[stable-25-1] Distconf && New config api fixes (#15406)

Co-authored-by: mregrock <mregrock@ydb.tech>
Co-authored-by: Alexander Rutkovsky <alexvru@ydb.tech>

Author: 3 people

ydb/apps/ydb/CHANGELOG.md

@@ -1,3 +1,7 @@
+* Added support for dual configuration mode in the `ydb admin cluster config fetch` command, allowing it to handle separate cluster and storage config sections.
+* Add options for client certificates in SSL/TLS connections.
+* Add `ydb admin node config init` command to initialize directory with node config files.
+* Add `ydb admin cluster config generate` command to generate dynamic config from static config on cluster.
 * Fixed memory leak in tpcds generator.
 * Include external data sources and external tables in local backups (`ydb tools dump` and `ydb tools restore`). Both scheme objects are backed up as YQL creation queries saved in the `create_external_data_source.sql` and `create_external_table.sql` files respectively, which can be executed to recreate the original scheme objects.
 * Fixed a bug where `ydb auth get-token` command tried to authenticate twice: while listing andpoints and while executing actual token request.

ydb/core/cms/console/console_configs_manager.h

@@ -216,6 +216,24 @@ class TConfigsManager : public TActorBootstrapped<TConfigsManager> {
             HandleUnauthorized(ev, ctx);
         };
 
+        constexpr bool HasBypassAuth = std::is_same_v<
+            std::decay_t<T>, 
+            typename TEvConsole::TEvGetAllConfigsRequest::TPtr
+        > || std::is_same_v<
+            std::decay_t<T>,
+            typename TEvConsole::TEvReplaceYamlConfigRequest::TPtr
+        > || std::is_same_v<
+            std::decay_t<T>,
+            typename TEvConsole::TEvSetYamlConfigRequest::TPtr
+        >;
+
+        if constexpr (HasBypassAuth) {
+            if (ev->Get()->Record.HasBypassAuth() && ev->Get()->Record.GetBypassAuth()) {
+                Handle(ev, ctx);
+                return;
+            }
+        }
+
         if (IsAdministrator(AppData(ctx), ev->Get()->Record.GetUserToken())) {
             Handle(ev, ctx);
         } else {

ydb/core/cms/console/console_handshake.cpp

@@ -33,6 +33,7 @@ class TConfigsManager::TConsoleCommitActor : public TActorBootstrapped<TConsoleC
 
     void Bootstrap(const TActorId& consoleId) {
         auto executeRequest = [&](auto& request) {
+            request->Record.SetBypassAuth(true);
             request->Record.MutableRequest()->set_config(MainYamlConfig);
             request->Record.MutableRequest()->set_allow_unknown_fields(AllowUnknownFields);
             Send(consoleId, request.release());

ydb/core/config/init/init_impl.h

@@ -1075,11 +1075,11 @@ class TInitialConfiguratorImpl
             auto dir = fs::path(CommonAppOptions.ConfigDirPath.c_str());
 
             if (auto path = dir / STORAGE_CONFIG_NAME; fs::is_regular_file(path)) {
-                storageYamlConfigFile = path.c_str();
+                storageYamlConfigFile = path.string();
             }
 
             if (auto path = dir / CONFIG_NAME; fs::is_regular_file(path)) {
-                yamlConfigFile = path.c_str();
+                yamlConfigFile = path.string();
                 loadedFromStore = true;
             } else {
                 storageYamlConfigFile.clear();

ydb/core/grpc_services/rpc_config.cpp

@@ -11,6 +11,8 @@
 #include <ydb/core/protos/local.pb.h>
 #include <ydb/core/blobstorage/nodewarden/node_warden_events.h>
 #include <ydb/core/base/auth.h>
+#include <ydb/core/cms/console/console.h>
+#include <ydb/core/cms/console/configs_dispatcher.h>
 
 namespace NKikimr::NGRpcService {
 
@@ -136,10 +138,33 @@ void CopyFromConfigResponse(const NKikimrBlobStorage::TConfigResponse &from, Ydb
 
 class TReplaceStorageConfigRequest : public TBSConfigRequestGrpc<TReplaceStorageConfigRequest, TEvReplaceStorageConfigRequest,
     Ydb::Config::ReplaceConfigResult> {
-public:
     using TBase = TBSConfigRequestGrpc<TReplaceStorageConfigRequest, TEvReplaceStorageConfigRequest, Ydb::Config::ReplaceConfigResult>;
+    using TRpcBase = TRpcOperationRequestActor<TReplaceStorageConfigRequest, TEvReplaceStorageConfigRequest>;
+public:
     using TBase::TBase;
 
+    void Bootstrap(const TActorContext& ctx) {
+        TRpcBase::Bootstrap(ctx);
+        auto *self = Self();
+        self->OnBootstrap();
+        const auto& request = *GetProtoRequest();
+        auto shim = ConvertConfigReplaceRequest(request);
+        if (shim.MainConfig) {
+            if (NYamlConfig::IsDatabaseConfig(*shim.MainConfig)) {
+                DatabaseConfig = shim.MainConfig;
+                CheckDatabaseAuthorization();
+                return;
+            }
+        }
+        if (!NKikimr::IsAdministrator(AppData(), Request_->GetSerializedToken())) {
+            self->Reply(Ydb::StatusIds::UNAUTHORIZED, "User is not a cluster administrator.",
+                  NKikimrIssues::TIssuesIds::ACCESS_DENIED, self->ActorContext());
+            return;
+        }
+        self->Become(&TReplaceStorageConfigRequest::StateFunc);
+        self->Send(MakeBlobStorageNodeWardenID(ctx.SelfID.NodeId()), new TEvNodeWardenQueryStorageConfig(false)); 
+    }
+
     bool ValidateRequest(Ydb::StatusIds::StatusCode& status, NYql::TIssues& issues) override {
         const auto& request = *GetProtoRequest();
         if (request.dry_run()) {
@@ -207,13 +232,137 @@ class TReplaceStorageConfigRequest : public TBSConfigRequestGrpc<TReplaceStorage
             request->allow_unknown_fields() || request->bypass_checks(),
             request->bypass_checks());
     }
+
+private:
+    std::optional<TString> DatabaseConfig;
+    std::optional<TString> TargetDatabase;
+
+    void CheckDatabaseAuthorization() {
+        const auto& metadata = NYamlConfig::GetDatabaseMetadata(*DatabaseConfig);
+
+        if (metadata.Database) {
+            TargetDatabase = metadata.Database;
+        }
+        else {
+            Reply(Ydb::StatusIds::BAD_REQUEST, "No database name found in metadata", 
+                    NKikimrIssues::TIssuesIds::DEFAULT_ERROR, ActorContext());
+            return;
+        }
+
+        if (*TargetDatabase == ("/" + AppData()->DomainsInfo->Domain->Name) || 
+            *TargetDatabase == AppData()->DomainsInfo->Domain->Name) {
+            Reply(Ydb::StatusIds::BAD_REQUEST, "Provided database is a domain database.", 
+                    NKikimrIssues::TIssuesIds::DEFAULT_ERROR, ActorContext());
+            return;
+        }
+        bool isAdministrator = NKikimr::IsAdministrator(AppData(), Request_->GetSerializedToken());
+        if (!isAdministrator) {
+            auto request = std::make_unique<NSchemeCache::TSchemeCacheNavigate>();
+            request->DatabaseName = *TargetDatabase;
+
+            auto& entry = request->ResultSet.emplace_back();
+            entry.Operation = NSchemeCache::TSchemeCacheNavigate::OpPath;
+            entry.Path = NKikimr::SplitPath(*TargetDatabase);
+
+            auto* self = Self();
+            self->Send(MakeSchemeCacheID(), new TEvTxProxySchemeCache::TEvNavigateKeySet(request.release()));
+            self->Become(&TReplaceStorageConfigRequest::StateWaitResolveDatabase);
+            return;
+        }
+        SendRequestToConsole();
+    }
+
+    void SendRequestToConsole() {
+        NTabletPipe::TClientConfig pipeConfig;
+        pipeConfig.RetryPolicy = {
+            .RetryLimitCount = 10,
+        };
+        auto pipe = NTabletPipe::CreateClient(SelfId(), MakeConsoleID(), pipeConfig);
+        ConsolePipe = RegisterWithSameMailbox(pipe);
+        
+        auto PrepareAndSendRequest = [&](auto requestType) {
+            using TRequestType = decltype(requestType);
+            auto request = std::make_unique<TRequestType>();
+            request->Record.SetUserToken(Request_->GetSerializedToken());
+            request->Record.SetPeerName(Request_->GetPeerName());
+            request->Record.SetIngressDatabase(*TargetDatabase);
+            
+            auto& req = *request->Record.MutableRequest();
+            req.set_config(*DatabaseConfig);
+
+            request->Record.SetBypassAuth(true);
+            NTabletPipe::SendData(SelfId(), ConsolePipe, request.release());
+        };
+
+        if (GetProtoRequest()->bypass_checks()) {
+            PrepareAndSendRequest(NConsole::TEvConsole::TEvSetYamlConfigRequest());
+        } else {
+            PrepareAndSendRequest(NConsole::TEvConsole::TEvReplaceYamlConfigRequest());
+        }
+        Self()->Become(&TReplaceStorageConfigRequest::StateConsoleReplaceFunc);
+    }
+
+    STFUNC(StateWaitResolveDatabase) {
+        switch (ev->GetTypeRewrite()) {
+            hFunc(TEvTxProxySchemeCache::TEvNavigateKeySetResult, HandleResolveDatabase);
+            default:
+                return TBase::StateFuncBase(ev);
+        }
+    }
+
+    void HandleResolveDatabase(TEvTxProxySchemeCache::TEvNavigateKeySetResult::TPtr& ev) {
+        const NSchemeCache::TSchemeCacheNavigate& request = *ev->Get()->Request.Get();
+        auto *self = Self();
+        if (request.ResultSet.empty() || request.ErrorCount > 0) {
+            self->Reply(Ydb::StatusIds::SCHEME_ERROR, "Error resolving database",
+                  NKikimrIssues::TIssuesIds::GENERIC_RESOLVE_ERROR, self->ActorContext());
+            return;
+        }
+
+        const auto& entry = request.ResultSet.front();
+        const auto& databaseOwner = entry.Self->Info.GetOwner();
+
+        NACLibProto::TUserToken tokenPb;
+        if (!tokenPb.ParseFromString(Request_->GetSerializedToken())) {
+            tokenPb = NACLibProto::TUserToken();
+        }
+        const auto& parsedToken = NACLib::TUserToken(tokenPb);
+
+        bool isDatabaseAdmin = NKikimr::IsDatabaseAdministrator(&parsedToken, databaseOwner);
+        if (!isDatabaseAdmin) {
+            self->Reply(Ydb::StatusIds::UNAUTHORIZED, "User is not a database administrator.",
+                  NKikimrIssues::TIssuesIds::ACCESS_DENIED, self->ActorContext());
+            return;
+        }
+        SendRequestToConsole();
+    }
+
+    STFUNC(StateConsoleReplaceFunc) {
+        switch (ev->GetTypeRewrite()) {
+            hFunc(NConsole::TEvConsole::TEvReplaceYamlConfigResponse, Handle);
+            hFunc(NConsole::TEvConsole::TEvSetYamlConfigResponse, Handle);
+            default:
+                return StateConsoleFunc(ev);
+        }
+    }
+
+    void Handle(NConsole::TEvConsole::TEvReplaceYamlConfigResponse::TPtr& ev) {
+        auto* self = Self();
+        self->Reply(Ydb::StatusIds::SUCCESS, ev->Get()->Record.GetIssues(), self->ActorContext());
+    }
+
+    void Handle(NConsole::TEvConsole::TEvSetYamlConfigResponse::TPtr& ev) {
+        auto* self = Self();
+        self->Reply(Ydb::StatusIds::SUCCESS, ev->Get()->Record.GetIssues(), self->ActorContext());
+    }
 };
 
 class TFetchStorageConfigRequest : public TBSConfigRequestGrpc<TFetchStorageConfigRequest, TEvFetchStorageConfigRequest,
     Ydb::Config::FetchConfigResult> {
 public:
     using TBase = TBSConfigRequestGrpc<TFetchStorageConfigRequest, TEvFetchStorageConfigRequest, Ydb::Config::FetchConfigResult>;
     using TBase::TBase;
+    using TRpcBase = TRpcOperationRequestActor<TFetchStorageConfigRequest, TEvFetchStorageConfigRequest>;
 
     bool ValidateRequest(Ydb::StatusIds::StatusCode& status, NYql::TIssues& issues) override {
         const auto& request = *GetProtoRequest();
@@ -229,6 +378,20 @@ class TFetchStorageConfigRequest : public TBSConfigRequestGrpc<TFetchStorageConf
         return NACLib::GenericManage;
     }
 
+    void Bootstrap(const TActorContext &ctx) {
+        TRpcBase::Bootstrap(ctx);
+        auto *self = Self();
+        self->OnBootstrap();
+
+        if (self->Request_->GetDatabaseName()) {
+            SendRequestToConsole();
+            return;
+        }
+
+        self->Become(&TFetchStorageConfigRequest::StateFunc);
+        self->Send(MakeBlobStorageNodeWardenID(ctx.SelfID.NodeId()), new TEvNodeWardenQueryStorageConfig(false));
+    }
+
     void FillDistconfQuery(NStorage::TEvNodeConfigInvokeOnRoot& ev) const {
         auto *record = ev.Record.MutableFetchStorageConfig();
 
@@ -300,6 +463,39 @@ class TFetchStorageConfigRequest : public TBSConfigRequestGrpc<TFetchStorageConf
 
         return ev;
     }
+
+private:
+    void SendRequestToConsole() {
+        NTabletPipe::TClientConfig pipeConfig;
+        pipeConfig.RetryPolicy = {
+            .RetryLimitCount = 10,
+        };
+        auto pipe = NTabletPipe::CreateClient(SelfId(), MakeConsoleID(), pipeConfig);
+        ConsolePipe = RegisterWithSameMailbox(pipe);
+
+        auto request = std::make_unique<NConsole::TEvConsole::TEvGetAllConfigsRequest>();
+        request->Record.SetUserToken(Request_->GetSerializedToken());
+        request->Record.SetPeerName(Request_->GetPeerName());
+        if (Request_->GetDatabaseName()) {
+            request->Record.SetIngressDatabase(*Request_->GetDatabaseName());
+        }
+        request->Record.SetBypassAuth(true);
+
+        NTabletPipe::SendData(SelfId(), ConsolePipe, request.release());
+        Self()->Become(&TFetchStorageConfigRequest::StateConsoleFetchFunc);
+    }
+
+    STFUNC(StateConsoleFetchFunc) {
+        switch (ev->GetTypeRewrite()) {
+            hFunc(NConsole::TEvConsole::TEvGetAllConfigsResponse, Handle);
+            default:
+                return StateConsoleFunc(ev);
+        }
+    }
+
+    void Handle(NConsole::TEvConsole::TEvGetAllConfigsResponse::TPtr& ev) {
+        ReplyWithResult(Ydb::StatusIds::SUCCESS, ev->Get()->Record.GetResponse(), ActorContext());
+    }
 };
 
 void DoReplaceConfig(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvider&) {
@@ -372,3 +568,4 @@ void DoBootstrapCluster(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvide
 }
 
 } // namespace NKikimr::NGRpcService
+

ydb/core/grpc_services/rpc_config_base.h

@@ -15,6 +15,7 @@
 #include <ydb/core/ydb_convert/ydb_convert.h>
 #include <ydb-cpp-sdk/library/operation_id/operation_id.h>
 #include <ydb-cpp-sdk/client/resources/ydb_resources.h>
+#include <ydb/core/cms/console/console.h>
 
 namespace NKikimr::NGRpcService {
 
@@ -351,6 +352,37 @@ class TBSConfigRequestGrpc : public TRpcOperationRequestActor<TDerived, TRequest
             NKikimrIssues::TIssuesIds::SHARD_NOT_AVAILABLE, self->ActorContext());
     }
 
+    TActorId ConsolePipe;
+
+    STFUNC(StateConsoleFunc) {
+        switch (ev->GetTypeRewrite()) {
+            hFunc(NConsole::TEvConsole::TEvGenericError, HandleConsole);
+            hFunc(TEvTabletPipe::TEvClientDestroyed, HandleConsole);
+            hFunc(TEvTabletPipe::TEvClientConnected, HandleConsole);
+            default:
+                return TBase::StateFuncBase(ev);
+        }
+    }
+
+    void HandleConsole(NConsole::TEvConsole::TEvGenericError::TPtr& ev) {
+        auto *self = Self();
+        self->Reply(ev->Get()->Record.GetYdbStatus(), ev->Get()->Record.GetIssues(), self->ActorContext());
+    }
+    
+    void HandleConsole(TEvTabletPipe::TEvClientDestroyed::TPtr&) {
+        auto *self = Self();
+        self->Reply(Ydb::StatusIds::UNAVAILABLE, "Connection to Console was lost",
+                   NKikimrIssues::TIssuesIds::SHARD_NOT_AVAILABLE, self->ActorContext());
+    }
+
+    void HandleConsole(TEvTabletPipe::TEvClientConnected::TPtr& ev) {
+        if (ev->Get()->Status != NKikimrProto::OK) {
+            auto *self = Self();
+            self->Reply(Ydb::StatusIds::UNAVAILABLE, "Failed to connect to Console",
+                       NKikimrIssues::TIssuesIds::SHARD_NOT_AVAILABLE, self->ActorContext());
+        }
+    }
+
     virtual bool ValidateRequest(Ydb::StatusIds::StatusCode& status, NYql::TIssues& issues) = 0;
     virtual std::unique_ptr<IEventBase> ProcessControllerQuery() = 0;
 

ydb/core/mind/bscontroller/console_interaction.cpp

@@ -277,14 +277,34 @@ namespace NKikimr::NBsController {
             PendingYamlConfig.reset();
         }
 
-        if (PendingYamlConfig && !NYamlConfig::IsMainConfig(*PendingYamlConfig)) {
-            return IssueGRpcResponse(NKikimrBlobStorage::TEvControllerReplaceConfigResponse::InvalidRequest,
-                "cluster YAML config is not of MainConfig kind");
+        if (PendingYamlConfig) {
+            const ui64 expected = Self.YamlConfig
+                ? GetVersion(*Self.YamlConfig) + 1
+                : 0;
+
+            if (!NYamlConfig::IsMainConfig(*PendingYamlConfig)) {
+                return IssueGRpcResponse(NKikimrBlobStorage::TEvControllerReplaceConfigResponse::InvalidRequest,
+                    "cluster YAML config is not of MainConfig kind");
+            } else if (const auto& meta = NYamlConfig::GetMainMetadata(*PendingYamlConfig); meta.Version != expected) {
+                return IssueGRpcResponse(NKikimrBlobStorage::TEvControllerReplaceConfigResponse::InvalidRequest,
+                     TStringBuilder() << "cluster YAML config version mismatch got# " << meta.Version
+                         << " expected# " << expected);
+           }
         }
 
-        if (PendingStorageYamlConfig && *PendingStorageYamlConfig && !NYamlConfig::IsStorageConfig(**PendingStorageYamlConfig)) {
-            return IssueGRpcResponse(NKikimrBlobStorage::TEvControllerReplaceConfigResponse::InvalidRequest,
-                "storage YAML config is not of StorageConfig kind");
+        if (PendingStorageYamlConfig && *PendingStorageYamlConfig) {
+            const ui64 expected = Self.StorageYamlConfig
+                ? Self.StorageYamlConfigVersion + 1
+                : 0;
+
+            if (!NYamlConfig::IsStorageConfig(**PendingStorageYamlConfig)) {
+                return IssueGRpcResponse(NKikimrBlobStorage::TEvControllerReplaceConfigResponse::InvalidRequest,
+                    "storage YAML config is not of StorageConfig kind");
+            } else if (const auto& meta = NYamlConfig::GetStorageMetadata(**PendingStorageYamlConfig); meta.Version != expected) {
+                return IssueGRpcResponse(NKikimrBlobStorage::TEvControllerReplaceConfigResponse::InvalidRequest,
+                    TStringBuilder() << "storage YAML config version mismatch got# " << meta.Version
+                        << " expected# " << expected);
+            }
         }
 
         if (record.GetSkipConsoleValidation() || !record.HasClusterYaml()) {