authorivanmorozov <ivanmorozov@yandex-team.com>2022-11-30 15:56:33 +0300
committerivanmorozov <ivanmorozov@yandex-team.com>2022-11-30 15:56:33 +0300
commita8f566e1db4827fefcd4a9003b9d7894aacd9a4c (patch)
treeaafe214267b5a3bbbfad56d2309dd06aaa38eede
parentc31be11d81d8c2ade5fe8088e7ce7f87f617703e (diff)
downloadydb-a8f566e1db4827fefcd4a9003b9d7894aacd9a4c.tar.gz
system usage metadata@system
-rw-r--r--ydb/core/security/ticket_parser_impl.h11
-rw-r--r--ydb/library/aclib/aclib.cpp8
-rw-r--r--ydb/library/aclib/aclib.h8
3 files changed, 25 insertions, 2 deletions
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
index bfc042da49..03dfaf1af2 100644
--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -228,9 +228,16 @@ protected:
return true;
}
- if(record.Ticket.EndsWith("@" BUILTIN_ERROR_DOMAIN)) {
+ if (record.Ticket.EndsWith("@" BUILTIN_ERROR_DOMAIN)) {
record.TokenType = TDerived::ETokenType::Builtin;
- SetError(key, record, {"Builtin error simulation"}, ctx);
+ SetError(key, record, { "Builtin error simulation" }, ctx);
+ CounterTicketsBuiltin->Inc();
+ return true;
+ }
+
+ if (record.Ticket.EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
+ record.TokenType = TDerived::ETokenType::Builtin;
+ SetError(key, record, { "System domain not available for user usage", false }, ctx);
CounterTicketsBuiltin->Inc();
return true;
}
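Review bot: The new `@" BUILTIN_SYSTEM_DOMAIN` branch is the only thing visible here that stops an externally supplied ticket from being turned into a SID that `TSecurityObject::CheckAccess` now trusts unconditionally, yet nothing in the hunk says so; a maintainer reordering these checks or adding a parser path that bypasses them would silently reopen the door. I would put that invariant next to the check: `// Tickets naming the system domain must never be accepted from callers: CheckAccess grants such SIDs full access without consulting the ACL.` The second positional argument to `SetError`, the bare `false`, is also undocumented in this hunk; if it marks the error as non-retryable, as its placement suggests, a short trailing comment such as `// not retryable` would avoid readers guessing. The enclosing function starts before the hunk and its end is outside it, so I cannot see whether the SID is derived from the ticket before or after these suffix checks.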
diff --git a/ydb/library/aclib/aclib.cpp b/ydb/library/aclib/aclib.cpp
index d1fa5a1a92..8f8f216da2 100644
--- a/ydb/library/aclib/aclib.cpp
+++ b/ydb/library/aclib/aclib.cpp
@@ -161,6 +161,9 @@ ui32 TSecurityObject::GetEffectiveAccessRights(const TUserToken& user) const {
}
bool TSecurityObject::CheckAccess(ui32 access, const TUserToken& user) const {
+ if (user.GetUserSID().EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
+ return true;
+ }
if (HasOwnerSID() && user.IsExist(GetOwnerSID()))
return true; // the owner always has access
if (HasACL()) {
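Review bot: The added early return makes any `TUserToken` whose SID ends with `"@system"` bypass the owner check and the whole ACL, and the hunk carries no comment explaining why that is safe or which component is responsible for ensuring such SIDs cannot originate from user-presented credentials. A suffix match is a wide net, so I would document the contract right above the check: `// Principals in the builtin system domain are trusted infrastructure identities and skip ACL evaluation; the ticket parser rejects externally supplied tickets in this domain so this cannot be reached from user input.` Note also that the sibling `GetEffectiveAccessRights` (whose closing brace is the first context line of this hunk) appears not to have been updated, so it may still report restricted rights for a system principal that `CheckAccess` now grants everything to; if callers compare the two, that inconsistency is worth either fixing or documenting. `CheckAccess` continues past the end of the hunk.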
@@ -750,4 +753,9 @@ TString AccessRightsToString(ui32 accessRights) {
return result;
}
+const NACLib::TUserToken& TSystemUsers::Metadata() {
+ static TUserToken GlobalMetadataUser = TUserToken(BUILTIN_ACL_METADATA, {});
+ return GlobalMetadataUser;
+}
+
}
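Review bot: `TSystemUsers::Metadata()` hands back a reference to a function-local static built from `BUILTIN_ACL_METADATA`, and since that token is what unlocks the unconditional branch in `CheckAccess` it deserves a line saying what it is for and who may use it: `// Process-wide token for internal metadata operations; it bypasses ACL checks, so it must only be used by trusted in-process callers and never be derived from external input.` The copy-initialisation `static TUserToken GlobalMetadataUser = TUserToken(BUILTIN_ACL_METADATA, {});` can be written as direct initialisation `static TUserToken GlobalMetadataUser(BUILTIN_ACL_METADATA, {});`, which avoids relying on a move/copy constructor for no benefit.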
diff --git a/ydb/library/aclib/aclib.h b/ydb/library/aclib/aclib.h
index 655ca4b669..0cd4ed9793 100644
--- a/ydb/library/aclib/aclib.h
+++ b/ydb/library/aclib/aclib.h
@@ -9,6 +9,14 @@ namespace NACLib {
#define BUILTIN_ACL_DOMAIN "builtin"
#define BUILTIN_ACL_ROOT "root@" BUILTIN_ACL_DOMAIN
#define BUILTIN_ERROR_DOMAIN "error"
+#define BUILTIN_SYSTEM_DOMAIN "system"
+
+#define BUILTIN_ACL_METADATA "metadata@" BUILTIN_SYSTEM_DOMAIN
+class TUserToken;
+class TSystemUsers {
+public:
+ static const TUserToken& Metadata();
+};
enum EAccessRights : ui32 { // bitmask
NoAccess = 0x00000000,
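Review bot: `BUILTIN_SYSTEM_DOMAIN` is introduced next to the other domain macros with no indication that it is special, although a SID in this domain now skips ACL evaluation in `TSecurityObject::CheckAccess` while `BUILTIN_ERROR_DOMAIN` only triggers a simulated error; a reader adding a new builtin SID has no way to tell the two apart. I would annotate the macro, `#define BUILTIN_SYSTEM_DOMAIN "system" // trusted: SIDs in this domain bypass ACL checks, never assign to external principals`, and give `TSystemUsers` a brief class comment stating that it vends those privileged tokens and that `Metadata()` returns a process-wide static. The header uses macros throughout, so keeping the macro form is consistent, but `inline constexpr` string constants would let the identifiers be scoped in `NACLib` if the file is ever modernised.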