Skip to content

25-1: security: improve database admin access check #15189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ijon merged 5 commits into from
Mar 3, 2025
Merged

25-1: security: improve database admin access check #15189

ijon merged 5 commits into from
Mar 3, 2025

Conversation

@ijon
Copy link
Collaborator

@ijon ijon commented Feb 28, 2025
edited
Loading

Merge from main:

Improvements for enable_strict_user_management+enable_database_admin+domain_login_only mode:

  • database admin must have the same access to sysviews (in its own database) as cluster admin
  • database admin must not be able to administer database admins

ijon and others added 4 commits February 28, 2025 13:50
@ijon
sysview: add access for database admins (ydb-platform#15098)
c148134 
Give database admins the same unlimited rights to view system views about users, groups, and their permissions as cluster admins have.

For the ordinary users:
- `.sys/auth_groups` and `.sys/auth_group_members` are closed
- `.sys/auth_users` is filtered to show only the user himself

Cluster admins and now database admins do not have those restrictions.
@kungasc @ijon
Test tenant access to auth sys views (ydb-platform#15121)
c11c293
@ijon
tests: support testenv setup in non-anonymous mode (ydb-platform#15130)
1baa1a8 
Add support for fully authenticated setup operations to `tests/library/`.
Before that library could only execute cluster setup, configuration and database manipulation in anonymous mode or in the mode when every user is a cluster admin.
Now `tests/library/` can operate when `administration_allowed_lists` is not empty and `enforce_user_token_requirement=True`.
@kungasc @ijon
SysView Auth Uncomment database admin test cases (ydb-platform#15180)
5941790
@github-actions

This comment was marked as outdated.

Sign in to view
@github-actions

This comment was marked as outdated.

Sign in to view
@ijon ijon changed the title security: improve database admin access check 25-1: security: improve database admin access check Feb 28, 2025
@github-actions
Copy link

github-actions bot commented Mar 3, 2025
edited
Loading

2025-03-03 10:45:13 UTC Pre-commit check linux-x86_64-relwithdebinfo for 675afe0 has started.
2025-03-03 10:45:27 UTC Artifacts will be uploaded here
2025-03-03 10:48:38 UTC ya make is running...
🟡 2025-03-03 12:29:59 UTC Some tests failed, follow the links below. Going to retry failed tests...

Details

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
28401 25797 0 7 2463 134

2025-03-03 12:32:31 UTC ya make is running... (failed tests rerun, try 2)
🟢 2025-03-03 12:52:57 UTC Tests successful.

Test history | Ya make output | Test bloat | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
216 (only retried tests) 81 0 0 5 130

🟢 2025-03-03 12:53:04 UTC Build successful.
🟢 2025-03-03 12:53:23 UTC ydbd size 2.1 GiB changed* by +83.3 KiB, which is < 100.0 KiB vs stable-25-1: OK

ydbd size dash stable-25-1: f1d2097 merge: 675afe0 diff diff %
ydbd size 2 241 771 696 Bytes 2 241 856 976 Bytes +83.3 KiB +0.004%
ydbd stripped size 474 818 744 Bytes 474 829 880 Bytes +10.9 KiB +0.002%

*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation

@github-actions
Copy link

github-actions bot commented Mar 3, 2025
edited
Loading

2025-03-03 10:46:02 UTC Pre-commit check linux-x86_64-release-asan for 675afe0 has started.
2025-03-03 10:46:17 UTC Artifacts will be uploaded here
2025-03-03 10:49:38 UTC ya make is running...
🟡 2025-03-03 12:38:41 UTC Some tests failed, follow the links below. This fail is not in blocking policy yet Going to retry failed tests...

Details

Test history | Ya make output | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
14143 14029 0 63 11 40

2025-03-03 12:40:08 UTC ya make is running... (failed tests rerun, try 2)
🟢 2025-03-03 13:01:17 UTC Tests successful.

Test history | Ya make output | Test bloat | Test bloat

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
164 (only retried tests) 128 0 0 0 36

🟢 2025-03-03 13:01:24 UTC Build successful.
🟡 2025-03-03 13:01:51 UTC ydbd size 3.6 GiB changed* by +178.1 KiB, which is >= 100.0 KiB vs stable-25-1: Warning

ydbd size dash stable-25-1: f1d2097 merge: 675afe0 diff diff %
ydbd size 3 899 536 608 Bytes 3 899 719 024 Bytes +178.1 KiB +0.005%
ydbd stripped size 1 364 882 512 Bytes 1 364 926 608 Bytes +43.1 KiB +0.003%

*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation

@ijon ijon marked this pull request as ready for review March 3, 2025 18:21
@ijon ijon requested a review from a team as a code owner March 3, 2025 18:21
@ijon ijon merged commit c2c5f12 into ydb-platform:stable-25-1 Mar 3, 2025
12 checks passed
@ijon ijon deleted the merge/25-1/security-database-admin-access-bundle branch March 3, 2025 18:24
@StekPerepolnen StekPerepolnen mentioned this pull request Sep 15, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fomichev3000 fomichev3000 fomichev3000 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ijon @fomichev3000 @kungasc