Add require_administer_for_password_set option

Open achulkov2 opened this issue 5 months ago • 7 comments

Useful for restricting usage of passwords by non-admins/in non-special circumstances in favor of SSO authentication.

  • Changelog entry
    Type: feature
    Component: proxy

Add require_administer_for_password_set option to allow forcing the administer permission requirement for running set-user-password.

achulkov2 avatar Jul 15 '25 18:07 achulkov2

15.07.2025, 18:26:54 PR autocheck started. Watch workflow progress here.
15.07.2025, 18:28:44 PR autocheck finished. Statuses:
  • Strawberry controller: skipped
  • CMake build: skipped
  • Ya-make build: skipped
  • Tests: skipped

github-actions[bot] avatar Jul 15 '25 18:07 github-actions[bot]

15.07.2025, 18:30:21 PR autocheck started. Watch workflow progress here.
16.07.2025, 02:15:29 Integration tests are started.
16.07.2025, 05:23:57 Tests finished.

Total

Total Failed Ok Skipped Not launched
2633 22 2390 221 0

ci-viewer/16301315928/size_s (returncode 10)

Failed suites

16.07.2025, 05:24:06 PR autocheck finished. Statuses:
  • Strawberry controller: success
  • CMake build: success
  • Ya-make build: success
  • Tests: success

github-actions[bot] avatar Jul 15 '25 18:07 github-actions[bot]

We are waiting for @dim-an; he will look at the PR in a week.

ilyaibraev avatar Aug 02 '25 14:08 ilyaibraev

I'm sorry for the delay. I'll take a look at this PR this week.

dim-an avatar Aug 26 '25 14:08 dim-an

If I understand correctly, you want to patch your static configuration for HTTP proxies. It looks to me like the better place would be some dynconfig that is checked inside SetPassword.

Dynamic config would work automatically when RPC is implemented, and there would be a single place for configuring this behaviour.

dim-an avatar Aug 28 '25 08:08 dim-an

What do you think about putting an option into TConnectionDynamicConfig?

dim-an avatar Sep 08 '25 15:09 dim-an

> What do you think about putting an option into TConnectionDynamicConfig?

The reason that I placed the new option into the static config was that there already is a similar option right nearby — require_password_in_authentication_commands. I do agree with you in principle that it is a somewhat weird place for both of these options, but our initial reasoning for this change was to comply with some audit requirements, so taking the path of least resistance was the way to go.

If that is what you want, I will take another look and relocate these two knobs, but not earlier than next quarter, since this one has more pressing issues.

achulkov2 avatar Sep 08 '25 16:09 achulkov2

Closing for now, can be reopened after rework.

dim-an avatar Nov 22 '25 12:11 dim-an