SystemView Auth Owners (#13248)

ydb/core/sys_view/auth/auth_scan_base.h

@@ -14,9 +14,15 @@ using namespace NSchemeShard;
 using namespace NActors;
 using namespace NSchemeCache;
 using TNavigate = NSchemeCache::TSchemeCacheNavigate;
+using TPath = TVector<TString>;
 
 template <typename TDerived>
 class TAuthScanBase : public TScanActorBase<TDerived> {
+    struct TTraversingChildren {
+        TNavigate::TEntry Entry;
+        size_t Index = 0;
+    };
+
 public:
     using TBase = TScanActorBase<TDerived>;
 
@@ -47,16 +53,7 @@ class TAuthScanBase : public TScanActorBase<TDerived> {
 protected:
     void ProceedToScan() override {
         TBase::Become(&TAuthScanBase::StateScan);
-        if (TBase::AckReceived) {
-            StartScan();
-        }
-    }
 
-    void Handle(NKqp::TEvKqpCompute::TEvScanDataAck::TPtr&) {
-        StartScan();
-    }
-
-    void StartScan() {
         // TODO: support TableRange filter
         if (auto cellsFrom = TBase::TableRange.From.GetCells(); cellsFrom.size() > 0 && !cellsFrom[0].IsNull()) {
             TBase::ReplyErrorAndDie(Ydb::StatusIds::INTERNAL_ERROR, TStringBuilder() << "TableRange.From filter is not supported");
@@ -67,26 +64,72 @@ class TAuthScanBase : public TScanActorBase<TDerived> {
             return;
         }
 
-        NavigatePath(TBase::TenantName);
+        auto& last = DeepFirstSearchStack.emplace_back();
+        last.Index = Max<size_t>(); // tenant root
+
+        if (TBase::AckReceived) {
+            ContinueScan();
+        }
+    }
+
+    void Handle(NKqp::TEvKqpCompute::TEvScanDataAck::TPtr&) {
+        ContinueScan();
+    }
+
+    void ContinueScan() {
+        while (DeepFirstSearchStack) {
+            auto& last = DeepFirstSearchStack.back();
+
+            if (last.Index == Max<size_t>()) { // tenant root
+                NavigatePath(SplitPath(TBase::TenantName));
+                DeepFirstSearchStack.pop_back();
+                return;
+            }
+
+            auto& children = last.Entry.ListNodeEntry->Children;
+            if (last.Index < children.size()) {
+                auto& child = children.at(last.Index++);
+
+                if (child.Kind == TSchemeCacheNavigate::KindExtSubdomain || child.Kind == TSchemeCacheNavigate::KindSubdomain) {
+                    continue;
+                }
+
+                last.Entry.Path.push_back(child.Name);
+                NavigatePath(last.Entry.Path);
+                last.Entry.Path.pop_back();
+                return;
+            } else {
+                DeepFirstSearchStack.pop_back();
+            }
+        }
+
+        TBase::ReplyEmptyAndDie();
     }
 
     void Handle(TEvTxProxySchemeCache::TEvNavigateKeySetResult::TPtr& ev, const TActorContext& ctx) {
         THolder<NSchemeCache::TSchemeCacheNavigate> request(ev->Get()->Request.Release());
+
+        Y_ABORT_UNLESS(request->ResultSet.size() == 1);
+        auto& entry = request->ResultSet.back();
 
-        for (const auto& entry : request->ResultSet) {
-            if (entry.Status != TNavigate::EStatus::Ok) {
-                TBase::ReplyErrorAndDie(Ydb::StatusIds::INTERNAL_ERROR, TStringBuilder() << 
-                    "Failed to navigate " << CanonizePath(entry.Path) << ": " << entry.Status);
-                return;
-            }
+        if (entry.Status != TNavigate::EStatus::Ok) {
+            TBase::ReplyErrorAndDie(Ydb::StatusIds::INTERNAL_ERROR, TStringBuilder() << 
+                "Failed to navigate " << CanonizePath(entry.Path) << ": " << entry.Status);
+            return;
         }
 
         LOG_TRACE_S(ctx, NKikimrServices::SYSTEM_VIEWS,
             "Got navigate: " << request->ToString(*AppData()->TypeRegistry));
 
         auto batch = MakeHolder<NKqp::TEvKqpCompute::TEvScanData>(TBase::ScanId);
 
-        FillBatch(*batch, request->ResultSet);
+        FillBatch(*batch, entry);
+
+        if (!batch->Finished && entry.ListNodeEntry) {
+            DeepFirstSearchStack.emplace_back(std::move(entry));
+        }
+
+        batch->Finished = DeepFirstSearchStack.empty();
 
         TBase::SendBatch(std::move(batch));
     }
@@ -99,23 +142,25 @@ class TAuthScanBase : public TScanActorBase<TDerived> {
         TBase::PassAway();
     }
 
-    void NavigatePath(TString path) {
+    void NavigatePath(TPath path) {
         auto request = MakeHolder<NSchemeCache::TSchemeCacheNavigate>();
 
         auto& entry = request->ResultSet.emplace_back();
         entry.RequestType = TSchemeCacheNavigate::TEntry::ERequestType::ByPath;
-        entry.Path = SplitPath(path);
-        entry.Operation = TSchemeCacheNavigate::OpPath;
+        entry.Path = std::move(path);
+        entry.Operation = TSchemeCacheNavigate::OpList;
         entry.RedirectRequired = false;
 
         LOG_TRACE_S(TlsActivationContext->AsActorContext(), NKikimrServices::SYSTEM_VIEWS,
-            "Navigate " << path << ": " << request->ToString(*AppData()->TypeRegistry));
+            "Navigate " << request->ToString(*AppData()->TypeRegistry));
 
         TBase::Send(MakeSchemeCacheID(), new TEvTxProxySchemeCache::TEvNavigateKeySet(request.Release()));
     }
 
-    virtual void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TResultSet& resultSet) = 0;
+    virtual void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TEntry& entry) = 0;
 
+private:
+    TVector<TTraversingChildren> DeepFirstSearchStack;
 };
 
 }

ydb/core/sys_view/auth/group_members.cpp

@@ -26,9 +26,7 @@ class TGroupMembersScan : public TAuthScanBase<TGroupMembersScan> {
     }
 
 protected:
-    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TResultSet& resultSet) override {
-        Y_ABORT_UNLESS(resultSet.size() == 1);
-        auto& entry = resultSet.back();
+    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TEntry& entry) override {
         Y_ABORT_UNLESS(entry.Status == TNavigate::EStatus::Ok);
         Y_ABORT_UNLESS(CanonizePath(entry.Path) == TBase::TenantName);
 

ydb/core/sys_view/auth/groups.cpp

@@ -26,9 +26,7 @@ class TGroupsScan : public TAuthScanBase<TGroupsScan> {
     }
 
 protected:
-    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TResultSet& resultSet) override {
-        Y_ABORT_UNLESS(resultSet.size() == 1);
-        auto& entry = resultSet.back();
+    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TEntry& entry) override {
         Y_ABORT_UNLESS(entry.Status == TNavigate::EStatus::Ok);
         Y_ABORT_UNLESS(CanonizePath(entry.Path) == TBase::TenantName);
 

ydb/core/sys_view/auth/owners.cpp

@@ -0,0 +1,66 @@
+#include "auth_scan_base.h"
+#include "owners.h"
+
+#include <ydb/core/sys_view/common/events.h>
+#include <ydb/core/sys_view/common/schema.h>
+#include <ydb/core/sys_view/common/scan_actor_base_impl.h>
+#include <ydb/core/base/tablet_pipecache.h>
+#include <ydb/library/login/protos/login.pb.h>
+
+#include <ydb/library/actors/core/hfunc.h>
+
+namespace NKikimr::NSysView::NAuth {
+
+using namespace NSchemeShard;
+using namespace NActors;
+
+class TOwnersScan : public TAuthScanBase<TOwnersScan> {
+public:
+    using TScanBase = TScanActorBase<TOwnersScan>;
+    using TAuthBase = TAuthScanBase<TOwnersScan>;
+
+    TOwnersScan(const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
+        const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns)
+        : TAuthBase(ownerId, scanId, tableId, tableRange, columns)
+    {
+    }
+
+protected:
+    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TEntry& entry) override {
+        Y_ABORT_UNLESS(entry.Status == TNavigate::EStatus::Ok);
+
+        TVector<TCell> cells(::Reserve(Columns.size()));
+
+        // TODO: add rows according to request's sender user rights
+
+        auto entryPath = CanonizePath(entry.Path);
+        auto entryOwner = entry.Self->Info.GetOwner();
+
+        for (auto& column : Columns) {
+            switch (column.Tag) {
+            case Schema::AuthOwners::Path::ColumnId:
+                cells.push_back(TCell(entryPath.data(), entryPath.size()));
+                break;
+            case Schema::AuthOwners::Sid::ColumnId:
+                cells.push_back(TCell(entryOwner.data(), entryOwner.size()));
+                break;
+            default:
+                cells.emplace_back();
+            }
+        }
+
+        TArrayRef<const TCell> ref(cells);
+        batch.Rows.emplace_back(TOwnedCellVec::Make(ref));
+        cells.clear();
+
+        batch.Finished = false;
+    }
+};
+
+THolder<NActors::IActor> CreateOwnersScan(const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
+    const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns)
+{
+    return MakeHolder<TOwnersScan>(ownerId, scanId, tableId, tableRange, columns);
+}
+
+}

ydb/core/sys_view/auth/owners.h

@@ -0,0 +1,13 @@
+#pragma once
+
+#include <ydb/core/kqp/runtime/kqp_compute.h>
+
+#include <ydb/library/actors/core/actor.h>
+#include <ydb/library/actors/core/actorid.h>
+
+namespace NKikimr::NSysView::NAuth {
+
+THolder<NActors::IActor> CreateOwnersScan(const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
+    const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns);
+
+}

ydb/core/sys_view/auth/users.cpp

@@ -26,9 +26,7 @@ class TUsersScan : public TAuthScanBase<TUsersScan> {
     }
 
 protected:
-    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TResultSet& resultSet) override {
-        Y_ABORT_UNLESS(resultSet.size() == 1);
-        auto& entry = resultSet.back();
+    void FillBatch(NKqp::TEvKqpCompute::TEvScanData& batch, const TNavigate::TEntry& entry) override {
         Y_ABORT_UNLESS(entry.Status == TNavigate::EStatus::Ok);
         Y_ABORT_UNLESS(CanonizePath(entry.Path) == TBase::TenantName);
 

ydb/core/sys_view/auth/ya.make

@@ -1,12 +1,14 @@
 LIBRARY()
 
 SRCS(
-    group_members.h
     group_members.cpp
-    users.h
-    users.cpp
-    groups.h
+    group_members.h
     groups.cpp
+    groups.h
+    owners.cpp
+    owners.h
+    users.cpp
+    users.h
 )
 
 PEERDIR(

ydb/core/sys_view/common/schema.cpp

@@ -292,6 +292,7 @@ class TSystemViewResolver : public ISystemViewResolver {
             RegisterSystemView<Schema::AuthUsers>(UsersName);
             RegisterSystemView<Schema::AuthGroups>(NAuth::GroupsName);
             RegisterSystemView<Schema::AuthGroupMembers>(GroupMembersName);
+            RegisterSystemView<Schema::AuthOwners>(OwnersName);
         }
     }
 

ydb/core/sys_view/common/schema.h

@@ -53,6 +53,7 @@ namespace NAuth {
     constexpr TStringBuf UsersName = "auth_users";
     constexpr TStringBuf GroupsName = "auth_groups";
     constexpr TStringBuf GroupMembersName = "auth_group_members";
+    constexpr TStringBuf OwnersName = "auth_owners";
 }
 
 
@@ -646,6 +647,17 @@ struct Schema : NIceDb::Schema {
         >;
     };
 
+    struct AuthOwners : Table<18> {
+        struct Path: Column<1, NScheme::NTypeIds::Utf8> {};
+        struct Sid: Column<2, NScheme::NTypeIds::Utf8> {};
+
+        using TKey = TableKey<Path, Sid>;
+        using TColumns = TableColumns<
+            Path,
+            Sid
+        >;
+    };
+
     struct PgColumn {
         NIceDb::TColumnId _ColumnId;
         NScheme::TTypeInfo _ColumnTypeInfo;

ydb/core/sys_view/scan.cpp

@@ -2,6 +2,7 @@
 
 #include <ydb/core/kqp/compute_actor/kqp_compute_events.h>
 
+#include <ydb/core/sys_view/auth/owners.h>
 #include <ydb/core/sys_view/auth/users.h>
 #include <ydb/core/sys_view/auth/groups.h>
 #include <ydb/core/sys_view/auth/group_members.h>
@@ -252,6 +253,9 @@ THolder<NActors::IActor> CreateSystemViewScan(
         if (tableId.SysViewInfo == GroupMembersName) {
             return NAuth::CreateGroupMembersScan(ownerId, scanId, tableId, tableRange, columns);
         }
+        if (tableId.SysViewInfo == OwnersName) {
+            return NAuth::CreateOwnersScan(ownerId, scanId, tableId, tableRange, columns);
+        }
     }
 
     return {};