authorpnv1 <pnv@ydb.tech>2022-11-29 13:29:06 +0300
committerpnv1 <pnv@ydb.tech>2022-11-29 13:29:06 +0300
commit80fdb13a2c89826e61d657338ecc3d259a195f51 (patch)
tree1cb3983c443b0102607135c7dd018d9388ff9d72
parentf242372fdeae050595e3cfd67ddf7643109d873f (diff)
downloadydb-80fdb13a2c89826e61d657338ecc3d259a195f51.tar.gz
Add static credentials options parsing to ydbd
-rw-r--r--ydb/core/driver_lib/cli_base/cli_cmds.h4
-rw-r--r--ydb/core/driver_lib/cli_base/cli_cmds_root.cpp71
-rw-r--r--ydb/core/driver_lib/run/main.cpp3
3 files changed, 78 insertions, 0 deletions
diff --git a/ydb/core/driver_lib/cli_base/cli_cmds.h b/ydb/core/driver_lib/cli_base/cli_cmds.h
index 4909636e43..c43100f616 100644
--- a/ydb/core/driver_lib/cli_base/cli_cmds.h
+++ b/ydb/core/driver_lib/cli_base/cli_cmds.h
@@ -18,6 +18,7 @@ public:
TClientCommandRootKikimrBase(const TString& name);
void Config(TConfig& config) override;
void Parse(TConfig& config) override;
+ void ParseCredentials(TConfig& config) override;
protected:
bool GetProfileVariable(const TString& name, TString& value);
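Review bot: The new `ParseCredentials` declaration has no comment, yet it defines which credential wins when several sources are present, and callers need to know that. A short doc comment above it should list the order implemented in cli_cmds_root.cpp: an already-set token, then `--token-file`, then `--user` with `--password-file` or a prompt, then `YDB_TOKEN`, then `YDB_USER`/`YDB_PASSWORD`, then the default token file. It should also state that `--token-file` together with `--user`, and `--password-file` without `--user`, throw `TMisuseException`. The class starts and ends outside this hunk.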
@@ -27,6 +28,9 @@ private:
THolder<TProfileConfig> ProfileConfig;
TString LocalProfileName;
+ TString UserName;
+ TString PasswordFile;
+ bool DoNotAskForPassword = false;
bool DumpRequests = false;
};
diff --git a/ydb/core/driver_lib/cli_base/cli_cmds_root.cpp b/ydb/core/driver_lib/cli_base/cli_cmds_root.cpp
index 9a76fa7457..db2e802f8f 100644
--- a/ydb/core/driver_lib/cli_base/cli_cmds_root.cpp
+++ b/ydb/core/driver_lib/cli_base/cli_cmds_root.cpp
@@ -36,6 +36,23 @@ void TClientCommandRootKikimrBase::Config(TConfig& config) {
<< " 3. Default profile file \"" << defaultProfileFile << "\" file";
opts.AddLongOption("profile", profileHelp).RequiredArgument("NAME").StoreResult(&LocalProfileName);
+ // Static credentials
+ TStringBuilder userHelp;
+ userHelp << "User name to authenticate with" << Endl
+ << " User name search order:" << Endl
+ << " 1. This option" << Endl
+ << " 2. \"YDB_USER\" environment variable" << Endl;
+ opts.AddLongOption("user", userHelp).RequiredArgument("STR").StoreResult(&UserName);
+
+ TStringBuilder passwordHelp;
+ passwordHelp << "File with password to authenticate with" << Endl
+ << " Password search order:" << Endl
+ << " 1. This option" << Endl
+ << " 2. \"YDB_PASSWORD\" environment variable" << Endl;
+ opts.AddLongOption("password-file", passwordHelp).RequiredArgument("PATH").StoreResult(&PasswordFile);
+
+ opts.AddLongOption("no-password", "Do not ask for user password (if empty)").Optional().StoreTrue(&DoNotAskForPassword);
+
TStringStream stream;
NColorizer::TColors colors = NColorizer::AutoColors(Cout);
stream << " -s <[protocol://]host[:port]> [options] <subcommand>" << Endl << Endl
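Review bot: The `--password-file` help text promises a fallback to `YDB_PASSWORD`, but `ParseCredentials` in this commit reads `YDB_PASSWORD` only when the user name came from `YDB_USER`. With `--user` on the command line it goes from the password file straight to the interactive prompt. Likewise, `--password-file` combined with `YDB_USER` is rejected with "PasswordFile option used without User option" rather than honoured. Either implement the documented order or narrow the help, e.g. `<< " 2. \"YDB_PASSWORD\" environment variable (used only together with \"YDB_USER\")" << Endl;`. `Config`'s body starts and ends outside this hunk.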
@@ -73,6 +90,60 @@ bool TClientCommandRootKikimrBase::GetProfileVariable(const TString& name, TStri
return ProfileConfig->GetVariable(name, value);
}
+void TClientCommandRootKikimrBase::ParseCredentials(TConfig& config) {
+ if (!Token.empty()) {
+ config.SecurityToken = Token;
+ return;
+ }
+ // 1. command line options
+ if (TokenFile) {
+ if (UserName) {
+ throw TMisuseException() << "Both TokenFile and User options are used. Use only one of them";
+ }
+ Token = ReadFromFile(TokenFile, "token");
+ config.SecurityToken = Token;
+ return;
+ }
+ if (UserName) {
+ config.StaticCredentials.User = UserName;
+ if (PasswordFile) {
+ config.StaticCredentials.Password = ReadFromFile(PasswordFile, "password", true);
+ } else if (!DoNotAskForPassword) {
+ Cout << "Enter password for user " << UserName << ": ";
+ config.StaticCredentials.Password = InputPassword();
+ }
+ return;
+ } else if (PasswordFile) {
+ throw TMisuseException() << "PasswordFile option used without User option";
+ }
+
+ // 2. Environment variables
+ TString ydbToken = GetEnv("YDB_TOKEN");
+ if (!ydbToken.empty()) {
+ Token = ydbToken;
+ config.SecurityToken = Token;
+ return;
+ }
+
+ TString envUser = GetEnv("YDB_USER");
+ if (!envUser.empty()) {
+ config.StaticCredentials.User = envUser;
+ TString envPassword = GetEnv("YDB_PASSWORD");
+ if (!envPassword.empty()) {
+ config.StaticCredentials.Password = envPassword;
+ } else if (!DoNotAskForPassword) {
+ Cout << "Enter password for user " << envUser << ": ";
+ config.StaticCredentials.Password = InputPassword();
+ }
+ return;
+ }
+
+ // 3. Default token file
+ TokenFile = defaultTokenFile;
+ ReadFromFileIfExists(TokenFile, "default token", Token);
+ config.SecurityToken = Token;
+}
+
class TClientCommandRootLite : public TClientCommandRootKikimrBase {
public:
TClientCommandRootLite()
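Review bot: The early return on a non-empty `Token` at the top of `ParseCredentials` silently ignores `--user` and `--password-file`, while the `TokenFile` branch just below rejects the same mix with `TMisuseException`. A user who passes both gets authenticated as whichever identity the token carries, with no diagnostic. Mirroring the existing check would close that gap: `if (UserName) { throw TMisuseException() << "Both Token and User options are used. Use only one of them"; }` before `config.SecurityToken = Token;`. This presumes `Token` is filled only from the `--token` option before this call, which is not visible in the hunk. Separately, both password prompts are written to `Cout`, so they land in redirected or piped output; `Cerr` is the usual stream for an interactive prompt.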
diff --git a/ydb/core/driver_lib/run/main.cpp b/ydb/core/driver_lib/run/main.cpp
index 907bedbca0..8dce0f34a2 100644
--- a/ydb/core/driver_lib/run/main.cpp
+++ b/ydb/core/driver_lib/run/main.cpp
@@ -77,6 +77,9 @@ int MainRun(const TKikimrRunConfig& runConfig, std::shared_ptr<TModuleFactories>
opts.AddLongOption('s', "server", "Server address to connect (default $KIKIMR_SERVER)").RequiredArgument("ADDR[:NUM]");
opts.AddLongOption('k', "token", "Security token").RequiredArgument("TOKEN");
opts.AddLongOption('f', "token-file", "Security token file").RequiredArgument("PATH");
+ opts.AddLongOption("user", "User name to authenticate with").RequiredArgument("STR");
+ opts.AddLongOption("password-file", "File with password to authenticate with").RequiredArgument("PATH");
+ opts.AddLongOption("no-password", "Do not ask for user password (if empty)").NoArgument();
opts.AddLongOption('d', "dump", "Dump requests to error log").NoArgument();
opts.AddLongOption('t', "time", "Show request execution time").NoArgument();
opts.AddLongOption('o', "progress", "Show progress of long requests").NoArgument();