authorNikita Vasilev <ns-vasilev@ydb.tech>2024-12-02 14:40:14 +0300
committerGitHub <noreply@github.com>2024-12-02 14:40:14 +0300
commite6331e9672ea708cbe6b51d5b72ab8825d35165a (patch)
tree5bf50addd85dcfea9adf064a5d5f4026f8b537d7
parentcdcd6b8d553f101b8d7d548eb82b60ad1182a736 (diff)
Test for olap ACL (#12202)
-rw-r--r--ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp148
1 files changed, 148 insertions, 0 deletions
diff --git a/ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp b/ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp
index 972ea1c87d..333e777105 100644
--- a/ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp
+++ b/ydb/core/kqp/ut/scheme/kqp_acl_ut.cpp
@@ -212,6 +212,154 @@ Y_UNIT_TEST_SUITE(KqpAcl) {
driver.Stop(true);
}
+
+ Y_UNIT_TEST_TWIN(AclForOltpAndOlap, isOlap) {
+ const TString query = Sprintf(R"(
+ CREATE TABLE `/Root/test_acl` (
+ id Int64 NOT NULL,
+ name String,
+ primary key (id)
+ ) WITH (STORE=%s);
+ )", isOlap ? "COLUMN" : "ROW");
+
+ TKikimrRunner kikimr;
+
+ {
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(kikimr.GetEndpoint())
+ .SetAuthToken("root@builtin");
+ auto driver = TDriver(driverConfig);
+ auto client = NYdb::NQuery::TQueryClient(driver);
+
+ AssertSuccessResult(client.ExecuteQuery(query, NYdb::NQuery::TTxControl::NoTx()).ExtractValueSync());
+
+ driver.Stop(true);
+ }
+
+ {
+ auto schemeClient = kikimr.GetSchemeClient();
+ NYdb::NScheme::TPermissions permissions("user0@builtin", {});
+ AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
+ NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
+ ).ExtractValueSync()
+ );
+ }
+
+ {
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(kikimr.GetEndpoint())
+ .SetAuthToken("user0@builtin");
+ auto driver = TDriver(driverConfig);
+ auto client = NYdb::NQuery::TQueryClient(driver);
+
+ auto result = client.ExecuteQuery(R"(
+ SELECT * FROM `/Root/test_acl`;
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToString());
+ const auto expectedIssueMessage = "Cannot find table 'db.[/Root/test_acl]' because it does not exist or you do not have access permissions.";
+ UNIT_ASSERT_C(result.GetIssues().ToString().Contains(expectedIssueMessage), result.GetIssues().ToString());
+
+ auto resultWrite = client.ExecuteQuery(R"(
+ REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(!resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+ UNIT_ASSERT_C(resultWrite.GetIssues().ToString().Contains(expectedIssueMessage), resultWrite.GetIssues().ToString());
+
+ driver.Stop(true);
+ }
+
+ {
+ auto schemeClient = kikimr.GetSchemeClient();
+ NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.describe_schema"});
+ AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
+ NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
+ ).ExtractValueSync()
+ );
+ }
+
+ {
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(kikimr.GetEndpoint())
+ .SetAuthToken("user0@builtin");
+ auto driver = TDriver(driverConfig);
+ auto client = NYdb::NQuery::TQueryClient(driver);
+
+ auto result = client.ExecuteQuery(R"(
+ SELECT * FROM `/Root/test_acl`;
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(!result.IsSuccess(), result.GetIssues().ToString());
+ const auto expectedIssueMessage = "Failed to resolve table `/Root/test_acl` status: AccessDenied., code: 2028";
+ UNIT_ASSERT_C(result.GetIssues().ToString().Contains(expectedIssueMessage), result.GetIssues().ToString());
+
+ auto resultWrite = client.ExecuteQuery(R"(
+ REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(!resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+ UNIT_ASSERT_C(resultWrite.GetIssues().ToString().Contains(expectedIssueMessage), resultWrite.GetIssues().ToString());
+
+ driver.Stop(true);
+ }
+
+ {
+ auto schemeClient = kikimr.GetSchemeClient();
+ NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.describe_schema", "ydb.deprecated.select_row"});
+ AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
+ NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
+ ).ExtractValueSync()
+ );
+ }
+
+ {
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(kikimr.GetEndpoint())
+ .SetAuthToken("user0@builtin");
+ auto driver = TDriver(driverConfig);
+ auto client = NYdb::NQuery::TQueryClient(driver);
+
+ auto result = client.ExecuteQuery(R"(
+ SELECT * FROM `/Root/test_acl`;
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+
+ auto resultWrite = client.ExecuteQuery(R"(
+ REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(!resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+ const auto expectedIssueMessage = "Failed to resolve table `/Root/test_acl` status: AccessDenied., code: 2028";
+ UNIT_ASSERT_C(resultWrite.GetIssues().ToString().Contains(expectedIssueMessage), resultWrite.GetIssues().ToString());
+
+ driver.Stop(true);
+ }
+
+ {
+ auto schemeClient = kikimr.GetSchemeClient();
+ NYdb::NScheme::TPermissions permissions("user0@builtin", {"ydb.deprecated.update_row"});
+ AssertSuccessResult(schemeClient.ModifyPermissions("/Root/test_acl",
+ NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)
+ ).ExtractValueSync()
+ );
+ }
+
+ {
+ auto driverConfig = TDriverConfig()
+ .SetEndpoint(kikimr.GetEndpoint())
+ .SetAuthToken("user0@builtin");
+ auto driver = TDriver(driverConfig);
+ auto client = NYdb::NQuery::TQueryClient(driver);
+
+ auto result = client.ExecuteQuery(R"(
+ SELECT * FROM `/Root/test_acl`;
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+
+ auto resultWrite = client.ExecuteQuery(R"(
+ REPLACE INTO `/Root/test_acl` (id, name) VALUES (1, 'test');
+ )", NYdb::NQuery::TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+ UNIT_ASSERT_C(resultWrite.IsSuccess(), resultWrite.GetIssues().ToString());
+
+ driver.Stop(true);
+ }
+ }
}
} // namespace NKqp
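Review bot: The three denied-write checks (`UNIT_ASSERT_C(!resultWrite.IsSuccess(), ...)` in the empty-grant, describe_schema and select_row blocks) only prove that an error came back; the table contents are never inspected, so a REPLACE that reports AccessDenied but still commits would pass this test. In the final block the SELECT runs before the first permitted REPLACE, so it can pin that down with `UNIT_ASSERT_VALUES_EQUAL(result.GetResultSet(0).RowsCount(), 0);`, and a read-back after the last REPLACE would confirm the allowed write landed. The failures are also matched on message text alone; asserting `result.GetStatus()` as well would keep the checks meaningful if the wording changes. The switch from "does not exist or you do not have access permissions" to "AccessDenied" once describe_schema is granted looks deliberate (existence is presumably not disclosed without describe rights), and a one-line comment saying so would stop a later edit from unifying the two messages. The new test is fully inside the hunk; the enclosing Y_UNIT_TEST_SUITE starts outside it.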