author | Bulat <brgayazov@yandex-team.ru> | 2025-02-21 21:05:40 +0300 |
committer | GitHub <noreply@github.com> | 2025-02-21 21:05:40 +0300 |
commit | ca757b2705774020ea7e90f456b2e0d8063ce370 (patch) | |
tree | 302e5452a7e9d6ca08e10ff7b01f701b219e3943 | |
parent | 6c53efdf3dcfe8c9dbc836293b87eab745157c0d (diff) | |
download | ydb-ca757b2705774020ea7e90f456b2e0d8063ce370.tar.gz |
Add CredentialsProvider for system service account (SSA) in C++ SDK (#14861)
9 files changed, 116 insertions, 13 deletions
diff --git a/ydb/public/api/client/yc_private/iam/iam_token_service.proto b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
index 74c03d778b..bb5a8634a2 100644
--- a/ydb/public/api/client/yc_private/iam/iam_token_service.proto
+++ b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
@@ -18,6 +18,9 @@ service IamTokenService {
 // create iam token for service account
 rpc CreateForServiceAccount (CreateIamTokenForServiceAccountRequest) returns (CreateIamTokenResponse);
+ // create iam token for service
+ rpc CreateForService (CreateIamTokenForServiceRequest) returns (CreateIamTokenResponse);
+
 // create iam token for compute instance
 rpc CreateForComputeInstance (CreateIamTokenForComputeInstanceRequest) returns (CreateIamTokenResponse);
@@ -50,6 +53,14 @@ message CreateIamTokenForServiceAccountRequest {
 string service_account_id = 1;
 }
+message CreateIamTokenForServiceRequest {
+ string service_id = 1;
+ string microservice_id = 2;
+ string resource_id = 3;
+ string resource_type = 4;
+ string target_service_account_id = 5;
+}
+
 message CreateIamTokenForComputeInstanceRequest {
 string service_account_id = 1;
 string instance_id = 2;
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h
new file mode 100644
index 0000000000..f7f070671e
--- /dev/null
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h
@@ -0,0 +1,15 @@
+#pragma once
+
+#include <ydb-cpp-sdk/client/iam/common/types.h>
+
+namespace NYdb::inline V3 {
+
+struct TIamServiceParams : TIamEndpoint {
+ std::string ServiceId;
+ std::string MicroserviceId;
+ std::string ResourceId;
+ std::string ResourceType;
+ std::string TargetServiceAccountId;
+};
+
+}
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make
new file mode 100644
index 0000000000..e8c2e25fc7
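Review bot: The comment on the new RPC, `// create iam token for service`, reads almost like the existing `// create iam token for service account` directly above it, while the commit title says the new path is for a system service account (SSA); `// create iam token for system service account (SSA)` would make the distinction visible to readers of the generated docs. In the second hunk, `CreateIamTokenForServiceRequest` adds five identifier fields with no field comments; a one-line comment per field, in particular stating what `resource_id` and `resource_type` identify and how `target_service_account_id` relates to the issued token, would spare SDK users a guess.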
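Review bot: `TIamServiceParams` lives in the public SDK include tree and none of its five members is documented, so a caller cannot tell from the header which identifier goes where; the proto field names added in this commit are the only hint. A short comment per member would fix that, e.g. `std::string TargetServiceAccountId; // service account the token is requested for (presumably; confirm against the IAM service)`. It would also help to note that the inherited `TIamEndpoint` part supplies the endpoint and request timeout the provider uses, as the `IamEndpoint_.RequestTimeout` reference in `iam/common/iam.h` suggests.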
--- /dev/null
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make
@@ -0,0 +1,13 @@
+LIBRARY(client-iam-private-common-include)
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+ types.h
+)
+
+PEERDIR(
+ ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
index c4373c9478..48dd5ae61c 100644
--- a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
+++ b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h
@@ -1,5 +1,7 @@
 #pragma once
+#include "common/types.h"
+
 #include <ydb-cpp-sdk/client/iam/common/types.h>
 namespace NYdb::inline V3 {
@@ -10,4 +12,7 @@ TCredentialsProviderFactoryPtr CreateIamJwtFileCredentialsProviderFactoryPrivate
 /// Acquire an IAM token using JSON Web Token (JWT) contents.
 TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPrivate(const TIamJwtContent& param);
+/// Acquire an IAM token for system service account (SSA).
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params);
+
 } // namespace NYdb
diff --git a/ydb/public/sdk/cpp/src/client/iam/common/iam.h b/ydb/public/sdk/cpp/src/client/iam/common/iam.h
index c7f7742c5a..22bd10e5fc 100644
--- a/ydb/public/sdk/cpp/src/client/iam/common/iam.h
+++ b/ydb/public/sdk/cpp/src/client/iam/common/iam.h
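Review bot: The new declaration does not follow the naming of its neighbours: the existing factories in this header carry a `...Private` suffix (`CreateIamJwtParamsCredentialsProviderFactoryPrivate`), while the new one is plain `CreateIamServiceCredentialsProviderFactory`; if the suffix marks the private IAM API, `CreateIamServiceCredentialsProviderFactoryPrivate` keeps the header consistent, and renaming later would be an API break. The first hunk also mixes include styles, `#include "common/types.h"` beside `#include <ydb-cpp-sdk/client/iam/common/types.h>`; `#include <ydb-cpp-sdk/client/iam_private/common/types.h>` matches the existing line and the path `iam_private/common/iam.h` uses elsewhere in this commit. The Doxygen comment could also say what the argument carries: `/// Acquire an IAM token for a system service account (SSA), identified by the ids in params.`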
@@ -19,12 +19,19 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
 protected:
 using TRequestFiller = std::function<void(TRequest&)>;
+ using TSimpleRpc =
+ typename NYdbGrpc::TSimpleRequestProcessor<
+ typename TService::Stub,
+ TRequest,
+ TResponse>::TAsyncRequest;
+
 private:
 class TImpl : public std::enable_shared_from_this<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>::TImpl> {
 public:
- TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller)
+ TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
 : Client(std::make_unique<NYdbGrpc::TGRpcClientLow>())
 , Connection_(nullptr)
+ , Rpc_(rpc)
 , Ticket_("")
 , NextTicketUpdate_(TInstant::Zero())
 , IamEndpoint_(iamEndpoint)
@@ -67,7 +74,7 @@ private:
 Connection_->template DoRequest<TRequest, TResponse>(
 std::move(req),
 std::move(cb),
- &TService::Stub::AsyncCreate,
+ Rpc_,
 { {}, {}, IamEndpoint_.RequestTimeout }
 );
@@ -142,9 +149,9 @@ private:
 }
 private:
- std::unique_ptr<NYdbGrpc::TGRpcClientLow> Client;
 std::unique_ptr<NYdbGrpc::TServiceConnection<TService>> Connection_;
+ TSimpleRpc Rpc_;
 std::string Ticket_;
 TInstant NextTicketUpdate_;
 const TIamEndpoint IamEndpoint_;
@@ -157,8 +164,8 @@ private:
 };
 public:
- TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller)
- : Impl_(std::make_shared<TImpl>(endpoint, requestFiller))
+ TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
+ : Impl_(std::make_shared<TImpl>(endpoint, requestFiller, rpc))
 {
 Impl_->UpdateTicket(true);
 }
@@ -186,7 +193,7 @@ public:
 : TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
 [jwtParams = params.JwtParams](TRequest& req) {
 req.set_jwt(MakeSignedJwt(jwtParams));
- }) {}
+ }, &TService::Stub::AsyncCreate) {}
 };
 template<typename TRequest, typename TResponse, typename TService>
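Review bot: The new `TSimpleRpc` alias and the `rpc` constructor parameter carry no comment, although the alias sits in the `protected:` section and is the type every derived provider must now supply (the fourth hunk of this file adds the same parameter to the public `TGrpcIamCredentialsProvider` constructor, and the fifth and sixth hunks show the JWT and OAuth providers passing `&TService::Stub::AsyncCreate`). A line such as `// Stub method used to issue the token request; each provider selects the RPC matching its request type.` above `using TSimpleRpc =` would explain why the alias exists and what the constructor expects. The initializer order `Client, Connection_, Rpc_, Ticket_` agrees with the member order in the third hunk, so no reorder warning is introduced.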
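Review bot: The third hunk deletes the `std::unique_ptr<NYdbGrpc::TGRpcClientLow> Client;` member, yet the `TImpl` initializer list in the first hunk still begins with `: Client(std::make_unique<NYdbGrpc::TGRpcClientLow>())`. If `Client` is declared a second time elsewhere in `TImpl`, outside this hunk, the removal is a duplicate-declaration cleanup unrelated to the SSA provider and deserves a sentence in the description; if it is not, the constructor no longer compiles. Either way it is worth confirming which declaration survives, since the remaining members (`Connection_`, `Rpc_`) presumably depend on that client object staying alive for the lifetime of `TImpl`.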
@@ -196,7 +203,7 @@ public:
 : TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
 [token = params.OAuthToken](TRequest& req) {
 req.set_yandex_passport_oauth_token(TStringType{token});
- }) {}
+ }, &TService::Stub::AsyncCreate) {}
 };
 template<typename TRequest, typename TResponse, typename TService>
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h b/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
new file mode 100644
index 0000000000..bbc09b0d34
--- /dev/null
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/iam.h
@@ -0,0 +1,28 @@
+#include <ydb-cpp-sdk/client/iam_private/common/types.h>
+
+#include <src/client/iam/common/iam.h>
+
+namespace NYdb::inline V3 {
+
+template<typename TRequest, typename TResponse, typename TService>
+
+class TIamServiceCredentialsProviderFactory : public ICredentialsProviderFactory {
+public:
+ TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}
+
+ TCredentialsProviderPtr CreateProvider() const final {
+ return std::make_shared<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>>(Params_,
+ [params = Params_](TRequest& req) {
+ req.set_service_id(params.ServiceId);
+ req.set_microservice_id(params.MicroserviceId);
+ req.set_resource_id(params.ResourceId);
+ req.set_resource_type(params.ResourceType);
+ req.set_target_service_account_id(params.TargetServiceAccountId);
+ }, &TService::Stub::AsyncCreateForService);
+ }
+
+private:
+ TIamServiceParams Params_;
+};
+
+}
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make b/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
new file mode 100644
index 0000000000..a2990e6345
--- /dev/null
+++ b/ydb/public/sdk/cpp/src/client/iam_private/common/ya.make
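Review bot: The new header `iam_private/common/iam.h` has no include guard: it starts directly with `#include <ydb-cpp-sdk/client/iam_private/common/types.h>`, while the other header added in this commit (`iam_private/common/types.h`) and the public `iam_private/iam.h` both begin with `#pragma once`. Since `iam.cpp` now pulls this file in via `#include "common/iam.h"` next to the public header, a second inclusion in any translation unit would redefine `TIamServiceCredentialsProviderFactory`; add `#pragma once` as the first line. Two smaller points of style: the blank line between `template<typename TRequest, typename TResponse, typename TService>` and `class TIamServiceCredentialsProviderFactory` makes the template header look detached from the class it applies to, and the single-argument constructor should be `explicit TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}` so a `TIamServiceParams` cannot silently convert into a factory.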
@@ -0,0 +1,14 @@
+LIBRARY()
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+ iam.h
+)
+
+PEERDIR(
+ ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common
+ ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp b/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
index 09d7e56683..67268c942c 100644
--- a/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
+++ b/ydb/public/sdk/cpp/src/client/iam_private/iam.cpp
@@ -1,17 +1,19 @@
-#include <ydb-cpp-sdk/client/iam_private/iam.h>
+#include "common/iam.h"
-#include <src/client/iam/common/iam.h>
+#include <ydb-cpp-sdk/client/iam_private/iam.h>
 #include <ydb/public/api/client/yc_private/iam/iam_token_service.pb.h>
 #include <ydb/public/api/client/yc_private/iam/iam_token_service.grpc.pb.h>
+using namespace yandex::cloud::priv::iam::v1;
+
 namespace NYdb::inline V3 {
 TCredentialsProviderFactoryPtr CreateIamJwtCredentialsProviderFactoryImplPrivate(TIamJwtParams&& jwtParams) {
 return std::make_shared<TIamJwtCredentialsProviderFactory<
- yandex::cloud::priv::iam::v1::CreateIamTokenRequest,
- yandex::cloud::priv::iam::v1::CreateIamTokenResponse,
- yandex::cloud::priv::iam::v1::IamTokenService
+ CreateIamTokenRequest,
+ CreateIamTokenResponse,
+ IamTokenService
 >>(std::move(jwtParams));
 }
@@ -25,4 +27,12 @@ TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPriva
 return CreateIamJwtCredentialsProviderFactoryImplPrivate(std::move(jwtParams));
 }
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params) {
+ return std::make_shared<TIamServiceCredentialsProviderFactory<
+ CreateIamTokenForServiceRequest,
+ CreateIamTokenResponse,
+ IamTokenService
+ >>(std::move(params));
+}
+
 }
diff --git a/ydb/public/sdk/cpp/src/client/iam_private/ya.make b/ydb/public/sdk/cpp/src/client/iam_private/ya.make
index 251d348307..ce4b7a5129 100644
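Review bot: In the first `iam.cpp` hunk, `#include "common/iam.h"` is now the first include, ahead of the translation unit's own public header `<ydb-cpp-sdk/client/iam_private/iam.h>`; including the public header first is the convention that checks it is self-contained, so the two lines could simply be swapped. `using namespace yandex::cloud::priv::iam::v1;` is placed at global scope of the .cpp; that is acceptable in a translation unit, but moving it just inside `namespace NYdb::inline V3 {` confines the names it brings in to this file's own namespace and avoids clashes with anything the generated headers put at global scope.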
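Review bot: In the second `iam.cpp` hunk, `>>(std::move(params));` moves from a `const TIamServiceParams&`, which resolves to a copy, and the constructor of `TIamServiceCredentialsProviderFactory` takes `const TIamServiceParams&` anyway, so the cast is noise that clang-tidy reports as performance-move-const-arg; write `>>(params);`. The JWT overload above genuinely moves its by-value `jwtParams`, which is probably where the pattern was copied from.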
--- a/ydb/public/sdk/cpp/src/client/iam_private/ya.make
+++ b/ydb/public/sdk/cpp/src/client/iam_private/ya.make
@@ -8,7 +8,7 @@ SRCS(
 PEERDIR(
 ydb/public/api/client/yc_private/iam
- ydb/public/sdk/cpp/src/client/iam/common
+ ydb/public/sdk/cpp/src/client/iam_private/common
 )
 END() |