diff options
| author | gvit <gvit@ydb.tech> | 2023-03-03 13:27:04 +0300 |
|---|---|---|
| committer | gvit <gvit@ydb.tech> | 2023-03-03 13:27:04 +0300 |
| commit | f8de1c2153896b5f9eac18e8e4442f59853bdae2 (patch) | |
| tree | 7f2ea6d2831fee9ef491b4d0284f82c096d146ca | |
| parent | 29ba77620624436e200a626685a92b1c3f9b9349 (diff) | |
| download | ydb-f8de1c2153896b5f9eac18e8e4442f59853bdae2.tar.gz | |
pass user token as intrusive ptr to session actor
69 files changed, 326 insertions, 255 deletions
diff --git a/ydb/core/base/ticket_parser.h b/ydb/core/base/ticket_parser.h index 3e5c14d92e..f715dec164 100644 --- a/ydb/core/base/ticket_parser.h +++ b/ydb/core/base/ticket_parser.h @@ -178,14 +178,15 @@ namespace NKikimr { struct TEvAuthorizeTicketResult : TEventLocal<TEvAuthorizeTicketResult, EvAuthorizeTicketResult> { TString Ticket; TError Error; - TIntrusivePtr<NACLib::TUserToken> Token; - TString SerializedToken; + TIntrusiveConstPtr<NACLib::TUserToken> Token; + const TString SerializedToken; - TEvAuthorizeTicketResult(const TString& ticket, const TIntrusivePtr<NACLib::TUserToken>& token, const TString& serializedToken) + TEvAuthorizeTicketResult(const TString& ticket, const TIntrusiveConstPtr<NACLib::TUserToken>& token) : Ticket(ticket) , Token(token) - , SerializedToken(serializedToken) - {} + , SerializedToken(token ? token->GetSerializedToken() : "") + { + } TEvAuthorizeTicketResult(const TString& ticket, const TError& error) : Ticket(ticket) diff --git a/ydb/core/client/server/msgbus_server_db.cpp b/ydb/core/client/server/msgbus_server_db.cpp index aa1eb540f5..05038bae14 100644 --- a/ydb/core/client/server/msgbus_server_db.cpp +++ b/ydb/core/client/server/msgbus_server_db.cpp @@ -249,7 +249,7 @@ protected: if (!result.Error.empty()) { //return TBase::HandleError(EResponseStatus::MSTATUS_ERROR, TEvTxUserProxy::TEvProposeTransactionStatus::EStatus::AccessDenied, result.Error, ctx); } else { - UserToken = result.SerializedToken; + UserToken = result.Token->GetSerializedToken(); } if (++Responses == Requests) { BuildAndRunProgram(ctx); @@ -729,7 +729,7 @@ protected: if (!result.Error.empty()) { //return TBase::HandleError(EResponseStatus::MSTATUS_ERROR, TEvTxUserProxy::TEvProposeTransactionStatus::EStatus::AccessDenied, result.Error, ctx); } else { - UserToken = result.SerializedToken; + UserToken = result.Token->GetSerializedToken(); } BuildRequests(ctx); } diff --git a/ydb/core/cms/console/console__remove_tenant.cpp b/ydb/core/cms/console/console__remove_tenant.cpp index 59dc4db430..8d8bd64fcf 100644 --- a/ydb/core/cms/console/console__remove_tenant.cpp +++ b/ydb/core/cms/console/console__remove_tenant.cpp @@ -102,7 +102,7 @@ public: Ydb::StatusIds::ABORTED, ctx); Self->ChangeTenantState(Tenant, TTenant::REMOVING_SUBDOMAIN, ctx); - Tenant->UserToken = Request->Get()->Record.GetUserToken(); + Tenant->UserToken = NACLib::TUserToken(Request->Get()->Record.GetUserToken()); Tenant->Worker = TActorId(); Self->ProcessTenantActions(Tenant, ctx); diff --git a/ydb/core/grpc_services/base/base.h b/ydb/core/grpc_services/base/base.h index 33eb0c4c94..a16444b08d 100644 --- a/ydb/core/grpc_services/base/base.h +++ b/ydb/core/grpc_services/base/base.h @@ -16,6 +16,7 @@ #include <ydb/library/yql/public/issue/yql_issue.h> #include <ydb/library/yql/public/issue/yql_issue_message.h> #include <ydb/library/yql/public/issue/yql_issue_manager.h> +#include <ydb/library/aclib/aclib.h> #include <ydb/core/grpc_services/counters/proxy_counters.h> #include <ydb/core/grpc_streaming/grpc_streaming.h> @@ -250,7 +251,9 @@ public: // Returns client provided database name virtual const TMaybe<TString> GetDatabaseName() const = 0; // Returns "internal" token (result of ticket parser authentication) - virtual const TString& GetInternalToken() const = 0; + virtual const TIntrusiveConstPtr<NACLib::TUserToken>& GetInternalToken() const = 0; + // Returns internal token as a serialized message. + virtual const TString& GetSerializedToken() const = 0; virtual bool IsClientLost() const = 0; }; @@ -352,7 +355,7 @@ public: // auth virtual const TMaybe<TString> GetYdbToken() const = 0; virtual void UpdateAuthState(NGrpc::TAuthState::EAuthState state) = 0; - virtual void SetInternalToken(const TString& token) = 0; + virtual void SetInternalToken(const TIntrusiveConstPtr<NACLib::TUserToken>& token) = 0; virtual const NGrpc::TAuthState& GetAuthState() const = 0; virtual void ReplyUnauthenticated(const TString& msg = "") = 0; virtual void ReplyUnavaliable() = 0; @@ -479,7 +482,7 @@ public: State_.State = state; } - void SetInternalToken(const TString& token) override { + void SetInternalToken(const TIntrusiveConstPtr<NACLib::TUserToken>& token) override { InternalToken_ = token; } @@ -495,10 +498,18 @@ public: return State_; } - const TString& GetInternalToken() const override { + const TIntrusiveConstPtr<NACLib::TUserToken>& GetInternalToken() const override { return InternalToken_; } + const TString& GetSerializedToken() const override { + if (InternalToken_) { + return InternalToken_->GetSerializedToken(); + } + + return EmptySerializedTokenMessage_; + } + TString GetPeerName() const override { return {}; } @@ -608,7 +619,8 @@ private: const TString Database_; const TActorId From_; NGrpc::TAuthState State_; - TString InternalToken_; + TIntrusiveConstPtr<NACLib::TUserToken> InternalToken_; + const TString EmptySerializedTokenMessage_; NYql::TIssueManager IssueManager_; }; @@ -726,7 +738,7 @@ public: IssueManager_.RaiseIssues(issues); } - void SetInternalToken(const TString& token) override { + void SetInternalToken(const TIntrusiveConstPtr<NACLib::TUserToken>& token) override { InternalToken_ = token; } @@ -738,10 +750,18 @@ public: return RlPath_; } - const TString& GetInternalToken() const override { + const TIntrusiveConstPtr<NACLib::TUserToken>& GetInternalToken() const override { return InternalToken_; } + const TString& GetSerializedToken() const override { + if (InternalToken_) { + return InternalToken_->GetSerializedToken(); + } + + return EmptySerializedTokenMessage_; + } + TString GetPeerName() const override { return Ctx_->GetPeerName(); } @@ -821,7 +841,8 @@ public: private: TIntrusivePtr<IStreamCtx> Ctx_; - TString InternalToken_; + TIntrusiveConstPtr<NACLib::TUserToken> InternalToken_; + const TString EmptySerializedTokenMessage_; NYql::TIssueManager IssueManager_; TMaybe<NRpcService::TRlPath> RlPath_; bool RlAllowed_; @@ -970,7 +991,7 @@ public: Ctx_->ReplyUnauthenticated(MakeAuthError(in, IssueManager)); } - void SetInternalToken(const TString& token) override { + void SetInternalToken(const TIntrusiveConstPtr<NACLib::TUserToken>& token) override { InternalToken_ = token; } @@ -983,10 +1004,18 @@ public: Ctx_->AddTrailingMetadata(NYdb::YDB_CONSUMED_UNITS_HEADER, IntToString<10>(ru)); } - const TString& GetInternalToken() const override { + const TIntrusiveConstPtr<NACLib::TUserToken>& GetInternalToken() const override { return InternalToken_; } + const TString& GetSerializedToken() const override { + if (InternalToken_) { + return InternalToken_->GetSerializedToken(); + } + + return EmptySerializedTokenMessage_; + } + const TMaybe<TString> GetPeerMetaValues(const TString& key) const override { return ToMaybe(Ctx_->GetPeerMetaValues(key)); } @@ -1189,7 +1218,8 @@ private: private: TIntrusivePtr<NGrpc::IRequestContextBase> Ctx_; - TString InternalToken_; + TIntrusiveConstPtr<NACLib::TUserToken> InternalToken_; + const TString EmptySerializedTokenMessage_; NYql::TIssueManager IssueManager; Ydb::CostInfo* CostInfo = nullptr; Ydb::QuotaExceeded* QuotaExceeded = nullptr; diff --git a/ydb/core/grpc_services/grpc_request_check_actor.h b/ydb/core/grpc_services/grpc_request_check_actor.h index d8625680bd..8db80367fc 100644 --- a/ydb/core/grpc_services/grpc_request_check_actor.h +++ b/ydb/core/grpc_services/grpc_request_check_actor.h @@ -209,7 +209,7 @@ public: ReplyUnavailableAndDie(issues); } else { GrpcRequestBaseCtx_->UpdateAuthState(NGrpc::TAuthState::AS_OK); - GrpcRequestBaseCtx_->SetInternalToken(TBase::GetSerializedToken()); + GrpcRequestBaseCtx_->SetInternalToken(TBase::GetParsedToken()); Continue(); } } @@ -450,7 +450,8 @@ private: } const ui32 access = NACLib::ConnectDatabase; - if (SecurityObject_->CheckAccess(access, TBase::GetSerializedToken())) { + const auto& parsedToken = TBase::GetParsedToken(); + if (parsedToken && SecurityObject_->CheckAccess(access, *parsedToken)) { return {false, std::nullopt}; } diff --git a/ydb/core/grpc_services/grpc_request_proxy.h b/ydb/core/grpc_services/grpc_request_proxy.h index e8182f4c2e..f217ce8850 100644 --- a/ydb/core/grpc_services/grpc_request_proxy.h +++ b/ydb/core/grpc_services/grpc_request_proxy.h @@ -36,11 +36,11 @@ public: struct TEvRefreshTokenResponse : public TEventLocal<TEvRefreshTokenResponse, EvRefreshTokenResponse> { bool Authenticated; - TString InternalToken; + TIntrusiveConstPtr<NACLib::TUserToken> InternalToken; bool Retryable; NYql::TIssues Issues; - TEvRefreshTokenResponse(bool ok, const TString& token, bool retryable, const NYql::TIssues& issues) + TEvRefreshTokenResponse(bool ok, const TIntrusiveConstPtr<NACLib::TUserToken>& token, bool retryable, const NYql::TIssues& issues) : Authenticated(ok) , InternalToken(token) , Retryable(retryable) diff --git a/ydb/core/grpc_services/local_rate_limiter.cpp b/ydb/core/grpc_services/local_rate_limiter.cpp index 5f4a9c7d1e..fffcbf6bcc 100644 --- a/ydb/core/grpc_services/local_rate_limiter.cpp +++ b/ydb/core/grpc_services/local_rate_limiter.cpp @@ -89,7 +89,7 @@ TActorId RateLimiterAcquireUseSameMailbox( return RateLimiterAcquireUseSameMailbox( std::move(request), reqCtx.GetDatabaseName().GetOrElse(""), - reqCtx.GetInternalToken(), + reqCtx.GetSerializedToken(), std::move(cb), ctx); } diff --git a/ydb/core/grpc_services/local_rpc/local_rpc.h b/ydb/core/grpc_services/local_rpc/local_rpc.h index 7be82d6a5c..8bee988b85 100644 --- a/ydb/core/grpc_services/local_rpc/local_rpc.h +++ b/ydb/core/grpc_services/local_rpc/local_rpc.h @@ -34,8 +34,9 @@ public: : Request(std::forward<TProto>(req)) , CbWrapper(std::forward<TCb>(cb)) , DatabaseName(databaseName) - , InternalToken(token) - {} + { + InternalToken = new NACLib::TUserToken(token); + } bool HasClientCapability(const TString&) const override { return false; @@ -47,10 +48,17 @@ public: return DatabaseName; } - const TString& GetInternalToken() const override { + const TIntrusiveConstPtr<NACLib::TUserToken>& GetInternalToken() const override { return InternalToken; } + const TString& GetSerializedToken() const override { + if (InternalToken) { + return InternalToken->GetSerializedToken(); + } + return EmptySerializedTokenMessage_; + } + const TMaybe<TString> GetPeerMetaValues(const TString&) const override { Y_FAIL("Unimplemented"); return TMaybe<TString>{}; @@ -214,7 +222,8 @@ private: typename TRpc::TRequest Request; TCbWrapper CbWrapper; const TString DatabaseName; - const TString InternalToken; + TIntrusiveConstPtr<NACLib::TUserToken> InternalToken; + const TString EmptySerializedTokenMessage_; NYql::TIssueManager IssueManager; google::protobuf::Arena Arena; diff --git a/ydb/core/grpc_services/rpc_alter_table.cpp b/ydb/core/grpc_services/rpc_alter_table.cpp index 647a3d0e2b..087b95991f 100644 --- a/ydb/core/grpc_services/rpc_alter_table.cpp +++ b/ydb/core/grpc_services/rpc_alter_table.cpp @@ -149,8 +149,8 @@ public: TBase::Bootstrap(ctx); const auto& req = GetProtoRequest(); - if (!Request_->GetInternalToken().empty()) { - UserToken = MakeHolder<NACLib::TUserToken>(Request_->GetInternalToken()); + if (!Request_->GetSerializedToken().empty()) { + UserToken = MakeHolder<NACLib::TUserToken>(Request_->GetSerializedToken()); } auto ops = GetOps(); diff --git a/ydb/core/grpc_services/rpc_calls.cpp b/ydb/core/grpc_services/rpc_calls.cpp index 0dae748213..0bb41f28b6 100644 --- a/ydb/core/grpc_services/rpc_calls.cpp +++ b/ydb/core/grpc_services/rpc_calls.cpp @@ -76,14 +76,14 @@ void RefreshToken(const TString& token, const TString& database, const TActorCon void TRefreshTokenImpl::ReplyUnauthenticated(const TString&) { TActivationContext::Send(new IEventHandle(From_, TActorId(), new TGRpcRequestProxy::TEvRefreshTokenResponse - { false, "", false, IssueManager_.GetIssues()})); + { false, nullptr, false, IssueManager_.GetIssues()})); } void TRefreshTokenImpl::ReplyUnavaliable() { const TActorContext& ctx = TActivationContext::AsActorContext(); ctx.Send(From_, new TGRpcRequestProxy::TEvRefreshTokenResponse - { false, "", true, IssueManager_.GetIssues()}); + { false, nullptr, true, IssueManager_.GetIssues()}); } } // namespace NGRpcService diff --git a/ydb/core/grpc_services/rpc_cms.cpp b/ydb/core/grpc_services/rpc_cms.cpp index 077ff50f3e..73f5f1ac52 100644 --- a/ydb/core/grpc_services/rpc_cms.cpp +++ b/ydb/core/grpc_services/rpc_cms.cpp @@ -73,7 +73,7 @@ private: && this->GetProtoRequest()->operation_params().operation_mode() == Ydb::Operations::OperationParams::SYNC) { auto request = MakeHolder<TEvConsole::TEvNotifyOperationCompletionRequest>(); request->Record.MutableRequest()->set_id(response.operation().id()); - request->Record.SetUserToken(this->Request_->GetInternalToken()); + request->Record.SetUserToken(this->Request_->GetSerializedToken()); NTabletPipe::SendData(ctx, CmsPipe, request.Release()); } else { @@ -139,7 +139,7 @@ private: { auto request = MakeHolder<TCmsRequest>(); request->Record.MutableRequest()->CopyFrom(*this->GetProtoRequest()); - request->Record.SetUserToken(this->Request_->GetInternalToken()); + request->Record.SetUserToken(this->Request_->GetSerializedToken()); NTabletPipe::SendData(ctx, CmsPipe, request.Release()); } }; diff --git a/ydb/core/grpc_services/rpc_common.h b/ydb/core/grpc_services/rpc_common.h index 697cf12324..3044bc5a1d 100644 --- a/ydb/core/grpc_services/rpc_common.h +++ b/ydb/core/grpc_services/rpc_common.h @@ -21,8 +21,8 @@ inline void SetRlPath(TEv& ev, const IRequestCtx& ctx) { template<typename TEv> inline void SetAuthToken(TEv& ev, const IRequestCtx& ctx) { - if (ctx.GetInternalToken()) { - ev->Record.SetUserToken(ctx.GetInternalToken()); + if (ctx.GetSerializedToken()) { + ev->Record.SetUserToken(ctx.GetSerializedToken()); } } diff --git a/ydb/core/grpc_services/rpc_create_session.cpp b/ydb/core/grpc_services/rpc_create_session.cpp index 29e3582248..d2eef86cf5 100644 --- a/ydb/core/grpc_services/rpc_create_session.cpp +++ b/ydb/core/grpc_services/rpc_create_session.cpp @@ -112,7 +112,7 @@ private: Ydb::Table::DeleteSessionResponse>; auto actorId = NRpcService::DoLocalRpcSameMailbox<TEvDeleteSessionRequest>( - std::move(request), std::move(cb), database, Request_->GetInternalToken(), ctx); + std::move(request), std::move(cb), database, Request_->GetSerializedToken(), ctx); LOG_NOTICE_S(*TlsActivationContext, NKikimrServices::GRPC_PROXY, SelfId() << " Client lost, session " << sessionId << " will be closed by " << actorId); diff --git a/ydb/core/grpc_services/rpc_fq.cpp b/ydb/core/grpc_services/rpc_fq.cpp index 1fcbe7ea34..35337e9733 100644 --- a/ydb/core/grpc_services/rpc_fq.cpp +++ b/ydb/core/grpc_services/rpc_fq.cpp @@ -92,7 +92,7 @@ public: return; } - const TString& internalToken = proxyCtx->GetInternalToken(); + const TString& internalToken = proxyCtx->GetSerializedToken(); TVector<TString> permissions; if (internalToken) { NACLib::TUserToken userToken(internalToken); diff --git a/ydb/core/grpc_services/rpc_fq_internal.cpp b/ydb/core/grpc_services/rpc_fq_internal.cpp index 43460de454..f6851bd7cf 100644 --- a/ydb/core/grpc_services/rpc_fq_internal.cpp +++ b/ydb/core/grpc_services/rpc_fq_internal.cpp @@ -46,7 +46,7 @@ public: auto proxyCtx = dynamic_cast<IRequestProxyCtx*>(request); Y_VERIFY(proxyCtx); TString user; - const TString& internalToken = proxyCtx->GetInternalToken(); + const TString& internalToken = proxyCtx->GetSerializedToken(); if (internalToken) { NACLib::TUserToken userToken(internalToken); user = userToken.GetUserSID(); diff --git a/ydb/core/grpc_services/rpc_get_operation.cpp b/ydb/core/grpc_services/rpc_get_operation.cpp index b7d95adce1..86d8c3e0ec 100644 --- a/ydb/core/grpc_services/rpc_get_operation.cpp +++ b/ydb/core/grpc_services/rpc_get_operation.cpp @@ -159,7 +159,7 @@ private: auto request = MakeHolder<NConsole::TEvConsole::TEvGetOperationRequest>(); request->Record.MutableRequest()->set_id(GetProtoRequest()->id()); - request->Record.SetUserToken(Request->GetInternalToken()); + request->Record.SetUserToken(Request->GetSerializedToken()); NTabletPipe::SendData(ctx, PipeActorId_, request.Release()); } diff --git a/ydb/core/grpc_services/rpc_get_shard_locations.cpp b/ydb/core/grpc_services/rpc_get_shard_locations.cpp index 23cff45695..351fd6a004 100644 --- a/ydb/core/grpc_services/rpc_get_shard_locations.cpp +++ b/ydb/core/grpc_services/rpc_get_shard_locations.cpp @@ -118,10 +118,10 @@ private: } bool CheckAccess(TString& errorMessage) { - if (Request->GetInternalToken().empty()) + if (Request->GetSerializedToken().empty()) return true; - NACLib::TUserToken userToken(Request->GetInternalToken()); + NACLib::TUserToken userToken(Request->GetSerializedToken()); // TODO: check describe rights for root? Y_UNUSED(errorMessage); diff --git a/ydb/core/grpc_services/rpc_kh_describe.cpp b/ydb/core/grpc_services/rpc_kh_describe.cpp index 1d9ef5ee41..4f2c59582a 100644 --- a/ydb/core/grpc_services/rpc_kh_describe.cpp +++ b/ydb/core/grpc_services/rpc_kh_describe.cpp @@ -92,7 +92,7 @@ private: auto path = ::NKikimr::SplitPath(table); TMaybe<ui64> tabletId = TryParseLocalDbPath(path); if (tabletId) { - if (Request->GetInternalToken().empty() || !IsSuperUser(NACLib::TUserToken(Request->GetInternalToken()), *AppData(ctx))) { + if (Request->GetSerializedToken().empty() || !IsSuperUser(NACLib::TUserToken(Request->GetSerializedToken()), *AppData(ctx))) { return ReplyWithError(Ydb::StatusIds::NOT_FOUND, "Invalid table path specified", ctx); } @@ -208,10 +208,10 @@ private: } bool CheckAccess(TString& errorMessage) { - if (Request->GetInternalToken().empty()) + if (Request->GetSerializedToken().empty()) return true; - NACLib::TUserToken userToken(Request->GetInternalToken()); + NACLib::TUserToken userToken(Request->GetSerializedToken()); const ui32 access = NACLib::EAccessRights::DescribeSchema; for (const NSchemeCache::TSchemeCacheNavigate::TEntry& entry : ResolveNamesResult->ResultSet) { diff --git a/ydb/core/grpc_services/rpc_kh_snapshots.cpp b/ydb/core/grpc_services/rpc_kh_snapshots.cpp index 433bde8919..818c79e77b 100644 --- a/ydb/core/grpc_services/rpc_kh_snapshots.cpp +++ b/ydb/core/grpc_services/rpc_kh_snapshots.cpp @@ -105,7 +105,7 @@ public: auto req = MakeHolder<TEvTxUserProxy::TEvProposeTransaction>(); req->Record.SetExecTimeoutPeriod(reqTimeout.MilliSeconds()); - auto token = Request_->GetInternalToken(); + auto token = Request_->GetSerializedToken(); if (!token.empty()) { req->Record.SetUserToken(token); } @@ -241,7 +241,7 @@ public: auto req = MakeHolder<TEvTxUserProxy::TEvProposeTransaction>(); req->Record.SetExecTimeoutPeriod(reqTimeout.MilliSeconds()); - auto token = Request_->GetInternalToken(); + auto token = Request_->GetSerializedToken(); if (!token.empty()) { req->Record.SetUserToken(token); } @@ -382,7 +382,7 @@ public: auto req = MakeHolder<TEvTxUserProxy::TEvProposeTransaction>(); req->Record.SetExecTimeoutPeriod(reqTimeout.MilliSeconds()); - auto token = Request_->GetInternalToken(); + auto token = Request_->GetSerializedToken(); if (!token.empty()) { req->Record.SetUserToken(token); } diff --git a/ydb/core/grpc_services/rpc_kqp_base.h b/ydb/core/grpc_services/rpc_kqp_base.h index 5af715dc68..fd3503ea8d 100644 --- a/ydb/core/grpc_services/rpc_kqp_base.h +++ b/ydb/core/grpc_services/rpc_kqp_base.h @@ -14,8 +14,8 @@ namespace NKikimr { namespace NGRpcService { inline void SetAuthToken(NKikimrKqp::TEvQueryRequest& req, const IRequestCtxMtSafe& ctx) { - if (ctx.GetInternalToken()) { - req.SetUserToken(ctx.GetInternalToken()); + if (ctx.GetSerializedToken()) { + req.SetUserToken(ctx.GetSerializedToken()); } } diff --git a/ydb/core/grpc_services/rpc_load_rows.cpp b/ydb/core/grpc_services/rpc_load_rows.cpp index 6e08d6d211..5145405589 100644 --- a/ydb/core/grpc_services/rpc_load_rows.cpp +++ b/ydb/core/grpc_services/rpc_load_rows.cpp @@ -390,10 +390,10 @@ private: } bool CheckAccess(TString& errorMessage) override { - if (Request->GetInternalToken().empty()) + if (Request->GetSerializedToken().empty()) return true; - NACLib::TUserToken userToken(Request->GetInternalToken()); + NACLib::TUserToken userToken(Request->GetSerializedToken()); const ui32 access = NACLib::EAccessRights::UpdateRow; auto resolveResult = GetResolveNameResult(); if (!resolveResult) { @@ -565,10 +565,10 @@ private: } bool CheckAccess(TString& errorMessage) override { - if (Request->GetInternalToken().empty()) + if (Request->GetSerializedToken().empty()) return true; - NACLib::TUserToken userToken(Request->GetInternalToken()); + NACLib::TUserToken userToken(Request->GetSerializedToken()); const ui32 access = NACLib::EAccessRights::UpdateRow; auto resolveResult = GetResolveNameResult(); if (!resolveResult) { diff --git a/ydb/core/grpc_services/rpc_long_tx.cpp b/ydb/core/grpc_services/rpc_long_tx.cpp index a19151fa2c..e511f837c3 100644 --- a/ydb/core/grpc_services/rpc_long_tx.cpp +++ b/ydb/core/grpc_services/rpc_long_tx.cpp @@ -710,7 +710,7 @@ public: explicit TLongTxWriteRPC(std::unique_ptr<IRequestOpCtx> request) : TBase(request->GetDatabaseName().GetOrElse(DatabaseFromDomain(AppData())), TEvLongTxWriteRequest::GetProtoRequest(request)->path(), - request->GetInternalToken(), + request->GetSerializedToken(), TLongTxId(), TEvLongTxWriteRequest::GetProtoRequest(request)->dedup_id()) , Request(std::move(request)) @@ -901,7 +901,7 @@ public: void Bootstrap() { const auto* req = TEvLongTxReadRequest::GetProtoRequest(Request); - if (const TString& internalToken = Request->GetInternalToken()) { + if (const TString& internalToken = Request->GetSerializedToken()) { UserToken.emplace(internalToken); } diff --git a/ydb/core/grpc_services/rpc_read_columns.cpp b/ydb/core/grpc_services/rpc_read_columns.cpp index 76b62e3c69..5f17fd72f0 100644 --- a/ydb/core/grpc_services/rpc_read_columns.cpp +++ b/ydb/core/grpc_services/rpc_read_columns.cpp @@ -141,7 +141,7 @@ private: auto path = ::NKikimr::SplitPath(table); TMaybe<ui64> tabletId = TryParseLocalDbPath(path); if (tabletId) { - if (Request->GetInternalToken().empty() || !IsSuperUser(Request->GetInternalToken(), *AppData(ctx))) { + if (Request->GetSerializedToken().empty() || !IsSuperUser(NACLib::TUserToken(Request->GetSerializedToken()), *AppData(ctx))) { return ReplyWithError(Ydb::StatusIds::NOT_FOUND, "Invalid table path specified", ctx); } @@ -459,10 +459,10 @@ private: } bool CheckAccess(TString& errorMessage) { - if (Request->GetInternalToken().empty()) + if (Request->GetSerializedToken().empty()) return true; - NACLib::TUserToken userToken(Request->GetInternalToken()); + NACLib::TUserToken userToken(Request->GetSerializedToken()); const ui32 access = NACLib::EAccessRights::SelectRow; for (const NSchemeCache::TSchemeCacheNavigate::TEntry& entry : ResolveNamesResult->ResultSet) { diff --git a/ydb/core/grpc_services/rpc_read_table.cpp b/ydb/core/grpc_services/rpc_read_table.cpp index ff38c4fab2..e4a68edbbf 100644 --- a/ydb/core/grpc_services/rpc_read_table.cpp +++ b/ydb/core/grpc_services/rpc_read_table.cpp @@ -500,8 +500,8 @@ private: NKikimr::NTxProxy::TReadTableSettings settings; - if (Request_->GetInternalToken()) { - settings.UserToken = Request_->GetInternalToken(); + if (Request_->GetSerializedToken()) { + settings.UserToken = Request_->GetSerializedToken(); } settings.DatabaseName = CanonizePath(Request_->GetDatabaseName().GetOrElse("")); diff --git a/ydb/core/grpc_services/rpc_request_base.h b/ydb/core/grpc_services/rpc_request_base.h index 71a4bc1cd7..cae948e947 100644 --- a/ydb/core/grpc_services/rpc_request_base.h +++ b/ydb/core/grpc_services/rpc_request_base.h @@ -130,7 +130,7 @@ public: : Request(ev) , DatabaseName(Request->GetDatabaseName().GetOrElse(DatabaseFromDomain(AppData()))) { - if (const auto& userToken = Request->GetInternalToken()) { + if (const auto& userToken = Request->GetSerializedToken()) { UserToken = MakeHolder<NACLib::TUserToken>(userToken); } } diff --git a/ydb/core/grpc_services/rpc_yq.cpp b/ydb/core/grpc_services/rpc_yq.cpp index 213108e544..9823d1028b 100644 --- a/ydb/core/grpc_services/rpc_yq.cpp +++ b/ydb/core/grpc_services/rpc_yq.cpp @@ -96,7 +96,7 @@ public: return; } - const TString& internalToken = proxyCtx->GetInternalToken(); + const TString& internalToken = proxyCtx->GetSerializedToken(); TVector<TString> permissions; if (internalToken) { NACLib::TUserToken userToken(internalToken); diff --git a/ydb/core/kqp/common/kqp.h b/ydb/core/kqp/common/kqp.h index 6140298401..9952808427 100644 --- a/ydb/core/kqp/common/kqp.h +++ b/ydb/core/kqp/common/kqp.h @@ -3,17 +3,17 @@ #include "kqp_event_ids.h" #include <library/cpp/lwtrace/shuttle.h> -#include <ydb/core/kqp/counters/kqp_counters.h> -#include <ydb/core/kqp/query_data/kqp_prepared_query.h> -#include <ydb/public/api/protos/ydb_status_codes.pb.h> -#include <ydb/public/api/protos/draft/ydb_query.pb.h> #include <ydb/core/grpc_services/base/base.h> #include <ydb/core/grpc_services/cancelation/cancelation.h> #include <ydb/core/grpc_services/cancelation/cancelation_event.h> - +#include <ydb/core/kqp/counters/kqp_counters.h> +#include <ydb/core/kqp/query_data/kqp_prepared_query.h> +#include <ydb/library/aclib/aclib.h> #include <ydb/library/yql/dq/actors/dq.h> #include <ydb/library/yql/public/issue/yql_issue.h> +#include <ydb/public/api/protos/ydb_status_codes.pb.h> +#include <ydb/public/api/protos/draft/ydb_query.pb.h> #include <util/generic/guid.h> #include <util/generic/ptr.h> @@ -399,12 +399,17 @@ struct TEvKqp { return Record.GetRequestType(); } - const TString& GetUserToken() const { + const TIntrusiveConstPtr<NACLib::TUserToken>& GetUserToken() const { if (RequestCtx && RequestCtx->GetInternalToken()) { return RequestCtx->GetInternalToken(); } - return Record.GetUserToken(); + if (Token_) { + return Token_; + } + + Token_ = new NACLib::TUserToken(Record.GetUserToken()); + return Token_; } const ::google::protobuf::Map<TProtoStringType, ::Ydb::TypedValue>& GetYdbParameters() const { @@ -490,6 +495,7 @@ struct TEvKqp { mutable std::shared_ptr<NGRpcService::IRequestCtxMtSafe> RequestCtx; mutable TString TraceId; mutable TString RequestType; + mutable TIntrusiveConstPtr<NACLib::TUserToken> Token_; TString Database; TString SessionId; TString YqlText; @@ -661,7 +667,7 @@ struct TEvKqp { NKikimrKqp::TEvPingSessionResponse, TKqpEvents::EvPingSessionResponse> {}; struct TEvCompileRequest : public TEventLocal<TEvCompileRequest, TKqpEvents::EvCompileRequest> { - TEvCompileRequest(const TString& userToken, const TMaybe<TString>& uid, TMaybe<TKqpQueryId>&& query, + TEvCompileRequest(const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TMaybe<TString>& uid, TMaybe<TKqpQueryId>&& query, bool keepInCache, TInstant deadline, TKqpDbCountersPtr dbCounters, NLWTrace::TOrbit orbit = {}) : UserToken(userToken) , Uid(uid) @@ -674,7 +680,7 @@ struct TEvKqp { Y_ENSURE(Uid.Defined() != Query.Defined()); } - TString UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TMaybe<TString> Uid; TMaybe<TKqpQueryId> Query; bool KeepInCache = false; @@ -687,7 +693,7 @@ struct TEvKqp { }; struct TEvRecompileRequest : public TEventLocal<TEvRecompileRequest, TKqpEvents::EvRecompileRequest> { - TEvRecompileRequest(const TString& userToken, const TString& uid, const TMaybe<TKqpQueryId>& query, + TEvRecompileRequest(const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TString& uid, const TMaybe<TKqpQueryId>& query, TInstant deadline, TKqpDbCountersPtr dbCounters, NLWTrace::TOrbit orbit = {}) : UserToken(userToken) , Uid(uid) @@ -696,7 +702,7 @@ struct TEvKqp { , DbCounters(dbCounters) , Orbit(std::move(orbit)) {} - TString UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TString Uid; TMaybe<TKqpQueryId> Query; diff --git a/ydb/core/kqp/common/kqp_event_impl.cpp b/ydb/core/kqp/common/kqp_event_impl.cpp index 89b8102373..6a2dd868cc 100644 --- a/ydb/core/kqp/common/kqp_event_impl.cpp +++ b/ydb/core/kqp/common/kqp_event_impl.cpp @@ -42,8 +42,8 @@ TEvKqp::TEvQueryRequest::TEvQueryRequest( void TEvKqp::TEvQueryRequest::PrepareRemote() const { if (RequestCtx) { - if (RequestCtx->GetInternalToken()) { - Record.SetUserToken(RequestCtx->GetInternalToken()); + if (RequestCtx->GetSerializedToken()) { + Record.SetUserToken(RequestCtx->GetSerializedToken()); } Record.MutableRequest()->SetDatabase(Database); diff --git a/ydb/core/kqp/compile_service/kqp_compile_actor.cpp b/ydb/core/kqp/compile_service/kqp_compile_actor.cpp index ce503ca9d9..2c688d08f7 100644 --- a/ydb/core/kqp/compile_service/kqp_compile_actor.cpp +++ b/ydb/core/kqp/compile_service/kqp_compile_actor.cpp @@ -42,7 +42,8 @@ public: TKqpCompileActor(const TActorId& owner, const TKqpSettings::TConstPtr& kqpSettings, const TTableServiceConfig& serviceConfig, TIntrusivePtr<TModuleResolverState> moduleResolverState, - TIntrusivePtr<TKqpCounters> counters, const TString& uid, const TKqpQueryId& query, const TString& userToken, + TIntrusivePtr<TKqpCounters> counters, const TString& uid, const TKqpQueryId& query, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpDbCountersPtr dbCounters, NWilson::TTraceId traceId) : Owner(owner) , ModuleResolverState(moduleResolverState) @@ -314,7 +315,7 @@ private: TIntrusivePtr<TKqpCounters> Counters; TString Uid; TKqpQueryId Query; - TString UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TKqpDbCountersPtr DbCounters; TKikimrConfiguration::TPtr Config; TDuration CompilationTimeout; @@ -348,7 +349,7 @@ void ApplyServiceConfig(TKikimrConfiguration& kqpConfig, const TTableServiceConf IActor* CreateKqpCompileActor(const TActorId& owner, const TKqpSettings::TConstPtr& kqpSettings, const TTableServiceConfig& serviceConfig, TIntrusivePtr<TModuleResolverState> moduleResolverState, - TIntrusivePtr<TKqpCounters> counters, const TString& uid, const TKqpQueryId& query, const TString& userToken, + TIntrusivePtr<TKqpCounters> counters, const TString& uid, const TKqpQueryId& query, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpDbCountersPtr dbCounters, NWilson::TTraceId traceId) { return new TKqpCompileActor(owner, kqpSettings, serviceConfig, moduleResolverState, counters, uid, diff --git a/ydb/core/kqp/compile_service/kqp_compile_request.cpp b/ydb/core/kqp/compile_service/kqp_compile_request.cpp index d8d28b37f2..5e58e2bb2c 100644 --- a/ydb/core/kqp/compile_service/kqp_compile_request.cpp +++ b/ydb/core/kqp/compile_service/kqp_compile_request.cpp @@ -29,7 +29,7 @@ public: return NKikimrServices::TActivity::KQP_COMPILE_REQUEST; } - TKqpCompileRequestActor(const TActorId& owner, const TString& userToken, const TMaybe<TString>& uid, + TKqpCompileRequestActor(const TActorId& owner, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TMaybe<TString>& uid, TMaybe<TKqpQueryId>&& query, bool keepInCache, const TInstant& deadline, TKqpDbCountersPtr dbCounters, NLWTrace::TOrbit orbit, NWilson::TTraceId traceId) : Owner(owner) @@ -188,8 +188,8 @@ private: auto navigate = MakeHolder<TSchemeCacheNavigate>(); navigate->DatabaseName = database; - if (!UserToken.empty()) { - navigate->UserToken = new NACLib::TUserToken(UserToken); + if (UserToken && !UserToken->GetSerializedToken().empty()) { + navigate->UserToken = UserToken; } for (const auto& [tableId, _] : TableVersions) { @@ -306,7 +306,7 @@ private: private: TActorId Owner; - TString UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TMaybe<TString> Uid; TMaybe<TKqpQueryId> Query; bool KeepInCache = false; @@ -314,13 +314,12 @@ private: TKqpDbCountersPtr DbCounters; THashMap<TTableId, ui64> TableVersions; THolder<TEvKqp::TEvCompileResponse> DeferredResponse; - NLWTrace::TOrbit Orbit; NWilson::TSpan CompileRequestSpan; }; -IActor* CreateKqpCompileRequestActor(const TActorId& owner, const TString& userToken, const TMaybe<TString>& uid, +IActor* CreateKqpCompileRequestActor(const TActorId& owner, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TMaybe<TString>& uid, TMaybe<TKqpQueryId>&& query, bool keepInCache, const TInstant& deadline, TKqpDbCountersPtr dbCounters, NLWTrace::TOrbit orbit, NWilson::TTraceId traceId) { diff --git a/ydb/core/kqp/compile_service/kqp_compile_service.cpp b/ydb/core/kqp/compile_service/kqp_compile_service.cpp index 1ebbade8db..943fcc90b2 100644 --- a/ydb/core/kqp/compile_service/kqp_compile_service.cpp +++ b/ydb/core/kqp/compile_service/kqp_compile_service.cpp @@ -177,7 +177,7 @@ private: struct TKqpCompileRequest { TKqpCompileRequest(const TActorId& sender, const TString& uid, TKqpQueryId query, bool keepInCache, - const TString& userToken, const TInstant& deadline, TKqpDbCountersPtr dbCounters, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TInstant& deadline, TKqpDbCountersPtr dbCounters, NLWTrace::TOrbit orbit = {}, NWilson::TSpan span = {}) : Sender(sender) , Query(std::move(query)) @@ -193,7 +193,7 @@ struct TKqpCompileRequest { TKqpQueryId Query; TString Uid; bool KeepInCache = false; - TString UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TInstant Deadline; TKqpDbCountersPtr DbCounters; TActorId CompileActor; @@ -432,7 +432,7 @@ private: *Counters->CompileQueryCacheSize = QueryCache.Size(); *Counters->CompileQueryCacheBytes = QueryCache.Bytes(); - auto userSid = NACLib::TUserToken(request.UserToken).GetUserSID(); + auto userSid = request.UserToken->GetUserSID(); auto dbCounters = request.DbCounters; if (request.Uid) { diff --git a/ydb/core/kqp/compile_service/kqp_compile_service.h b/ydb/core/kqp/compile_service/kqp_compile_service.h index 2e10c4b6e5..cc5d1acb9c 100644 --- a/ydb/core/kqp/compile_service/kqp_compile_service.h +++ b/ydb/core/kqp/compile_service/kqp_compile_service.h @@ -12,10 +12,11 @@ IActor* CreateKqpCompileService(const NKikimrConfig::TTableServiceConfig& servic IActor* CreateKqpCompileActor(const TActorId& owner, const TKqpSettings::TConstPtr& kqpSettings, const NKikimrConfig::TTableServiceConfig& serviceConfig, TIntrusivePtr<TModuleResolverState> moduleResolverState, - TIntrusivePtr<TKqpCounters> counters, const TString& uid, const TKqpQueryId& query, const TString& userToken, + TIntrusivePtr<TKqpCounters> counters, const TString& uid, const TKqpQueryId& query, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpDbCountersPtr dbCounters, NWilson::TTraceId traceId = {}); -IActor* CreateKqpCompileRequestActor(const TActorId& owner, const TString& userToken, const TMaybe<TString>& uid, +IActor* CreateKqpCompileRequestActor(const TActorId& owner, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TMaybe<TString>& uid, TMaybe<TKqpQueryId>&& query, bool keepInCache, const TInstant& deadline, TKqpDbCountersPtr dbCounters, NLWTrace::TOrbit orbit = {}, NWilson::TTraceId = {}); diff --git a/ydb/core/kqp/executer_actor/kqp_data_executer.cpp b/ydb/core/kqp/executer_actor/kqp_data_executer.cpp index 96d07a145c..525eb24a11 100644 --- a/ydb/core/kqp/executer_actor/kqp_data_executer.cpp +++ b/ydb/core/kqp/executer_actor/kqp_data_executer.cpp @@ -123,7 +123,8 @@ public: return NKikimrServices::TActivity::KQP_DATA_EXECUTER_ACTOR; } - TKqpDataExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, const TMaybe<TString>& userToken, + TKqpDataExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, bool streamResult, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig) : TBase(std::move(request), database, userToken, counters, executerRetriesConfig, TWilsonKqp::DataExecuter, "DataExecuter") @@ -2176,7 +2177,7 @@ private: } Planner = CreateKqpPlanner(TxId, SelfId(), {}, std::move(tasksPerNode), Request.Snapshot, - Database, Nothing(), Deadline.GetOrElse(TInstant::Zero()), Request.StatsMode, + Database, UserToken, Deadline.GetOrElse(TInstant::Zero()), Request.StatsMode, Request.DisableLlvmForUdfStages, Request.LlvmEnabled, false, Nothing(), ExecuterSpan, {}, ExecuterRetriesConfig); Planner->ProcessTasksForDataExecuter(); @@ -2494,7 +2495,7 @@ private: } // namespace -IActor* CreateKqpDataExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, const TMaybe<TString>& userToken, +IActor* CreateKqpDataExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, bool streamResult, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig) { return new TKqpDataExecuter(std::move(request), database, userToken, counters, streamResult, executerRetriesConfig); diff --git a/ydb/core/kqp/executer_actor/kqp_executer.h b/ydb/core/kqp/executer_actor/kqp_executer.h index 62c087af63..3057d48236 100644 --- a/ydb/core/kqp/executer_actor/kqp_executer.h +++ b/ydb/core/kqp/executer_actor/kqp_executer.h @@ -84,7 +84,7 @@ struct TEvKqpExecuter { }; IActor* CreateKqpExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, - const TMaybe<TString>& userToken, TKqpRequestCounters::TPtr counters, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, const NKikimrConfig::TTableServiceConfig::TAggregationConfig& aggregation, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig); diff --git a/ydb/core/kqp/executer_actor/kqp_executer_impl.cpp b/ydb/core/kqp/executer_actor/kqp_executer_impl.cpp index 8fd996bb44..ee789ce294 100644 --- a/ydb/core/kqp/executer_actor/kqp_executer_impl.cpp +++ b/ydb/core/kqp/executer_actor/kqp_executer_impl.cpp @@ -131,7 +131,8 @@ TActorId ReportToRl(ui64 ru, const TString& database, const TString& userToken, //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// IActor* CreateKqpExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, - const TMaybe<TString>& userToken, TKqpRequestCounters::TPtr counters, const NKikimrConfig::TTableServiceConfig::TAggregationConfig& aggregation, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, + const NKikimrConfig::TTableServiceConfig::TAggregationConfig& aggregation, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig) { if (request.Transactions.empty()) { diff --git a/ydb/core/kqp/executer_actor/kqp_executer_impl.h b/ydb/core/kqp/executer_actor/kqp_executer_impl.h index 6446cde48b..173c166561 100644 --- a/ydb/core/kqp/executer_actor/kqp_executer_impl.h +++ b/ydb/core/kqp/executer_actor/kqp_executer_impl.h @@ -106,7 +106,8 @@ protected: }; public: - TKqpExecuterBase(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, const TMaybe<TString>& userToken, + TKqpExecuterBase(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig, ui64 spanVerbosity = 0, TString spanName = "no_name") @@ -617,8 +618,7 @@ protected: } if (Request.RlPath) { - auto actorId = ReportToRl(ru, Database, UserToken.GetOrElse(""), - Request.RlPath.GetRef()); + auto actorId = ReportToRl(ru, Database, UserToken->GetSerializedToken(), Request.RlPath.GetRef()); LOG_D("Resource usage for last stat interval: " << consumption << " ru: " << ru << " rl path: " << Request.RlPath.GetRef() @@ -1136,7 +1136,7 @@ protected: protected: IKqpGateway::TExecPhysicalRequest Request; const TString Database; - const TMaybe<TString> UserToken; + const TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TKqpRequestCounters::TPtr Counters; std::unique_ptr<TQueryExecutionStats> Stats; TInstant StartTime; @@ -1180,14 +1180,12 @@ private: //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -IActor* CreateKqpLiteralExecuter(IKqpGateway::TExecPhysicalRequest&& request, TKqpRequestCounters::TPtr counters); - IActor* CreateKqpDataExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, - const TMaybe<TString>& userToken, TKqpRequestCounters::TPtr counters, bool streamResult, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, bool streamResult, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig); IActor* CreateKqpScanExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, - const TMaybe<TString>& userToken, TKqpRequestCounters::TPtr counters, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, const NKikimrConfig::TTableServiceConfig::TAggregationConfig& aggregation, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig); diff --git a/ydb/core/kqp/executer_actor/kqp_planner.cpp b/ydb/core/kqp/executer_actor/kqp_planner.cpp index bdedcd082a..0080a0f090 100644 --- a/ydb/core/kqp/executer_actor/kqp_planner.cpp +++ b/ydb/core/kqp/executer_actor/kqp_planner.cpp @@ -25,7 +25,7 @@ constexpr ui32 MAX_NON_PARALLEL_TASKS_EXECUTION_LIMIT = 4; TKqpPlanner::TKqpPlanner(ui64 txId, const TActorId& executer, TVector<NDqProto::TDqTask>&& computeTasks, THashMap<ui64, TVector<NDqProto::TDqTask>>&& mainTasksPerNode, const IKqpGateway::TKqpSnapshot& snapshot, - const TString& database, const TMaybe<TString>& userToken, TInstant deadline, + const TString& database, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TInstant deadline, const Ydb::Table::QueryStatsCollection::Mode& statsMode, bool disableLlvmForUdfStages, bool enableLlvm, bool withSpilling, const TMaybe<NKikimrKqp::TRlPath>& rlPath, NWilson::TSpan& executerSpan, TVector<NKikimrKqp::TKqpNodeResources>&& resourcesSnapshot, @@ -373,7 +373,7 @@ void TKqpPlanner::PrepareKqpNodeRequest(NKikimrKqp::TEvStartKqpTasksRequest& req rlPath->SetResourcePath(RlPath->GetResourcePath()); rlPath->SetDatabase(Database); if (UserToken) - rlPath->SetToken(UserToken.GetRef()); + rlPath->SetToken(UserToken->GetSerializedToken()); } request.SetStartAllOrFail(true); @@ -461,7 +461,7 @@ void TKqpPlanner::AddSnapshotInfoToTaskInputs(NYql::NDqProto::TDqTask& task) { //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// std::unique_ptr<TKqpPlanner> CreateKqpPlanner(ui64 txId, const TActorId& executer, TVector<NYql::NDqProto::TDqTask>&& tasks, THashMap<ui64, TVector<NYql::NDqProto::TDqTask>>&& mainTasksPerNode, const IKqpGateway::TKqpSnapshot& snapshot, - const TString& database, const TMaybe<TString>& userToken, TInstant deadline, + const TString& database, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TInstant deadline, const Ydb::Table::QueryStatsCollection::Mode& statsMode, bool disableLlvmForUdfStages, bool enableLlvm, bool withSpilling, const TMaybe<NKikimrKqp::TRlPath>& rlPath, NWilson::TSpan& executerSpan, TVector<NKikimrKqp::TKqpNodeResources>&& resourcesSnapshot, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig) diff --git a/ydb/core/kqp/executer_actor/kqp_planner.h b/ydb/core/kqp/executer_actor/kqp_planner.h index 025a0dcbff..a7e452c0af 100644 --- a/ydb/core/kqp/executer_actor/kqp_planner.h +++ b/ydb/core/kqp/executer_actor/kqp_planner.h @@ -28,7 +28,7 @@ class TKqpPlanner { public: TKqpPlanner(ui64 txId, const TActorId& executer, TVector<NYql::NDqProto::TDqTask>&& tasks, THashMap<ui64, TVector<NYql::NDqProto::TDqTask>>&& scanTasks, const IKqpGateway::TKqpSnapshot& snapshot, - const TString& database, const TMaybe<TString>& userToken, TInstant deadline, + const TString& database, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TInstant deadline, const Ydb::Table::QueryStatsCollection::Mode& statsMode, bool disableLlvmForUdfStages, bool enableLlvm, bool withSpilling, const TMaybe<NKikimrKqp::TRlPath>& rlPath, NWilson::TSpan& ExecuterSpan, TVector<NKikimrKqp::TKqpNodeResources>&& resourcesSnapshot, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig); @@ -60,7 +60,7 @@ private: THashMap<ui64, TVector<NYql::NDqProto::TDqTask>> MainTasksPerNode; const IKqpGateway::TKqpSnapshot Snapshot; TString Database; - const TMaybe<TString> UserToken; + const TIntrusiveConstPtr<NACLib::TUserToken> UserToken; const TInstant Deadline; const Ydb::Table::QueryStatsCollection::Mode StatsMode; const bool DisableLlvmForUdfStages; @@ -78,7 +78,7 @@ private: std::unique_ptr<TKqpPlanner> CreateKqpPlanner(ui64 txId, const TActorId& executer, TVector<NYql::NDqProto::TDqTask>&& tasks, THashMap<ui64, TVector<NYql::NDqProto::TDqTask>>&& scanTasks, const IKqpGateway::TKqpSnapshot& snapshot, - const TString& database, const TMaybe<TString>& userToken, TInstant deadline, + const TString& database, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TInstant deadline, const Ydb::Table::QueryStatsCollection::Mode& statsMode, bool disableLlvmForUdfStages, bool enableLlvm, bool withSpilling, const TMaybe<NKikimrKqp::TRlPath>& rlPath, NWilson::TSpan& executerSpan, TVector<NKikimrKqp::TKqpNodeResources>&& resourcesSnapshot, diff --git a/ydb/core/kqp/executer_actor/kqp_scan_executer.cpp b/ydb/core/kqp/executer_actor/kqp_scan_executer.cpp index a774315008..84ba7866ab 100644 --- a/ydb/core/kqp/executer_actor/kqp_scan_executer.cpp +++ b/ydb/core/kqp/executer_actor/kqp_scan_executer.cpp @@ -68,7 +68,7 @@ public: } TKqpScanExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, - const TMaybe<TString>& userToken, TKqpRequestCounters::TPtr counters, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, const NKikimrConfig::TTableServiceConfig::TAggregationConfig& aggregation, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig) : TBase(std::move(request), database, userToken, counters, executerRetriesConfig, TWilsonKqp::ScanExecuter, "ScanExecuter") @@ -797,7 +797,7 @@ private: } // namespace IActor* CreateKqpScanExecuter(IKqpGateway::TExecPhysicalRequest&& request, const TString& database, - const TMaybe<TString>& userToken, TKqpRequestCounters::TPtr counters, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TKqpRequestCounters::TPtr counters, const NKikimrConfig::TTableServiceConfig::TAggregationConfig& aggregation, const NKikimrConfig::TTableServiceConfig::TExecuterRetriesConfig& executerRetriesConfig) { diff --git a/ydb/core/kqp/executer_actor/kqp_table_resolver.cpp b/ydb/core/kqp/executer_actor/kqp_table_resolver.cpp index f9dabdf25c..a743b17c28 100644 --- a/ydb/core/kqp/executer_actor/kqp_table_resolver.cpp +++ b/ydb/core/kqp/executer_actor/kqp_table_resolver.cpp @@ -25,7 +25,8 @@ public: return NKikimrServices::TActivity::KQP_TABLE_RESOLVER; } - TKqpTableResolver(const TActorId& owner, ui64 txId, TMaybe<TString> userToken, + TKqpTableResolver(const TActorId& owner, ui64 txId, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TVector<IKqpGateway::TPhysicalTxData>& transactions, TKqpTableKeys& tableKeys, TKqpTasksGraph& tasksGraph) : Owner(owner) @@ -268,8 +269,8 @@ private: auto requestNavigate = std::make_unique<NSchemeCache::TSchemeCacheNavigate>(); auto request = MakeHolder<NSchemeCache::TSchemeCacheRequest>(); request->ResultSet.reserve(TasksGraph.GetStagesInfo().size()); - if (UserToken) { - request->UserToken = new NACLib::TUserToken(*UserToken); + if (UserToken && !UserToken->GetSerializedToken().empty()) { + request->UserToken = UserToken; } for (auto& pair : TasksGraph.GetStagesInfo()) { @@ -370,7 +371,7 @@ private: private: const TActorId Owner; const ui64 TxId; - const TMaybe<TString> UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; const TVector<IKqpGateway::TPhysicalTxData>& Transactions; TKqpTableKeys& TableKeys; THashSet<TTableId> TableRequestIds; @@ -387,7 +388,8 @@ private: } // anonymous namespace -NActors::IActor* CreateKqpTableResolver(const TActorId& owner, ui64 txId, TMaybe<TString> userToken, +NActors::IActor* CreateKqpTableResolver(const TActorId& owner, ui64 txId, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TVector<IKqpGateway::TPhysicalTxData>& transactions, TKqpTableKeys& tableKeys, TKqpTasksGraph& tasksGraph) { return new TKqpTableResolver(owner, txId, userToken, transactions, tableKeys, tasksGraph); } diff --git a/ydb/core/kqp/executer_actor/kqp_table_resolver.h b/ydb/core/kqp/executer_actor/kqp_table_resolver.h index e9618cf41d..0fbb152a5b 100644 --- a/ydb/core/kqp/executer_actor/kqp_table_resolver.h +++ b/ydb/core/kqp/executer_actor/kqp_table_resolver.h @@ -4,7 +4,8 @@ namespace NKikimr::NKqp { -NActors::IActor* CreateKqpTableResolver(const TActorId& owner, ui64 txId, TMaybe<TString> userToken, +NActors::IActor* CreateKqpTableResolver(const TActorId& owner, ui64 txId, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, const TVector<IKqpGateway::TPhysicalTxData>& transactions, TKqpTableKeys& tableKeys, TKqpTasksGraph& tasksGraph); } // namespace NKikimr::NKqp diff --git a/ydb/core/kqp/gateway/kqp_ic_gateway.cpp b/ydb/core/kqp/gateway/kqp_ic_gateway.cpp index 542c2242b9..1219b2d378 100644 --- a/ydb/core/kqp/gateway/kqp_ic_gateway.cpp +++ b/ydb/core/kqp/gateway/kqp_ic_gateway.cpp @@ -748,14 +748,6 @@ namespace { class TKikimrIcGateway : public IKqpGateway { private: - struct TUserTokenData { - TString Serialized; - NACLib::TUserToken Data; - - TUserTokenData(const TString& serialized) - : Serialized(serialized) - , Data(serialized) {} - }; using TNavigate = NSchemeCache::TSchemeCacheNavigate; public: @@ -786,11 +778,9 @@ public: return {}; } - void SetToken(const TString& cluster, const TString& token) override { + void SetToken(const TString& cluster, const TIntrusiveConstPtr<NACLib::TUserToken>& token) override { YQL_ENSURE(cluster == Cluster); - if (!token.empty()) { - UserToken = TUserTokenData(token); - } + UserToken = token; } TVector<TString> GetCollectedSchemeData() override { @@ -798,7 +788,7 @@ public: } TString GetTokenCompat() const { - return UserToken ? UserToken->Serialized : TString(); + return UserToken ? UserToken->GetSerializedToken() : TString(); } TFuture<TListPathResult> ListPath(const TString& cluster, const TString &path) override { @@ -812,7 +802,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& describePath = *ev->Record.MutableDescribePath(); describePath.SetPath(CanonizePath(path)); @@ -847,11 +837,8 @@ public: if (!CheckCluster(cluster)) { return InvalidCluster<TTableMetadataResult>(cluster); } - if (UserToken) { - return MetadataLoader->LoadTableMetadata(cluster, table, settings, Database, UserToken->Data); - } else { - return MetadataLoader->LoadTableMetadata(cluster, table, settings, Database, Nothing()); - } + + return MetadataLoader->LoadTableMetadata(cluster, table, settings, Database, UserToken); } catch (yexception& e) { return MakeFuture(ResultFromException<TTableMetadataResult>(e)); @@ -907,7 +894,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -997,7 +984,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -1054,7 +1041,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetOperationType(NKikimrSchemeOp::ESchemeOpMoveTable); @@ -1118,7 +1105,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -1154,7 +1141,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -1195,7 +1182,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -1231,7 +1218,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -1267,7 +1254,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -1308,7 +1295,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); @@ -1342,7 +1329,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(database); @@ -1388,7 +1375,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(pathPair.first); @@ -1429,7 +1416,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(Database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); @@ -1463,7 +1450,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(database); @@ -1506,7 +1493,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(database); @@ -1546,12 +1533,8 @@ public: ui32 GetNodeId() const { return Owner.NodeId; } - TMaybe<NACLib::TUserToken> GetUserToken() const { - if (Owner.UserToken) { - return Owner.UserToken->Data; - } else { - return {}; - } + TIntrusiveConstPtr<NACLib::TUserToken> GetUserToken() const { + return Owner.UserToken; } public: IObjectModifier(TKikimrIcGateway& owner) @@ -1666,7 +1649,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(database); @@ -1716,7 +1699,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(database); @@ -1798,7 +1781,7 @@ public: auto ev = MakeHolder<TRequest>(); ev->Record.SetDatabaseName(database); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme(); schemeTx.SetWorkingDir(database); @@ -1865,7 +1848,7 @@ public: auto ev = MakeHolder<TRequest>(); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } ev->Record.MutableRequest()->SetDatabase(Database); @@ -1897,7 +1880,7 @@ public: auto ev = MakeHolder<TRequest>(); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } ev->Record.MutableRequest()->SetDatabase(Database); @@ -1932,7 +1915,7 @@ public: auto ev = MakeHolder<TRequest>(); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } ev->Record.MutableRequest()->SetDatabase(Database); @@ -1962,7 +1945,7 @@ public: auto ev = MakeHolder<TRequest>(); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } ev->Record.MutableRequest()->SetDatabase(Database); @@ -1990,7 +1973,7 @@ public: auto ev = MakeHolder<TRequest>(); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } ev->Record.MutableRequest()->SetDatabase(Database); @@ -2023,7 +2006,7 @@ public: auto ev = MakeHolder<TRequest>(); if (UserToken) { - ev->Record.SetUserToken(UserToken->Serialized); + ev->Record.SetUserToken(UserToken->GetSerializedToken()); } ev->Record.MutableRequest()->SetDatabase(Database); @@ -2634,7 +2617,7 @@ private: ui32 NodeId; TKqpRequestCounters::TPtr Counters; TAlignedPagePoolCounters AllocCounters; - TMaybe<TUserTokenData> UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; std::shared_ptr<IKqpTableMetadataLoader> MetadataLoader; }; diff --git a/ydb/core/kqp/gateway/kqp_metadata_loader.cpp b/ydb/core/kqp/gateway/kqp_metadata_loader.cpp index adadd1a857..58b896ecf2 100644 --- a/ydb/core/kqp/gateway/kqp_metadata_loader.cpp +++ b/ydb/core/kqp/gateway/kqp_metadata_loader.cpp @@ -220,7 +220,8 @@ void TKqpTableMetadataLoader::OnLoadedTableMetadata(TTableMetadataResult& loadTa NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadTableMetadata(const TString& cluster, const TString& table, - const NYql::IKikimrGateway::TLoadTableMetadataSettings& settings, const TString& database, const TMaybe<NACLib::TUserToken>& userToken) + const NYql::IKikimrGateway::TLoadTableMetadataSettings& settings, const TString& database, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken) { using TResult = TTableMetadataResult; @@ -258,7 +259,9 @@ NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadTableMeta } NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadIndexMetadata( - TTableMetadataResult& loadTableMetadataResult, const TString& database, const TMaybe<NACLib::TUserToken>& userToken) { + TTableMetadataResult& loadTableMetadataResult, const TString& database, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken) +{ auto tableMetadata = loadTableMetadataResult.Metadata; YQL_ENSURE(tableMetadata); @@ -333,7 +336,8 @@ NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadIndexMeta } NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadIndexMetadataByPathId( - const TString& cluster, const TIndexId& indexId, const TString& tableName, const TString& database, const TMaybe<NACLib::TUserToken>& userToken) + const TString& cluster, const TIndexId& indexId, const TString& tableName, const TString& database, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken) { using TResult = TTableMetadataResult; @@ -372,8 +376,10 @@ NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadIndexMeta // The type is TString or std::pair<TIndexId, TString> template<typename TPath> -NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadTableMetadataCache(const TString& cluster, const TPath& id, - TLoadTableMetadataSettings settings, const TString& database, const TMaybe<NACLib::TUserToken>& userToken) +NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadTableMetadataCache( + const TString& cluster, const TPath& id, + TLoadTableMetadataSettings settings, const TString& database, + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken) { using TRequest = TEvTxProxySchemeCache::TEvNavigateKeySet; using TResponse = TEvTxProxySchemeCache::TEvNavigateKeySetResult; @@ -391,8 +397,8 @@ NThreading::TFuture<TTableMetadataResult> TKqpTableMetadataLoader::LoadTableMeta const TString& table = entry.second; navigate->DatabaseName = database; - if (userToken) { - navigate->UserToken = new NACLib::TUserToken(*userToken); + if (userToken && !userToken->GetSerializedToken().empty()) { + navigate->UserToken = userToken; } auto ev = MakeHolder<TRequest>(navigate.Release()); diff --git a/ydb/core/kqp/gateway/kqp_metadata_loader.h b/ydb/core/kqp/gateway/kqp_metadata_loader.h index 25447f2825..8f6b1b4b06 100644 --- a/ydb/core/kqp/gateway/kqp_metadata_loader.h +++ b/ydb/core/kqp/gateway/kqp_metadata_loader.h @@ -21,7 +21,7 @@ public: NThreading::TFuture<NYql::IKikimrGateway::TTableMetadataResult> LoadTableMetadata( const TString& cluster, const TString& table, const NYql::IKikimrGateway::TLoadTableMetadataSettings& settings, const TString& database, - const TMaybe<NACLib::TUserToken>& userToken); + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken); TVector<TString> GetCollectedSchemeData(); @@ -37,15 +37,15 @@ private: template<typename TPath> NThreading::TFuture<NYql::IKikimrGateway::TTableMetadataResult> LoadTableMetadataCache( const TString& cluster, const TPath& id, NYql::IKikimrGateway::TLoadTableMetadataSettings settings, const TString& database, - const TMaybe<NACLib::TUserToken>& userToken); + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken); NThreading::TFuture<NYql::IKikimrGateway::TTableMetadataResult> LoadIndexMetadataByPathId( const TString& cluster, const NKikimr::TIndexId& indexId, const TString& tableName, const TString& database, - const TMaybe<NACLib::TUserToken>& userToken); + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken); NThreading::TFuture<NYql::IKikimrGateway::TTableMetadataResult> LoadIndexMetadata( NYql::IKikimrGateway::TTableMetadataResult& loadTableMetadataResult, const TString& database, - const TMaybe<NACLib::TUserToken>& userToken); + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken); void OnLoadedTableMetadata(NYql::IKikimrGateway::TTableMetadataResult& loadTableMetadataResult); diff --git a/ydb/core/kqp/provider/yql_kikimr_datasource.cpp b/ydb/core/kqp/provider/yql_kikimr_datasource.cpp index a7fa7d44dc..2cb1b0e38c 100644 --- a/ydb/core/kqp/provider/yql_kikimr_datasource.cpp +++ b/ydb/core/kqp/provider/yql_kikimr_datasource.cpp @@ -341,8 +341,9 @@ public: token = credential->Content; } + TIntrusiveConstPtr<NACLib::TUserToken> tokenPtr = new NACLib::TUserToken(token); if (!token.empty()) { - Gateway->SetToken(cluster, token); + Gateway->SetToken(cluster, tokenPtr); } } diff --git a/ydb/core/kqp/provider/yql_kikimr_gateway.h b/ydb/core/kqp/provider/yql_kikimr_gateway.h index 19820705fc..f46147b1d0 100644 --- a/ydb/core/kqp/provider/yql_kikimr_gateway.h +++ b/ydb/core/kqp/provider/yql_kikimr_gateway.h @@ -636,7 +636,7 @@ public: public: virtual NThreading::TFuture<TTableMetadataResult> LoadTableMetadata( const TString& cluster, const TString& table, const TLoadTableMetadataSettings& settings, const TString& database, - const TMaybe<NACLib::TUserToken>& userToken) = 0; + const TIntrusiveConstPtr<NACLib::TUserToken>& userToken) = 0; virtual TVector<TString> GetCollectedSchemeData() = 0; @@ -649,7 +649,7 @@ public: virtual TString GetDefaultCluster() = 0; virtual TMaybe<TString> GetSetting(const TString& cluster, const TString& name) = 0; - virtual void SetToken(const TString& cluster, const TString& token) = 0; + virtual void SetToken(const TString& cluster, const TIntrusiveConstPtr<NACLib::TUserToken>& token) = 0; virtual NThreading::TFuture<TListPathResult> ListPath(const TString& cluster, const TString& path) = 0; diff --git a/ydb/core/kqp/session_actor/kqp_session_actor.cpp b/ydb/core/kqp/session_actor/kqp_session_actor.cpp index 8d738d35a4..00b9c4dfc5 100644 --- a/ydb/core/kqp/session_actor/kqp_session_actor.cpp +++ b/ydb/core/kqp/session_actor/kqp_session_actor.cpp @@ -89,7 +89,7 @@ struct TKqpQueryState { NKqpProto::TKqpStatsQuery Stats; bool KeepSession = false; - TString UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; NLWTrace::TOrbit Orbit; NWilson::TSpan KqpSessionSpan; @@ -601,7 +601,7 @@ public: navigate->DatabaseName = CanonizePath(QueryState->GetDatabase()); QueryState->TopicOperations.FillSchemeCacheNavigate(*navigate, std::move(consumer)); - navigate->UserToken = new NACLib::TUserToken(QueryState->UserToken); + navigate->UserToken = QueryState->UserToken; Become(&TKqpSessionActor::TopicOpsState); ctx.Send(MakeSchemeCacheID(), new TEvTxProxySchemeCache::TEvNavigateKeySet(navigate.release())); @@ -1296,8 +1296,8 @@ public: LOG_D("Sending to Executer TraceId: " << request.TraceId.GetTraceId() << " " << request.TraceId.GetSpanIdSize()); auto executerActor = CreateKqpExecuter(std::move(request), Settings.Database, - (QueryState && QueryState->UserToken) ? TMaybe<TString>(QueryState->UserToken) : Nothing(), - RequestCounters, Settings.Service.GetAggregationConfig(), Settings.Service.GetExecuterRetriesConfig()); + QueryState ? QueryState->UserToken : TIntrusiveConstPtr<NACLib::TUserToken>(), + RequestCounters, Settings.Service.GetAggregationConfig(), Settings.Service.GetExecuterRetriesConfig()); auto exId = RegisterWithSameMailbox(executerActor); LOG_D("Created new KQP executer: " << exId << " isRollback: " << isRollback); @@ -1469,7 +1469,7 @@ public: case NKikimrKqp::QUERY_TYPE_FEDERATED_QUERY: { TString text = QueryState->ExtractQueryText(); if (IsQueryAllowedToLog(text)) { - auto userSID = NACLib::TUserToken(QueryState->UserToken).GetUserSID(); + auto userSID = QueryState->UserToken->GetUserSID(); NSysView::CollectQueryStats(TlsActivationContext->AsActorContext(), stats, queryDuration, text, userSID, QueryState->ParametersSize, database, type, requestUnits); } @@ -2226,8 +2226,6 @@ private: bool denied = false; TStringBuilder builder; - NACLib::TUserToken token(QueryState->UserToken); - builder << "Access for topic(s)"; for (auto& result : response.ResultSet) { if (result.Status != NSchemeCache::TSchemeCacheNavigate::EStatus::Ok) { @@ -2235,15 +2233,14 @@ private: } auto rights = NACLib::EAccessRights::ReadAttributes | NACLib::EAccessRights::WriteAttributes; - if (result.SecurityObject && !result.SecurityObject->CheckAccess(rights, token)) { + if (result.SecurityObject && !result.SecurityObject->CheckAccess(rights, *QueryState->UserToken)) { builder << " '" << JoinPath(result.Path) << "'"; denied = true; } } if (denied) { - builder << " is denied for subject '" << token.GetUserSID() << "'"; - + builder << " is denied for subject '" << QueryState->UserToken->GetUserSID() << "'"; message = std::move(builder); } diff --git a/ydb/core/kqp/session_actor/kqp_worker_actor.cpp b/ydb/core/kqp/session_actor/kqp_worker_actor.cpp index 1be1327762..0e63e5ad0a 100644 --- a/ydb/core/kqp/session_actor/kqp_worker_actor.cpp +++ b/ydb/core/kqp/session_actor/kqp_worker_actor.cpp @@ -55,7 +55,7 @@ struct TKqpQueryState { TString TraceId; TString RequestType; ui64 ParametersSize = 0; - TString UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TActorId RequestActorId; TInstant StartTime; TDuration CpuTime; @@ -203,7 +203,7 @@ public: QueryState->RequestType = event.GetRequestType(); QueryState->StartTime = now; QueryState->ReplyFlags = queryRequest.GetReplyFlags(); - QueryState->UserToken = event.GetUserToken(); + QueryState->UserToken = new NACLib::TUserToken(event.GetUserToken()); QueryState->RequestActorId = ActorIdFromProto(event.GetRequestActorId()); if (GetStatsMode(queryRequest, EKikimrStatsMode::None) > EKikimrStatsMode::Basic) { @@ -902,7 +902,7 @@ private: case NKikimrKqp::QUERY_TYPE_SQL_SCRIPT_STREAMING: { TString text = ExtractQueryText(); if (IsQueryAllowedToLog(text)) { - auto userSID = NACLib::TUserToken(QueryState->UserToken).GetUserSID(); + auto userSID = QueryState->UserToken->GetUserSID(); NSysView::CollectQueryStats(ctx, stats, queryDuration, text, userSID, QueryState->ParametersSize, database, type, requestUnits); } diff --git a/ydb/core/kqp/session_actor/kqp_worker_common.cpp b/ydb/core/kqp/session_actor/kqp_worker_common.cpp index 0b0d580105..23e204005f 100644 --- a/ydb/core/kqp/session_actor/kqp_worker_common.cpp +++ b/ydb/core/kqp/session_actor/kqp_worker_common.cpp @@ -81,7 +81,7 @@ TKikimrQueryLimits GetQueryLimits(const TKqpWorkerSettings& settings) { } void SlowLogQuery(const TActorContext &ctx, const TKikimrConfiguration* config, const TKqpRequestInfo& requestInfo, - const TDuration& duration, Ydb::StatusIds::StatusCode status, const TString& userToken, ui64 parametersSize, + const TDuration& duration, Ydb::StatusIds::StatusCode status, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, ui64 parametersSize, NKikimrKqp::TEvQueryResponse *record, const std::function<TString()> extractQueryText) { auto logSettings = ctx.LoggerSettings(); @@ -106,7 +106,7 @@ void SlowLogQuery(const TActorContext &ctx, const TKikimrConfiguration* config, } if (duration >= TDuration::MilliSeconds(thresholdMs)) { - auto username = NACLib::TUserToken(userToken).GetUserSID(); + auto username = userToken->GetUserSID(); if (username.empty()) { username = "UNAUTHENTICATED"; } diff --git a/ydb/core/kqp/session_actor/kqp_worker_common.h b/ydb/core/kqp/session_actor/kqp_worker_common.h index 84b1bc0d8f..507256a315 100644 --- a/ydb/core/kqp/session_actor/kqp_worker_common.h +++ b/ydb/core/kqp/session_actor/kqp_worker_common.h @@ -123,7 +123,7 @@ inline ETableReadType ExtractMostHeavyReadType(const TString& queryPlan) { } void SlowLogQuery(const TActorContext &ctx, const NYql::TKikimrConfiguration* config, const TKqpRequestInfo& requestInfo, - const TDuration& duration, Ydb::StatusIds::StatusCode status, const TString& userToken, ui64 parametersSize, + const TDuration& duration, Ydb::StatusIds::StatusCode status, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, ui64 parametersSize, NKikimrKqp::TEvQueryResponse *record, const std::function<TString()> extractQueryText); NYql::TKikimrQueryLimits GetQueryLimits(const TKqpWorkerSettings& settings); diff --git a/ydb/core/mon/mon.cpp b/ydb/core/mon/mon.cpp index 5268f93372..b32266d911 100644 --- a/ydb/core/mon/mon.cpp +++ b/ydb/core/mon/mon.cpp @@ -55,7 +55,7 @@ NActors::IEventHandle* TMon::DefaultAuthorizer(const NActors::TActorId& owner, N return new NActors::IEventHandle( owner, owner, - new NKikimr::TEvTicketParser::TEvAuthorizeTicketResult(TString(), token, token->SerializeAsString()) + new NKikimr::TEvTicketParser::TEvAuthorizeTicketResult(TString(), token) ); } else { return nullptr; diff --git a/ydb/core/security/secure_request.h b/ydb/core/security/secure_request.h index 04e276a897..c18c83d4b0 100644 --- a/ydb/core/security/secure_request.h +++ b/ydb/core/security/secure_request.h @@ -102,10 +102,17 @@ public: return SecurityToken; } + TIntrusiveConstPtr<NACLib::TUserToken> GetParsedToken() const { + if (AuthorizeTicketResult) { + return AuthorizeTicketResult->Token; + } + return nullptr; + } + TString GetSerializedToken() const { if (AuthorizeTicketResult) { - if (AuthorizeTicketResult->SerializedToken) { - return AuthorizeTicketResult->SerializedToken; + if (AuthorizeTicketResult->Token) { + return AuthorizeTicketResult->Token->GetSerializedToken(); } } return TString(); @@ -140,7 +147,7 @@ public: if (SecurityToken.empty()) { if (!GetDefaultUserSIDs().empty()) { TIntrusivePtr<NACLib::TUserToken> userToken = new NACLib::TUserToken(GetDefaultUserSIDs()); - THolder<TEvTicketParser::TEvAuthorizeTicketResult> AuthorizeTicketResult = MakeHolder<TEvTicketParser::TEvAuthorizeTicketResult>(TString(), userToken, userToken->SerializeAsString()); + THolder<TEvTicketParser::TEvAuthorizeTicketResult> AuthorizeTicketResult = MakeHolder<TEvTicketParser::TEvAuthorizeTicketResult>(TString(), userToken); ctx.Send(ctx.SelfID, AuthorizeTicketResult.Release()); } else { return static_cast<TBootstrap*>(this)->Bootstrap(ctx); diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h index 392a7243c5..852ae10677 100644 --- a/ydb/core/security/ticket_parser_impl.h +++ b/ydb/core/security/ticket_parser_impl.h @@ -369,7 +369,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> { if (record.IsTokenReady()) { // token already have built record.AccessTime = now; - Send(sender, new TEvTicketParser::TEvAuthorizeTicketResult(ev->Get()->Ticket, record.Token, record.SerializedToken), 0, cookie); + Send(sender, new TEvTicketParser::TEvAuthorizeTicketResult(ev->Get()->Ticket, record.GetToken()), 0, cookie); } else if (record.Error) { // token stores information about previous error record.AccessTime = now; @@ -407,7 +407,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> { } if (record.IsTokenReady()) { // offline check ready - Send(sender, new TEvTicketParser::TEvAuthorizeTicketResult(ev->Get()->Ticket, record.Token, record.SerializedToken), 0, cookie); + Send(sender, new TEvTicketParser::TEvAuthorizeTicketResult(ev->Get()->Ticket, record.GetToken()), 0, cookie); return; } record.AuthorizeRequests.emplace_back(ev.Release()); @@ -857,7 +857,10 @@ protected: return TDerived::ETokenType::Unknown; } - struct TTokenRecordBase { + class TTokenRecordBase { + private: + TIntrusiveConstPtr<NACLib::TUserToken> Token; + public: TTokenRecordBase(const TTokenRecordBase&) = delete; TTokenRecordBase& operator =(const TTokenRecordBase&) = delete; @@ -867,8 +870,6 @@ protected: THashMap<TString, TPermissionRecord> Permissions; TString Subject; // login TEvTicketParser::TError Error; - TIntrusivePtr<NACLib::TUserToken> Token; - TString SerializedToken; TDeque<THolder<TEventHandle<TEvTicketParser::TEvAuthorizeTicket>>> AuthorizeRequests; ui64 ResponsesLeft = 0; TInstant InitTime; @@ -885,6 +886,20 @@ protected: : Ticket(ticket) {} + void SetToken(const TIntrusivePtr<NACLib::TUserToken>& token) { + // saving serialization info into the token instance. + token->SaveSerializationInfo(); + Token = token; + } + + const TIntrusiveConstPtr<NACLib::TUserToken> GetToken() const { + return Token; + } + + void UnsetToken() { + Token = nullptr; + } + TString GetAttributeValue(const TString& permission, const TString& key) const { if (auto it = Permissions.find(permission); it != Permissions.end()) { for (const auto& pr : it->second.Attributes) { @@ -965,13 +980,13 @@ protected: return key.Before(':'); } - void EnrichUserTokenWithBuiltins(const TTokenRecordBase& record) { + void EnrichUserTokenWithBuiltins(const TTokenRecordBase& record, TIntrusivePtr<NACLib::TUserToken>& token) { const TString& allAuthenticatedUsers = AppData()->AllAuthenticatedUsers; if (!allAuthenticatedUsers.empty()) { - record.Token->AddGroupSID(allAuthenticatedUsers); + token->AddGroupSID(allAuthenticatedUsers); } for (const TString& sid : record.AdditionalSIDs) { - record.Token->AddGroupSID(sid); + token->AddGroupSID(sid); } if (!record.Permissions.empty()) { TString subject; @@ -990,7 +1005,7 @@ protected: } for (const TString& group : groups) { - record.Token->AddGroupSID(group); + token->AddGroupSID(group); } } } @@ -1048,12 +1063,11 @@ protected: void SetToken(const TString& key, TTokenRecord& record, TIntrusivePtr<NACLib::TUserToken> token) { TInstant now = TlsActivationContext->Now(); record.Error.clear(); - record.Token = token; - EnrichUserTokenWithBuiltins(record); + EnrichUserTokenWithBuiltins(record, token); + record.SetToken(token); if (!token->GetUserSID().empty()) { record.Subject = token->GetUserSID(); } - record.SerializedToken = token->SerializeAsString(); if (!record.ExpireTime) { record.ExpireTime = GetExpireTime(now); } @@ -1080,8 +1094,7 @@ protected: BLOG_D("Ticket " << MaskTicket(record.Ticket) << " (" << record.PeerName << ") has now retryable error message '" << error.Message << "'"); } else { - record.Token = nullptr; - record.SerializedToken.clear(); + record.UnsetToken(); record.SetOkRefreshTime(this, now); CounterTicketsErrorsPermanent->Inc(); BLOG_D("Ticket " << MaskTicket(record.Ticket) << " (" @@ -1094,7 +1107,7 @@ protected: void Respond(TTokenRecordBase& record) { if (record.IsTokenReady()) { for (const auto& request : record.AuthorizeRequests) { - Send(request->Sender, new TEvTicketParser::TEvAuthorizeTicketResult(record.Ticket, record.Token, record.SerializedToken), 0, request->Cookie); + Send(request->Sender, new TEvTicketParser::TEvAuthorizeTicketResult(record.Ticket, record.GetToken()), 0, request->Cookie); } } else { for (const auto& request : record.AuthorizeRequests) { @@ -1194,9 +1207,9 @@ protected: html << "<tr><td>Expire Time</td><td>" << record.ExpireTime << "</td></tr>"; html << "<tr><td>Access Time</td><td>" << record.AccessTime << "</td></tr>"; html << "<tr><td>Peer Name</td><td>" << record.PeerName << "</td></tr>"; - if (record.Token != nullptr) { - html << "<tr><td>User SID</td><td>" << record.Token->GetUserSID() << "</td></tr>"; - for (const TString& group : record.Token->GetGroupSIDs()) { + if (record.IsTokenReady()) { + html << "<tr><td>User SID</td><td>" << record.GetToken()->GetUserSID() << "</td></tr>"; + for (const TString& group : record.GetToken()->GetGroupSIDs()) { html << "<tr><td>Group SID</td><td>" << group << "</td></tr>"; } } @@ -1221,7 +1234,7 @@ protected: html << "<td>" << record.Database << "</td>"; html << "<td>" << record.Subject << "</td>"; html << "<td>" << record.Error << "</td>"; - html << "<td>" << "<a href='ticket_parser?token=" << MD5::Calc(key) << "'>" << HtmlBool(record.Token != nullptr) << "</a>" << "</td>"; + html << "<td>" << "<a href='ticket_parser?token=" << MD5::Calc(key) << "'>" << HtmlBool(record.IsTokenReady()) << "</a>" << "</td>"; html << "<td>" << record.AuthorizeRequests.size() << "</td>"; html << "<td>" << record.ResponsesLeft << "</td>"; html << "<td>" << record.RefreshTime << "</td>"; diff --git a/ydb/core/tx/scheme_cache/scheme_cache.h b/ydb/core/tx/scheme_cache/scheme_cache.h index fb67d89742..a7f76d4a11 100644 --- a/ydb/core/tx/scheme_cache/scheme_cache.h +++ b/ydb/core/tx/scheme_cache/scheme_cache.h @@ -278,7 +278,7 @@ struct TSchemeCacheNavigate { using TResultSet = TVector<TEntry>; TResultSet ResultSet; - TAutoPtr<const NACLib::TUserToken> UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TString DatabaseName; ui64 DomainOwnerId = 0; ui64 ErrorCount = 0; @@ -349,7 +349,7 @@ struct TSchemeCacheRequest { using TResultSet = TVector<TEntry>; TResultSet ResultSet; - TAutoPtr<const NACLib::TUserToken> UserToken; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken; TString DatabaseName; ui64 DomainOwnerId = 0; ui64 ErrorCount = 0; diff --git a/ydb/core/ymq/actor/action.h b/ydb/core/ymq/actor/action.h index b974384101..c507eb5b0e 100644 --- a/ydb/core/ymq/actor/action.h +++ b/ydb/core/ymq/actor/action.h @@ -747,7 +747,7 @@ protected: TString FolderId_; size_t SecurityCheckRequestsToWaitFor_ = 2; TIntrusivePtr<TSecurityObject> SecurityObject_; - TIntrusivePtr<NACLib::TUserToken> UserToken_; + TIntrusiveConstPtr<NACLib::TUserToken> UserToken_; TString UserSID_; // identifies the client who sent this request bool UserExists_ = false; bool QueueExists_ = false; diff --git a/ydb/library/aclib/aclib.cpp b/ydb/library/aclib/aclib.cpp index b04fcd0a9c..cdeb7dbb79 100644 --- a/ydb/library/aclib/aclib.cpp +++ b/ydb/library/aclib/aclib.cpp @@ -64,6 +64,11 @@ TUserToken::TUserToken(NACLibProto::TUserToken&& token) { TUserToken::TUserToken(const TString& token) { Y_VERIFY(ParseFromString(token)); + Serialized_ = token; +} + +const TString& TUserToken::GetSerializedToken() const { + return Serialized_; } bool TUserToken::IsExist(const TSID& someSID) const { @@ -103,6 +108,10 @@ TString TUserToken::SerializeAsString() const { return NACLibProto::TUserToken::SerializeAsString(); } +void TUserToken::SaveSerializationInfo() { + Serialized_ = SerializeAsString(); +} + TSID TUserToken::GetUserFromVector(const TVector<TSID>& userAndGroupSIDs) { return userAndGroupSIDs.empty() ? TSID() : userAndGroupSIDs.front(); } diff --git a/ydb/library/aclib/aclib.h b/ydb/library/aclib/aclib.h index a3bbba19e1..928f838ef4 100644 --- a/ydb/library/aclib/aclib.h +++ b/ydb/library/aclib/aclib.h @@ -87,14 +87,16 @@ public: TUserToken(const TString& originalUserToken, const TSID& userSID, const TVector<TSID>& groupSIDs); TUserToken(const NACLibProto::TUserToken& token); TUserToken(NACLibProto::TUserToken&& token); - TUserToken(const TString& token); + explicit TUserToken(const TString& token); bool IsExist(const TSID& someSID) const; // check for presence of SID specified in the token TSID GetUserSID() const; TVector<TSID> GetGroupSIDs() const; TString GetOriginalUserToken() const; TString SerializeAsString() const; + void SaveSerializationInfo(); void AddGroupSID(const TSID& groupSID); bool IsSystemUser() const; + const TString& GetSerializedToken() const; using NACLibProto::TUserToken::ShortDebugString; @@ -102,6 +104,8 @@ protected: static TSID GetUserFromVector(const TVector<TSID>& userAndGroupSIDs); static TVector<TSID> GetGroupsFromVector(const TVector<TSID>& userAndGroupSIDs); void SetGroupSIDs(const TVector<TString>& groupSIDs); +private: + TString Serialized_; }; class TACL : public NACLibProto::TACL { diff --git a/ydb/services/datastreams/datastreams_proxy.cpp b/ydb/services/datastreams/datastreams_proxy.cpp index bb553fb1d4..57b427db02 100644 --- a/ydb/services/datastreams/datastreams_proxy.cpp +++ b/ydb/services/datastreams/datastreams_proxy.cpp @@ -778,7 +778,7 @@ namespace NKikimr::NDataStreams::V1 { "Request without dabase is forbiden", ctx); } - if (this->Request_->GetInternalToken().empty()) { + if (this->Request_->GetSerializedToken().empty()) { if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { return ReplyWithError(Ydb::StatusIds::UNAUTHORIZED, NYds::EErrorCodes::BAD_REQUEST, "Unauthenticated access is forbidden, please provide credentials", ctx); @@ -837,8 +837,8 @@ namespace NKikimr::NDataStreams::V1 { NSchemeCache::TSchemeCacheNavigate::TEntry entry; entry.Path = NKikimr::SplitPath(path); - if (!this->Request_->GetInternalToken().empty()) { - schemeCacheRequest->UserToken = new NACLib::TUserToken(this->Request_->GetInternalToken()); + if (!this->Request_->GetSerializedToken().empty()) { + schemeCacheRequest->UserToken = new NACLib::TUserToken(this->Request_->GetSerializedToken()); } entry.Operation = NSchemeCache::TSchemeCacheNavigate::OpList; @@ -1257,7 +1257,7 @@ namespace NKikimr::NDataStreams::V1 { auto topicInfo = navigate->ResultSet.begin(); StreamName = NKikimr::CanonizePath(topicInfo->Path); if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { - NACLib::TUserToken token(this->Request_->GetInternalToken()); + NACLib::TUserToken token(this->Request_->GetSerializedToken()); if (!topicInfo->SecurityObject->CheckAccess(NACLib::EAccessRights::SelectRow, token)) { @@ -1423,7 +1423,7 @@ namespace NKikimr::NDataStreams::V1 { const auto response = result->ResultSet.front(); if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { - NACLib::TUserToken token(this->Request_->GetInternalToken()); + NACLib::TUserToken token(this->Request_->GetSerializedToken()); if (!response.SecurityObject->CheckAccess(NACLib::EAccessRights::SelectRow, token)) { @@ -1674,7 +1674,7 @@ namespace NKikimr::NDataStreams::V1 { const NSchemeCache::TSchemeCacheNavigate* navigate = ev->Get()->Request.Get(); auto topicInfo = navigate->ResultSet.front(); if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { - NACLib::TUserToken token(this->Request_->GetInternalToken()); + NACLib::TUserToken token(this->Request_->GetSerializedToken()); if (!topicInfo.SecurityObject->CheckAccess(NACLib::EAccessRights::SelectRow, token)) { diff --git a/ydb/services/datastreams/put_records_actor.h b/ydb/services/datastreams/put_records_actor.h index c8bb8ca970..4674a8a33e 100644 --- a/ydb/services/datastreams/put_records_actor.h +++ b/ydb/services/datastreams/put_records_actor.h @@ -279,7 +279,7 @@ namespace NKikimr::NDataStreams::V1 { error, ctx); } - if (this->Request_->GetInternalToken().empty()) { + if (this->Request_->GetSerializedToken().empty()) { if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { return this->ReplyWithError(Ydb::StatusIds::UNAUTHORIZED, Ydb::PersQueue::ErrorCode::ACCESS_DENIED, @@ -288,7 +288,7 @@ namespace NKikimr::NDataStreams::V1 { << " is denied", ctx); } } - NACLib::TUserToken token(this->Request_->GetInternalToken()); + NACLib::TUserToken token(this->Request_->GetSerializedToken()); ShouldBeCharged = std::find( AppData(ctx)->PQConfig.GetNonChargeableUser().begin(), @@ -319,7 +319,7 @@ namespace NKikimr::NDataStreams::V1 { const NSchemeCache::TSchemeCacheNavigate* navigate = ev->Get()->Request.Get(); auto topicInfo = navigate->ResultSet.begin(); if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { - NACLib::TUserToken token(this->Request_->GetInternalToken()); + NACLib::TUserToken token(this->Request_->GetSerializedToken()); if (!topicInfo->SecurityObject->CheckAccess(NACLib::EAccessRights::UpdateRow, token)) { return this->ReplyWithError(Ydb::StatusIds::UNAUTHORIZED, Ydb::PersQueue::ErrorCode::ACCESS_DENIED, diff --git a/ydb/services/kesus/grpc_service.cpp b/ydb/services/kesus/grpc_service.cpp index 6a6134de02..c43156403d 100644 --- a/ydb/services/kesus/grpc_service.cpp +++ b/ydb/services/kesus/grpc_service.cpp @@ -105,7 +105,7 @@ private: private: void BeginAuth() { - if (const auto& token = RequestEvent->GetInternalToken()) { + if (const auto& token = RequestEvent->GetSerializedToken()) { UserToken.Reset(new TUserToken(token)); } ReadyToStart(); diff --git a/ydb/services/lib/actors/pq_schema_actor.h b/ydb/services/lib/actors/pq_schema_actor.h index d58f0da55b..6d1f6ee3d3 100644 --- a/ydb/services/lib/actors/pq_schema_actor.h +++ b/ydb/services/lib/actors/pq_schema_actor.h @@ -152,13 +152,13 @@ namespace NKikimr::NGRpcProxy::V1 { SetDatabase(proposal.get(), *this->Request_); - if (this->Request_->GetInternalToken().empty()) { + if (this->Request_->GetSerializedToken().empty()) { if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { return ReplyWithError(Ydb::StatusIds::UNAUTHORIZED, Ydb::PersQueue::ErrorCode::ACCESS_DENIED, "Unauthenticated access is forbidden, please provide credentials", ctx); } } else { - proposal->Record.SetUserToken(this->Request_->GetInternalToken()); + proposal->Record.SetUserToken(this->Request_->GetSerializedToken()); } static_cast<TDerived*>(this)->FillProposeRequest(*proposal, ctx, workingDir, name); @@ -179,13 +179,13 @@ namespace NKikimr::NGRpcProxy::V1 { entry.Operation = NSchemeCache::TSchemeCacheNavigate::OpList; navigateRequest->ResultSet.emplace_back(entry); - if (this->Request_->GetInternalToken().empty()) { + if (this->Request_->GetSerializedToken().empty()) { if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { return ReplyWithError(Ydb::StatusIds::UNAUTHORIZED, Ydb::PersQueue::ErrorCode::ACCESS_DENIED, "Unauthenticated access is forbidden, please provide credentials", ctx); } } else { - navigateRequest->UserToken = new NACLib::TUserToken(this->Request_->GetInternalToken()); + navigateRequest->UserToken = new NACLib::TUserToken(this->Request_->GetSerializedToken()); } if (!IsDead) { ctx.Send(MakeSchemeCacheID(), new TEvTxProxySchemeCache::TEvNavigateKeySet(navigateRequest.release())); diff --git a/ydb/services/persqueue_v1/actors/commit_offset_actor.cpp b/ydb/services/persqueue_v1/actors/commit_offset_actor.cpp index 755aa9dd3b..a06c054b56 100644 --- a/ydb/services/persqueue_v1/actors/commit_offset_actor.cpp +++ b/ydb/services/persqueue_v1/actors/commit_offset_actor.cpp @@ -43,13 +43,13 @@ void TCommitOffsetActor::Bootstrap(const TActorContext& ctx) { PartitionId = request->Getpartition_id(); TIntrusivePtr<NACLib::TUserToken> token; - if (Request_->GetInternalToken().empty()) { + if (Request_->GetSerializedToken().empty()) { if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { AnswerError("Unauthenticated access is forbidden, please provide credentials", PersQueue::ErrorCode::ACCESS_DENIED, ctx); return; } } else { - token = new NACLib::TUserToken(Request_->GetInternalToken()); + token = new NACLib::TUserToken(Request_->GetSerializedToken()); } THashSet<TString> topicsToResolve; diff --git a/ydb/services/persqueue_v1/actors/read_info_actor.cpp b/ydb/services/persqueue_v1/actors/read_info_actor.cpp index 1147c9f989..6cfe69b348 100644 --- a/ydb/services/persqueue_v1/actors/read_info_actor.cpp +++ b/ydb/services/persqueue_v1/actors/read_info_actor.cpp @@ -44,13 +44,13 @@ void TReadInfoActor::Bootstrap(const TActorContext& ctx) { bool readOnlyLocal = request->get_only_original(); TIntrusivePtr<NACLib::TUserToken> token; - if (Request_->GetInternalToken().empty()) { + if (Request_->GetSerializedToken().empty()) { if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { AnswerError("Unauthenticated access is forbidden, please provide credentials", PersQueue::ErrorCode::ACCESS_DENIED, ctx); return; } } else { - token = new NACLib::TUserToken(Request_->GetInternalToken()); + token = new NACLib::TUserToken(Request_->GetSerializedToken()); } THashSet<TString> topicsToResolve; diff --git a/ydb/services/persqueue_v1/actors/read_init_auth_actor.cpp b/ydb/services/persqueue_v1/actors/read_init_auth_actor.cpp index 72f6946c18..ac70a562ee 100644 --- a/ydb/services/persqueue_v1/actors/read_init_auth_actor.cpp +++ b/ydb/services/persqueue_v1/actors/read_init_auth_actor.cpp @@ -12,7 +12,7 @@ namespace NKikimr::NGRpcProxy::V1 { TReadInitAndAuthActor::TReadInitAndAuthActor( const TActorContext& ctx, const TActorId& parentId, const TString& clientId, const ui64 cookie, const TString& session, const NActors::TActorId& metaCache, const NActors::TActorId& newSchemeCache, - TIntrusivePtr<::NMonitoring::TDynamicCounters> counters, TIntrusivePtr<NACLib::TUserToken> token, + TIntrusivePtr<::NMonitoring::TDynamicCounters> counters, TIntrusiveConstPtr<NACLib::TUserToken> token, const NPersQueue::TTopicsToConverter& topics, const TString& localCluster ) : ParentId(parentId) diff --git a/ydb/services/persqueue_v1/actors/read_init_auth_actor.h b/ydb/services/persqueue_v1/actors/read_init_auth_actor.h index 2891c8ff1f..23245cc494 100644 --- a/ydb/services/persqueue_v1/actors/read_init_auth_actor.h +++ b/ydb/services/persqueue_v1/actors/read_init_auth_actor.h @@ -21,7 +21,7 @@ class TReadInitAndAuthActor : public NActors::TActorBootstrapped<TReadInitAndAut public: TReadInitAndAuthActor(const TActorContext& ctx, const TActorId& parentId, const TString& clientId, const ui64 cookie, const TString& session, const NActors::TActorId& schemeCache, const NActors::TActorId& newSchemeCache, - TIntrusivePtr<::NMonitoring::TDynamicCounters> counters, TIntrusivePtr<NACLib::TUserToken> token, + TIntrusivePtr<::NMonitoring::TDynamicCounters> counters, TIntrusiveConstPtr<NACLib::TUserToken> token, const NPersQueue::TTopicsToConverter& topics, const TString& localCluster); ~TReadInitAndAuthActor(); @@ -72,7 +72,7 @@ private: const TString ClientId; const TString ClientPath; - TIntrusivePtr<NACLib::TUserToken> Token; + TIntrusiveConstPtr<NACLib::TUserToken> Token; THashMap<TString, TTopicHolder> Topics; // topic -> info diff --git a/ydb/services/persqueue_v1/actors/read_session_actor.h b/ydb/services/persqueue_v1/actors/read_session_actor.h index 8dde6b616f..a402a7e5bb 100644 --- a/ydb/services/persqueue_v1/actors/read_session_actor.h +++ b/ydb/services/persqueue_v1/actors/read_session_actor.h @@ -303,7 +303,7 @@ private: TActorId NewSchemeCache; TActorId AuthInitActor; - TIntrusivePtr<NACLib::TUserToken> Token; + TIntrusiveConstPtr<NACLib::TUserToken> Token; TString ClientId; TString ClientPath; diff --git a/ydb/services/persqueue_v1/actors/read_session_actor.ipp b/ydb/services/persqueue_v1/actors/read_session_actor.ipp index 8e99ad2e34..5ad404ab13 100644 --- a/ydb/services/persqueue_v1/actors/read_session_actor.ipp +++ b/ydb/services/persqueue_v1/actors/read_session_actor.ipp @@ -677,7 +677,7 @@ void TReadSessionActor<UseMigrationProtocol>::Handle(typename TEvReadInit::TPtr& TopicsToResolve.insert(path); } - if (Request->GetInternalToken().empty()) { + if (Request->GetSerializedToken().empty()) { if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { return CloseSession(PersQueue::ErrorCode::ACCESS_DENIED, "unauthenticated access is forbidden, please provide credentials", ctx); @@ -685,7 +685,7 @@ void TReadSessionActor<UseMigrationProtocol>::Handle(typename TEvReadInit::TPtr& } else { Y_VERIFY(Request->GetYdbToken()); Auth = *(Request->GetYdbToken()); - Token = new NACLib::TUserToken(Request->GetInternalToken()); + Token = new NACLib::TUserToken(Request->GetSerializedToken()); } TopicsList = TopicsHandler.GetReadTopicsList(TopicsToResolve, ReadOnlyLocal, @@ -1402,8 +1402,8 @@ void TReadSessionActor<UseMigrationProtocol>::ProcessBalancerDead(ui64 tabletId, template <bool UseMigrationProtocol> void TReadSessionActor<UseMigrationProtocol>::Handle(NGRpcService::TGRpcRequestProxy::TEvRefreshTokenResponse::TPtr& ev , const TActorContext& ctx) { - if (ev->Get()->Authenticated && !ev->Get()->InternalToken.empty()) { - Token = new NACLib::TUserToken(ev->Get()->InternalToken); + if (ev->Get()->Authenticated && ev->Get()->InternalToken && !ev->Get()->InternalToken->GetSerializedToken().empty()) { + Token = ev->Get()->InternalToken; ForceACLCheck = true; if constexpr (!UseMigrationProtocol) { diff --git a/ydb/services/persqueue_v1/actors/write_session_actor.h b/ydb/services/persqueue_v1/actors/write_session_actor.h index c2ef61c8f3..c52a40da55 100644 --- a/ydb/services/persqueue_v1/actors/write_session_actor.h +++ b/ydb/services/persqueue_v1/actors/write_session_actor.h @@ -267,7 +267,7 @@ private: NKikimr::NPQ::TMultiCounter Errors; std::vector<NKikimr::NPQ::TMultiCounter> CodecCounters; - TIntrusivePtr<NACLib::TUserToken> Token; + TIntrusiveConstPtr<NACLib::TUserToken> Token; TString Auth; // Got 'update_token_request', authentication or authorization in progress, // or 'update_token_response' is not sent yet. diff --git a/ydb/services/persqueue_v1/actors/write_session_actor.ipp b/ydb/services/persqueue_v1/actors/write_session_actor.ipp index 262cd162b6..a04686af3e 100644 --- a/ydb/services/persqueue_v1/actors/write_session_actor.ipp +++ b/ydb/services/persqueue_v1/actors/write_session_actor.ipp @@ -445,7 +445,7 @@ void TWriteSessionActor<UseMigrationProtocol>::Handle(typename TEvWriteInit::TPt UserAgent = "pqv1 server"; LogSession(ctx); - if (Request->GetInternalToken().empty()) { // session without auth + if (Request->GetSerializedToken().empty()) { // session without auth if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { Request->ReplyUnauthenticated("Unauthenticated access is forbidden, please provide credentials"); Die(ctx); @@ -607,7 +607,7 @@ void TWriteSessionActor<UseMigrationProtocol>::Handle(TEvDescribeTopicsResponse: SetMeteringMode(meteringMode); - if (Request->GetInternalToken().empty()) { // session without auth + if (Request->GetSerializedToken().empty()) { // session without auth if (AppData(ctx)->PQConfig.GetRequireCredentialsInNewProtocol()) { Request->ReplyUnauthenticated("Unauthenticated access is forbidden, please provide credentials"); Die(ctx); @@ -619,7 +619,7 @@ void TWriteSessionActor<UseMigrationProtocol>::Handle(TEvDescribeTopicsResponse: } else { Y_VERIFY(Request->GetYdbToken()); Auth = *Request->GetYdbToken(); - Token = new NACLib::TUserToken(Request->GetInternalToken()); + Token = new NACLib::TUserToken(Request->GetSerializedToken()); if (FirstACLCheck && IsQuotaRequired()) { Y_VERIFY(MaybeRequestQuota(1, EWakeupTag::RlInit, ctx)); @@ -1395,8 +1395,8 @@ void TWriteSessionActor<UseMigrationProtocol>::Handle(NGRpcService::TGRpcRequest Y_UNUSED(ctx); LOG_INFO_S(ctx, NKikimrServices::PQ_WRITE_PROXY, "updating token"); - if (ev->Get()->Authenticated && !ev->Get()->InternalToken.empty()) { - Token = new NACLib::TUserToken(ev->Get()->InternalToken); + if (ev->Get()->Authenticated && ev->Get()->InternalToken && !ev->Get()->InternalToken->GetSerializedToken().empty()) { + Token = ev->Get()->InternalToken; Request->SetInternalToken(ev->Get()->InternalToken); UpdateTokenAuthenticated = true; if (!ACLCheckInProgress) { |