added the check of the transfer write permission (#17938)

Author: nshestakov

ydb/core/protos/replication.proto

@@ -96,6 +96,7 @@ message TReplicationConfig {
         }
         optional TTarget Target = 1;
         optional TBatchingSettings Batching = 2;
+        optional string RunAsUser = 3;
     }
 
     optional TConnectionParams SrcConnectionParams = 1;
@@ -258,6 +259,7 @@ message TTransferWriterSettings {
     optional NKikimrProto.TPathID PathId = 1;
     optional string TransformLambda = 2;
     optional TBatchingSettings Batching = 3;
+    optional string RunAsUser = 4;
 }
 
 message TRunWorkerCommand {

ydb/core/tx/replication/controller/event_util.cpp

@@ -60,6 +60,7 @@ THolder<TEvService::TEvRunWorker> MakeRunWorkerEv(
             dstPathId.ToProto(writerSettings.MutablePathId());
             writerSettings.SetTransformLambda(p->GetTransformLambda());
             writerSettings.MutableBatching()->CopyFrom(batchingSettings);
+            writerSettings.SetRunAsUser(p->GetRunAsUser());
             break;
         }
     }

ydb/core/tx/replication/controller/schema.h

@@ -48,9 +48,10 @@ struct TControllerSchema: NIceDb::Schema {
         };
         struct Issue: Column<9, NScheme::NTypeIds::Utf8> {};
         struct TransformLambda: Column<10, NScheme::NTypeIds::Utf8> {};
+        struct RunAsUser: Column<11, NScheme::NTypeIds::Utf8> {};
 
         using TKey = TableKey<ReplicationId, Id>;
-        using TColumns = TableColumns<ReplicationId, Id, Kind, SrcPath, DstPath, DstState, DstPathOwnerId, DstPathLocalId, Issue, TransformLambda>;
+        using TColumns = TableColumns<ReplicationId, Id, Kind, SrcPath, DstPath, DstState, DstPathOwnerId, DstPathLocalId, Issue, TransformLambda, RunAsUser>;
     };
 
     struct SrcStreams: Table<4> {

ydb/core/tx/replication/controller/target_discoverer.cpp

@@ -183,7 +183,8 @@ class TTargetDiscoverer: public TActorBootstrapped<TTargetDiscoverer> {
             const auto& targetConf = Config.GetTransferSpecific().GetTarget();
 
             const auto& target = ToAdd.emplace_back(TReplication::ETargetKind::Transfer,
-                std::make_shared<TTargetTransfer::TTransferConfig>(path.first, path.second, targetConf.GetTransformLambda()));
+                std::make_shared<TTargetTransfer::TTransferConfig>(path.first, path.second, targetConf.GetTransformLambda(),
+                    Config.GetTransferSpecific().GetRunAsUser()));
             LOG_I("Add target"
                 << ": srcPath# " << target.Config->GetSrcPath()
                 << ", dstPath# " << target.Config->GetDstPath()

ydb/core/tx/replication/controller/target_transfer.cpp

@@ -17,7 +17,8 @@ void TTargetTransfer::UpdateConfig(const NKikimrReplication::TReplicationConfig&
     Config = std::make_shared<TTargetTransfer::TTransferConfig>(
         GetConfig()->GetSrcPath(),
         GetConfig()->GetDstPath(),
-        t.GetTransformLambda());
+        t.GetTransformLambda(),
+        cfg.GetTransferSpecific().GetRunAsUser());
 }
 
 void TTargetTransfer::Progress(const TActorContext& ctx) {
@@ -55,14 +56,19 @@ TString TTargetTransfer::GetStreamPath() const {
     return CanonizePath(GetSrcPath());
 }
 
-TTargetTransfer::TTransferConfig::TTransferConfig(const TString& srcPath, const TString& dstPath, const TString& transformLambda)
+TTargetTransfer::TTransferConfig::TTransferConfig(const TString& srcPath, const TString& dstPath, const TString& transformLambda, const TString& runAsUser)
     : TConfigBase(ETargetKind::Transfer, srcPath, dstPath)
     , TransformLambda(transformLambda)
+    , RunAsUser(runAsUser)
 {
 }
 
 const TString& TTargetTransfer::TTransferConfig::GetTransformLambda() const {
     return TransformLambda;
 }
 
+const TString& TTargetTransfer::TTransferConfig::GetRunAsUser() const {
+    return RunAsUser;
+}
+
 }

ydb/core/tx/replication/controller/target_transfer.h

@@ -9,12 +9,14 @@ class TTargetTransfer: public TTargetWithStream {
     struct TTransferConfig : public TConfigBase {
         using TPtr = std::shared_ptr<TTransferConfig>;
 
-        TTransferConfig(const TString& srcPath, const TString& dstPath, const TString& transformLambda);
+        TTransferConfig(const TString& srcPath, const TString& dstPath, const TString& transformLambda, const TString& runAsUser);
 
         const TString& GetTransformLambda() const;
+        const TString& GetRunAsUser() const;
 
     private:
         TString TransformLambda;
+        TString RunAsUser;
     };
 
     explicit TTargetTransfer(TReplication* replication,

ydb/core/tx/replication/controller/tx_discovery_targets_result.cpp

@@ -46,15 +46,18 @@ class TController::TTxDiscoveryTargetsResult: public TTxBase {
                 const auto tid = Replication->AddTarget(target.Kind, target.Config);
 
                 TString transformLambda;
+                TString runAsUser;
                 if (auto p = std::dynamic_pointer_cast<const TTargetTransfer::TTransferConfig>(target.Config)) {
                     transformLambda = p->GetTransformLambda();
+                    runAsUser = p->GetRunAsUser();
                 }
 
                 db.Table<Schema::Targets>().Key(rid, tid).Update(
                     NIceDb::TUpdate<Schema::Targets::Kind>(target.Kind),
                     NIceDb::TUpdate<Schema::Targets::SrcPath>(target.Config->GetSrcPath()),
                     NIceDb::TUpdate<Schema::Targets::DstPath>(target.Config->GetDstPath()),
-                    NIceDb::TUpdate<Schema::Targets::TransformLambda>(transformLambda)
+                    NIceDb::TUpdate<Schema::Targets::TransformLambda>(transformLambda),
+                    NIceDb::TUpdate<Schema::Targets::RunAsUser>(runAsUser)
                 );
 
                 CLOG_N(ctx, "Add target"

ydb/core/tx/replication/controller/tx_init.cpp

@@ -88,6 +88,7 @@ class TController::TTxInit: public TTxBase {
                 rowset.GetValue<Schema::Targets::DstPathLocalId>()
             );
             const auto transformLambda = rowset.GetValue<Schema::Targets::TransformLambda>();
+            const auto runAsUser = rowset.GetValue<Schema::Targets::RunAsUser>();
 
             auto replication = Self->Find(rid);
             Y_VERIFY_S(replication, "Unknown replication: " << rid);
@@ -103,7 +104,7 @@ class TController::TTxInit: public TTxBase {
                     break;
 
                 case TReplication::ETargetKind::Transfer:
-                    config = std::make_shared<TTargetTransfer::TTransferConfig>(srcPath, dstPath, transformLambda);
+                    config = std::make_shared<TTargetTransfer::TTransferConfig>(srcPath, dstPath, transformLambda, runAsUser);
                     break;
             }
 

ydb/core/tx/replication/service/service.cpp

@@ -432,9 +432,10 @@ class TReplicationService: public TActorBootstrapped<TReplicationService> {
             transformLambda = writerSettings.GetTransformLambda(),
             compilationService = *CompilationService,
             batchingSettings = writerSettings.GetBatching(),
-            transferWriterFactory = transferWriterFactory
+            transferWriterFactory = transferWriterFactory,
+            runAsUser = writerSettings.GetRunAsUser()
         ]() {
-            return transferWriterFactory->Create({transformLambda, tablePathId, compilationService, batchingSettings});
+            return transferWriterFactory->Create({transformLambda, tablePathId, compilationService, batchingSettings, runAsUser});
         };
     }
 

ydb/core/tx/replication/service/transfer_writer_factory.h

@@ -21,6 +21,7 @@ class ITransferWriterFactory {
         const TPathId& TablePathId;
         const TActorId& CompileServiceId;
         const NKikimrReplication::TBatchingSettings& BatchingSettings;
+        const TString& RunAsUser;
     };
 
     virtual IActor* Create(const Parameters& parameters) const = 0;