remove kafka cloud role check (#13816)

Author: a-serebryanskiy

ydb/core/kafka_proxy/actors/kafka_sasl_auth_actor.cpp

@@ -54,20 +54,6 @@ void TKafkaSaslAuthActor::Handle(NKikimr::TEvTicketParser::TEvAuthorizeTicketRes
     }
     UserToken = ev->Get()->Token;
 
-    if (ClientAuthData.UserName.empty()) {
-        bool gotPermission = false;
-        for (auto & sid : UserToken->GetGroupSIDs()) {
-            if (sid == NKikimr::NGRpcProxy::V1::KafkaPlainAuthSid) {
-                gotPermission = true;
-                break;
-            }
-        }
-        if (!gotPermission) {
-            SendResponseAndDie(EKafkaErrors::SASL_AUTHENTICATION_FAILED, "", TStringBuilder() << "no permission '" << NKikimr::NGRpcProxy::V1::KafkaPlainAuthPermission << "'", ctx);
-            return;
-        }
-    }
-
     SendResponseAndDie(EKafkaErrors::NONE_ERROR, "", "", ctx);
 }
 
@@ -174,7 +160,7 @@ void TKafkaSaslAuthActor::SendLoginRequest(TKafkaSaslAuthActor::TAuthData authDa
 }
 
 void TKafkaSaslAuthActor::SendApiKeyRequest() {
-    auto entries = NKikimr::NGRpcProxy::V1::GetTicketParserEntries(DatabaseId, FolderId, true);
+    auto entries = NKikimr::NGRpcProxy::V1::GetTicketParserEntries(DatabaseId, FolderId);
 
     Send(NKikimr::MakeTicketParserID(), new NKikimr::TEvTicketParser::TEvAuthorizeTicket({
         .Database = DatabasePath,

ydb/library/testlib/service_mocks/access_service_mock.h

@@ -137,7 +137,7 @@ class TTicketParserAccessServiceMock : public yandex::cloud::priv::servicecontro
     THashSet<TString> AllowedUserPermissions = {
         "user1-something.read",
         "ApiKey-value-valid-something.read",
-        "ApiKey-value-valid-ydb.api.kafkaPlainAuth",
+        "ApiKey-value-valid-ydb.streams.write",
         "user1-monitoring.view"};
     THashMap<TString, TString> AllowedServicePermissions = {{"service1-something.write", "root1/folder1"}};
     THashSet<TString> AllowedResourceIds = {};
@@ -200,7 +200,6 @@ class TTicketParserAccessServiceMockV2 : public yandex::cloud::priv::accessservi
     THashSet<TString> AllowedUserPermissions = {
         "user1-something.read",
         "ApiKey-value-valid-something.read",
-        "ApiKey-value-valid-ydb.api.kafkaPlainAuth",
         "user1-monitoring.view"
     };
     THashMap<TString, TString> AllowedServicePermissions = {{"service1-something.write", "root1/folder1"}};

ydb/services/persqueue_v1/actors/persqueue_utils.h

@@ -17,9 +17,6 @@ namespace NKikimr::NGRpcProxy::V1 {
 #endif
 #define PQ_LOG_PREFIX "session cookie " << Cookie << " consumer " << ClientPath << " session " << Session
 
-static constexpr char KafkaPlainAuthPermission[] = "ydb.api.kafkaPlainAuth";
-static constexpr char KafkaPlainAuthSid[] = "ydb.api.kafkaPlainAuth@as";
-
 // moved to ydb/core/client/server/msgbus_server_persqueue.h?
 // const TString& TopicPrefix(const TActorContext& ctx);
 
@@ -76,7 +73,7 @@ static inline bool InternalErrorCode(Ydb::PersQueue::ErrorCode::ErrorCode errorC
 void FillIssue(Ydb::Issue::IssueMessage* issue, const Ydb::PersQueue::ErrorCode::ErrorCode errorCode, const TString& errorReason);
 
 
-static inline TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry>  GetTicketParserEntries(const TString& dbId, const TString& folderId, bool useKafkaApi = false) {
+static inline TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry>  GetTicketParserEntries(const TString& dbId, const TString& folderId) {
     TVector<TString> permissions = {
         "ydb.databases.list",
         "ydb.databases.create",
@@ -85,9 +82,6 @@ static inline TVector<TEvTicketParser::TEvAuthorizeTicket::TEntry>  GetTicketPar
         "ydb.schemas.getMetadata",
         "ydb.streams.write"
     };
-    if (useKafkaApi) {
-        permissions.push_back(KafkaPlainAuthPermission);
-    }
     TVector<std::pair<TString, TString>> attributes;
     if (!dbId.empty()) attributes.push_back({"database_id", dbId});
     if (!folderId.empty()) attributes.push_back({"folder_id", folderId});