ydb-platform
diff --git a/‎ydb/docs/en/core/concepts/_includes/secondary_indexes.md
Lines changed: 1 addition & 1 deletion b/‎ydb/docs/en/core/concepts/_includes/secondary_indexes.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎ydb/docs/en/core/dev/query-plans-optimization.md
Lines changed: 2 additions & 2 deletions b/‎ydb/docs/en/core/dev/query-plans-optimization.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎ydb/docs/en/core/devops/manual/node-authorization.md
Lines changed: 93 additions & 0 deletions b/‎ydb/docs/en/core/devops/manual/node-authorization.md
Lines changed: 93 additions & 0 deletions
diff --git a/‎ydb/docs/en/core/devops/manual/toc_p.yaml
Lines changed: 2 additions & 0 deletions b/‎ydb/docs/en/core/devops/manual/toc_p.yaml
Lines changed: 2 additions & 0 deletions
diff --git a/‎ydb/docs/en/core/downloads/yandex-enterprise-database.md
Lines changed: 1 addition & 1 deletion b/‎ydb/docs/en/core/downloads/yandex-enterprise-database.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎ydb/docs/en/core/downloads/ydb-ansible.md
Lines changed: 2 additions & 2 deletions b/‎ydb/docs/en/core/downloads/ydb-ansible.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎ydb/docs/en/core/reference/configuration/client_certificate_authorization.md
Lines changed: 71 additions & 0 deletions b/‎ydb/docs/en/core/reference/configuration/client_certificate_authorization.md
Lines changed: 71 additions & 0 deletions
diff --git a/‎ydb/docs/en/core/reference/configuration/toc_p.yaml
Lines changed: 3 additions & 1 deletion b/‎ydb/docs/en/core/reference/configuration/toc_p.yaml
Lines changed: 3 additions & 1 deletion
diff --git a/‎ydb/docs/en/core/reference/observability/tracing/setup.md
Lines changed: 2 additions & 2 deletions b/‎ydb/docs/en/core/reference/observability/tracing/setup.md
Lines changed: 2 additions & 2 deletions
@@ -15,7 +15,7 @@ A synchronous index is updated simultaneously with the table that it indexes. Th
 
 ## Asynchronous secondary index {#async}
 
-Unlike a synchronous index, an asynchronous index doesn't use distributed transactions. Instead, it receives changes from an indexed table in the background. Write transactions to a table using this index are performed with no planning overheads due to reduced guarantees: an asynchronous index provides [eventual consistency](https://en.wikipedia.org/wiki/Eventual_consistency), but no strict consistency. You can only use asynchronous indexes in read transactions in [Stale Read Only](transactions.md#modes) mode.
+Unlike a synchronous index, an asynchronous index doesn't use distributed transactions. Instead, it receives changes from an indexed table in the background. Write transactions to a table using this index are performed with no planning overheads due to reduced guarantees: an asynchronous index provides [eventual consistency](https://en.wikipedia.org/wiki/Eventual_consistency), but no strict consistency. You can only use asynchronous indexes in read transactions in [Stale Read Only](../transactions.md#modes) mode.
 
 ## Covering secondary index {#covering}
 
 
@@ -20,7 +20,7 @@ Let's build a plan for this query. You can do this via either UI or {{ ydb-short
 
 - {{ ydb-short-name }} CLI
 
-  You can build a query plan via {{ ydb-short-name }} [CLI](../reference/ydb-cli/_includes/index.md) using the following command:
+  You can build a query plan via {{ ydb-short-name }} [CLI](../reference/ydb-cli/commands/explain-plan.md) using the following command:
 
   ```bash
   ydb -p <profile_name> table query explain \
@@ -63,7 +63,7 @@ ALTER TABLE episodes
   ADD INDEX title_index GLOBAL ON (title)
 ```
 
-Please note that this example uses [synchronous secondary index](../concepts/_includes/secondary_indexes.md#sync). Building an index in {{ ydb-short-name }} is an asynchronous operation. Even if the index creation query is successful, it is advisable to wait for some time because the index may not be ready for use immediately. You can manage asynchronous operations through the [CLI](../reference/ydb-cli/commands/_includes/secondary_index.md#add).
+Please note that this example uses [synchronous secondary index](../concepts/secondary_indexes.md#sync). Building an index in {{ ydb-short-name }} is an asynchronous operation. Even if the index creation query is successful, it is advisable to wait for some time because the index may not be ready for use immediately. You can manage asynchronous operations through the [CLI](../reference/ydb-cli/commands/secondary_index.md#add).
 
 Let's build the query plan using the secondary index `title_index`. Secondary indexes to be used need to be explicitly specified in the `VIEW` clause.
 
 
@@ -0,0 +1,93 @@
+# Database node authentication and authorization
+
+Node authentication in the {{ ydb-short-name }} cluster ensures that database nodes are authenticated when making service requests to other nodes via the gRPC protocol. Node authorization ensures that the privileges required by the service requests are checked and granted during request processing. These service calls include database node registration within the cluster and access to [dynamic configuration](../../maintenance/manual/dynamic-config.md) information. The use of node authorization is recommended for all {{ ydb-short-name }} clusters, as it helps prevent unauthorized access to data by adding nodes controlled by an attacker to the cluster.
+
+Database node authentication and authorization are performed in the following order:
+
+1. The database node being started opens a gRPC connection to one of the cluster storage nodes specified in the `--node-broker` command-line option. The connection uses the TLS protocol, and the certificate of the running node is used as the client certificate for the connection.
+2. The storage node and the database node perform mutual authentication checks using the TLS protocol: the certificate trust chain is checked, and the hostname is matched against the value of the "Subject Name" field of the certificate.
+3. The storage node checks the "Subject" field of the certificate for compliance with the requirements [set up through settings](../../reference/configuration/client_certificate_authorization.md) in the static configuration.
+4. If the above checks are successful, the connection from the database node is considered authenticated, and it is assigned a security identifier - [SID](../../concepts/glossary.md#access-sid), which is determined by the settings.
+5. The database node uses the established gRPC connection to register with the cluster through the corresponding service request. When registering, the database node sends its network address intended to be used for communication with other cluster nodes.
+6. The storage node checks whether the SID assigned to the gRPC connection is in the list of acceptable ones. If this check is successful, the storage node registers the database node within the cluster, saving the association between the network address of the registered node and its identifier.
+7. The database node joins the cluster by connecting via its network address and providing the node ID it received during registration. Attempts to join the cluster by nodes with unknown network addresses or IDs are blocked by other nodes.
+
+Below are the steps required to enable the node authentication and authorization feature.
+
+## Configuration prerequisites
+
+1. The deployed {{ ydb-short-name }} cluster must have [gRPC traffic encryption](../../reference/configuration/tls.md#grpc) configured to use the TLS protocol.
+1. When preparing node certificates for a cluster where you plan to use the node authorization feature, uniform rules must be used for populating the "Subject" field of the certificates. This allows the identification of certificates issued for the cluster nodes. For more information, see the [certificate verification rules documentation](../../reference/configuration/client_certificate_authorization.md).
+
+    {% note info %}
+
+    The proposed [example script](https://github.com/ydb-platform/ydb/blob/main/ydb/deploy/tls_cert_gen/) generates self-signed certificates for {{ ydb-short-name }} nodes and ensures that the "Subject" field is populated with the value `O=YDB` for all node certificates. The configuration examples provided below are prepared for certificates with this specific "Subject" field configuration, but feel free to use your real organization name instead.
+
+    {% endnote %}
+
+1. The command-line parameters for [starting database nodes](../../devops/manual/initial-deployment.md#start-dynnode) must include options that specify the paths to the trusted CA certificate, the node certificate, and the node key files. The required additional command-line options are shown in the table below.
+
+    | **Command-line option** | **Description** |
+    |-------------------------|-----------------|
+    | `--grpc-ca`             | Path to the trusted certification authority file `ca.crt` |
+    | `--grpc-cert`           | Path to the node certificate file `node.crt` |
+    | `--grpc-key`            | Path to the node secret key file `node.key` |
+
+    Below is an example of the complete command to start the database node, including the extra options for gRPC TLS key and certificate files:
+
+    ```bash
+    /opt/ydb/bin/ydbd server --yaml-config  /opt/ydb/cfg/config.yaml --tenant /Root/testdb \
+        --grpcs-port 2136 --grpc-ca /opt/ydb/certs/ca.crt \
+        --grpc-cert /opt/ydb/certs/node.crt --grpc-key /opt/ydb/certs/node.key \
+        --ic-port 19002 --ca /opt/ydb/certs/ca.crt \
+        --mon-port 8766 --mon-cert /opt/ydb/certs/web.pem \
+        --node-broker grpcs://<ydb1>:2135 \
+        --node-broker grpcs://<ydb2>:2135 \
+        --node-broker grpcs://<ydb3>:2135
+    ```
+
+## Enabling database node authentication and authorization
+
+To enable mandatory database node authorization, add the following configuration blocks to the [static cluster configuration](../../reference/configuration/index.md) file:
+
+1. At the root level, add the `client_certificate_authorization` block to define the requirements for the "Subject" field of trusted node certificates. For example:
+
+    ```yaml
+    client_certificate_authorization:
+      request_client_certificate: true
+      client_certificate_definitions:
+        - member_groups: ["registerNode@cert"]
+          subject_terms:
+          - short_name: "O"
+            values: ["YDB"]
+    ```
+
+    Add other certificate validation settings [as defined in the documentation](../../reference/configuration/client_certificate_authorization.md), if required.
+
+    If the certificate is successfully verified and the components of the "Subject" field comply with the requirements defined in the `subject_terms` sub-block, the connection will be assigned the access subjects listed in the `member_groups` parameter. To distinguish these subjects from other user groups and accounts, their names typically have the `@cert` suffix.
+
+1. Add the `register_dynamic_node_allowed_sids` element to the cluster authentication settings `security_config` block, and list the subjects permitted for database node registration. For internal technical reasons, the list must include the `root@builtin` element. Example:
+
+    ```yaml
+    domains_config:
+        ...
+        security_config:
+            enforce_user_token_requirement: true
+            monitoring_allowed_sids:
+            ...
+            administration_allowed_sids:
+            ...
+            viewer_allowed_sids:
+            ...
+            register_dynamic_node_allowed_sids:
+            - "root@builtin" # required for internal technical reasons
+            - "registerNode@cert"
+    ```
+
+    For more detailed information on configuring cluster authentication parameters, see the [relevant documentation section](../../reference/configuration/index.md#security-access-levels).
+
+1. Deploy the static configuration files on all cluster nodes either manually, or [using the Ansible playbook action](../ansible/update-config.md).
+
+1. Perform the rolling restart of storage nodes by [using ydbops](../../reference/ydbops/scenarios.md) or [Ansible playbook action](../ansible/restart.md).
+
+1. Perform the rolling restart of database nodes through ydbops or Ansible playbooks.
@@ -21,6 +21,8 @@ items:
   href: system-views.md
 - name: Maintenance without downtime
   href: maintenance-without-downtime.md
+- name: Node authentication and authorization
+  href: node-authorization.md
 - name: Federated queries
   href: federated-queries/index.md
   include:
 
@@ -95,6 +95,6 @@ Yandex Enterprise Database distributions are available for download via the link
 || **v23.4** |  |  |  |  ||
 || v.23.4.11 | 14.05.24 | `cr.yandex/crptqonuodf51kdj7a7d/ydb:23.4.11` | [See list](../changelog-server.md#23-4) ||
 || **v23.3** |  |  |  |  ||
-|| v.23.3.17 | 14.12.23 | `cr.yandex/crptqonuodf51kdj7a7d/ydb:23.3.17` | [See list](../changelog-server-23.md#23-3-17) ||
+|| v.23.3.17 | 14.12.23 | `cr.yandex/crptqonuodf51kdj7a7d/ydb:23.3.17` | [See list](../changelog-server.md#23-3-17) ||
 || v.23.3.13 | 12.10.23 | `cr.yandex/crptqonuodf51kdj7a7d/ydb:23.3.13` | [See list](../changelog-server.md#23-3) ||
 |#
@@ -1,11 +1,11 @@
 # Download Ansible Playbooks for {{ ydb-short-name }}
 
-A set of automated playbooks for installing and maintaining the server side of [open-source {{ ydb-short-name }}](ydb-oss-server.md) or [Yandex Enterprise Database](yandex-enterprise-database.md) using [Ansible](https://docs.ansible.com/) is available for download via the links below. Their source code is published [on GitHub](https://github.com/ydb-platform/ydb-ansible) under Apache 2.0 license.
+A set of automated playbooks for installing and maintaining the server side of [open-source {{ ydb-short-name }}](./ydb-open-source-database.md) or [Yandex Enterprise Database](yandex-enterprise-database.md) using [Ansible](https://docs.ansible.com/) is available for download via the links below. Their source code is published [on GitHub](https://github.com/ydb-platform/ydb-ansible) under Apache 2.0 license.
 
 | Version | Release date | Download | Checksums |
 | ------ | ------------ | ------- | ----------------- |
 | v0.14   | 30.11.2024   | [ydb-ansible-0.14.zip](https://binaries.ясубд.рф/ansible/ydb-ansible-0.14.zip) | [ydb-ansible-0.14.txt](https://binaries.ясубд.рф/ansible/ydb-ansible-0.14.txt) |
 | v0.10   | 01.08.2024   | [ydb-ansible-0.10.zip](https://binaries.ясубд.рф/ansible/ydb-ansible-0.10.zip) | [ydb-ansible-0.10.txt](https://binaries.ясубд.рф/ansible/ydb-ansible-0.10.txt) |
 | v0.9   | 20.07.2024   | [ydb-ansible-0.9.zip](https://binaries.ясубд.рф/ansible/ydb-ansible-0.9.zip) | [ydb-ansible-0.9.txt](https://binaries.ясубд.рф/ansible/ydb-ansible-0.9.txt) |
 | v0.8   | 10.07.2024   | [ydb-ansible-0.8.zip](https://binaries.ясубд.рф/ansible/ydb-ansible-0.8.zip) | [ydb-ansible-0.7.txt](https://binaries.ясубд.рф/ansible/ydb-ansible-0.8.txt) |
-| v0.7   | 03.05.2024   | [ydb-ansible-0.7.zip](https://binaries.ясубд.рф/ansible/ydb-ansible-0.7.zip) | [ydb-ansible-0.7.txt](https://binaries.ясубд.рф/ansible/ydb-ansible-0.7.txt) |
+| v0.7   | 03.05.2024   | [ydb-ansible-0.7.zip](https://binaries.ясубд.рф/ansible/ydb-ansible-0.7.zip) | [ydb-ansible-0.7.txt](https://binaries.ясубд.рф/ansible/ydb-ansible-0.7.txt) |
@@ -0,0 +1,71 @@
+# `client_certificate_authorization` configuration section
+
+Database node authentication within the {{ ydb-short-name }} cluster ensures that service connections between cluster nodes are assigned the correct security identifiers, or [SIDs](../../concepts/glossary.md#access-sid). The process of database node authentication applies to connections that use the gRPC protocol and provide functions for registering nodes in the cluster, as well as for accessing configuration information. SIDs assigned to connections are considered when checking the authorization rules that apply to the corresponding gRPC service calls.
+
+Node authentication settings are configured within the [static configuration](./index.md) of the cluster.
+
+The `client_certificate_authorization` section specifies the authentication settings for database node connections by defining the requirements for the content of the "Subject" and "Subject Alternative Name" fields in node certificates, as well as the list of [SID](../../concepts/glossary.md#access-sid) values assigned to the connections.
+
+The "Subject" field of the node certificate may contain multiple components (such as `O` – organization, `OU` – organizational unit, `C` – country, `CN` – common name), and checks can be configured against one or more of these components.
+
+The "Subject Alternative Name" field of the node certificate is a list of the node's network names or IP addresses. Checks can be configured to match the names specified in the certificate against the expected values.
+
+## Syntax
+
+```yaml
+client_certificate_authorization:
+  request_client_certificate: Bool
+  default_group: <default SID>
+  client_certificate_definitions:
+    - member_groups: <SID array>
+      require_same_issuer: Bool
+      subject_dns:
+      - suffixes: <array of allowed suffixes>
+        values: <array of allowed values>
+      subject_terms:
+      - short_name: <Subject Name component>
+        suffixes: <array of allowed suffixes>
+        values: <array of allowed values>
+    - member_groups: <SID array>
+    ...
+```
+
+Key  | Description
+---- | ---
+`request_client_certificate` | Request a valid client certificate for node connections.<br/>Allowed values:<br/><ul><li>`false` — A certificate is not required (used by default if the parameter is omitted).</li><li>`true` — A certificate is required for all node connections.</li></ul>
+`default_group` | SID assigned to all connections providing a trusted client certificate when no explicit settings are provided in the `client_certificate_definitions` section.
+`client_certificate_definitions` | Section defining the requirements for database node certificates.
+`member_groups` | SIDs assigned to connections that conform to the requirements of the current configuration block.
+`require_same_issuer` | Require that the value of the "Issuer" field (typically containing the Certification Authority name) is the same for both client (database node) and server (storage node) certificates. <br/>Allowed values:<br/><ul><li>`true` — The values must be the same (used by default if the parameter is omitted).</li><li>`false` — The values can be different (allowing client and server certificates to be issued by different Certification Authorities).</li></ul>
+`subject_dns` | Allowed values for the "Subject Alternative Name" field, specified as either full values (using the `values` sub-key) or suffixes (using the `suffixes` sub-key). The check is successful if the actual value matches any full name or any suffix specified.
+`subject_terms` | Requirements for the "Subject" field value. Contains the component name (in the `short_name` sub-key) and a list of full values (using the `values` sub-key) or suffixes (using the `suffixes` sub-key). The check is successful if the actual value of each component matches either an allowed full value or an allowed suffix.
+
+## Examples
+
+The following configuration fragment enables node authentication and requires the "Subject" field to include the component `O=YDB`. Upon successful authentication, the connection is assigned the `registerNode@cert` SID.
+
+```yaml
+client_certificate_authorization:
+  request_client_certificate: true
+  client_certificate_definitions:
+    - member_groups: ["registerNode@cert"]
+      subject_terms:
+      - short_name: "O"
+        values: ["YDB"]
+```
+
+The next configuration fragment enables node authentication, and requires "Subject" field to include both `OU=cluster1` and `O=YDB` components. In addition "Subject Alternative Name" field should contain the network name ending with the `.cluster1.ydb.company.net` suffix. Upon successful authentication, the connection will be assigned the `registerNode@cert` SID.
+
+```yaml
+client_certificate_authorization:
+  request_client_certificate: true
+  client_certificate_definitions:
+    - member_groups: ["registerNode@cert"]
+      subject_dns:
+      - suffixes: [".cluster1.ydb.company.net"]
+      subject_terms:
+      - short_name: "OU"
+        values: ["cluster1"]
+      - short_name: "O"
+        values: ["YDB"]
+```
@@ -1,3 +1,5 @@
 items:
 - name: TLS
-  href: tls.md
+  href: tls.md
+- name: client_certificate_authorization
+  href: client_certificate_authorization.md
@@ -255,7 +255,7 @@ The limits on the number of traced requests are local to the cluster node. For e
 
 As with [logs](../../../reference/embedded-ui/logs.md), diagnosing most system issues does not require the most detailed trace. Therefore, in {{ ydb-short-name }}, each span has its own level described by an integer from 0 to 15 inclusive. Each rule in the `sampling` section must include the detail level of the generated trace (`level`); spans with a level less than or equal to `level` will be included in it.
 
-The [{{ ydb-short-name }} architecture](../../../concepts/_includes/index/how_it_works.md#ydb-architecture) section describes the system's division into 5 layers:
+The [{{ ydb-short-name }} architecture](../../../concepts/index.md#ydb-architecture) section describes the system's division into 5 layers:
 
 | Layer | Components |
 | ---- | --------- |
@@ -348,4 +348,4 @@ With a sufficiently low flow of requests to the `/Root/db1` database, the follow
 With a sufficiently high flow of requests to the `/Root/db1` database, the following will be sampled:
 
 * 5 requests per minute with a detail level of 15
-* between 95 and 100 requests per minute with a detail level of 5
+* between 95 and 100 requests per minute with a detail level of 5