authorflown4qqqq <igorkoshkarev4qqq@mail.ru>2025-02-13 19:24:38 +0300
committerGitHub <noreply@github.com>2025-02-13 19:24:38 +0300
commit949287c321f80a780edb93591337cec733b2fbb7 (patch)
tree7f7512ee55655cf051bde145461f358e9de616da
parent51dd5e5c8dc5e5c037e7dc0b87f2812d92c30c4e (diff)
downloadydb-949287c321f80a780edb93591337cec733b2fbb7.tar.gz
Fix message about absent SID in local schemeshard (#14458)
-rw-r--r--ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp5
-rw-r--r--ydb/core/tx/schemeshard/ut_login/ut_login.cpp4
-rw-r--r--ydb/tests/functional/tenants/test_create_users_strict_acl_checks.py29
-rw-r--r--ydb/tests/functional/tenants/ya.make1
4 files changed, 35 insertions, 4 deletions
diff --git a/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp b/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp
index b496705e6c..03e2eb85c5 100644
--- a/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp
+++ b/ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp
@@ -17,6 +17,7 @@ public:
THolder<TProposeResponse> Propose(const TString&, TOperationContext& context) override {
const TTabletId ssId = context.SS->SelfTabletId();
+ const TString databaseName = CanonizePath(context.SS->RootPathElements);
const TString& parentPathStr = Transaction.GetWorkingDir();
const auto& op = Transaction.GetModifyACL();
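Review bot: `databaseName` is built at the top of `Propose` on every call, but the only uses visible in this diff are the two `StatusPreconditionFailed` branches further down, so the successful path pays for a `CanonizePath` call and a `TString` it never reads. Consider computing it where the error text is formatted, or at least mark the intent with a comment such as `// only used in the SID-not-found error texts below`. `Propose` continues outside this hunk, so there may be other uses that are not visible here.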
@@ -62,7 +63,7 @@ public:
if (static_cast<NACLib::EDiffType>(diffACE.GetDiffType()) == NACLib::EDiffType::Add) {
if (!CheckSidExistsOrIsNonYdb(context.SS->LoginProvider.Sids, diffACE.GetACE().GetSID())) {
result->SetError(NKikimrScheme::StatusPreconditionFailed,
- TStringBuilder() << "SID " << diffACE.GetACE().GetSID() << " not found");
+ TStringBuilder() << "SID " << diffACE.GetACE().GetSID() << " not found in database `" << databaseName << "`");
return result;
}
} // remove diff type is allowed in any case
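Review bot: The SID is written into the error text unquoted while the database name next to it is wrapped in backticks. The SID appears to come from the request's ACL diff (`diffACE.GetACE().GetSID()`), so a value containing spaces or fragments of the message wording can make the returned text ambiguous for a reader or a log parser. Quoting the SID the same way as the database name keeps the two values distinguishable; the same applies to the owner SID message in the next hunk. Both messages now build an identical suffix, so a small local lambda that formats it would stop the two texts drifting apart. The enclosing function starts and ends outside this hunk.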
@@ -71,7 +72,7 @@ public:
if (owner && AppData()->FeatureFlags.GetEnableStrictAclCheck()) {
if (!CheckSidExistsOrIsNonYdb(context.SS->LoginProvider.Sids, owner)) {
result->SetError(NKikimrScheme::StatusPreconditionFailed,
- TStringBuilder() << "Owner SID " << owner << " not found");
+ TStringBuilder() << "Owner SID " << owner << " not found in database `" << databaseName << "`");
return result;
}
}
diff --git a/ydb/core/tx/schemeshard/ut_login/ut_login.cpp b/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
index 3957bff01f..3866479280 100644
--- a/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
+++ b/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
@@ -451,10 +451,10 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
if (StrictAclCheck) {
AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", diffACL.SerializeAsString(), "");
- TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "SID user1 not found"}});
+ TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "SID user1 not found in database `/MyRoot`"}});
AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", NACLib::TDiffACL{}.SerializeAsString(), "user1");
- TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "Owner SID user1 not found"}});
+ TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "Owner SID user1 not found in database `/MyRoot`"}});
}
CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
diff --git a/ydb/tests/functional/tenants/test_create_users_strict_acl_checks.py b/ydb/tests/functional/tenants/test_create_users_strict_acl_checks.py
new file mode 100644
index 0000000000..1313886199
--- /dev/null
+++ b/ydb/tests/functional/tenants/test_create_users_strict_acl_checks.py
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+import logging
+
+from ydb.tests.oss.ydb_sdk_import import ydb
+
+logger = logging.getLogger(__name__)
+
+
+# local configuration for the ydb cluster (fetched by ydb_cluster_configuration fixture)
+CLUSTER_CONFIG = dict(
+ extra_feature_flags=['enable_strict_acl_check']
+)
+
+
+def test_create_user(ydb_client, ydb_root, ydb_database):
+ with ydb_client(ydb_root) as driver:
+ with ydb.QuerySessionPool(driver, size=1) as pool:
+ pool.execute_with_retries("CREATE USER user;")
+
+ with ydb_client(ydb_database) as driver:
+ with ydb.QuerySessionPool(driver, size=1) as pool:
+ finished = False
+ try:
+ pool.execute_with_retries(f"GRANT ALL ON `{ydb_database}` TO user;")
+ finished = True
+ except Exception as e:
+ assert f"SID user not found in database `{ydb_database}`" in str(e)
+
+ assert not finished
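Review bot: The `try` / `except Exception` / `finished` flag in `test_create_user` is a hand-rolled version of `pytest.raises`, and catching bare `Exception` lets any unrelated failure of the `GRANT` reach the message assert, where the root cause is harder to read. Prefer `with pytest.raises(ydb.issues.Error) as exc_info:` around the `execute_with_retries` call (error class to be confirmed against what the SDK raises here), followed by the existing substring assert on `str(exc_info.value)`; this needs `import pytest`. The test exercises only the GRANT path, so the owner SID message changed in the C++ file has no functional coverage at tenant level. Since this is a check that the strict ACL mode denies the grant, it would also be worth asserting afterwards that the ACL on the database is unchanged. The name `test_create_user` does not say what is verified, and `logger` is defined but never used.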
diff --git a/ydb/tests/functional/tenants/ya.make b/ydb/tests/functional/tenants/ya.make
index f9253cad72..9376d0b6d5 100644
--- a/ydb/tests/functional/tenants/ya.make
+++ b/ydb/tests/functional/tenants/ya.make
@@ -5,6 +5,7 @@ ENV(YDB_DRIVER_BINARY="ydb/apps/ydbd/ydbd")
TEST_SRCS(
conftest.py
test_create_users.py
+ test_create_users_strict_acl_checks.py
test_db_counters.py
test_dynamic_tenants.py
test_tenants.py