[Filestore] allow for some actions to ignore auth (#2009)

allow for some actions to ignore auth
ydb-platform · Sep 12, 2024 · 3d84737 · 3d84737
1 parent 8764d22
commit 3d84737
Show file tree

Hide file tree

Showing 10 changed files with 60 additions and 13 deletions.
diff --git a/cloud/filestore/config/server.proto b/cloud/filestore/config/server.proto
@@ -52,6 +52,9 @@ message TServerConfig
     // Unix-socket details.
     optional string UnixSocketPath = 17;
     optional uint32 UnixSocketBacklog = 18;
+
+    // List of actions served by the server without authorization.
+    repeated string ActionsNoAuth = 19;
 }
 
 ////////////////////////////////////////////////////////////////////////////////

diff --git a/cloud/filestore/libs/daemon/server/bootstrap.cpp b/cloud/filestore/libs/daemon/server/bootstrap.cpp
@@ -141,7 +141,8 @@ void TBootstrapServer::InitKikimrService()
 
     Service = CreateAuthService(
         std::move(Service),
-        CreateKikimrAuthProvider(ActorSystem));
+        CreateKikimrAuthProvider(ActorSystem),
+        Configs->ServerConfig->GetActionsNoAuth());
 
     STORAGE_INFO("AuthService initialized");
 }

diff --git a/cloud/filestore/libs/endpoint/service_auth.cpp b/cloud/filestore/libs/endpoint/service_auth.cpp
@@ -72,7 +72,7 @@ class TAuthService final
     {
         const auto& headers = request->GetHeaders();
         const auto& internal = headers.GetInternal();
-        auto permissions = GetRequestPermissions(*request);
+        auto permissions = GetRequestPermissions(*request, {});
 
         bool needAuth = AuthProvider->NeedAuth(
             internal.GetRequestSource(),

diff --git a/cloud/filestore/libs/server/config.cpp b/cloud/filestore/libs/server/config.cpp
@@ -36,6 +36,8 @@ constexpr TDuration Seconds(int s)
     xxx(Certs,                       TVector<TCertificate>,     {}            )\
     xxx(UnixSocketPath,              TString,                   {}            )\
     xxx(UnixSocketBacklog,           ui32,                      16            )\
+                                                                               \
+    xxx(ActionsNoAuth,               TVector<TString>,          {}            )\
 // FILESTORE_SERVER_CONFIG
 
 #define FILESTORE_SERVER_DECLARE_CONFIG(name, type, value)                     \
@@ -71,6 +73,17 @@ TVector<TCertificate> ConvertValue(
     return v;
 }
 
+template <>
+TVector<TString> ConvertValue(
+    const google::protobuf::RepeatedPtrField<TString>& value)
+{
+    TVector<TString> v;
+    for (const auto& x : value) {
+        v.push_back(x);
+    }
+    return v;
+}
+
 template <typename T>
 bool IsEmpty(const T& t)
 {
@@ -105,6 +118,17 @@ void DumpImpl(const TVector<TCertificate>& value, IOutputStream& os)
     }
 }
 
+template <>
+void DumpImpl(const TVector<TString>& value, IOutputStream& os)
+{
+    for (size_t i = 0; i < value.size(); ++i) {
+        if (i) {
+            os << ",";
+        }
+        os << value[i];
+    }
+}
+
 }   // namespace
 
 ////////////////////////////////////////////////////////////////////////////////

diff --git a/cloud/filestore/libs/server/config.h b/cloud/filestore/libs/server/config.h
@@ -55,6 +55,8 @@ class TServerConfig
     TString GetUnixSocketPath() const;
     ui32 GetUnixSocketBacklog() const;
 
+    TVector<TString> GetActionsNoAuth() const;
+
     const NProto::TServerConfig& GetProto() const
     {
         return ProtoConfig;

diff --git a/cloud/filestore/libs/service/auth_scheme.cpp b/cloud/filestore/libs/service/auth_scheme.cpp
@@ -99,7 +99,8 @@ TPermissionList GetRequestPermissions(EFileStoreRequest requestType)
 }
 
 TPermissionList GetRequestPermissions(
-    const NProto::TExecuteActionRequest& request)
+    const NProto::TExecuteActionRequest& request,
+    const TVector<TString>& actionsNoAuth)
 {
     TString action = request.GetAction();
     action.to_lower();
@@ -108,6 +109,10 @@ TPermissionList GetRequestPermissions(
         return std::pair {name, std::move(lst)};
     };
 
+    if (!!FindPtr(actionsNoAuth, action)) {
+        return TPermissionList();
+    }
+
     static const THashMap<TString, TPermissionList> actions = {
         // Get
         perms("getstorageconfigfields", CreatePermissionList({EPermission::Get})),

diff --git a/cloud/filestore/libs/service/auth_scheme.h b/cloud/filestore/libs/service/auth_scheme.h
@@ -14,13 +14,15 @@ namespace NCloud::NFileStore {
 TPermissionList GetRequestPermissions(EFileStoreRequest requestType);
 
 template <typename T>
-TPermissionList GetRequestPermissions(const T& request)
+TPermissionList GetRequestPermissions(
+    const T& request,
+    const TVector<TString>& actionsNoAuth)
 {
-    Y_UNUSED(request);
+    Y_UNUSED(request, actionsNoAuth);
     return GetRequestPermissions(GetFileStoreRequest<T>());
 }
 
 TPermissionList GetRequestPermissions(
-    const NProto::TExecuteActionRequest& request);
+    const NProto::TExecuteActionRequest& request, const TVector<TString>& actionsNoAuth);
 
 }   // namespace NCloud::NFileStore
diff --git a/cloud/filestore/libs/service/service_auth.cpp b/cloud/filestore/libs/service/service_auth.cpp
@@ -22,13 +22,16 @@ class TAuthService final
 private:
     const IFileStoreServicePtr Service;
     const IAuthProviderPtr AuthProvider;
+    const TVector<TString> ActionsNoAuth;
 
 public:
     TAuthService(
             IFileStoreServicePtr service,
-            IAuthProviderPtr authProvider)
+            IAuthProviderPtr authProvider,
+            TVector<TString> actionsNoAuth)
         : Service(std::move(service))
         , AuthProvider(std::move(authProvider))
+        , ActionsNoAuth(std::move(actionsNoAuth))
     {}
 
     void Start() override
@@ -78,7 +81,7 @@ class TAuthService final
     {
         const auto& headers = request->GetHeaders();
         const auto& internal = headers.GetInternal();
-        auto permissions = GetRequestPermissions(*request);
+        auto permissions = GetRequestPermissions(*request, ActionsNoAuth);
 
         bool needAuth = AuthProvider->NeedAuth(
             internal.GetRequestSource(),
@@ -149,11 +152,13 @@ class TAuthService final
 
 IFileStoreServicePtr CreateAuthService(
     IFileStoreServicePtr service,
-    IAuthProviderPtr authProvider)
+    IAuthProviderPtr authProvider,
+    const TVector<TString>& actionsNoAuth)
 {
     return std::make_shared<TAuthService>(
         std::move(service),
-        std::move(authProvider));
+        std::move(authProvider),
+        actionsNoAuth);
 }
 
 }   // namespace NCloud::NFileStore
diff --git a/cloud/filestore/libs/service/service_auth.h b/cloud/filestore/libs/service/service_auth.h
@@ -2,12 +2,15 @@
 
 #include "public.h"
 
+#include <util/generic/vector.h>
+
 namespace NCloud::NFileStore {
 
 ////////////////////////////////////////////////////////////////////////////////
 
 IFileStoreServicePtr CreateAuthService(
     IFileStoreServicePtr service,
-    IAuthProviderPtr authProvider);
+    IAuthProviderPtr authProvider,
+    const TVector<TString>& actionsNoAuth);
 
 }   // namespace NCloud::NFileStore
diff --git a/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp b/cloud/filestore/libs/service_kikimr/auth_provider_kikimr_ut.cpp
@@ -101,7 +101,8 @@ Y_UNIT_TEST_SUITE(TKikimrAuthProviderTest)
 
         auto service = CreateAuthService(
             testService,
-            CreateKikimrAuthProvider(actorSystem));
+            CreateKikimrAuthProvider(actorSystem),
+            {});
 
         // When requiring authorization and failing it, we fail the request.
         {
@@ -185,7 +186,8 @@ Y_UNIT_TEST_SUITE(TKikimrAuthProviderTest)
 
         auto service = CreateAuthService(
             std::make_shared<TFileStoreTest>(),
-            CreateKikimrAuthProvider(actorSystem));
+            CreateKikimrAuthProvider(actorSystem),
+            {});
 
         auto request = std::make_shared<NProto::TCreateFileStoreRequest>();
         auto& headers = *request->MutableHeaders();