secrets have been fixed (ydb-platform#7409)
dorooleg authored and Oleg Doronin committed Aug 8, 2024
1 parent c7dd98e commit 33f042d
Showing 4 changed files with 65 additions and 36 deletions.
Expand Up @@ -396,6 +396,7 @@ class TSynchronizeScopeActor : public NActors::TActorBootstrapped<TSynchronizeSc

request.Get()->Get()->YDBClient = Client;
request.Get()->Get()->ComputeDatabase = ComputeDatabase;
request.Get()->Get()->Scope = Scope;

Register(NFq::NPrivate::MakeCreateConnectionActor(
SelfId(),
Expand Down Expand Up @@ -425,6 +426,7 @@ class TSynchronizeScopeActor : public NActors::TActorBootstrapped<TSynchronizeSc

request.Get()->Get()->YDBClient = Client;
request.Get()->Get()->ComputeDatabase = ComputeDatabase;
request.Get()->Get()->Scope = Scope;

auto it = Connections.find(binding.second.content().connection_id());
if (it == Connections.end()) {
44 changes: 30 additions & 14 deletions ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp
Expand Up @@ -11,6 +11,14 @@
namespace NFq {
namespace NPrivate {

namespace {

TString MakeSecretKeyName(const TString& prefix, const TString& folderId, const TString& name) {
return TStringBuilder{} << prefix << "_" << folderId << "_" << name;
}

}

TString MakeCreateExternalDataTableQuery(const FederatedQuery::BindingContent& content,
const TString& connectionName,
bool replaceIfExists) {
Expand Down Expand Up @@ -94,7 +102,8 @@ TString SignAccountId(const TString& id, const TSigner::TPtr& signer) {

TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting& setting,
const TString& name,
const TSigner::TPtr& signer) {
const TSigner::TPtr& signer,
const TString& folderId) {
using namespace fmt::literals;
TString secretObjects;
auto serviceAccountId = ExtractServiceAccountId(setting);
Expand All @@ -103,7 +112,7 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
R"(
UPSERT OBJECT {sa_secret_name} (TYPE SECRET) WITH value={signature};
)",
"sa_secret_name"_a = EncloseAndEscapeString("k1" + name, '`'),
"sa_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f1", folderId, name), '`'),
"signature"_a = EncloseSecret(EncloseAndEscapeString(SignAccountId(serviceAccountId, signer), '"'))) : std::string{};
}

Expand All @@ -113,7 +122,7 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
R"(
UPSERT OBJECT {password_secret_name} (TYPE SECRET) WITH value={password};
)",
"password_secret_name"_a = EncloseAndEscapeString("k2" + name, '`'),
"password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '`'),
"password"_a = EncloseSecret(EncloseAndEscapeString(*password, '"')));
}

Expand All @@ -122,7 +131,8 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&

TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
const TString& name,
const TSigner::TPtr& signer) {
const TSigner::TPtr& signer,
const TString& folderId) {
using namespace fmt::literals;
auto authMethod = GetYdbComputeAuthMethod(setting);
switch (authMethod) {
Expand All @@ -139,7 +149,7 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
)",
"auth_method"_a = ToString(authMethod),
"service_account_id"_a = EncloseAndEscapeString(ExtractServiceAccountId(setting), '"'),
"sa_secret_name"_a = EncloseAndEscapeString(signer ? "k1" + name : TString{}, '"'));
"sa_secret_name"_a = EncloseAndEscapeString(signer ? MakeSecretKeyName("f1", folderId, name) : TString{}, '"'));
case EYdbComputeAuth::BASIC:
return fmt::format(
R"(,
Expand All @@ -149,7 +159,7 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
)",
"auth_method"_a = ToString(authMethod),
"login"_a = EncloseAndEscapeString(GetLogin(setting).GetOrElse({}), '"'),
"password_secret_name"_a = EncloseAndEscapeString("k2" + name, '"'));
"password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '"'));
case EYdbComputeAuth::MDB_BASIC:
return fmt::format(
R"(,
Expand All @@ -161,17 +171,18 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
)",
"auth_method"_a = ToString(authMethod),
"service_account_id"_a = EncloseAndEscapeString(ExtractServiceAccountId(setting), '"'),
"sa_secret_name"_a = EncloseAndEscapeString(signer ? "k1" + name : TString{}, '"'),
"sa_secret_name"_a = EncloseAndEscapeString(signer ? MakeSecretKeyName("f1", folderId, name) : TString{}, '"'),
"login"_a = EncloseAndEscapeString(GetLogin(setting).GetOrElse({}), '"'),
"password_secret_name"_a = EncloseAndEscapeString("k2" + name, '"'));
"password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '"'));
}
}

TString MakeCreateExternalDataSourceQuery(
const FederatedQuery::ConnectionContent& connectionContent,
const TSigner::TPtr& signer,
const NConfig::TCommonConfig& common,
bool replaceIfExists) {
bool replaceIfExists,
const TString& folderId) {
using namespace fmt::literals;

TString properties;
Expand Down Expand Up @@ -278,20 +289,25 @@ TString MakeCreateExternalDataSourceQuery(
"auth_params"_a =
CreateAuthParamsQuery(connectionContent.setting(),
connectionContent.name(),
signer));
signer,
folderId));
}

TMaybe<TString> DropSecretObjectQuery(const TString& name) {
TMaybe<TString> DropSecretObjectQuery(const TString& name, const TString& folderId) {
using namespace fmt::literals;
return fmt::format(
R"(
DROP OBJECT {secret_name1} (TYPE SECRET);
DROP OBJECT {secret_name2} (TYPE SECRET);
DROP OBJECT {secret_name3} (TYPE SECRET); -- for backward compatibility
DROP OBJECT {secret_name4} (TYPE SECRET); -- for backward compatibility
DROP OBJECT {secret_name5} (TYPE SECRET); -- for backward compatibility
)",
"secret_name1"_a = EncloseAndEscapeString("k1" + name, '`'),
"secret_name2"_a = EncloseAndEscapeString("k2" + name, '`'),
"secret_name3"_a = EncloseAndEscapeString(name, '`'));
"secret_name1"_a = EncloseAndEscapeString(MakeSecretKeyName("f1", folderId, name), '`'),
"secret_name2"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '`'),
"secret_name3"_a = EncloseAndEscapeString(TStringBuilder{} << "k1" << name, '`'),
"secret_name4"_a = EncloseAndEscapeString(TStringBuilder{} << "k2" << name, '`'),
"secret_name5"_a = EncloseAndEscapeString(name, '`'));
}

TString MakeDeleteExternalDataTableQuery(const TString& tableName) {
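Review bot: `MakeSecretKeyName` at the top of the file joins prefix, folderId and name with a bare `_`, so the result is ambiguous whenever folderId or name can itself contain `_` (folder `a_b` with name `c` and folder `a` with name `b_c` both yield `f1_a_b_c`), which would let two connections in different folders share one SECRET object, the very collision this commit sets out to remove. If folder ids are guaranteed to be free of `_` that invariant belongs on the helper, e.g. `// Secret names are scoped per folder; the separator must not occur in folderId.`; otherwise use a separator that cannot appear in either part or length-prefix the components. The backward-compatibility DROPs in `DropSecretObjectQuery` also remove the unscoped legacy names `k1<name>`/`k2<name>`, which were shared across folders, so deleting a connection in one folder may drop a legacy secret that a not-yet-migrated connection with the same name in another folder still references; worth confirming that is intended and noting it next to the `-- for backward compatibility` lines.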
8 changes: 5 additions & 3 deletions ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h
Expand Up @@ -10,15 +10,17 @@ namespace NPrivate {

TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting& setting,
const TString& name,
const TSigner::TPtr& signer);
const TSigner::TPtr& signer,
const TString& folderId);

TMaybe<TString> DropSecretObjectQuery(const TString& name);
TMaybe<TString> DropSecretObjectQuery(const TString& name, const TString& folderId);

TString MakeCreateExternalDataSourceQuery(
const FederatedQuery::ConnectionContent& connectionContent,
const TSigner::TPtr& signer,
const NConfig::TCommonConfig& common,
bool replaceIfExists);
bool replaceIfExists,
const TString& folderId);

TString MakeDeleteExternalDataSourceQuery(const TString& sourceName);

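Review bot: The new `folderId` parameter on `CreateSecretObjectQuery`, `DropSecretObjectQuery` and `MakeCreateExternalDataSourceQuery` is undocumented, yet it now becomes part of the generated SECRET object name, so a create and a later drop for the same connection only match if they are issued with the same folderId. A short comment on the first declaration, e.g. `// folderId scopes the generated SECRET object names; create and drop must pass the same value`, would make that contract visible where callers look. Stating it in the header rather than only in query_utils.cpp keeps the requirement next to the signatures.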
Expand Up @@ -9,6 +9,7 @@
#include <ydb/core/fq/libs/control_plane_proxy/events/events.h>
#include <ydb/core/fq/libs/control_plane_storage/control_plane_storage.h>
#include <ydb/public/api/protos/draft/fq.pb.h>
#include <ydb/public/lib/fq/scope.h>
#include <ydb/public/sdk/cpp/client/ydb_table/table.h>

namespace NFq::NPrivate {
Expand Down Expand Up @@ -418,7 +419,7 @@ class TGenerateRecoverySQLIfExternalDataSourceAlreadyExistsActor :

event->IsExactNameMatch = true;

TBase::Send(NFq::ControlPlaneStorageServiceActorId(), event);
TBase::Send(::NFq::ControlPlaneStorageServiceActorId(), event);
}

STRICT_STFUNC(StateFunc, cFunc(NActors::TEvents::TSystem::Wakeup, TBase::HandleTimeout);
Expand Down Expand Up @@ -493,7 +494,7 @@ class TGenerateRecoverySQLIfExternalDataTableAlreadyExistsActor :

event->IsExactNameMatch = true;

TBase::Send(NFq::ControlPlaneStorageServiceActorId(), event);
TBase::Send(::NFq::ControlPlaneStorageServiceActorId(), event);
}

STRICT_STFUNC(StateFunc, cFunc(NActors::TEvents::TSystem::Wakeup, TBase::HandleTimeout);
Expand Down Expand Up @@ -543,7 +544,7 @@ IActor* MakeCreateConnectionActor(
TCounters& counters,
TPermissions permissions,
const TCommonConfig& commonConfig,
const NFq::TComputeConfig& computeConfig,
const ::NFq::TComputeConfig& computeConfig,
TSigner::TPtr signer,
bool withoutRollback,
TMaybe<TString> connectionId) {
Expand All @@ -557,10 +558,13 @@ IActor* MakeCreateConnectionActor(
computeConfig](const TEvControlPlaneProxy::TEvCreateConnectionRequest::TPtr& req)
-> std::vector<TSchemaQueryTask> {
auto& connectionContent = req->Get()->Request.content();
const auto& scope = req->Get()->Scope;
const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();

auto createSecretStatement = CreateSecretObjectQuery(connectionContent.setting(),
connectionContent.name(),
signer);
signer,
folderId);

std::vector<TSchemaQueryTask> statements;
if (createSecretStatement) {
Expand Down Expand Up @@ -603,7 +607,7 @@ IActor* MakeCreateConnectionActor(
statements.push_back(TSchemaQueryTask{
.SQL = MakeCreateExternalDataSourceQuery(
connectionContent, signer, commonConfig,
computeConfig.IsReplaceIfExistsSyntaxSupported()),
computeConfig.IsReplaceIfExistsSyntaxSupported(), folderId),
.ScheduleErrorRecoverySQLGeneration =
withoutRollback
? NoRecoverySQLGeneration()
Expand Down Expand Up @@ -647,7 +651,7 @@ IActor* MakeModifyConnectionActor(
TDuration requestTimeout,
TCounters& counters,
const TCommonConfig& commonConfig,
const NFq::TComputeConfig& computeConfig,
const ::NFq::TComputeConfig& computeConfig,
TSigner::TPtr signer) {
auto queryFactoryMethod =
[signer = std::move(signer),
Expand All @@ -659,21 +663,24 @@ IActor* MakeModifyConnectionActor(
auto& oldConnectionContent = (*request->Get()->OldConnectionContent);
auto& oldBindings = request->Get()->OldBindingContents;
auto& newConnectionContent = request->Get()->Request.content();
const auto& scope = request->Get()->Scope;
const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();

auto dropOldSecret =
DropSecretObjectQuery(oldConnectionContent.name());
DropSecretObjectQuery(oldConnectionContent.name(), folderId);
auto createNewSecret =
CreateSecretObjectQuery(newConnectionContent.setting(),
newConnectionContent.name(),
signer);
signer,
folderId);

bool replaceSupported = computeConfig.IsReplaceIfExistsSyntaxSupported();
if (replaceSupported &&
oldConnectionContent.name() == newConnectionContent.name()) {
// CREATE OR REPLACE
auto createSecretStatement =
CreateSecretObjectQuery(newConnectionContent.setting(),
newConnectionContent.name(), signer);
newConnectionContent.name(), signer, folderId);

std::vector<TSchemaQueryTask> statements;
if (createSecretStatement) {
Expand All @@ -683,7 +690,7 @@ IActor* MakeModifyConnectionActor(

statements.push_back(TSchemaQueryTask{
.SQL = MakeCreateExternalDataSourceQuery(
newConnectionContent, signer, commonConfig, replaceSupported)});
newConnectionContent, signer, commonConfig, replaceSupported, folderId)});
return statements;
}

Expand Down Expand Up @@ -712,26 +719,26 @@ IActor* MakeModifyConnectionActor(
statements.push_back(TSchemaQueryTask{
.SQL = TString{MakeDeleteExternalDataSourceQuery(oldConnectionContent.name())},
.RollbackSQL = TString{MakeCreateExternalDataSourceQuery(
oldConnectionContent, signer, commonConfig, false)},
oldConnectionContent, signer, commonConfig, false, folderId)},
.ShouldSkipStepOnError = IsPathDoesNotExistIssue});

if (dropOldSecret) {
statements.push_back(TSchemaQueryTask{
.SQL = *dropOldSecret,
.RollbackSQL = CreateSecretObjectQuery(oldConnectionContent.setting(),
oldConnectionContent.name(),
signer),
signer, folderId),
.ShouldSkipStepOnError = IsPathDoesNotExistIssue});
}
if (createNewSecret) {
statements.push_back(TSchemaQueryTask{.SQL = *createNewSecret,
.RollbackSQL = DropSecretObjectQuery(
newConnectionContent.name())});
newConnectionContent.name(), folderId)});
}

statements.push_back(
TSchemaQueryTask{.SQL = TString{MakeCreateExternalDataSourceQuery(
newConnectionContent, signer, commonConfig, false)},
newConnectionContent, signer, commonConfig, false, folderId)},
.RollbackSQL = TString{MakeDeleteExternalDataSourceQuery(
newConnectionContent.name())}});

Expand Down Expand Up @@ -787,23 +794,25 @@ IActor* MakeDeleteConnectionActor(
const TEvControlPlaneProxy::TEvDeleteConnectionRequest::TPtr& request)
-> std::vector<TSchemaQueryTask> {
auto& connectionContent = *request->Get()->ConnectionContent;
const auto& scope = request->Get()->Scope;
const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();

auto dropSecret =
DropSecretObjectQuery(connectionContent.name());
DropSecretObjectQuery(connectionContent.name(), folderId);

std::vector statements = {
TSchemaQueryTask{.SQL = TString{MakeDeleteExternalDataSourceQuery(
connectionContent.name())},
.RollbackSQL = MakeCreateExternalDataSourceQuery(
connectionContent, signer, commonConfig, false),
connectionContent, signer, commonConfig, false, folderId),
.ShouldSkipStepOnError = IsPathDoesNotExistIssue}};
if (dropSecret) {
statements.push_back(
TSchemaQueryTask{.SQL = *dropSecret,
.RollbackSQL =
CreateSecretObjectQuery(connectionContent.setting(),
connectionContent.name(),
signer),
signer, folderId),
.ShouldSkipStepOnError = IsPathDoesNotExistIssue});
}
return statements;
Expand Down Expand Up @@ -832,7 +841,7 @@ IActor* MakeCreateBindingActor(const TActorId& proxyActorId,
TDuration requestTimeout,
TCounters& counters,
TPermissions permissions,
const NFq::TComputeConfig& computeConfig,bool withoutRollback,
const ::NFq::TComputeConfig& computeConfig,bool withoutRollback,
TMaybe<TString> bindingId) {
auto queryFactoryMethod =
[requestTimeout, &counters, permissions, withoutRollback, computeConfig](
Expand Down Expand Up @@ -916,7 +925,7 @@ IActor* MakeModifyBindingActor(const TActorId& proxyActorId,
TEvControlPlaneProxy::TEvModifyBindingRequest::TPtr request,
TDuration requestTimeout,
TCounters& counters,
const NFq::TComputeConfig& computeConfig) {
const ::NFq::TComputeConfig& computeConfig) {
auto queryFactoryMethod =
[computeConfig](const TEvControlPlaneProxy::TEvModifyBindingRequest::TPtr& request)
-> std::vector<TSchemaQueryTask> {
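Review bot: `folderId` is derived from `req->Get()->Scope` via `NYdb::NFq::TScope{scope}.ParseFolder()` in the create, modify and delete factories with no check on the result, so a request whose Scope is unset or malformed would presumably produce an empty folder id and a name of the form `f1__<name>`, silently losing the per-folder isolation this commit introduces (what ParseFolder returns in that case is not visible here, so please confirm). A guard at the point of derivation, e.g. `Y_ENSURE(!folderId.empty(), "request scope carries no folder id");` or an explicit error result from the factory, would fail closed instead of generating an unscoped secret. The same two lines are repeated verbatim at all three sites; a small file-local helper such as `static TString FolderIdFromScope(const TString& scope)` would hold the check once and keep the three copies from drifting.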
