ydb-platform
diff --git a/‎ydb/core/protos/auth.proto‎
Lines changed: 11 additions & 0 deletions b/‎ydb/core/protos/auth.proto‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎ydb/core/tx/schemeshard/schemeshard_impl.cpp‎
Lines changed: 50 additions & 5 deletions b/‎ydb/core/tx/schemeshard/schemeshard_impl.cpp‎
Lines changed: 50 additions & 5 deletions
diff --git a/‎ydb/core/tx/schemeshard/schemeshard_impl.h‎
Lines changed: 6 additions & 0 deletions b/‎ydb/core/tx/schemeshard/schemeshard_impl.h‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎ydb/core/tx/schemeshard/ut_login/ut_login.cpp‎
Lines changed: 140 additions & 0 deletions b/‎ydb/core/tx/schemeshard/ut_login/ut_login.cpp‎
Lines changed: 140 additions & 0 deletions
@@ -56,6 +56,7 @@ message TAuthConfig {
  optional string CertificateAuthenticationDomain = 80 [default = "cert"];
  optional bool EnableLoginAuthentication = 81 [default = true];
  optional string NodeRegistrationToken = 82 [default = "root@builtin", (Ydb.sensitive) = true];
+ optional TPasswordCheckerParameters PasswordCheckerParameters = 83;
 }
 
 message TUserRegistryConfig {
@@ -122,3 +123,13 @@ message TLdapAuthentication {
  optional string Scheme = 11 [default = "ldap"];
  optional TExtendedSettings ExtendedSettings = 12;
 }
+
+message TPasswordCheckerParameters {
+ optional uint32 MinimumLength = 1 [default = 0];
+ optional uint32 MaximumLength = 2 [default = 4294967295];
+ optional bool RestrictLower = 3;
+ optional bool RestrictUpper = 4;
+ optional bool RestrictNumbers = 5;
+ optional bool RestrictSpecial = 6;
+ optional string SpecialChars = 7 [default = "!@#$%^&*()_+{}|<>?="];
+}
@@ -11,13 +11,15 @@
 #include <ydb/core/base/appdata.h>
 #include <ydb/core/base/tx_processing.h>
 #include <ydb/core/protos/feature_flags.pb.h>
+#include <ydb/core/protos/auth.pb.h>
 #include <ydb/core/engine/mkql_proto.h>
 #include <ydb/core/sys_view/partition_stats/partition_stats.h>
 #include <ydb/core/statistics/events.h>
 #include <ydb/core/statistics/service/service.h>
 #include <ydb/core/scheme/scheme_types_proto.h>
 #include <ydb/core/tx/columnshard/bg_tasks/events/events.h>
 #include <ydb/core/tx/scheme_board/events_schemeshard.h>
+#include <ydb/library/login/password_checker/password_checker.h>
 #include <yql/essentials/minikql/mkql_type_ops.h>
 #include <yql/essentials/providers/common/proto/gateways_config.pb.h>
 #include <util/random/random.h>
@@ -4432,6 +4434,16 @@ TSchemeShard::TSchemeShard(const TActorId &tablet, TTabletStorageInfo *info)
  COUNTER_PQ_STATS_WRITTEN,
  COUNTER_PQ_STATS_BATCH_LATENCY)
  , AllowDataColumnForIndexTable(0, 0, 1)
+ , PasswordCheckParameters({
+ .MinPasswordLength = AppData()->AuthConfig.GetPasswordCheckerParameters().GetMinimumLength(),
+ .MaxPasswordLength = AppData()->AuthConfig.GetPasswordCheckerParameters().GetMaximumLength(),
+ .NeedLowerCase = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictLower(),
+ .NeedUpperCase = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictUpper(),
+ .NeedNumbers = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictNumbers(),
+ .NeedSpecialSymbols = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictSpecial(),
+ .SpecialSymbols = AppData()->AuthConfig.GetPasswordCheckerParameters().GetSpecialChars()
+ })
+ , LoginProvider(PasswordCheckParameters)
 {
  TabletCountersPtr.Reset(new TProtobufTabletCounters<
  ESimpleCounters_descriptor,
@@ -7117,6 +7129,10 @@ void TSchemeShard::ApplyConsoleConfigs(const NKikimrConfig::TAppConfig& appConfi
  );
  }
 
+ if (appConfig.HasAuthConfig()) {
+ ConfigureLoginProvider(appConfig.GetAuthConfig(), ctx);
+ }
+
  if (IsSchemeShardConfigured()) {
  StartStopCompactionQueues();
  if (BackgroundCleaningQueue) {
@@ -7310,6 +7326,35 @@ void TSchemeShard::ConfigureBackgroundCleaningQueue(
  << ", InflightLimit# " << cleaningConfig.InflightLimit);
 }
 
+void TSchemeShard::ConfigureLoginProvider(
+ const ::NKikimrProto::TAuthConfig& config,
+ const TActorContext &ctx)
+{
+ const auto& passwordCheckParameters = config.GetPasswordCheckerParameters();
+ PasswordCheckParameters.SetMinPasswordLength(passwordCheckParameters.GetMinimumLength());
+ PasswordCheckParameters.SetMaxPasswordLength(passwordCheckParameters.GetMaximumLength());
+ PasswordCheckParameters.SetLowerCaseUse(passwordCheckParameters.GetRestrictLower());
+ PasswordCheckParameters.SetUpperCaseUse(passwordCheckParameters.GetRestrictUpper());
+ PasswordCheckParameters.SetNumbersUse(passwordCheckParameters.GetRestrictNumbers());
+ PasswordCheckParameters.SetSpecialSymbolsUse(passwordCheckParameters.GetRestrictSpecial());
+ PasswordCheckParameters.SetSpecialSymbols(passwordCheckParameters.GetSpecialChars());
+
+ LoginProvider.UpdatePasswordCheckParameters(PasswordCheckParameters);
+
+ auto printBool = [] (bool flag) -> TString {
+ return (flag ? "true" : "false");
+ };
+
+ LOG_NOTICE_S(ctx, NKikimrServices::FLAT_TX_SCHEMESHARD,
+ "LoginProvider configured: MinPasswordLength# " << PasswordCheckParameters.GetMinPasswordLength()
+ << ", MaxPasswordLength# " << PasswordCheckParameters.GetMaxPasswordLength()
+ << ", NeedLowerCase# " << printBool(PasswordCheckParameters.NeedLowerCaseUse())
+ << ", NeedUpperCase# " << printBool(PasswordCheckParameters.NeedUpperCaseUse())
+ << ", NeedNumbers# " << printBool(PasswordCheckParameters.NeedNumbersUse())
+ << ", NeedSpecialSymbols# " << printBool(PasswordCheckParameters.NeedSpecialSymbolsUse())
+ << ", SpecialSymbols# " << passwordCheckParameters.GetSpecialChars());
+}
+
 void TSchemeShard::StartStopCompactionQueues() {
  // note, that we don't need to check current state of compaction queue
  if (IsServerlessDomain(TPath::Init(RootPathId(), this))) {
@@ -7477,19 +7522,19 @@ void TSchemeShard::ResolveSA() {
  StatisticsAggregatorId = subDomainInfo->GetTenantStatisticsAggregatorID();
  LOG_DEBUG_S(TlsActivationContext->AsActorContext(), NKikimrServices::STATISTICS,
  "ResolveSA(), StatisticsAggregatorId=" << StatisticsAggregatorId
- << ", at schemeshard: " << TabletID()); 
+ << ", at schemeshard: " << TabletID());
  ConnectToSA();
  }
 }
 
 void TSchemeShard::ConnectToSA() {
  if (!EnableStatistics)
  return;
- 
+
  if (!StatisticsAggregatorId) {
  LOG_DEBUG_S(TlsActivationContext->AsActorContext(), NKikimrServices::STATISTICS,
  "ConnectToSA(), no StatisticsAggregatorId"
- << ", at schemeshard: " << TabletID()); 
+ << ", at schemeshard: " << TabletID());
  return;
  }
  auto policy = NTabletPipe::TClientRetryPolicy::WithRetries();
@@ -7606,8 +7651,8 @@ TDuration TSchemeShard::SendBaseStatsToSA() {
  << ", path count: " << count
  << ", at schemeshard: " << TabletID());
 
- return TDuration::Seconds(SendStatsIntervalMinSeconds 
- + RandomNumber<ui64>(SendStatsIntervalMaxSeconds - SendStatsIntervalMinSeconds)); 
+ return TDuration::Seconds(SendStatsIntervalMinSeconds
+ + RandomNumber<ui64>(SendStatsIntervalMaxSeconds - SendStatsIntervalMinSeconds));
 }
 
 } // namespace NSchemeShard
 
@@ -64,6 +64,7 @@
 #include <ydb/core/blob_depot/events.h>
 
 #include <ydb/library/login/login.h>
+#include <ydb/library/login/password_checker/password_checker.h>
 
 #include <util/generic/ptr.h>
 
@@ -496,6 +497,10 @@ class TSchemeShard
  const NKikimrConfig::TBackgroundCleaningConfig& config,
  const TActorContext &ctx);
 
+ void ConfigureLoginProvider(
+ const ::NKikimrProto::TAuthConfig& config,
+ const TActorContext &ctx);
+
  void StartStopCompactionQueues();
 
  void WaitForTableProfiles(ui64 importId, ui32 itemIdx);
@@ -1455,6 +1460,7 @@ class TSchemeShard
  void ChangeDiskSpaceSoftQuotaBytes(i64 delta) override;
  void AddDiskSpaceSoftQuotaBytes(EUserFacingStorageType storageType, ui64 addend) override;
 
+ NLogin::TPasswordCheckParameters PasswordCheckParameters;
  NLogin::TLoginProvider LoginProvider;
 
 private:
 
@@ -1,6 +1,7 @@
 #include <util/string/join.h>
 
 #include <ydb/library/login/login.h>
+#include <ydb/library/login/password_checker/password_checker.h>
 #include <ydb/library/actors/http/http_proxy.h>
 #include <ydb/library/testlib/service_mocks/ldap_mock/ldap_simple_server.h>
 #include <ydb/core/tx/schemeshard/ut_helpers/helpers.h>
@@ -27,6 +28,23 @@ void TestCreateAlterLoginCreateUser(TTestActorRuntime& runtime, ui64 txId, const
  TestModificationResults(runtime, txId, expectedResults);
 }
 
+void SetPasswordCheckerParameters(TTestActorRuntime &runtime, ui64 schemeShard, const NLogin::TPasswordCheckParameters::TInitializer& parameters) {
+ auto request = MakeHolder<NConsole::TEvConsole::TEvConfigNotificationRequest>();
+
+ ::NKikimrProto::TPasswordCheckerParameters passwordCheckParameters;
+ passwordCheckParameters.SetMinimumLength(parameters.MinPasswordLength);
+ passwordCheckParameters.SetMaximumLength(parameters.MaxPasswordLength);
+ passwordCheckParameters.SetRestrictLower(parameters.NeedLowerCase);
+ passwordCheckParameters.SetRestrictUpper(parameters.NeedUpperCase);
+ passwordCheckParameters.SetRestrictNumbers(parameters.NeedNumbers);
+ passwordCheckParameters.SetRestrictSpecial(parameters.NeedSpecialSymbols);
+ passwordCheckParameters.SetSpecialChars(parameters.SpecialSymbols);
+ *request->Record.MutableConfig()->MutableAuthConfig()->MutablePasswordCheckerParameters() = passwordCheckParameters;
+ SetConfig(runtime, schemeShard, std::move(request));
+}
+
+const TString VALID_SPECIAL_SYMBOLS = "!@#$%^&*()_+{}|<>?=";
+
 } // namespace NSchemeShardUT_Private
 
 Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
@@ -66,6 +84,128 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
  UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
  UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() > 0);
  }
+
+ Y_UNIT_TEST(ChangeAcceptablePasswordParameters) {
+ TTestBasicRuntime runtime;
+ TTestEnv env(runtime);
+ ui64 txId = 100;
+ // Password parameters:
+ // length 0 - 4294967295
+ // optional: lower case, upper case, numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1", {{NKikimrScheme::StatusSuccess}});
+ auto resultLogin = Login(runtime, "user1", "password1");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
+ UNIT_ASSERT(describe.HasPathDescription());
+ UNIT_ASSERT(describe.GetPathDescription().HasDomainDescription());
+ UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
+ UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() > 0);
+
+ // Accept password without lower case symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "PASSWORDU2", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user2", "PASSWORDU2");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 0 - 4294967295
+ // optional: upper case, numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.NeedLowerCase = true, .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user3", "PASSWORDU3", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Add lower case symbols to password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user3", "PASswORDu3", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user3", "PASswORDu3");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept password without upper case symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user4", "passwordu4", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user4", "passwordu4");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 0 - 4294967295
+ // optional: numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case, upper case
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.NeedLowerCase = true, .NeedUpperCase = true, .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user5", "passwordu5", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Add upper case symbols to password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user5", "PASswORDu5", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user5", "PASswORDu5");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept short and long passwords
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user6", "pasSWu6", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user6", "pasSWu6");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user7", "pasSW12345Word!*&u7", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user7", "pasSW12345Word!*&u7");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // optional: numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case, upper case
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8, .MaxPasswordLength = 15, .NeedLowerCase = true, .NeedUpperCase = true, .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ // Too short password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user8", "pasSWu8", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Too long password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user8", "pasSW12345Word!*&u8", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Password has correct length
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user8", "PASswORDu8", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user8", "PASswORDu8");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept password without numbers
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user9", "passWorDunine", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user9", "passWorDunine");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // optional: special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case, upper case, numbers
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8,
+ .MaxPasswordLength = 15,
+ .NeedLowerCase = true,
+ .NeedUpperCase = true,
+ .NeedNumbers = true,
+ .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user10", "passWorDuten", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Password with numbers
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user10", "PASswORDu10", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user10", "PASswORDu10");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept password without special symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user11", "passWorDu11", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user11", "passWorDu11");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // required: lower case, upper case, numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8,
+ .MaxPasswordLength = 15,
+ .NeedLowerCase = true,
+ .NeedUpperCase = true,
+ .NeedNumbers = true,
+ .NeedSpecialSymbols = true,
+ .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user12", "passWorDu12", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Password with special symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user12", "PASswORDu12*&%#", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user12", "PASswORDu12*&%#");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // required: lower case, upper case, numbers, special symbols from list *#
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8,
+ .MaxPasswordLength = 15,
+ .NeedLowerCase = true,
+ .NeedUpperCase = true,
+ .NeedNumbers = true,
+ .NeedSpecialSymbols = true,
+ .SpecialSymbols = "*#"}); // Only 2 special symbols are valid
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user13", "PASswORDu13*&%#", {{NKikimrScheme::StatusPreconditionFailed}});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user13", "PASswORDu12*#", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user13", "PASswORDu12*#");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ }
 }
 
 namespace NSchemeShardUT_Private {