YDB: specify IAM endpoint when using SA credentials (#223)

* Debugging SA auth in YDB * Add iam_endpoint to server config * Specify IAM endpoint * Specify IAM default endpoint
ydb-platform · Dec 18, 2024 · 5cd13fc · 5cd13fc
1 parent a93a3b2
commit 5cd13fc
Show file tree

Hide file tree

Showing 7 changed files with 193 additions and 145 deletions.
diff --git a/app/config/server.pb.go b/app/config/server.pb.go
diff --git a/app/config/server.proto b/app/config/server.proto
@@ -233,6 +233,10 @@ message TYdbConfig {
     // this credentials to access the database.
     string service_account_key_file_credentials = 5;
 
+    // One should provide IAM endpoint to authenticate service account
+    // if service_account_key_file_credentials is set.
+    NYql.TGenericEndpoint iam_endpoint = 6;
+
     TExponentialBackoffConfig exponential_backoff = 10;
 }
 

diff --git a/app/server/config/config.go b/app/server/config/config.go
@@ -171,6 +171,15 @@ func fillYdbConfigDefaults(c *config.TYdbConfig) {
 	if c.ExponentialBackoff == nil {
 		c.ExponentialBackoff = makeDefaultExponentialBackoffConfig()
 	}
+
+	if c.ServiceAccountKeyFileCredentials != "" {
+		if c.IamEndpoint == nil {
+			c.IamEndpoint = &api_common.TGenericEndpoint{
+				Host: "iam.api.cloud.yandex.net",
+				Port: 443,
+			}
+		}
+	}
 }
 
 func validateServerConfig(c *config.TServerConfig) error {
@@ -341,6 +350,24 @@ func validateYdbConfig(c *config.TYdbConfig) error {
 		return fmt.Errorf("invalid `mode` value: %v", c.Mode)
 	}
 
+	if c.ServiceAccountKeyFileCredentials != "" {
+		if err := fileMustExist(c.ServiceAccountKeyFileCredentials); err != nil {
+			return fmt.Errorf("invalid value of field `service_account_key_file_credentials`: %w", err)
+		}
+
+		if c.IamEndpoint == nil {
+			return fmt.Errorf("you must set `iam_endpoint` if `service_account_key_file_credentials` is set")
+		}
+
+		if c.IamEndpoint.Host == "" {
+			return fmt.Errorf("invalid value of field `iam_endpoint.host`: %v", c.IamEndpoint.Host)
+		}
+
+		if c.IamEndpoint.Port == 0 {
+			return fmt.Errorf("invalid value of field `iam_endpoint.port`: %v", c.IamEndpoint.Port)
+		}
+	}
+
 	if err := validateExponentialBackoff(c.ExponentialBackoff); err != nil {
 		return fmt.Errorf("validate `exponential_backoff`: %v", err)
 	}

diff --git a/app/server/conversion/converters_unsafe.go b/app/server/conversion/converters_unsafe.go
@@ -27,11 +27,7 @@ type dateToStringConverterUnsafe struct{}
 
 func (dateToStringConverterUnsafe) Convert(in *time.Time) (string, error) {
 	buf := make([]byte, 0, 11)
-
-	// We used to call the unexported method *Time.date() directly before,
-	// but since Go 1.23 it's restricted to use go:linkname,
-	// so now we spend 3x more time here:
-	year, month, day := in.Year(), in.Month(), in.Day()
+	year, month, day := in.Date()
 
 	if year < 0 {
 		buf = append(buf, byte('-'))

diff --git a/app/server/datasource/rdbms/ydb/connection_database_sql.go b/app/server/datasource/rdbms/ydb/connection_database_sql.go
@@ -113,7 +113,7 @@ func newConnectionDatabaseSQL(
 
 	conn := sql.OpenDB(ydbConn)
 
-	logger.Debug("Pinging database")
+	logger.Debug("pinging database")
 
 	pingCtx, pingCtxCancel := context.WithTimeout(ctx, common.MustDurationFromString(cfg.PingConnectionTimeout))
 	defer pingCtxCancel()

diff --git a/app/server/datasource/rdbms/ydb/connection_manager.go b/app/server/datasource/rdbms/ydb/connection_manager.go
@@ -41,9 +41,15 @@ func (c *connectionManager) Make(
 	var cred ydb_sdk.Option
 
 	if c.cfg.ServiceAccountKeyFileCredentials != "" {
-		logger.Debug("connector will use service account key file credentials for authorization")
-
-		cred = yc.WithServiceAccountKeyFileCredentials(c.cfg.ServiceAccountKeyFileCredentials)
+		logger.Debug(
+			"connector will use service account key file credentials for authorization",
+			zap.String("path", c.cfg.ServiceAccountKeyFileCredentials),
+		)
+
+		cred = yc.WithServiceAccountKeyFileCredentials(
+			c.cfg.ServiceAccountKeyFileCredentials,
+			yc.WithEndpoint(common.EndpointToString(c.cfg.IamEndpoint)),
+		)
 	} else if dsi.Credentials.GetToken() != nil {
 		logger.Debug("connector will use token for authorization")
 
@@ -105,7 +111,7 @@ func (c *connectionManager) Make(
 		return nil, fmt.Errorf("new connection: %w", err)
 	}
 
-	logger.Debug("Connection is ready")
+	logger.Debug("connection is ready")
 
 	return ydbConn, nil
 }

diff --git a/app/server/datasource/rdbms/ydb/schema_provider.go b/app/server/datasource/rdbms/ydb/schema_provider.go
@@ -34,7 +34,7 @@ func (f *schemaProvider) GetSchema(
 		return nil, fmt.Errorf("get prefix: %w", err)
 	}
 
-	logger.Debug("Obtaining table metadata", zap.String("prefix", prefix))
+	logger.Debug("obtaining table metadata", zap.String("prefix", prefix))
 
 	err = db.Table().Do(
 		ctx,