Add account_type parameter for audit logs (ydb-platform#13269)

ydb/core/grpc_services/audit_logins.cpp

@@ -11,10 +11,13 @@
 namespace NKikimr {
 namespace NGRpcService {
 
-void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails, const TString& sanitizedToken)
+void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request,
+                   const Ydb::Auth::LoginResponse& response, const TString& errorDetails,
+                   const TString& sanitizedToken, bool isAdmin)
 {
     static const TString GrpcLoginComponentName = "grpc-login";
     static const TString LoginOperationName = "LOGIN";
+    static const TString AdminAccountType = "admin";
 
     //NOTE: EmptyValue couldn't be an empty string as AUDIT_PART() skips parts with an empty values
     static const TString EmptyValue = "{none}";
@@ -50,6 +53,7 @@ void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::Log
         // Login
         AUDIT_PART("login_user", (!request.user().empty() ? request.user() : EmptyValue))
         AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))
+        AUDIT_PART("account_type", AdminAccountType, (isAdmin && status == Ydb::StatusIds::SUCCESS))
 
         //TODO: (?) it is possible to show masked version of the resulting token here
     );

ydb/core/grpc_services/audit_logins.h

@@ -13,6 +13,8 @@ namespace NKikimr::NGRpcService {
 class IAuditCtx;
 
 // logins log
-void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails, const TString& sanitizedToken);
+void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request,
+                   const Ydb::Auth::LoginResponse& response, const TString& errorDetails,
+                   const TString& sanitizedToken, bool isAdmin = false);
 
 } // namespace NKikimr::NGRpcService

ydb/core/grpc_services/rpc_login.cpp

@@ -12,6 +12,9 @@
 #include <ydb/core/security/ldap_auth_provider/ldap_auth_provider.h>
 #include <ydb/core/security/login_shared_func.h>
 
+#include <ydb/library/aclib/aclib.h>
+#include <ydb/library/login/login.h>
+
 #include <ydb/public/api/protos/ydb_auth.pb.h>
 
 namespace NKikimr {
@@ -88,7 +91,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
             ReplyErrorAndPassAway(Ydb::StatusIds::INTERNAL_ERROR, "Failed to produce a token");
         } else {
             // success = token + no errors
-            ReplyAndPassAway(loginResult.GetToken(), loginResult.GetSanitizedToken());
+            ReplyAndPassAway(loginResult);
         }
     }
 
@@ -113,9 +116,12 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
         }
     }
 
-    void ReplyAndPassAway(const TString& resultToken, const TString& sanitizedToken) {
-        TResponse response;
+    void ReplyAndPassAway(const NKikimrScheme::TEvLoginResult& loginResult) {
+        const auto& resultToken = loginResult.GetToken();
+        const auto& sanitizedToken = loginResult.GetSanitizedToken();
+        const auto& isAdmin = loginResult.GetIsAdmin();
 
+        TResponse response;
         Ydb::Operations::Operation& operation = *response.mutable_operation();
         operation.set_ready(true);
         operation.set_status(Ydb::StatusIds::SUCCESS);
@@ -126,7 +132,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
             operation.mutable_result()->PackFrom(result);
         }
 
-        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, /* errorDetails */ TString(), sanitizedToken);
+        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, /* errorDetails */ TString(), sanitizedToken, isAdmin);
 
         return CleanupAndReply(response);
     }

ydb/core/protos/flat_tx_scheme.proto

@@ -154,6 +154,7 @@ message TEvLoginResult {
     optional string Error = 1;
     optional string Token = 2;  // signed jwt token
     optional string SanitizedToken = 3;  // sanitized token without signature
+    optional bool IsAdmin = 4;
 }
 
 // Sending actor registers itself to be notified when tx completes

ydb/core/tx/schemeshard/schemeshard__login.cpp

@@ -87,6 +87,22 @@ struct TSchemeShard::TTxLogin : TTransactionBase<TSchemeShard> {
     }
 
 private:
+    bool IsAdmin() const {
+        const auto& adminSids = AppData()->AdministrationAllowedSIDs;
+        if (adminSids.empty()) {
+            return true;
+        }
+
+        const auto& user = Request->Get()->Record.GetUser();
+        const auto providerGroups = Self->LoginProvider.GetGroupsMembership(user);
+        const TVector<NACLib::TSID> groups(providerGroups.begin(), providerGroups.end());
+        const auto userToken = NACLib::TUserToken(user, groups);
+        auto hasSid = [&userToken](const TString& sid) -> bool {
+            return userToken.IsExist(sid);
+        };
+        return std::find_if(adminSids.begin(), adminSids.end(), hasSid) != adminSids.end();
+    }
+
     bool LoginAttempt(NIceDb::TNiceDb& db, const TActorContext& ctx) {
         const auto& loginRequest = GetLoginRequest();
         if (!loginRequest.ExternalAuth && !AppData(ctx)->AuthConfig.GetEnableLoginAuthentication()) {
@@ -105,6 +121,7 @@ struct TSchemeShard::TTxLogin : TTransactionBase<TSchemeShard> {
         case NLogin::TLoginProvider::TLoginUserResponse::EStatus::SUCCESS: {
             Result->Record.SetToken(loginResponse.Token);
             Result->Record.SetSanitizedToken(loginResponse.SanitizedToken);
+            Result->Record.SetIsAdmin(IsAdmin());
             break;
         }
         case NLogin::TLoginProvider::TLoginUserResponse::EStatus::INVALID_PASSWORD:
@@ -145,6 +162,7 @@ struct TSchemeShard::TTxLogin : TTransactionBase<TSchemeShard> {
             HandleLoginAuthSuccess(loginRequest, loginResponse, db);
             Result->Record.SetToken(loginResponse.Token);
             Result->Record.SetSanitizedToken(loginResponse.SanitizedToken);
+            Result->Record.SetIsAdmin(IsAdmin());
             break;
         }
         case NLogin::TLoginProvider::TLoginUserResponse::EStatus::INVALID_PASSWORD: {

ydb/core/tx/schemeshard/ut_login/ut_login.cpp

@@ -923,9 +923,7 @@ NHttp::THttpIncomingRequestPtr MakeLogoutRequest(const TString& cookieName, cons
 }
 
 Y_UNIT_TEST_SUITE(TWebLoginService) {
-
-    Y_UNIT_TEST(AuditLogLoginSuccess) {
-        TTestBasicRuntime runtime;
+    void AuditLogLoginTest(TTestBasicRuntime& runtime, bool isUserAdmin) {
         std::vector<std::string> lines;
         runtime.AuditLogBackends = std::move(CreateTestAuditLogBackends(lines));
         TTestEnv env(runtime);
@@ -965,6 +963,33 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1");
         UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");
         UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);
+
+        if (isUserAdmin) {
+            UNIT_ASSERT_STRING_CONTAINS(last, "account_type=admin");
+        } else {
+            UNIT_ASSERT(!last.contains("account_type=admin"));
+        }
+    }
+
+    Y_UNIT_TEST(AuditLogEmptySIDsLoginSuccess) {
+        TTestBasicRuntime runtime;
+        AuditLogLoginTest(runtime, true);
+    }
+
+    Y_UNIT_TEST(AuditLogAdminLoginSuccess) {
+        TTestBasicRuntime runtime;
+        runtime.AddAppDataInit([](ui32, NKikimr::TAppData& appData){
+            appData.AdministrationAllowedSIDs.emplace_back("user1");
+        });
+        AuditLogLoginTest(runtime, true);
+    }
+
+    Y_UNIT_TEST(AuditLogLoginSuccess) {
+        TTestBasicRuntime runtime;
+        runtime.AddAppDataInit([](ui32, NKikimr::TAppData& appData){
+            appData.AdministrationAllowedSIDs.emplace_back("user2");
+        });
+        AuditLogLoginTest(runtime, false);
     }
 
     Y_UNIT_TEST(AuditLogLoginBadPassword) {