLocation { + // compatibility section -- will be removed in future versions + optional uint32 data_center_num = 1 [deprecated=true]; + optional uint32 room_num = 2 [deprecated=true]; + optional uint32 rack_num = 3 [deprecated=true]; + optional uint32 body_num = 4 [deprecated=true]; + optional uint32 body = 100500 [deprecated=true]; // for compatibility with WalleLocation + + optional string data_center = 10; + optional string module = 20; + optional string rack = 30; + optional string unit = 40; +} + +message NodeInfo { + optional uint32 node_id = 1; + optional string host = 2; + optional uint32 port = 3; + optional string resolve_host = 4; + optional string address = 5; + optional NodeLocation location = 6; + optional uint64 expire = 7; +} + +message NodeRegistrationRequest { + optional string host = 1; + optional uint32 port = 2; + optional string resolve_host = 3; + optional string address = 4; + optional NodeLocation location = 5; + optional string domain_path = 6; + optional bool fixed_node_id = 7; + optional string path = 8; +} + +message NodeRegistrationResult { + optional uint32 node_id = 1; + optional string domain_path = 2; + optional uint64 expire = 3; + repeated NodeInfo nodes = 4; + optional uint64 scope_tablet_id = 5; + optional uint64 scope_path_id = 6; +} + +message NodeRegistrationResponse { + Ydb.Operations.Operation operation = 1; +} diff --git a/ydb/public/sdk/cpp/client/ydb_discovery/discovery.cpp b/ydb/public/sdk/cpp/client/ydb_discovery/discovery.cpp index b502222fc25..20c71a20385 100644 --- a/ydb/public/sdk/cpp/client/ydb_discovery/discovery.cpp 
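Review bot: None of the new messages carry field comments even though this is the public API file and WhoAmIRequest just above documents its only field; `path` versus `domain_path` in NodeRegistrationRequest, `fixed_node_id`, and `expire` in NodeInfo/NodeRegistrationResult are not self-explanatory. From rpc_node_registration.cpp in this commit, `domain_path` may be left empty only when the cluster has a single domain (otherwise the server replies "Ambiguous domain"), so at least `// Domain the node joins; may be omitted only when the cluster has exactly one domain` belongs on that field, with a hedged `// presumably the database (tenant) path the node serves — confirm with Node Broker semantics` on `path` until the meaning is confirmed. The unit of `expire` (the Node Broker side is not in this diff) should be stated once known.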
+++ b/ydb/public/sdk/cpp/client/ydb_discovery/discovery.cpp 
@@ -57,6 +57,75 @@ const TVector<TString>& TWhoAmIResult::GetGroups() const { return Groups_; } +TNodeLocation::TNodeLocation(const Ydb::Discovery::NodeLocation& location) + : DataCenterNum(location.has_data_center_num() ? std::make_optional(location.data_center_num()) : std::nullopt) + , RoomNum(location.has_room_num() ? std::make_optional(location.room_num()) : std::nullopt) + , RackNum(location.has_rack_num() ? std::make_optional(location.rack_num()) : std::nullopt) + , BodyNum(location.has_body_num() ? std::make_optional(location.body_num()) : std::nullopt) + , Body(location.has_body() ? std::make_optional(location.body()) : std::nullopt) + , DataCenter(location.has_data_center() ? std::make_optional(location.data_center()) : std::nullopt) + , Module(location.has_module() ? std::make_optional(location.module()) : std::nullopt) + , Rack(location.has_rack() ? std::make_optional(location.rack()) : std::nullopt) + , Unit(location.has_unit() ? std::make_optional(location.unit()) : std::nullopt) + {} + +TNodeInfo::TNodeInfo(const Ydb::Discovery::NodeInfo& info) + : NodeId(info.node_id()) + , Host(info.host()) + , Port(info.port()) + , ResolveHost(info.resolve_host()) + , Address(info.address()) + , Location(info.location()) + , Expire(info.expire()) + {} + +TNodeRegistrationResult::TNodeRegistrationResult(TStatus&& status, const Ydb::Discovery::NodeRegistrationResult& proto) + : TStatus(std::move(status)) + , NodeId_(proto.node_id()) + , DomainPath_(proto.domain_path()) + , Expire_(proto.expire()) + , ScopeTableId_(proto.has_scope_tablet_id() ? std::make_optional(proto.scope_tablet_id()) : std::nullopt) + , ScopePathId_(proto.has_scope_path_id() ? 
std::make_optional(proto.scope_path_id()) : std::nullopt) +{ + const auto& nodes = proto.nodes(); + Nodes_.reserve(nodes.size()); + for (const auto& node : nodes) { + Nodes_.emplace_back(node); + } +} + +const ui32& TNodeRegistrationResult::GetNodeId() const { + return NodeId_; +} + +const TString& TNodeRegistrationResult::GetDomainPath() const { + return DomainPath_; +} + +const ui64& TNodeRegistrationResult::GetExpire() const { + return Expire_; +} + +const ui64& TNodeRegistrationResult::GetScopeTabletId() const { + return ScopeTableId_.value(); +} + +bool TNodeRegistrationResult::HasScopeTabletId() const { + return ScopeTableId_.has_value(); +} + +const ui64& TNodeRegistrationResult::GetScopePathId() const { + return ScopePathId_.value(); +} + +bool TNodeRegistrationResult::HasScopePathId() const { + return ScopePathId_.value(); +} + +const TVector<TNodeInfo>& TNodeRegistrationResult::GetNodes() const { + return Nodes_; +} + class TDiscoveryClient::TImpl : public TClientImplCommon<TDiscoveryClient::TImpl> { public: TImpl(std::shared_ptr<TGRpcConnectionsImpl>&& connections, const TCommonClientSettings& settings) 
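Review bot: `TNodeRegistrationResult::HasScopePathId()` returns `ScopePathId_.value()` instead of `ScopePathId_.has_value()`, so it throws `std::bad_optional_access` precisely when the server sent no scope_path_id (the case the method exists to detect) and reports `false` for a present id of 0; the sibling HasScopeTabletId is written correctly. Change it to `return ScopePathId_.has_value();`. A unit test that builds a `Ydb::Discovery::NodeRegistrationResult` without scope fields and calls both Has* accessors would catch this, and the member `ScopeTableId_` is spelled differently from its accessor GetScopeTabletId, which is worth aligning while here.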
@@ -118,6 +187,72 @@ public: return promise.GetFuture(); } + + TAsyncNodeRegistrationResult NodeRegistration(const TNodeRegistrationSettings& settings) { + Ydb::Discovery::NodeRegistrationRequest request; + request.set_host(settings.Host_); + request.set_port(settings.Port_); + request.set_resolve_host(settings.ResolveHost_); + request.set_address(settings.Address_); + request.set_domain_path(settings.DomainPath_); + request.set_fixed_node_id(settings.FixedNodeId_); + if (!settings.Path_.Empty()) { + request.set_path(settings.Path_); + } + + auto requestLocation = request.mutable_location(); + const auto& location = settings.Location_; + + if (location.DataCenter) { + requestLocation->set_data_center(location.DataCenter.value()); + } + if (location.Module) { + requestLocation->set_module(location.Module.value()); + } + if (location.Rack) { + requestLocation->set_rack(location.Rack.value()); + } + if (location.Unit) { + requestLocation->set_unit(location.Unit.value()); + } + + if (location.DataCenterNum) { + requestLocation->set_data_center_num(location.DataCenterNum.value()); + } + if (location.RoomNum) { + requestLocation->set_room_num(location.RoomNum.value()); + } + if (location.RackNum) { + requestLocation->set_rack_num(location.RackNum.value()); + } + if (location.BodyNum) { + requestLocation->set_body_num(location.BodyNum.value()); + } + if (location.Body) { + requestLocation->set_body(location.Body.value()); + } + + auto promise = NThreading::NewPromise<TNodeRegistrationResult>(); + + auto extractor = [promise] (google::protobuf::Any* any, TPlainStatus status) mutable { + Ydb::Discovery::NodeRegistrationResult result; + if (any) { + any->UnpackTo(&result); + } + TNodeRegistrationResult val{TStatus(std::move(status)), result}; + promise.SetValue(std::move(val)); + }; + + Connections_->RunDeferred<Ydb::Discovery::V1::DiscoveryService, Ydb::Discovery::NodeRegistrationRequest, Ydb::Discovery::NodeRegistrationResponse>( + std::move(request), + extractor, + 
&Ydb::Discovery::V1::DiscoveryService::Stub::AsyncNodeRegistration, + DbDriverState_, + INITIAL_DEFERRED_CALL_DELAY, + TRpcRequestSettings::Make(settings)); + + return promise.GetFuture(); + } }; TDiscoveryClient::TDiscoveryClient(const TDriver& driver, const TCommonClientSettings& settings) @@ -132,5 +267,9 @@ TAsyncWhoAmIResult TDiscoveryClient::WhoAmI(const TWhoAmISettings& settings) { return Impl_->WhoAmI(settings); } +TAsyncNodeRegistrationResult TDiscoveryClient::NodeRegistration(const TNodeRegistrationSettings& settings) { + return Impl_->NodeRegistration(settings); +} + } // namespace NDiscovery } // namespace NYdb diff --git a/ydb/public/sdk/cpp/client/ydb_discovery/discovery.h b/ydb/public/sdk/cpp/client/ydb_discovery/discovery.h index bd84cdd592e..3e9c20717b5 100644 --- a/ydb/public/sdk/cpp/client/ydb_discovery/discovery.h +++ b/ydb/public/sdk/cpp/client/ydb_discovery/discovery.h @@ -6,6 +6,9 @@ namespace Ydb { namespace Discovery { class ListEndpointsResult; class WhoAmIResult; + class NodeRegistrationResult; + class NodeLocation; + class NodeInfo; } // namespace Discovery } // namespace Ydb 
@@ -20,6 +23,33 @@ struct TWhoAmISettings : public TSimpleRequestSettings<TWhoAmISettings> { FLUENT_SETTING_DEFAULT(bool, WithGroups, false); }; +struct TNodeLocation { + TNodeLocation() = default; + TNodeLocation(const Ydb::Discovery::NodeLocation& location); + + std::optional<ui32> DataCenterNum; + std::optional<ui32> RoomNum; + std::optional<ui32> RackNum; + std::optional<ui32> BodyNum; + std::optional<ui32> Body; + + std::optional<TString> DataCenter; + std::optional<TString> Module; + std::optional<TString> Rack; + std::optional<TString> Unit; +}; + +struct TNodeRegistrationSettings : public TSimpleRequestSettings<TNodeRegistrationSettings> { + FLUENT_SETTING(TString, Host); + FLUENT_SETTING(ui32, Port); + FLUENT_SETTING(TString, ResolveHost); + FLUENT_SETTING(TString, Address); + FLUENT_SETTING(TNodeLocation, Location); + FLUENT_SETTING(TString, DomainPath); + FLUENT_SETTING_DEFAULT(bool, FixedNodeId, false); + FLUENT_SETTING(TString, Path); +}; + struct TEndpointInfo { TString Address; ui32 Port = 0; 
@@ -55,6 +85,43 @@ private: using TAsyncWhoAmIResult = NThreading::TFuture<TWhoAmIResult>; +struct TNodeInfo { + TNodeInfo() = default; + TNodeInfo(const Ydb::Discovery::NodeInfo& info); + + ui32 NodeId; + TString Host; + ui32 Port; + TString ResolveHost; + TString Address; + TNodeLocation Location; + ui64 Expire; +}; + +class TNodeRegistrationResult : public TStatus { +public: + TNodeRegistrationResult() : TStatus(EStatus::GENERIC_ERROR, NYql::TIssues()) {} + TNodeRegistrationResult(TStatus&& status, const Ydb::Discovery::NodeRegistrationResult& proto); + const ui32& GetNodeId() const; + const TString& GetDomainPath() const; + const ui64& GetExpire() const; + const ui64& GetScopeTabletId() const; + bool HasScopeTabletId() const; + const ui64& GetScopePathId() const; + bool HasScopePathId() const; + const TVector<TNodeInfo>& GetNodes() const; + +private: + ui32 NodeId_; + TString DomainPath_; + ui64 Expire_; + std::optional<ui64> ScopeTableId_; + std::optional<ui64> ScopePathId_; + TVector<TNodeInfo> Nodes_; +}; + +using TAsyncNodeRegistrationResult = NThreading::TFuture<TNodeRegistrationResult>; + //////////////////////////////////////////////////////////////////////////////// class TDiscoveryClient { @@ -63,6 +130,7 @@ public: TAsyncListEndpointsResult ListEndpoints(const TListEndpointsSettings& settings = TListEndpointsSettings()); TAsyncWhoAmIResult WhoAmI(const TWhoAmISettings& settings = TWhoAmISettings()); + TAsyncNodeRegistrationResult NodeRegistration(const TNodeRegistrationSettings& settings = TNodeRegistrationSettings()); private: class TImpl; diff --git a/ydb/services/discovery/grpc_service.cpp b/ydb/services/discovery/grpc_service.cpp index 2ffebc9ff36..3c1e9a0d36a 100644 --- a/ydb/services/discovery/grpc_service.cpp +++ b/ydb/services/discovery/grpc_service.cpp 
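Review bot: `TNodeInfo` declares `ui32 NodeId; ui32 Port; ui64 Expire;` with a defaulted constructor, and `TNodeRegistrationResult()` initializes only the TStatus base, so `NodeId_` and `Expire_` are indeterminate on a default-constructed result; the extractor in discovery.cpp always builds from a proto, but the default constructor is public and will be reached by any caller that declares a result before the future resolves. Give the scalars in-class initializers, `ui32 NodeId = 0; ui32 Port = 0; ui64 Expire = 0;` and `ui32 NodeId_ = 0; ui64 Expire_ = 0;`. The single-argument constructors `TNodeInfo(const Ydb::Discovery::NodeInfo&)` and, in the earlier hunk, `TNodeLocation(const Ydb::Discovery::NodeLocation&)` are not `explicit`, which permits silent conversion from the protobuf types in the public SDK.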
@@ -16,6 +16,10 @@ static TString GetSdkBuildInfo(NGrpc::IRequestContextBase* reqCtx) { return TString{res[0]}; } +void TGRpcDiscoveryService::SetDynamicNodeAuthParams(const TDynamicNodeAuthorizationParams& dynamicNodeAuthorizationParams) { + DynamicNodeAuthorizationParams = dynamicNodeAuthorizationParams; +} + void TGRpcDiscoveryService::SetupIncomingRequests(NGrpc::TLoggerPtr logger) { auto getCounterBlock = CreateCounterCb(Counters_, ActorSystem_); using namespace Ydb; @@ -29,11 +33,15 @@ void TGRpcDiscoveryService::SetupIncomingRequests(NGrpc::TLoggerPtr logger) { NGRpcService::ReportGrpcReqToMon(*ActorSystem_, ctx->GetPeer(), GetSdkBuildInfo(ctx)); \ ActorSystem_->Send(GRpcRequestProxyId_, \ new TGrpcRequestOperationCall<Discovery::NAME##Request, Discovery::NAME##Response> \ - (ctx, &CB, TRequestAuxSettings{RLSWITCH(TRateLimiterMode::Rps), nullptr})); \ + (ctx, CB, TRequestAuxSettings{RLSWITCH(TRateLimiterMode::Rps), nullptr})); \ }, &Ydb::Discovery::V1::DiscoveryService::AsyncService::Request ## NAME, \ #NAME, logger, getCounterBlock("discovery", #NAME))->Run(); - ADD_REQUEST(WhoAmI, DoWhoAmIRequest) + ADD_REQUEST(WhoAmI, &DoWhoAmIRequest) + NodeRegistrationRequest = [authParams = this->DynamicNodeAuthorizationParams] (std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider& f) { + DoNodeRegistrationRequest(std::move(p), f, authParams); + }; + ADD_REQUEST(NodeRegistration, NodeRegistrationRequest) #ifdef ADD_LEGACY_REQUEST #error macro already defined diff --git a/ydb/services/discovery/grpc_service.h b/ydb/services/discovery/grpc_service.h index 697f6e1c07b..1a18e0bcf18 100644 --- a/ydb/services/discovery/grpc_service.h +++ b/ydb/services/discovery/grpc_service.h 
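Review bot: The NodeRegistration handler copies `DynamicNodeAuthorizationParams` into the lambda (`[authParams = this->DynamicNodeAuthorizationParams]`) at the moment SetupIncomingRequests runs, so SetDynamicNodeAuthParams only takes effect if it is called before the service is started; a later call silently leaves the captured copy empty, and per rpc_node_registration.cpp in this commit empty params disable the certificate check, which turns an ordering mistake into an unauthenticated node-registration endpoint. test_client.cpp happens to call the setter before AddService, but nothing enforces that. At minimum document the precondition on the setter, `// Must be called before the service is started: the value is copied into the NodeRegistration handler by SetupIncomingRequests.`; alternatively have the lambda read the member at request time (capturing `this`, which appears to outlive its handlers, though I cannot confirm that from this diff) so the current configuration is always used.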
@@ -7,20 +7,27 @@ #include <library/cpp/grpc/server/grpc_server.h> #include <ydb/core/grpc_services/base/base_service.h> +#include <ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h> namespace NKikimr { namespace NGRpcService { + class IRequestOpCtx; + class IFacilityProvider; + class TGRpcDiscoveryService : public TGrpcServiceBase<Ydb::Discovery::V1::DiscoveryService> { public: using TGrpcServiceBase<Ydb::Discovery::V1::DiscoveryService>::TGrpcServiceBase; + void SetDynamicNodeAuthParams(const TDynamicNodeAuthorizationParams& dynamicNodeAuthorizationParams); + private: void SetupIncomingRequests(NGrpc::TLoggerPtr logger); - + TDynamicNodeAuthorizationParams DynamicNodeAuthorizationParams = {}; + std::function<void(std::unique_ptr<IRequestOpCtx>, const IFacilityProvider&)> NodeRegistrationRequest; }; } // namespace NGRpcService diff --git a/ydb/services/local_discovery/grpc_service.cpp b/ydb/services/local_discovery/grpc_service.cpp index d2c091c3304..0836cbf34f9 100644 --- a/ydb/services/local_discovery/grpc_service.cpp +++ b/ydb/services/local_discovery/grpc_service.cpp @@ -76,6 +76,10 @@ void TGRpcLocalDiscoveryService::DecRequest() { Y_ASSERT(Limiter_->GetCurrentInFlight() >= 0); } +void TGRpcLocalDiscoveryService::SetDynamicNodeAuthParams(const TDynamicNodeAuthorizationParams& dynamicNodeAuthorizationParams) { + DynamicNodeAuthorizationParams = dynamicNodeAuthorizationParams; +} + void TGRpcLocalDiscoveryService::SetupIncomingRequests(NGrpc::TLoggerPtr logger) { auto getCounterBlock = CreateCounterCb(Counters_, ActorSystem_); using namespace Ydb; 
@@ -90,11 +94,15 @@ void TGRpcLocalDiscoveryService::SetupIncomingRequests(NGrpc::TLoggerPtr logger) NGRpcService::ReportGrpcReqToMon(*ActorSystem_, ctx->GetPeer(), GetSdkBuildInfo(ctx)); \ ActorSystem_->Send(GRpcRequestProxyId_, \ new TGrpcRequestOperationCall<Discovery::NAME##Request, Discovery::NAME##Response> \ - (ctx, &CB, TRequestAuxSettings{TRateLimiterMode::Rps, nullptr})); \ + (ctx, CB, TRequestAuxSettings{TRateLimiterMode::Rps, nullptr})); \ }, &Ydb::Discovery::V1::DiscoveryService::AsyncService::Request ## NAME, \ #NAME, logger, getCounterBlock("discovery", #NAME))->Run(); - ADD_REQUEST(WhoAmI, DoWhoAmIRequest) + ADD_REQUEST(WhoAmI, &DoWhoAmIRequest) + NodeRegistrationRequest = [authParams = this->DynamicNodeAuthorizationParams] (std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider& f) { + DoNodeRegistrationRequest(std::move(p), f, authParams); + }; + ADD_REQUEST(NodeRegistration, NodeRegistrationRequest) #undef ADD_REQUEST using namespace std::placeholders; diff --git a/ydb/services/local_discovery/grpc_service.h b/ydb/services/local_discovery/grpc_service.h index f58e81811c5..b2d6ad601aa 100644 --- a/ydb/services/local_discovery/grpc_service.h +++ b/ydb/services/local_discovery/grpc_service.h @@ -7,6 +7,7 @@ #include <library/cpp/grpc/server/grpc_server.h> #include <ydb/core/grpc_services/base/base_service.h> +#include <ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h> namespace NKikimr { namespace NGRpcService { @@ -29,6 +30,8 @@ public: bool IncRequest(); void DecRequest(); + void SetDynamicNodeAuthParams(const TDynamicNodeAuthorizationParams& dynamicNodeAuthorizationParams); + private: void SetupIncomingRequests(NGrpc::TLoggerPtr logger); void DoListEndpointsRequest(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider& provider); 
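Review bot: The same ordering hazard exists here as in TGRpcDiscoveryService: the lambda copies `DynamicNodeAuthorizationParams` when SetupIncomingRequests runs, so the setter must be called before the local discovery service starts or NodeRegistration is served with empty params, which per rpc_node_registration.cpp skips the certificate check. In the visible part of this diff only TGRpcDiscoveryService receives SetDynamicNodeAuthParams (test_client.cpp), and I did not find a caller for TGRpcLocalDiscoveryService, so unless production wiring outside this diff sets it, the local endpoint registers nodes without any node authorization. Add `// Must be called before the service is started; the value is copied into the NodeRegistration handler.` on SetDynamicNodeAuthParams and confirm the local service is configured wherever the main one is.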
@@ -40,6 +43,9 @@ private: TIntrusivePtr<::NMonitoring::TDynamicCounters> Counters_; NActors::TActorId GRpcRequestProxyId_; NGrpc::TGlobalLimiter* Limiter_ = nullptr; + + TDynamicNodeAuthorizationParams DynamicNodeAuthorizationParams = {}; + std::function<void(std::unique_ptr<IRequestOpCtx>, const IFacilityProvider&)> NodeRegistrationRequest; }; } // namespace NGRpcService diff --git a/ydb/services/ydb/CMakeLists.darwin-x86_64.txt b/ydb/services/ydb/CMakeLists.darwin-x86_64.txt index 813d577ed81..76c589603fb 100644 --- a/ydb/services/ydb/CMakeLists.darwin-x86_64.txt +++ b/ydb/services/ydb/CMakeLists.darwin-x86_64.txt @@ -24,6 +24,7 @@ target_link_libraries(ydb-services-ydb PUBLIC ydb-core-formats ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-grpc_streaming ydb-core-protos ydb-core-scheme diff --git a/ydb/services/ydb/CMakeLists.linux-aarch64.txt b/ydb/services/ydb/CMakeLists.linux-aarch64.txt index 2f77c61e3d3..e481961748d 100644 --- a/ydb/services/ydb/CMakeLists.linux-aarch64.txt +++ b/ydb/services/ydb/CMakeLists.linux-aarch64.txt @@ -25,6 +25,7 @@ target_link_libraries(ydb-services-ydb PUBLIC ydb-core-formats ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-grpc_streaming ydb-core-protos ydb-core-scheme diff --git a/ydb/services/ydb/CMakeLists.linux-x86_64.txt b/ydb/services/ydb/CMakeLists.linux-x86_64.txt index 2f77c61e3d3..e481961748d 100644 --- a/ydb/services/ydb/CMakeLists.linux-x86_64.txt +++ b/ydb/services/ydb/CMakeLists.linux-x86_64.txt @@ -25,6 +25,7 @@ target_link_libraries(ydb-services-ydb PUBLIC ydb-core-formats ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-grpc_streaming ydb-core-protos ydb-core-scheme diff --git a/ydb/services/ydb/CMakeLists.windows-x86_64.txt b/ydb/services/ydb/CMakeLists.windows-x86_64.txt index 813d577ed81..76c589603fb 100644 --- a/ydb/services/ydb/CMakeLists.windows-x86_64.txt 
+++ b/ydb/services/ydb/CMakeLists.windows-x86_64.txt @@ -24,6 +24,7 @@ target_link_libraries(ydb-services-ydb PUBLIC ydb-core-formats ydb-core-grpc_services core-grpc_services-base + core-grpc_services-auth_processor ydb-core-grpc_streaming ydb-core-protos ydb-core-scheme diff --git a/ydb/services/ydb/ydb_client_certs_ut.cpp b/ydb/services/ydb/ydb_client_certs_ut.cpp index 6fcc7a203a0..e82fae12ae2 100644 --- a/ydb/services/ydb/ydb_client_certs_ut.cpp +++ b/ydb/services/ydb/ydb_client_certs_ut.cpp @@ -10,7 +10,7 @@ #include <ydb/core/scheme/scheme_tablecell.h> #include <ydb/core/testlib/test_client.h> #include <ydb/core/driver_lib/cli_config_base/config_base.h> -#include <ydb/core/client/server/dynamic_node_auth_processor.h> +#include <ydb/core/grpc_services/auth_processor/dynamic_node_auth_processor.h> #include <ydb/public/api/grpc/ydb_scheme_v1.grpc.pb.h> #include <ydb/public/api/grpc/ydb_operation_v1.grpc.pb.h> @@ -30,6 +30,7 @@ #include <ydb/public/sdk/cpp/client/ydb_result/result.h> #include <ydb/public/sdk/cpp/client/ydb_scheme/scheme.h> #include <ydb/public/sdk/cpp/client/ydb_table/table.h> +#include <ydb/public/sdk/cpp/client/ydb_discovery/discovery.h> #include <ydb/public/sdk/cpp/client/resources/ydb_resources.h> #include <ydb/public/lib/deprecated/kicli/kicli.h> 
@@ -236,61 +237,153 @@ Y_UNIT_TEST(TestClientCertAuthorizationParamsMatch) { } } -Y_UNIT_TEST(TestAllCertIsOk) { +NDiscovery::TNodeRegistrationSettings GetNodeRegistrationSettings() { + NDiscovery::TNodeRegistrationSettings settings; + settings.Host("localhost"); + settings.Port(GetRandomPort()); + settings.ResolveHost("localhost"); + settings.Address("localhost"); + settings.DomainPath("Root"); + settings.FixedNodeId(false); + + NYdb::NDiscovery::TNodeLocation loc; + loc.DataCenterNum = DataCenterFromString("DataCenter"); + loc.RoomNum = 0; + loc.RackNum = RackFromString("Rack"); + loc.BodyNum = 2; + loc.DataCenter = "DataCenter"; + loc.Rack = "Rack"; + loc.Unit = "Body"; + + settings.Location(loc); + return settings; +} + +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientWithCorrectCerts) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; const NTest::TCertAndKey& caCert = TKikimrTestWithServerCert::GetCACertAndKey(); - const NTest::TCertAndKey& clientServerCert = NTest::GenerateSignedCert(caCert, NTest::TProps::AsClientServer()); + NTest::TCertAndKey clientServerCert = NTest::GenerateSignedCert(caCert, NTest::TProps::AsClientServer()); + + auto connection = NYdb::TDriver( + TDriverConfig() + .UseSecureConnection(caCert.Certificate.c_str()) + .UseClientCertificate(clientServerCert.Certificate.c_str(),clientServerCert.PrivateKey.c_str()) + .SetEndpoint(location)); + + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); + connection.Stop(true); + + UNIT_ASSERT_C(!result.IsTransportError(), result.GetIssues().ToOneLineString()); + UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString()); +} + +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientProvidesEmptyClientCerts) { + 
TKikimrServerWithCertVerification server; + ui16 grpc = server.GetPort(); + TString location = TStringBuilder() << "localhost:" << grpc; + + const NTest::TCertAndKey& caCert = TKikimrTestWithServerCert::GetCACertAndKey(); + NTest::TCertAndKey noCert; + + auto connection = NYdb::TDriver( + TDriverConfig() + .UseSecureConnection(caCert.Certificate.c_str()) + .UseClientCertificate(noCert.Certificate.c_str(),noCert.PrivateKey.c_str()) + .SetEndpoint(location)); + + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); + connection.Stop(true); + + UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToOneLineString()); + UNIT_ASSERT_STRINGS_EQUAL(result.GetIssues().ToOneLineString(), "{ <main>: Error: Cannot authorize node. Node has not provided certificate }"); +} + +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithoutCertVerification_ClientProvidesCorrectCerts) { + TKikimrServerWithOutCertVerification server; + ui16 grpc = server.GetPort(); + TString location = TStringBuilder() << "localhost:" << grpc; + + const NTest::TCertAndKey& caCert = TKikimrTestWithServerCert::GetCACertAndKey(); + NTest::TCertAndKey clientServerCert = NTest::GenerateSignedCert(caCert, NTest::TProps::AsClientServer()); auto connection = NYdb::TDriver( TDriverConfig() - .SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) .UseClientCertificate(clientServerCert.Certificate.c_str(),clientServerCert.PrivateKey.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(!sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - 
UNIT_ASSERT_EQUAL(sessionValue.GetStatus(), EStatus::SUCCESS); - }; + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); + connection.Stop(true); + + UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString()); +} + +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithoutCertVerification_ClientProvidesEmptyClientCerts) { + TKikimrServerWithOutCertVerification server; + ui16 grpc = server.GetPort(); + TString location = TStringBuilder() << "localhost:" << grpc; + + const NTest::TCertAndKey& caCert = TKikimrTestWithServerCert::GetCACertAndKey(); + NTest::TCertAndKey noCert; + + auto connection = NYdb::TDriver( + TDriverConfig() + .UseSecureConnection(caCert.Certificate.c_str()) + .UseClientCertificate(noCert.Certificate.c_str(),noCert.PrivateKey.c_str()) + .SetEndpoint(location)); - client.CreateSession().Apply(createSessionHandler).Wait(); + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString()); } -Y_UNIT_TEST(TestWrongCertIndentity) { +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientDoesNotProvideCorrectCerts) { TKikimrServerWithCertVerificationAndWrongIndentity server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; const NTest::TCertAndKey& caCert = TKikimrTestWithServerCert::GetCACertAndKey(); - const NTest::TCertAndKey& clientServerCert = NTest::GenerateSignedCert(caCert, NTest::TProps::AsClientServer()); + NTest::TCertAndKey clientServerCert = NTest::GenerateSignedCert(caCert, NTest::TProps::AsClientServer()); auto connection = NYdb::TDriver( TDriverConfig() - 
.SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) - .UseClientCertificate(clientServerCert.Certificate.c_str(), clientServerCert.PrivateKey.c_str()) + .UseClientCertificate(clientServerCert.Certificate.c_str(),clientServerCert.PrivateKey.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(!sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); // do not authorize table service through cert - UNIT_ASSERT_EQUAL(sessionValue.GetStatus(), EStatus::SUCCESS); - }; + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); + connection.Stop(true); + + UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToOneLineString()); + UNIT_ASSERT_STRINGS_EQUAL(result.GetIssues().ToOneLineString(), "{ <main>: Error: Cannot authorize node by certificate }"); +} - client.CreateSession().Apply(createSessionHandler).Wait(); +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientDoesNotProvideAnyCerts) { + TKikimrServerWithCertVerification server; + ui16 grpc = server.GetPort(); + TString location = TStringBuilder() << "localhost:" << grpc; + + auto connection = NYdb::TDriver( + TDriverConfig() + .SetEndpoint(location)); + + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(result.IsTransportError(), result.GetIssues().ToOneLineString()); } -Y_UNIT_TEST(TestIncorrectUsageClientCertFails) { 
+Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientProvidesServerCerts) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; @@ -300,23 +393,18 @@ Y_UNIT_TEST(TestIncorrectUsageClientCertFails) { auto connection = NYdb::TDriver( TDriverConfig() - .SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) - .UseClientCertificate(serverCert.Certificate.c_str(), serverCert.PrivateKey.c_str()) + .UseClientCertificate(serverCert.Certificate.c_str(),serverCert.PrivateKey.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - }; - - client.CreateSession().Apply(createSessionHandler).Wait(); + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(result.IsTransportError(), result.GetIssues().ToOneLineString()); } -Y_UNIT_TEST(TestCorruptedCertFails) { +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientProvidesCorruptedCert) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; 
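Review bot: The negative tests `…_ClientProvidesEmptyClientCerts` and `…_ClientDoesNotProvideCorrectCerts` pin the full issue text (`"{ <main>: Error: Cannot authorize node. Node has not provided certificate }"`), which ties them to message wording and issue formatting rather than to the authorization decision; assert `result.GetStatus()` first and relax the text check to `UNIT_ASSERT_STRING_CONTAINS(result.GetIssues().ToOneLineString(), "Cannot authorize node")` so a reworded message or an added sub-issue cannot mask a real regression. The same pattern appears in the `@@ -444,20 +511,15 @@` hunk. The new tests also repeat the driver/`TDiscoveryClient`/`NodeRegistration`/`Stop(true)` sequence verbatim nine times; a small helper taking the endpoint and an optional client cert-and-key would leave each test as its server setup plus assertions. `…_ServerWithoutCertVerification_ClientProvidesEmptyClientCerts` deliberately pins that registration succeeds with no client certificate when verification is off; a comment such as `// no cert verification configured: unauthenticated registration is expected to succeed` would stop a future reader from reading the success assertion as a bug.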
@@ -330,23 +418,18 @@ Y_UNIT_TEST(TestCorruptedCertFails) { } auto connection = NYdb::TDriver( TDriverConfig() - .SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) .UseClientCertificate(clientServerCert.Certificate.c_str(), clientServerCert.PrivateKey.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - }; - - client.CreateSession().Apply(createSessionHandler).Wait(); + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(result.IsTransportError(), result.GetIssues().ToOneLineString()); } -Y_UNIT_TEST(TestCorruptedKeyFails) { +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientProvidesCorruptedPrivatekey) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; 
@@ -360,23 +443,18 @@ Y_UNIT_TEST(TestCorruptedKeyFails) { } auto connection = NYdb::TDriver( TDriverConfig() - .SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) .UseClientCertificate(clientServerCert.Certificate.c_str(), clientServerCert.PrivateKey.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - }; - - client.CreateSession().Apply(createSessionHandler).Wait(); + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(result.IsTransportError(), result.GetIssues().ToOneLineString()); } -Y_UNIT_TEST(TestExpiredCertFails) { +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientProvidesExpiredCert) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; 
@@ -389,23 +467,18 @@ Y_UNIT_TEST(TestExpiredCertFails) { auto connection = NYdb::TDriver( TDriverConfig() - .SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) .UseClientCertificate(clientServerCert.Certificate.c_str(), clientServerCert.PrivateKey.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - }; - - client.CreateSession().Apply(createSessionHandler).Wait(); + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(result.IsTransportError(), result.GetIssues().ToOneLineString()); } -Y_UNIT_TEST(TestServerWithoutCertVerificationAndExpiredCertWorks) { +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithOutCertVerification_ClientProvidesExpiredCert) { TKikimrServerWithOutCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; 
@@ -418,24 +491,18 @@ Y_UNIT_TEST(TestServerWithoutCertVerificationAndExpiredCertWorks) { auto connection = NYdb::TDriver( TDriverConfig() - .SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) .UseClientCertificate(clientServerCert.Certificate.c_str(), clientServerCert.PrivateKey.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(!sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - UNIT_ASSERT_EQUAL(sessionValue.GetStatus(), EStatus::SUCCESS); - }; - - client.CreateSession().Apply(createSessionHandler).Wait(); + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString()); } -Y_UNIT_TEST(TestClientWithoutCertPassed) { +Y_UNIT_TEST(TestRegisterNodeViaDiscovery_ServerWithCertVerification_ClientDoesNotProvideClientCerts) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; 
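Review bot: This test asserts `result.IsSuccess()` for an expired client certificate against `TKikimrServerWithOutCertVerification`, and the test name is the only hint that this is the intended behaviour rather than a gap; a one-line comment above the assertion, `// expired cert is accepted here because the server performs no client-cert verification`, would document that the success is deliberate. The certificate setup for this test is in the part of the function outside the hunk.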
@@ -444,20 +511,15 @@ Y_UNIT_TEST(TestClientWithoutCertPassed) { auto connection = NYdb::TDriver( TDriverConfig() - .SetAuthToken("test_user@builtin") .UseSecureConnection(caCert.Certificate.c_str()) .SetEndpoint(location)); - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(!sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - UNIT_ASSERT_EQUAL(sessionValue.GetStatus(), EStatus::SUCCESS); - }; - - client.CreateSession().Apply(createSessionHandler).Wait(); + NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection); + const auto result = discoveryClient.NodeRegistration(GetNodeRegistrationSettings()).GetValueSync(); connection.Stop(true); + + UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToOneLineString()); + UNIT_ASSERT_STRINGS_EQUAL(result.GetIssues().ToOneLineString(), "{ <main>: Error: Cannot authorize node. Node has not provided certificate }"); } NClient::TKikimr GetKikimr(const TString& addr, const NTest::TCertAndKey& caCert, const NTest::TCertAndKey& clientServerCert) { @@ -504,7 +566,7 @@ THolder<NClient::TRegistrationResult> TryToRegisterDynamicNode( false)); } -Y_UNIT_TEST(TestServerWithCertVerificationClientWithCertCallsRegisterNode) { +Y_UNIT_TEST(TestRegisterNodeViaLegacy_ServerWithCertVerification_ClientWithCorrectCerts) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; 
@@ -522,7 +584,7 @@ Y_UNIT_TEST(TestServerWithCertVerificationClientWithCertCallsRegisterNode) { Cerr << "Register node result " << resp->Record().ShortUtf8DebugString() << Endl; } -Y_UNIT_TEST(TestServerWithCertVerificationClientWithoutCertCallsRegisterNodeFails) { +Y_UNIT_TEST(TestRegisterNodeViaLegacy_ServerWithCertVerification_ClientProvidesEmptyClientCerts) { TKikimrServerWithCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; @@ -541,7 +603,7 @@ Y_UNIT_TEST(TestServerWithCertVerificationClientWithoutCertCallsRegisterNodeFail Cerr << "Register node result " << resp->Record().ShortUtf8DebugString() << Endl; } -Y_UNIT_TEST(TestServerWithoutCertVerificationClientWithCertCallsRegisterNode) { +Y_UNIT_TEST(TestRegisterNodeViaLegacy_ServerWithoutCertVerification_ClientProvidesCorrectCerts) { TKikimrServerWithOutCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; @@ -559,7 +621,7 @@ Y_UNIT_TEST(TestServerWithoutCertVerificationClientWithCertCallsRegisterNode) { Cerr << "Register node result " << resp->Record().ShortUtf8DebugString() << Endl; } -Y_UNIT_TEST(TestServerWithoutCertVerificationClientWithoutCertCallsRegisterNode) { +Y_UNIT_TEST(TestRegisterNodeViaLegacy_ServerWithoutCertVerification_ClientProvidesEmptyClientCerts) { TKikimrServerWithOutCertVerification server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; 
@@ -577,7 +639,7 @@ Y_UNIT_TEST(TestServerWithoutCertVerificationClientWithoutCertCallsRegisterNode) Cerr << "Register node result " << resp->Record().ShortUtf8DebugString() << Endl; } -Y_UNIT_TEST(TestServerWithWrongIndentityClientWithCertCallsRegisterNodeFails) { +Y_UNIT_TEST(TestRegisterNodeViaLegacy_ServerWithCertVerification_ClientDoesNotProvideCorrectCerts) { TKikimrServerWithCertVerificationAndWrongIndentity server; ui16 grpc = server.GetPort(); TString location = TStringBuilder() << "localhost:" << grpc; @@ -596,28 +658,6 @@ Y_UNIT_TEST(TestServerWithWrongIndentityClientWithCertCallsRegisterNodeFails) { Cerr << "Register node result " << resp->Record().ShortUtf8DebugString() << Endl; } -Y_UNIT_TEST(TestInsecureClient) { - TKikimrServerWithCertVerification server; - ui16 grpc = server.GetPort(); - TString location = TStringBuilder() << "localhost:" << grpc; - - auto connection = NYdb::TDriver( - TDriverConfig() - .SetAuthToken("test_user@builtin") - .SetEndpoint(location)); - - auto client = NYdb::NTable::TTableClient(connection); - std::function<void(const TAsyncCreateSessionResult& future)> createSessionHandler = - [client] (const TAsyncCreateSessionResult& future) mutable { - const auto& sessionValue = future.GetValue(); - UNIT_ASSERT_C(sessionValue.IsTransportError(), sessionValue.GetIssues().ToString()); - }; - - client.CreateSession().Apply(createSessionHandler).Wait(); - - connection.Stop(true); -} - } } // namespace NKikimr |