Extented permissions in whoami

azevaykin · azevaykin · commit e6c9d813a428 · 2026-01-28T14:40:45.000Z
diff --git a/ydb/core/grpc_services/rpc_whoami.cpp b/ydb/core/grpc_services/rpc_whoami.cpp
@@ -3,6 +3,8 @@
 #include <ydb/core/grpc_services/base/base.h>
 #include <ydb/library/actors/core/actor_bootstrapped.h>
 #include <ydb/core/security/ticket_parser.h>
+#include <ydb/core/base/appdata.h>
+#include <ydb/core/base/auth.h>
 #include <ydb/public/api/protos/ydb_discovery.pb.h>
 
 namespace NKikimr {
@@ -39,6 +41,18 @@ class TWhoAmIRPC : public TActorBootstrapped<TWhoAmIRPC> {
             for (const auto& group : userToken.GetGroupSIDs()) {
                 response->add_groups(group);
             }
+
+            // Add permission information
+            const auto* appData = AppData();
+            response->set_is_token_required(appData->EnforceUserTokenRequirement);
+            bool isAdministrationAllowed = IsTokenAllowed(&userToken, appData->DomainsConfig.GetSecurityConfig().GetAdministrationAllowedSIDs());
+            bool isMonitoringAllowed = isAdministrationAllowed || IsTokenAllowed(&userToken, appData->DomainsConfig.GetSecurityConfig().GetMonitoringAllowedSIDs());
+            bool isViewerAllowed = isMonitoringAllowed || IsTokenAllowed(&userToken, appData->DomainsConfig.GetSecurityConfig().GetViewerAllowedSIDs());
+            bool isDatabaseAllowed = isViewerAllowed || IsTokenAllowed(&userToken, appData->DomainsConfig.GetSecurityConfig().GetDatabaseAllowedSIDs());
+            response->set_is_administration_allowed(isAdministrationAllowed);
+            response->set_is_monitoring_allowed(isMonitoringAllowed);
+            response->set_is_viewer_allowed(isViewerAllowed);
+            response->set_is_database_allowed(isDatabaseAllowed);
         }
 
         Request->SendResult(*response, Ydb::StatusIds::SUCCESS);
diff --git a/ydb/public/api/protos/ydb_discovery.proto b/ydb/public/api/protos/ydb_discovery.proto
@@ -63,6 +63,16 @@ message WhoAmIResult {
     string user = 1;
     // List of group SIDs (Security IDs) for the user
     repeated string groups = 2;
+    // Whether user token is required for authentication
+    bool is_token_required = 3;
+    // Whether user is allowed to perform administration operations
+    bool is_administration_allowed = 4;
+    // Whether user is allowed to perform monitoring operations
+    bool is_monitoring_allowed = 5;
+    // Whether user is allowed to view data
+    bool is_viewer_allowed = 6;
+    // Whether user is allowed to access database
+    bool is_database_allowed = 7;
 }
 
 message WhoAmIResponse {
diff --git a/ydb/public/lib/ydb_cli/commands/ydb_service_discovery.cpp b/ydb/public/lib/ydb_cli/commands/ydb_service_discovery.cpp
@@ -100,6 +100,13 @@ void TCommandWhoAmI::PrintResponse(NDiscovery::TWhoAmIResult& result) {
             } else {
                 Cout << Endl << "User has no groups" << Endl;
             }
+
+            Cout << Endl << "Effective permissions:" << Endl;
+            Cout << "  Token required: " << (result.IsTokenRequired() ? "true" : "false") << Endl;
+            Cout << "  Database access allowed: " << (result.IsDatabaseAllowed() ? "true" : "false") << Endl;
+            Cout << "  Viewer access allowed: " << (result.IsViewerAllowed() ? "true" : "false") << Endl;
+            Cout << "  Monitoring access allowed: " << (result.IsMonitoringAllowed() ? "true" : "false") << Endl;
+            Cout << "  Administration access allowed: " << (result.IsAdministrationAllowed() ? "true" : "false") << Endl;
         }
     }
 }
diff --git a/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/discovery/discovery.h b/ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/discovery/discovery.h
@@ -90,9 +90,19 @@ class TWhoAmIResult : public TStatus {
     TWhoAmIResult(TStatus&& status, const Ydb::Discovery::WhoAmIResult& proto);
     const std::string& GetUserName() const;
     const std::vector<std::string>& GetGroups() const;
+    bool IsTokenRequired() const;
+    bool IsAdministrationAllowed() const;
+    bool IsMonitoringAllowed() const;
+    bool IsViewerAllowed() const;
+    bool IsDatabaseAllowed() const;
 private:
     std::string UserName_;
     std::vector<std::string> Groups_;
+    bool IsTokenRequired_ = false;
+    bool IsAdministrationAllowed_ = false;
+    bool IsMonitoringAllowed_ = false;
+    bool IsViewerAllowed_ = false;
+    bool IsDatabaseAllowed_ = false;
 };
 
 using TAsyncWhoAmIResult = NThreading::TFuture<TWhoAmIResult>;
diff --git a/ydb/public/sdk/cpp/src/client/discovery/discovery.cpp b/ydb/public/sdk/cpp/src/client/discovery/discovery.cpp
@@ -60,6 +60,11 @@ TWhoAmIResult::TWhoAmIResult(TStatus&& status, const Ydb::Discovery::WhoAmIResul
     for (const auto& group : groups) {
         Groups_.emplace_back(group);
     }
+    IsTokenRequired_ = proto.is_token_required();
+    IsAdministrationAllowed_ = proto.is_administration_allowed();
+    IsMonitoringAllowed_ = proto.is_monitoring_allowed();
+    IsViewerAllowed_ = proto.is_viewer_allowed();
+    IsDatabaseAllowed_ = proto.is_database_allowed();
 }
 
 const std::string& TWhoAmIResult::GetUserName() const {
@@ -70,6 +75,26 @@ const std::vector<std::string>& TWhoAmIResult::GetGroups() const {
     return Groups_;
 }
 
+bool TWhoAmIResult::IsTokenRequired() const {
+    return IsTokenRequired_;
+}
+
+bool TWhoAmIResult::IsAdministrationAllowed() const {
+    return IsAdministrationAllowed_;
+}
+
+bool TWhoAmIResult::IsMonitoringAllowed() const {
+    return IsMonitoringAllowed_;
+}
+
+bool TWhoAmIResult::IsViewerAllowed() const {
+    return IsViewerAllowed_;
+}
+
+bool TWhoAmIResult::IsDatabaseAllowed() const {
+    return IsDatabaseAllowed_;
+}
+
 TNodeLocation::TNodeLocation(const Ydb::Discovery::NodeLocation& location)
     : DataCenterNum(location.has_data_center_num() ? std::make_optional(location.data_center_num()) : std::nullopt)
     , RoomNum(location.has_room_num() ? std::make_optional(location.room_num()) : std::nullopt)
diff --git a/ydb/services/ydb/ut/ya.make b/ydb/services/ydb/ut/ya.make
@@ -29,6 +29,7 @@ SRCS(
     ydb_ldap_login_ut.cpp
     ydb_login_ut.cpp
     ydb_object_storage_ut.cpp
+    ydb_whoami_ut.cpp
 )
 
 PEERDIR(
@@ -51,6 +52,7 @@ PEERDIR(
     ydb/public/lib/yson_value
     ydb/public/lib/ut_helpers
     ydb/public/lib/ydb_cli/commands
+    ydb/public/sdk/cpp/src/client/discovery
     ydb/public/sdk/cpp/src/client/draft
     ydb/public/sdk/cpp/src/client/coordination
     ydb/public/sdk/cpp/src/client/export
diff --git a/ydb/services/ydb/ydb_whoami_ut.cpp b/ydb/services/ydb/ydb_whoami_ut.cpp
@@ -0,0 +1,255 @@
+#include <library/cpp/testing/unittest/tests_data.h>
+#include <library/cpp/testing/unittest/registar.h>
+
+#include <ydb/core/base/storage_pools.h>
+#include <ydb/core/testlib/test_client.h>
+
+#include <ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/discovery/discovery.h>
+
+#include "ydb_common_ut.h"
+
+namespace NKikimr {
+
+using namespace Tests;
+using namespace NYdb;
+
+namespace {
+
+struct TServerInitialization {
+    bool EnforceUserToken = true;
+    std::vector<TString> AdministrationAllowedSids = {};
+    std::vector<TString> MonitoringAllowedSids = {};
+    std::vector<TString> ViewerAllowedSids = {};
+    std::vector<TString> DatabaseAllowedSids = {};
+};
+
+NKikimrConfig::TAppConfig GetWhoAmIAppConfig(const TServerInitialization& serverInitialization) {
+    auto config = NKikimrConfig::TAppConfig();
+
+    auto& securityConfig = *config.MutableDomainsConfig()->MutableSecurityConfig();
+    securityConfig.SetEnforceUserTokenRequirement(serverInitialization.EnforceUserToken);
+
+    for (const auto& sid : serverInitialization.AdministrationAllowedSids) {
+        securityConfig.AddAdministrationAllowedSIDs(sid);
+    }
+    for (const auto& sid : serverInitialization.MonitoringAllowedSids) {
+        securityConfig.AddMonitoringAllowedSIDs(sid);
+    }
+    for (const auto& sid : serverInitialization.ViewerAllowedSids) {
+        securityConfig.AddViewerAllowedSIDs(sid);
+    }
+    for (const auto& sid : serverInitialization.DatabaseAllowedSids) {
+        securityConfig.AddDatabaseAllowedSIDs(sid);
+    }
+
+    return config;
+}
+
+NDiscovery::TWhoAmIResult WhoAmI(ui16 grpc, const TString& token, bool withGroups) {
+    TString location = TStringBuilder() << "localhost:" << grpc;
+    TDriverConfig config;
+    config.SetEndpoint(location);
+    config.SetAuthToken(token);
+    config.SetDatabase("/Root");
+    auto connection = NYdb::TDriver(config);
+    NYdb::NDiscovery::TDiscoveryClient discoveryClient = NYdb::NDiscovery::TDiscoveryClient(connection);
+    auto settings = NDiscovery::TWhoAmISettings().WithGroups(withGroups);
+    auto result = discoveryClient.WhoAmI(settings).GetValueSync();
+    connection.Stop(true);
+    return result;
+}
+
+} // namespace
+
+Y_UNIT_TEST_SUITE(TWhoAmI) {
+
+    Y_UNIT_TEST(WhoAmIBasic) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", false);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+    }
+
+    Y_UNIT_TEST(WhoAmIWithGroups) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", true);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+        // Check that we got groups (even if empty, the call should succeed)
+        auto groups = result.GetGroups();
+        // User might have groups or not, depending on setup
+    }
+
+    Y_UNIT_TEST(WhoAmIWithPermissions_NoPermissions) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true,
+            .AdministrationAllowedSids = {},
+            .MonitoringAllowedSids = {},
+            .ViewerAllowedSids = {},
+            .DatabaseAllowedSids = {}
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", true);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+        UNIT_ASSERT_VALUES_EQUAL(result.IsTokenRequired(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), false);
+    }
+
+    Y_UNIT_TEST(WhoAmIWithPermissions_DatabaseAllowed) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true,
+            .DatabaseAllowedSids = {"user1@builtin"}
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", true);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+        UNIT_ASSERT_VALUES_EQUAL(result.IsTokenRequired(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), true);
+    }
+
+    Y_UNIT_TEST(WhoAmIWithPermissions_ViewerAllowed) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true,
+            .ViewerAllowedSids = {"user1@builtin"}
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", true);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+        UNIT_ASSERT_VALUES_EQUAL(result.IsTokenRequired(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), true);
+        // Viewer implies database access
+        UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), true);
+    }
+
+    Y_UNIT_TEST(WhoAmIWithPermissions_MonitoringAllowed) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true,
+            .MonitoringAllowedSids = {"user1@builtin"}
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", true);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+        UNIT_ASSERT_VALUES_EQUAL(result.IsTokenRequired(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), true);
+        // Monitoring implies viewer and database access
+        UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), true);
+    }
+
+    Y_UNIT_TEST(WhoAmIWithPermissions_AdministrationAllowed) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true,
+            .AdministrationAllowedSids = {"user1@builtin"}
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", true);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+        UNIT_ASSERT_VALUES_EQUAL(result.IsTokenRequired(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), true);
+        // Administration implies all other permissions
+        UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), true);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), true);
+    }
+
+    Y_UNIT_TEST(WhoAmIWithPermissions_TokenNotRequired) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = false
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", true);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_VALUES_EQUAL(result.IsTokenRequired(), false);
+    }
+
+    Y_UNIT_TEST(WhoAmIWithoutGroups_NoPermissions) {
+        // When withGroups is false, permission fields should not be populated
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true,
+            .AdministrationAllowedSids = {"user1@builtin"}
+        }));
+        ui16 grpc = server.GetPort();
+
+        auto result = WhoAmI(grpc, "user1@builtin", false);
+        UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+        UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "user1@builtin");
+        // Without groups flag, permissions should not be populated (all false)
+        UNIT_ASSERT_VALUES_EQUAL(result.IsTokenRequired(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), false);
+        UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), false);
+    }
+
+    Y_UNIT_TEST(WhoAmIWithPermissions_DifferentUser) {
+        TBasicKikimrWithGrpcAndRootSchema<TKikimrTestWithAuth> server(GetWhoAmIAppConfig({
+            .EnforceUserToken = true,
+            .AdministrationAllowedSids = {"admin@builtin"},
+            .ViewerAllowedSids = {"viewer@builtin"}
+        }));
+        ui16 grpc = server.GetPort();
+
+        // Test admin user
+        {
+            auto result = WhoAmI(grpc, "admin@builtin", true);
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+            UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "admin@builtin");
+            UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), true);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), true);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), true);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), true);
+        }
+
+        // Test viewer user
+        {
+            auto result = WhoAmI(grpc, "viewer@builtin", true);
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+            UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "viewer@builtin");
+            UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), false);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), false);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), true);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), true);
+        }
+
+        // Test regular user
+        {
+            auto result = WhoAmI(grpc, "regular@builtin", true);
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToOneLineString());
+            UNIT_ASSERT_STRINGS_EQUAL(result.GetUserName(), "regular@builtin");
+            UNIT_ASSERT_VALUES_EQUAL(result.IsAdministrationAllowed(), false);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsMonitoringAllowed(), false);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsViewerAllowed(), false);
+            UNIT_ASSERT_VALUES_EQUAL(result.IsDatabaseAllowed(), false);
+        }
+    }
+}
+
+} // namespace NKikimr

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,13 @@ void TCommandWhoAmI::PrintResponse(NDiscovery::TWhoAmIResult& result) {`
`100`	`100`	`} else {`
`101`	`101`	`Cout << Endl << "User has no groups" << Endl;`
`102`	`102`	`}`
	`103`	`+`
	`104`	`+ Cout << Endl << "Effective permissions:" << Endl;`
	`105`	`+ Cout << " Token required: " << (result.IsTokenRequired() ? "true" : "false") << Endl;`
	`106`	`+ Cout << " Database access allowed: " << (result.IsDatabaseAllowed() ? "true" : "false") << Endl;`
	`107`	`+ Cout << " Viewer access allowed: " << (result.IsViewerAllowed() ? "true" : "false") << Endl;`
	`108`	`+ Cout << " Monitoring access allowed: " << (result.IsMonitoringAllowed() ? "true" : "false") << Endl;`
	`109`	`+ Cout << " Administration access allowed: " << (result.IsAdministrationAllowed() ? "true" : "false") << Endl;`
`103`	`110`	`}`
`104`	`111`	`}`
`105`	`112`	`}`