author | hcpp <[email protected]> | 2023-02-04 00:24:43 +0300 |
---|---|---|
committer | hcpp <[email protected]> | 2023-02-04 00:24:43 +0300 |
commit | 5a626ee1b7159798bb105e085af58f9506610d55 (patch) | |
tree | 65bb82a1b663252a357ce44b6bbc8d51cfeed99f | |
parent | 627bd5967f6a8f8ef59b5b768bd49cfffb25bc4a (diff) |
view query/ast checking has been added
4 files changed, 16 insertions, 5 deletions
diff --git a/ydb/core/grpc_services/rpc_fq.cpp b/ydb/core/grpc_services/rpc_fq.cpp
index 9748a18a320..df9a05117fc 100644
--- a/ydb/core/grpc_services/rpc_fq.cpp
+++ b/ydb/core/grpc_services/rpc_fq.cpp
@@ -479,7 +479,8 @@ std::unique_ptr<TEvProxyRuntimeEvent> CreateFederatedQueryDescribeQueryRequestOp
 NPerms::Required("yq.queries.get"),
 NPerms::Optional("yq.queries.viewAst"),
 NPerms::Optional("yq.resources.viewPublic"),
- NPerms::Optional("yq.resources.viewPrivate")
+ NPerms::Optional("yq.resources.viewPrivate"),
+ NPerms::Optional("yq.queries.viewQueryText")
 };
 }};
 
@@ -577,7 +578,9 @@ std::unique_ptr<TEvProxyRuntimeEvent> CreateFederatedQueryDescribeJobRequestOper
 return {
 NPerms::Required("yq.jobs.get"),
 NPerms::Optional("yq.resources.viewPublic"),
- NPerms::Optional("yq.resources.viewPrivate")
+ NPerms::Optional("yq.resources.viewPrivate"),
+ NPerms::Optional("yq.queries.viewAst"),
+ NPerms::Optional("yq.queries.viewQueryText")
 };
 }
 };
diff --git a/ydb/core/yq/libs/control_plane_proxy/control_plane_proxy.cpp b/ydb/core/yq/libs/control_plane_proxy/control_plane_proxy.cpp
index 33a7361512a..0c098fa72e0 100644
--- a/ydb/core/yq/libs/control_plane_proxy/control_plane_proxy.cpp
+++ b/ydb/core/yq/libs/control_plane_proxy/control_plane_proxy.cpp
@@ -1385,6 +1385,8 @@ private:
 static const TPermissions availablePermissions {
 TPermissions::TPermission::VIEW_PUBLIC
 | TPermissions::TPermission::VIEW_PRIVATE
+ | TPermissions::TPermission::VIEW_AST
+ | TPermissions::VIEW_QUERY_TEXT
 };
 
 Register(new TRequestActor<YandexQuery::DescribeJobRequest,
diff --git a/ydb/core/yq/libs/control_plane_proxy/ut/control_plane_proxy_ut.cpp b/ydb/core/yq/libs/control_plane_proxy/ut/control_plane_proxy_ut.cpp
index c7e1ccfee3c..12878629966 100644
--- a/ydb/core/yq/libs/control_plane_proxy/ut/control_plane_proxy_ut.cpp
+++ b/ydb/core/yq/libs/control_plane_proxy/ut/control_plane_proxy_ut.cpp
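Review bot: In the control_plane_proxy.cpp hunk the two added enumerators are qualified differently — `| TPermissions::TPermission::VIEW_AST` follows the existing lines, while the next added line uses the shorter `| TPermissions::VIEW_QUERY_TEXT`; both spellings evidently resolve (the unit test uses the short form), but the mismatch inside one initializer reads like a leftover, so `| TPermissions::TPermission::VIEW_QUERY_TEXT` keeps the list uniform. The two rpc_fq.cpp hunks on the same line only extend the Optional permission lists for DescribeQuery and DescribeJob and need nothing beyond that. The method holding the `availablePermissions` initializer starts and ends outside the hunk.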
@@ -2484,13 +2484,13 @@ Y_UNIT_TEST_SUITE(TControlPlaneProxyCheckNegativePermissionsSuccess) {
 UNIT_ASSERT_VALUES_EQUAL(event->Scope, "yandexcloud://my_folder");
 UNIT_ASSERT(permissions.Check(TPermissions::VIEW_PUBLIC));
 UNIT_ASSERT(permissions.Check(TPermissions::VIEW_PRIVATE));
- UNIT_ASSERT(!permissions.Check(TPermissions::VIEW_AST));
+ UNIT_ASSERT(permissions.Check(TPermissions::VIEW_AST));
 UNIT_ASSERT(!permissions.Check(TPermissions::MANAGE_PUBLIC));
 UNIT_ASSERT(!permissions.Check(TPermissions::MANAGE_PRIVATE));
 UNIT_ASSERT(!permissions.Check(TPermissions::CONNECTIONS_USE));
 UNIT_ASSERT(!permissions.Check(TPermissions::BINDINGS_USE));
 UNIT_ASSERT(!permissions.Check(TPermissions::QUERY_INVOKE));
- UNIT_ASSERT(!permissions.Check(TPermissions::VIEW_QUERY_TEXT));
+ UNIT_ASSERT(permissions.Check(TPermissions::VIEW_QUERY_TEXT));
 }
 
 Y_UNIT_TEST(ShouldSendCreateConnection)
diff --git a/ydb/core/yq/libs/control_plane_storage/ydb_control_plane_storage_queries.cpp b/ydb/core/yq/libs/control_plane_storage/ydb_control_plane_storage_queries.cpp
index d2bd31d4329..d90bfebfa17 100644
--- a/ydb/core/yq/libs/control_plane_storage/ydb_control_plane_storage_queries.cpp
+++ b/ydb/core/yq/libs/control_plane_storage/ydb_control_plane_storage_queries.cpp
@@ -1741,7 +1741,7 @@ void TYdbControlPlaneStorageActor::Handle(TEvControlPlaneStorage::TEvDescribeJob
 const TString token = event.Token;
 TPermissions permissions = Config->Proto.GetEnablePermissions()
 ? event.Permissions
- : TPermissions{TPermissions::VIEW_PUBLIC};
+ : TPermissions{TPermissions::VIEW_PUBLIC | TPermissions::VIEW_AST | TPermissions::VIEW_QUERY_TEXT};
 if (IsSuperUser(user)) {
 permissions.SetAll();
 }
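Review bot: The fallback in the ydb_control_plane_storage_queries.cpp hunk now grants VIEW_AST and VIEW_QUERY_TEXT whenever `GetEnablePermissions()` is false; that appears to be what keeps deployments without permission checks receiving ast and query text as they did before this commit, since the `clear_ast`/`clear_text` branches added later in the same handler would otherwise strip both fields for every caller — but nothing in the code says so. A one-line comment above the ternary would pin the intent, e.g. `// Permission checks disabled: keep exposing ast and query text to any caller with view access (VIEW_PRIVATE stays off, as before).` The test hunk on the same line only flips the proxy's expectations for the two bits and is consistent with the new `availablePermissions` value. The Handle body continues outside the hunk.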
@@ -1792,6 +1792,12 @@ void TYdbControlPlaneStorageActor::Handle(TEvControlPlaneStorage::TEvDescribeJob
 if (!hasViewAccces) {
 ythrow TCodeLineException(TIssuesIds::ACCESS_DENIED) << "Job does not exist or permission denied. Please check the job id or your access rights";
 }
+ if (!permissions.Check(TPermissions::VIEW_AST)) {
+ result.mutable_job()->clear_ast();
+ }
+ if (!permissions.Check(TPermissions::VIEW_QUERY_TEXT)) {
+ result.mutable_job()->clear_text();
+ }
 return result;
 };
 
|
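Review bot: The new redaction of `ast` and `text` on the DescribeJob response has no test in this commit — the diffstat lists four files and the only test change (control_plane_proxy_ut.cpp) asserts which permission bits the proxy forwards, not that a caller lacking VIEW_AST or VIEW_QUERY_TEXT gets those fields cleared by storage; a storage-side case per bit would lock the behaviour in. The two blocks also repeat `result.mutable_job()`; hoisting it with `auto* job = result.mutable_job();` and adding a short comment such as `// Strip fields the caller may not view; the access check above only decides whether the job is visible at all` would make the intent clear. Whether the job message carries the query text in any field other than `text` is not visible here and is worth confirming, since the redaction only touches those two fields. The enclosing lambda starts outside the hunk.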