
Commit ebd95e6

authored
Merge pull request ydb-platform#9700 from uzhastik/24_3_merge_2
q 24 3 merge fresh fixes
2 parents 4adbae4 + 23afa03 commit ebd95e6


146 files changed

+9095
-705
lines changed


146 files changed

+9095
-705
lines changed

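--- a/.github/config/muted_ya.txt
+++ b/.github/config/muted_ya.txt
@@ -109,7 +109,6 @@ ydb/tests/fq/yds *
 ydb/tests/fq/control_plane_storage *
 ydb/tests/functional/audit *
 ydb/tests/functional/blobstorage test_replication.py.TestReplicationAfterNodesRestart.test_replication*
-ydb/tests/functional/clickbench test.py.test_plans[column]
 ydb/tests/functional/kqp/kqp_indexes ConsistentIndexRead.InteractiveTx
 ydb/tests/functional/kqp/kqp_query_session KqpQuerySession.NoLocalAttach
 ydb/tests/functional/restarts test_restarts.py.*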

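--- a/ydb/core/client/server/msgbus_server_pq_metarequest_ut.cpp
+++ b/ydb/core/client/server/msgbus_server_pq_metarequest_ut.cpp
@@ -169,7 +169,7 @@ class TMessageBusServerPersQueueRequestTestBase: public TTestBase {
 static int version = 0;
 ++version;
 
-THolder<TEvPersQueue::TEvUpdateConfig> request(new TEvPersQueue::TEvUpdateConfig());
+auto request = MakeHolder<TEvPersQueue::TEvUpdateConfigBuilder>();
 for (size_t i : partitions) {
 request->Record.MutableTabletConfig()->AddPartitionIds(i);
 }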

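--- a/ydb/core/config/init/init.cpp
+++ b/ydb/core/config/init/init.cpp
@@ -228,6 +228,7 @@ class TDefaultNodeBrokerClient
 const TGrpcSslSettings& grpcSettings,
 const TString addr,
 const NYdb::NDiscovery::TNodeRegistrationSettings& settings,
+const TString& nodeRegistrationToken,
 const IEnv& env)
 {
 TCommandConfig::TServerEndpoint endpoint = TCommandConfig::ParseServerAddress(addr);
@@ -242,7 +243,9 @@ class TDefaultNodeBrokerClient
 config.UseClientCertificate(certificate.c_str(), privateKey.c_str());
 }
 }
-config.SetAuthToken(BUILTIN_ACL_ROOT);
+if (nodeRegistrationToken) {
+config.SetAuthToken(nodeRegistrationToken);
+}
 config.SetEndpoint(endpoint.Address);
 auto connection = NYdb::TDriver(config);
 
@@ -313,6 +316,7 @@ class TDefaultNodeBrokerClient
 const TGrpcSslSettings& grpcSettings,
 const TVector<TString>& addrs,
 const NYdb::NDiscovery::TNodeRegistrationSettings& settings,
+const TString& nodeRegistrationToken,
 const IEnv& env,
 IInitLogger& logger)
 {
@@ -326,6 +330,7 @@ class TDefaultNodeBrokerClient
 grpcSettings,
 addr,
 settings,
+nodeRegistrationToken,
 env);
 if (result.IsSuccess()) {
 logger.Out() << "Success. Registered via discovery service as " << result.GetNodeId() << Endl;
@@ -387,6 +392,7 @@ class TDefaultNodeBrokerClient
 grpcSettings,
 addrs,
 newRegSettings,
+regSettings.NodeRegistrationToken,
 env,
 logger);
 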
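Review bot: In the second hunk, an empty `nodeRegistrationToken` now means the registration request is sent with no auth token at all, and nothing in the function records that choice. Because this replaces the unconditional `config.SetAuthToken(BUILTIN_ACL_ROOT)`, a node whose config lacks the token changes behaviour silently; a comment on the `if` such as `// No token configured: register without credentials and let the server decide` would make the fallback explicit. If a log line is added in the caller that has `logger`, it should state only whether a token is configured, never its value. The enclosing functions start and end outside the hunks.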

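--- a/ydb/core/config/init/init.h
+++ b/ydb/core/config/init/init.h
@@ -118,6 +118,7 @@ struct TNodeRegistrationSettings {
 bool FixedNodeID;
 ui32 InterconnectPort;
 NActors::TNodeLocation Location;
+TString NodeRegistrationToken;
 };
 
 class INodeRegistrationResult {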
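Review bot: `NodeRegistrationToken` is a credential stored next to plain settings, and the new field has no comment saying so. I would add `// Secret sent as the auth token during node registration; empty means none. Do not log.` above it, so that code which dumps or copies `TNodeRegistrationSettings` treats it accordingly. The struct's opening lines are outside the hunk.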

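--- a/ydb/core/config/init/init_impl.h
+++ b/ydb/core/config/init/init_impl.h
@@ -1247,6 +1247,7 @@ class TInitialConfiguratorImpl
 cf.FixedNodeID,
 cf.InterconnectPort,
 cf.CreateNodeLocation(),
+AppConfig.GetAuthConfig().GetNodeRegistrationToken(),
 };
 
 auto result = NodeBrokerClient.RegisterDynamicNode(cf.GrpcSslSettings, addrs, settings, Env, Logger);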

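--- a/ydb/core/driver_lib/run/kikimr_services_initializers.cpp
+++ b/ydb/core/driver_lib/run/kikimr_services_initializers.cpp
@@ -1646,7 +1646,7 @@ void TSecurityServicesInitializer::InitializeServices(NActors::TActorSystemSetup
 .AuthConfig = Config.GetAuthConfig(),
 .CertificateAuthValues = {
 .ClientCertificateAuthorization = Config.GetClientCertificateAuthorization(),
-.ServerCertificateFilePath = grpcConfig.GetCert(),
+.ServerCertificateFilePath = grpcConfig.HasPathToCertificateFile() ? grpcConfig.GetPathToCertificateFile() : grpcConfig.GetCert(),
 .Domain = Config.GetAuthConfig().GetCertificateAuthenticationDomain()
 }
 };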
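Review bot: `HasPathToCertificateFile()` only says the field was set, so a config with `PathToCertificateFile` present but empty would pass an empty `ServerCertificateFilePath` instead of falling back to `GetCert()`. If that is not intended, test the value rather than its presence: `const auto& certPath = grpcConfig.GetPathToCertificateFile();` followed by `.ServerCertificateFilePath = certPath.empty() ? grpcConfig.GetCert() : certPath,`. This assumes the usual protobuf presence semantics for the generated accessor, which the hunk does not show. The initializer sits inside `InitializeServices`, whose body starts and ends outside the hunk.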

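--- a/ydb/core/grpc_services/grpc_request_proxy.cpp
+++ b/ydb/core/grpc_services/grpc_request_proxy.cpp
@@ -420,9 +420,22 @@ void TGRpcRequestProxyImpl::HandleUndelivery(TEvents::TEvUndelivered::TPtr& ev)
 
 bool TGRpcRequestProxyImpl::IsAuthStateOK(const IRequestProxyCtx& ctx) {
 const auto& state = ctx.GetAuthState();
-return state.State == NYdbGrpc::TAuthState::AS_OK ||
-state.State == NYdbGrpc::TAuthState::AS_FAIL && state.NeedAuth == false ||
-state.NeedAuth == false && !ctx.GetYdbToken();
+if (state.State == NYdbGrpc::TAuthState::AS_OK) {
+return true;
+}
+
+const bool authorizationParamsAreSet = ctx.GetYdbToken() || !ctx.FindClientCertPropertyValues().empty();
+if (!state.NeedAuth && !authorizationParamsAreSet) {
+return true;
+}
+
+if (!state.NeedAuth && state.State == NYdbGrpc::TAuthState::AS_FAIL) {
+if (AppData()->EnforceUserTokenCheckRequirement && authorizationParamsAreSet) {
+return false;
+}
+return true;
+}
+return false;
 }
 
 void TGRpcRequestProxyImpl::MaybeStartTracing(IRequestProxyCtx& ctx) {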
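Review bot: In the `AS_FAIL` branch of `IsAuthStateOK`, `authorizationParamsAreSet` is always true, because the case `!state.NeedAuth && !authorizationParamsAreSet` has already returned; the inner test reduces to `return !AppData()->EnforceUserTokenCheckRequirement;`. More important for readers is that with the flag off, a request whose token or client certificate failed validation is still accepted when `NeedAuth` is false, and that deserves a comment on the branch, e.g. `// NeedAuth is off: a credential that failed validation is tolerated unless EnforceUserTokenCheckRequirement is set`. The same body is added verbatim to `TGRpcRequestProxySimple::IsAuthStateOK` in grpc_request_proxy_simple.cpp; a shared helper would keep the two authorization decisions from drifting apart.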

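--- a/ydb/core/grpc_services/grpc_request_proxy_simple.cpp
+++ b/ydb/core/grpc_services/grpc_request_proxy_simple.cpp
@@ -172,9 +172,22 @@ void TGRpcRequestProxySimple::HandleUndelivery(TEvents::TEvUndelivered::TPtr& ev
 
 bool TGRpcRequestProxySimple::IsAuthStateOK(const IRequestProxyCtx& ctx) {
 const auto& state = ctx.GetAuthState();
-return state.State == NYdbGrpc::TAuthState::AS_OK ||
-state.State == NYdbGrpc::TAuthState::AS_FAIL && state.NeedAuth == false ||
-state.NeedAuth == false && !ctx.GetYdbToken();
+if (state.State == NYdbGrpc::TAuthState::AS_OK) {
+return true;
+}
+
+const bool authorizationParamsAreSet = ctx.GetYdbToken() || !ctx.FindClientCertPropertyValues().empty();
+if (!state.NeedAuth && !authorizationParamsAreSet) {
+return true;
+}
+
+if (!state.NeedAuth && state.State == NYdbGrpc::TAuthState::AS_FAIL) {
+if (AppData()->EnforceUserTokenCheckRequirement && authorizationParamsAreSet) {
+return false;
+}
+return true;
+}
+return false;
 }
 
 template<typename TEvent>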

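--- a/ydb/core/grpc_services/rpc_whoami.cpp
+++ b/ydb/core/grpc_services/rpc_whoami.cpp
@@ -21,24 +21,29 @@ class TWhoAmIRPC : public TActorBootstrapped<TWhoAmIRPC> {
 : Request(request)
 {}
 
-void Bootstrap(const TActorContext& ctx) {
+void Bootstrap() {
 //TODO: Do we realy realy need to make call to the ticket parser here???
 //we have done it already in grpc_request_proxy
 auto req = dynamic_cast<TEvWhoAmIRequest*>(Request.get());
 Y_ABORT_UNLESS(req, "Unexpected request type for TWhoAmIRPC");
-TMaybe<TString> authToken = req->GetYdbToken();
-if (authToken) {
-TMaybe<TString> database = Request->GetDatabaseName();
-ctx.Send(MakeTicketParserID(), new TEvTicketParser::TEvAuthorizeTicket({
-.Database = database ? database.GetRef() : TString(),
-.Ticket = authToken.GetRef(),
-.PeerName = Request->GetPeerName()
-}));
-Become(&TThis::StateWaitForTicket);
+TString ticket;
+if (TMaybe<TString> authToken = req->GetYdbToken()) {
+ticket = authToken.GetRef();
+} else if (TVector<TStringBuf> clientCert = Request->FindClientCert(); !clientCert.empty()) {
+ticket = TString(clientCert.front());
 } else {
 ReplyError("No token provided");
 PassAway();
+return;
 }
+
+TMaybe<TString> database = Request->GetDatabaseName();
+Send(MakeTicketParserID(), new TEvTicketParser::TEvAuthorizeTicket({
+.Database = database ? database.GetRef() : TString(),
+.Ticket = ticket,
+.PeerName = Request->GetPeerName()
+}));
+Become(&TThis::StateWaitForTicket);
 }
 
 STFUNC(StateWaitForTicket) {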
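Review bot: When a request carries both a token and a client certificate, `Bootstrap` silently prefers the token, and only the first entry of `FindClientCert()` is ever used; neither choice is stated in the code. A short comment above the `if` would cover it, e.g. `// Token wins over client certificate; only the first certificate entry is sent as the ticket`. The certificate travels in the same `.Ticket` field as a token, so this presumably relies on the ticket parser telling the two apart, which is worth confirming with a test for the certificate path. The error text `"No token provided"` is now also returned when no certificate was presented, so it no longer describes both missing inputs.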

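--- a/ydb/core/kqp/common/kqp_yql.h
+++ b/ydb/core/kqp/common/kqp_yql.h
@@ -48,6 +48,7 @@ constexpr TStringBuf KqpTableSinkName = "KqpTableSinkName";
 
 static constexpr std::string_view TKqpStreamLookupStrategyName = "LookupRows"sv;
 static constexpr std::string_view TKqpStreamLookupJoinStrategyName = "LookupJoinRows"sv;
+static constexpr std::string_view TKqpStreamLookupSemiJoinStrategyName = "LookupSemiJoinRows"sv;
 
 struct TKqpReadTableSettings {
 static constexpr TStringBuf SkipNullKeysSettingName = "SkipNullKeys";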
