authorOleg Doronin <[email protected]>2024-08-08 14:44:23 +0300
committerGitHub <[email protected]>2024-08-08 14:44:23 +0300
commitf010ee3321a68bdf28891cc26f0ebde179794cf0 (patch)
tree884c09250b891ebfb97cf7feac0e116d64b55958
parenta08fe025ce9ba1ad357efc8b6bda1f6368e2a1dd (diff)
secrets have been fixed (#7409)
-rw-r--r--ydb/core/fq/libs/compute/ydb/synchronization_service/synchronization_service.cpp2
-rw-r--r--ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp44
-rw-r--r--ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h8
-rw-r--r--ydb/core/fq/libs/control_plane_proxy/actors/ydb_schema_query_actor.cpp47
4 files changed, 65 insertions, 36 deletions
diff --git a/ydb/core/fq/libs/compute/ydb/synchronization_service/synchronization_service.cpp b/ydb/core/fq/libs/compute/ydb/synchronization_service/synchronization_service.cpp
index e8ac5cc5ef3..fe8df83ebd6 100644
--- a/ydb/core/fq/libs/compute/ydb/synchronization_service/synchronization_service.cpp
+++ b/ydb/core/fq/libs/compute/ydb/synchronization_service/synchronization_service.cpp
@@ -436,6 +436,7 @@ private:
request.Get()->Get()->YDBClient = Client;
request.Get()->Get()->ComputeDatabase = ComputeDatabase;
+ request.Get()->Get()->Scope = Scope;
Register(NFq::NPrivate::MakeCreateConnectionActor(
SelfId(),
@@ -465,6 +466,7 @@ private:
request.Get()->Get()->YDBClient = Client;
request.Get()->Get()->ComputeDatabase = ComputeDatabase;
+ request.Get()->Get()->Scope = Scope;
auto it = Connections.find(binding.second.content().connection_id());
if (it == Connections.end()) {
diff --git a/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp b/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp
index 1a781f37420..c69f279be3e 100644
--- a/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp
+++ b/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp
@@ -11,6 +11,14 @@
namespace NFq {
namespace NPrivate {
+namespace {
+
+TString MakeSecretKeyName(const TString& prefix, const TString& folderId, const TString& name) {
+ return TStringBuilder{} << prefix << "_" << folderId << "_" << name;
+}
+
+}
+
TString MakeCreateExternalDataTableQuery(const FederatedQuery::BindingContent& content,
const TString& connectionName,
bool replaceIfExists) {
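Review bot: `MakeSecretKeyName` joins `prefix`, `folderId` and `name` with a bare `_`, so two distinct (folderId, name) pairs can map to the same secret key whenever either component may itself contain `_` (e.g. folder `a_b` with name `c` and folder `a` with name `b_c`), and the later UPSERT would then overwrite the other folder's secret — the same cross-folder mixing this commit is fixing. Nothing in the hunk constrains the folder id or connection name format, so either document the assumption or enforce it at the join point, e.g. `Y_ENSURE(folderId.find('_') == TString::npos, "folder id must not contain '_'");` (or pick a delimiter that the name grammar forbids). The closing brace of the anonymous namespace should also be labelled, `} // namespace`, matching the rest of the file's namespace closers.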
@@ -94,7 +102,8 @@ TString SignAccountId(const TString& id, const TSigner::TPtr& signer) {
TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting& setting,
const TString& name,
- const TSigner::TPtr& signer) {
+ const TSigner::TPtr& signer,
+ const TString& folderId) {
using namespace fmt::literals;
TString secretObjects;
auto serviceAccountId = ExtractServiceAccountId(setting);
@@ -103,7 +112,7 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
R"(
UPSERT OBJECT {sa_secret_name} (TYPE SECRET) WITH value={signature};
)",
- "sa_secret_name"_a = EncloseAndEscapeString("k1" + name, '`'),
+ "sa_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f1", folderId, name), '`'),
"signature"_a = EncloseSecret(EncloseAndEscapeString(SignAccountId(serviceAccountId, signer), '"'))) : std::string{};
}
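Review bot: The prefixes `"f1"` and `"f2"` are repeated as bare literals at every call site in CreateSecretObjectQuery, CreateAuthParamsQuery and DropSecretObjectQuery, so the pairing (`f1` = service-account secret, `f2` = password secret) has to be kept consistent by hand across eight places and a single typo would silently produce a secret the auth params never reference. Define them once next to `MakeSecretKeyName`, e.g. `constexpr TStringBuf kServiceAccountSecretPrefix = "f1";` and `constexpr TStringBuf kPasswordSecretPrefix = "f2";`, and pass those instead; the legacy `"k1"`/`"k2"` literals in DropSecretObjectQuery deserve the same treatment with a `Legacy` suffix.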
@@ -113,7 +122,7 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
R"(
UPSERT OBJECT {password_secret_name} (TYPE SECRET) WITH value={password};
)",
- "password_secret_name"_a = EncloseAndEscapeString("k2" + name, '`'),
+ "password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '`'),
"password"_a = EncloseSecret(EncloseAndEscapeString(*password, '"')));
}
@@ -122,7 +131,8 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
const TString& name,
- const TSigner::TPtr& signer) {
+ const TSigner::TPtr& signer,
+ const TString& folderId) {
using namespace fmt::literals;
auto authMethod = GetYdbComputeAuthMethod(setting);
switch (authMethod) {
@@ -139,7 +149,7 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
)",
"auth_method"_a = ToString(authMethod),
"service_account_id"_a = EncloseAndEscapeString(ExtractServiceAccountId(setting), '"'),
- "sa_secret_name"_a = EncloseAndEscapeString(signer ? "k1" + name : TString{}, '"'));
+ "sa_secret_name"_a = EncloseAndEscapeString(signer ? MakeSecretKeyName("f1", folderId, name) : TString{}, '"'));
case EYdbComputeAuth::BASIC:
return fmt::format(
R"(,
@@ -149,7 +159,7 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
)",
"auth_method"_a = ToString(authMethod),
"login"_a = EncloseAndEscapeString(GetLogin(setting).GetOrElse({}), '"'),
- "password_secret_name"_a = EncloseAndEscapeString("k2" + name, '"'));
+ "password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '"'));
case EYdbComputeAuth::MDB_BASIC:
return fmt::format(
R"(,
@@ -161,9 +171,9 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
)",
"auth_method"_a = ToString(authMethod),
"service_account_id"_a = EncloseAndEscapeString(ExtractServiceAccountId(setting), '"'),
- "sa_secret_name"_a = EncloseAndEscapeString(signer ? "k1" + name : TString{}, '"'),
+ "sa_secret_name"_a = EncloseAndEscapeString(signer ? MakeSecretKeyName("f1", folderId, name) : TString{}, '"'),
"login"_a = EncloseAndEscapeString(GetLogin(setting).GetOrElse({}), '"'),
- "password_secret_name"_a = EncloseAndEscapeString("k2" + name, '"'));
+ "password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '"'));
}
}
@@ -171,7 +181,8 @@ TString MakeCreateExternalDataSourceQuery(
const FederatedQuery::ConnectionContent& connectionContent,
const TSigner::TPtr& signer,
const NConfig::TCommonConfig& common,
- bool replaceIfExists) {
+ bool replaceIfExists,
+ const TString& folderId) {
using namespace fmt::literals;
TString properties;
@@ -278,20 +289,25 @@ TString MakeCreateExternalDataSourceQuery(
"auth_params"_a =
CreateAuthParamsQuery(connectionContent.setting(),
connectionContent.name(),
- signer));
+ signer,
+ folderId));
}
-TMaybe<TString> DropSecretObjectQuery(const TString& name) {
+TMaybe<TString> DropSecretObjectQuery(const TString& name, const TString& folderId) {
using namespace fmt::literals;
return fmt::format(
R"(
DROP OBJECT {secret_name1} (TYPE SECRET);
DROP OBJECT {secret_name2} (TYPE SECRET);
DROP OBJECT {secret_name3} (TYPE SECRET); -- for backward compatibility
+ DROP OBJECT {secret_name4} (TYPE SECRET); -- for backward compatibility
+ DROP OBJECT {secret_name5} (TYPE SECRET); -- for backward compatibility
)",
- "secret_name1"_a = EncloseAndEscapeString("k1" + name, '`'),
- "secret_name2"_a = EncloseAndEscapeString("k2" + name, '`'),
- "secret_name3"_a = EncloseAndEscapeString(name, '`'));
+ "secret_name1"_a = EncloseAndEscapeString(MakeSecretKeyName("f1", folderId, name), '`'),
+ "secret_name2"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '`'),
+ "secret_name3"_a = EncloseAndEscapeString(TStringBuilder{} << "k1" << name, '`'),
+ "secret_name4"_a = EncloseAndEscapeString(TStringBuilder{} << "k2" << name, '`'),
+ "secret_name5"_a = EncloseAndEscapeString(name, '`'));
}
TString MakeDeleteExternalDataTableQuery(const TString& tableName) {
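Review bot: The three legacy DROP statements in DropSecretObjectQuery all carry the same comment, `-- for backward compatibility`, which no longer tells a reader which naming generation each one removes. Suggest `-- legacy: "k1"/"k2" + name (keys before folder scoping)` on the k1/k2 lines and `-- legacy: bare connection name` on the last one, so the day they can be retired is identifiable. The function also issues five DROPs of which at most two can exist for any given connection, and relies on callers tolerating that via `.ShouldSkipStepOnError = IsPathDoesNotExistIssue` (visible at the modify and delete call sites); a one-line header comment stating that contract would keep a future caller from treating the resulting errors as failures.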
diff --git a/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h b/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h
index ebfe43b5e22..92ed74341c4 100644
--- a/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h
+++ b/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h
@@ -10,15 +10,17 @@ namespace NPrivate {
TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting& setting,
const TString& name,
- const TSigner::TPtr& signer);
+ const TSigner::TPtr& signer,
+ const TString& folderId);
-TMaybe<TString> DropSecretObjectQuery(const TString& name);
+TMaybe<TString> DropSecretObjectQuery(const TString& name, const TString& folderId);
TString MakeCreateExternalDataSourceQuery(
const FederatedQuery::ConnectionContent& connectionContent,
const TSigner::TPtr& signer,
const NConfig::TCommonConfig& common,
- bool replaceIfExists);
+ bool replaceIfExists,
+ const TString& folderId);
TString MakeDeleteExternalDataSourceQuery(const TString& sourceName);
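Review bot: The new `folderId` parameter is added to three declarations in query_utils.h with no documentation of what it is or where it must come from, although it now determines the secret key (`prefix_folderId_name`) that both the UPSERT and the later DROP compute independently. Add a comment above `CreateSecretObjectQuery`, e.g. `// folderId scopes the generated secret names so equally named connections in different folders do not share a secret; callers must pass the same folder for create and drop, otherwise DropSecretObjectQuery will target a key that was never written.` The same note applies to `DropSecretObjectQuery` and `MakeCreateExternalDataSourceQuery`, where a `// see CreateSecretObjectQuery` reference is enough.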
diff --git a/ydb/core/fq/libs/control_plane_proxy/actors/ydb_schema_query_actor.cpp b/ydb/core/fq/libs/control_plane_proxy/actors/ydb_schema_query_actor.cpp
index 2854598fabe..26eae1ef767 100644
--- a/ydb/core/fq/libs/control_plane_proxy/actors/ydb_schema_query_actor.cpp
+++ b/ydb/core/fq/libs/control_plane_proxy/actors/ydb_schema_query_actor.cpp
@@ -9,6 +9,7 @@
#include <ydb/core/fq/libs/control_plane_proxy/events/events.h>
#include <ydb/core/fq/libs/control_plane_storage/control_plane_storage.h>
#include <ydb/public/api/protos/draft/fq.pb.h>
+#include <ydb/public/lib/fq/scope.h>
#include <ydb/public/sdk/cpp/client/ydb_table/table.h>
namespace NFq::NPrivate {
@@ -418,7 +419,7 @@ public:
event->IsExactNameMatch = true;
- TBase::Send(NFq::ControlPlaneStorageServiceActorId(), event);
+ TBase::Send(::NFq::ControlPlaneStorageServiceActorId(), event);
}
STRICT_STFUNC(StateFunc, cFunc(NActors::TEvents::TSystem::Wakeup, TBase::HandleTimeout);
@@ -493,7 +494,7 @@ public:
event->IsExactNameMatch = true;
- TBase::Send(NFq::ControlPlaneStorageServiceActorId(), event);
+ TBase::Send(::NFq::ControlPlaneStorageServiceActorId(), event);
}
STRICT_STFUNC(StateFunc, cFunc(NActors::TEvents::TSystem::Wakeup, TBase::HandleTimeout);
@@ -543,7 +544,7 @@ IActor* MakeCreateConnectionActor(
TCounters& counters,
TPermissions permissions,
const TCommonConfig& commonConfig,
- const NFq::TComputeConfig& computeConfig,
+ const ::NFq::TComputeConfig& computeConfig,
TSigner::TPtr signer,
bool withoutRollback,
TMaybe<TString> connectionId) {
@@ -557,10 +558,13 @@ IActor* MakeCreateConnectionActor(
computeConfig](const TEvControlPlaneProxy::TEvCreateConnectionRequest::TPtr& req)
-> std::vector<TSchemaQueryTask> {
auto& connectionContent = req->Get()->Request.content();
+ const auto& scope = req->Get()->Scope;
+ const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();
auto createSecretStatement = CreateSecretObjectQuery(connectionContent.setting(),
connectionContent.name(),
- signer);
+ signer,
+ folderId);
std::vector<TSchemaQueryTask> statements;
if (createSecretStatement) {
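Review bot: `folderId` is taken from `req->Get()->Scope` through `TScope{scope}.ParseFolder()` and fed straight into secret-name generation without checking that it is non-empty. Not every producer of these requests necessarily sets `Scope` (this very commit has to add the assignment in synchronization_service.cpp), and if `ParseFolder` yields an empty string for an unset or unparseable scope — behaviour I cannot confirm from the hunk — every such request collapses onto the key `f1__<name>`, silently reintroducing the cross-folder collision the change is meant to remove. Failing closed is the safer default, e.g. `Y_ENSURE(!folderId.empty(), "cannot derive folder id from scope '" << scope << "'");` or whatever error path the query factory already uses. The same two-line derivation is repeated in MakeModifyConnectionActor and MakeDeleteConnectionActor; a small shared helper such as `TString FolderIdFromScope(const TString& scope)` would hold the check once. The enclosing lambda starts and ends outside this hunk.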
@@ -603,7 +607,7 @@ IActor* MakeCreateConnectionActor(
statements.push_back(TSchemaQueryTask{
.SQL = MakeCreateExternalDataSourceQuery(
connectionContent, signer, commonConfig,
- computeConfig.IsReplaceIfExistsSyntaxSupported()),
+ computeConfig.IsReplaceIfExistsSyntaxSupported(), folderId),
.ScheduleErrorRecoverySQLGeneration =
withoutRollback
? NoRecoverySQLGeneration()
@@ -647,7 +651,7 @@ IActor* MakeModifyConnectionActor(
TDuration requestTimeout,
TCounters& counters,
const TCommonConfig& commonConfig,
- const NFq::TComputeConfig& computeConfig,
+ const ::NFq::TComputeConfig& computeConfig,
TSigner::TPtr signer) {
auto queryFactoryMethod =
[signer = std::move(signer),
@@ -659,13 +663,16 @@ IActor* MakeModifyConnectionActor(
auto& oldConnectionContent = (*request->Get()->OldConnectionContent);
auto& oldBindings = request->Get()->OldBindingContents;
auto& newConnectionContent = request->Get()->Request.content();
+ const auto& scope = request->Get()->Scope;
+ const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();
auto dropOldSecret =
- DropSecretObjectQuery(oldConnectionContent.name());
+ DropSecretObjectQuery(oldConnectionContent.name(), folderId);
auto createNewSecret =
CreateSecretObjectQuery(newConnectionContent.setting(),
newConnectionContent.name(),
- signer);
+ signer,
+ folderId);
bool replaceSupported = computeConfig.IsReplaceIfExistsSyntaxSupported();
if (replaceSupported &&
@@ -673,7 +680,7 @@ IActor* MakeModifyConnectionActor(
// CREATE OR REPLACE
auto createSecretStatement =
CreateSecretObjectQuery(newConnectionContent.setting(),
- newConnectionContent.name(), signer);
+ newConnectionContent.name(), signer, folderId);
std::vector<TSchemaQueryTask> statements;
if (createSecretStatement) {
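Review bot: In the CREATE OR REPLACE branch only the new folder-scoped secret is upserted; a secret this connection created under the legacy `k1`/`k2` + name key is neither dropped nor referenced by the recreated external data source, so a copy of the credential material stays in the database until the connection is eventually deleted (the legacy DROPs in DropSecretObjectQuery run only on the non-replace modify path and on delete). The branch condition itself lies outside the hunk, so I may be missing a case that already covers this. If the behaviour is intended, a comment saying so — `// legacy k1/k2 secrets are left in place here and cleaned up on delete` — would stop the next reader from hunting for the cleanup; otherwise consider appending `*DropSecretObjectQuery(...)` for the legacy names to `statements`, with `.ShouldSkipStepOnError = IsPathDoesNotExistIssue` as the other call sites do.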
@@ -683,7 +690,7 @@ IActor* MakeModifyConnectionActor(
statements.push_back(TSchemaQueryTask{
.SQL = MakeCreateExternalDataSourceQuery(
- newConnectionContent, signer, commonConfig, replaceSupported)});
+ newConnectionContent, signer, commonConfig, replaceSupported, folderId)});
return statements;
}
@@ -712,7 +719,7 @@ IActor* MakeModifyConnectionActor(
statements.push_back(TSchemaQueryTask{
.SQL = TString{MakeDeleteExternalDataSourceQuery(oldConnectionContent.name())},
.RollbackSQL = TString{MakeCreateExternalDataSourceQuery(
- oldConnectionContent, signer, commonConfig, false)},
+ oldConnectionContent, signer, commonConfig, false, folderId)},
.ShouldSkipStepOnError = IsPathDoesNotExistIssue});
if (dropOldSecret) {
@@ -720,18 +727,18 @@ IActor* MakeModifyConnectionActor(
.SQL = *dropOldSecret,
.RollbackSQL = CreateSecretObjectQuery(oldConnectionContent.setting(),
oldConnectionContent.name(),
- signer),
+ signer, folderId),
.ShouldSkipStepOnError = IsPathDoesNotExistIssue});
}
if (createNewSecret) {
statements.push_back(TSchemaQueryTask{.SQL = *createNewSecret,
.RollbackSQL = DropSecretObjectQuery(
- newConnectionContent.name())});
+ newConnectionContent.name(), folderId)});
}
statements.push_back(
TSchemaQueryTask{.SQL = TString{MakeCreateExternalDataSourceQuery(
- newConnectionContent, signer, commonConfig, false)},
+ newConnectionContent, signer, commonConfig, false, folderId)},
.RollbackSQL = TString{MakeDeleteExternalDataSourceQuery(
newConnectionContent.name())}});
@@ -787,15 +794,17 @@ IActor* MakeDeleteConnectionActor(
const TEvControlPlaneProxy::TEvDeleteConnectionRequest::TPtr& request)
-> std::vector<TSchemaQueryTask> {
auto& connectionContent = *request->Get()->ConnectionContent;
+ const auto& scope = request->Get()->Scope;
+ const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();
auto dropSecret =
- DropSecretObjectQuery(connectionContent.name());
+ DropSecretObjectQuery(connectionContent.name(), folderId);
std::vector statements = {
TSchemaQueryTask{.SQL = TString{MakeDeleteExternalDataSourceQuery(
connectionContent.name())},
.RollbackSQL = MakeCreateExternalDataSourceQuery(
- connectionContent, signer, commonConfig, false),
+ connectionContent, signer, commonConfig, false, folderId),
.ShouldSkipStepOnError = IsPathDoesNotExistIssue}};
if (dropSecret) {
statements.push_back(
@@ -803,7 +812,7 @@ IActor* MakeDeleteConnectionActor(
.RollbackSQL =
CreateSecretObjectQuery(connectionContent.setting(),
connectionContent.name(),
- signer),
+ signer, folderId),
.ShouldSkipStepOnError = IsPathDoesNotExistIssue});
}
return statements;
@@ -832,7 +841,7 @@ IActor* MakeCreateBindingActor(const TActorId& proxyActorId,
TDuration requestTimeout,
TCounters& counters,
TPermissions permissions,
- const NFq::TComputeConfig& computeConfig,bool withoutRollback,
+ const ::NFq::TComputeConfig& computeConfig,bool withoutRollback,
TMaybe<TString> bindingId) {
auto queryFactoryMethod =
[requestTimeout, &counters, permissions, withoutRollback, computeConfig](
@@ -916,7 +925,7 @@ IActor* MakeModifyBindingActor(const TActorId& proxyActorId,
TEvControlPlaneProxy::TEvModifyBindingRequest::TPtr request,
TDuration requestTimeout,
TCounters& counters,
- const NFq::TComputeConfig& computeConfig) {
+ const ::NFq::TComputeConfig& computeConfig) {
auto queryFactoryMethod =
[computeConfig](const TEvControlPlaneProxy::TEvModifyBindingRequest::TPtr& request)
-> std::vector<TSchemaQueryTask> {