authormolotkov-and <molotkov-and@ydb.tech>2022-12-06 12:18:37 +0300
committermolotkov-and <molotkov-and@ydb.tech>2022-12-06 12:18:37 +0300
commitc879df2658ca63744a1f6ee51375018ad6f2fe0e (patch)
tree138c048f06d91a9dfc9f07c614cf181efe675893
parentba7d7cca0a9dab6fd246023a95040230ecfe0bcb (diff)
Show the dynamic node use certificate in node broker viewer
-rw-r--r--ydb/core/client/server/msgbus_server_node_registration.cpp29
-rw-r--r--ydb/core/mind/node_broker.cpp3
-rw-r--r--ydb/core/mind/node_broker__register_node.cpp2
-rw-r--r--ydb/core/mind/node_broker_impl.h1
-rw-r--r--ydb/core/protos/node_broker.proto1
5 files changed, 28 insertions, 8 deletions
diff --git a/ydb/core/client/server/msgbus_server_node_registration.cpp b/ydb/core/client/server/msgbus_server_node_registration.cpp
index 3b57aafcb48..e19f2c0524f 100644
--- a/ydb/core/client/server/msgbus_server_node_registration.cpp
+++ b/ydb/core/client/server/msgbus_server_node_registration.cpp
@@ -21,6 +21,15 @@ class TNodeRegistrationActor : public TActorBootstrapped<TNodeRegistrationActor>
{
using TActorBase = TActorBootstrapped<TNodeRegistrationActor>;
+ struct TNodeAuthorizationResult {
+ bool IsAuthorized = false;
+ bool IsCertififateUsed = false;
+
+ operator bool() const {
+ return IsAuthorized;
+ }
+ };
+
public:
static constexpr NKikimrServices::TActivity::EType ActorActivityType() {
return NKikimrServices::TActivity::MSGBUS_COMMON;
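Review bot: The new member `IsCertififateUsed` misspells "Certificate", and because it is a fresh identifier that this same commit already spreads into the Bootstrap request-building hunk and both IsNodeAuthorized hunks, renaming it now is cheap: `bool IsCertificateUsed = false;`. The implicit `operator bool()` is also unnecessary and invites a silent `if (!result)` read at call sites that hides which of the two flags is being tested; the only caller in this commit checks `.IsAuthorized` explicitly, so either drop the operator or make it `explicit operator bool() const { return IsAuthorized; }`. TNodeRegistrationActor continues outside the hunk.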
@@ -35,7 +44,8 @@ public:
void Bootstrap(const TActorContext &ctx)
{
- if (!IsNodeAuthorized()) {
+ const TNodeAuthorizationResult nodeAuthorizationResult = IsNodeAuthorized();
+ if (!nodeAuthorizationResult.IsAuthorized) {
SendReplyAndDie(ctx);
}
@@ -78,6 +88,8 @@ public:
if (Request.HasPath()) {
request->Record.SetPath(Request.GetPath());
}
+ request->Record.SetAuthorizedByCertificate(nodeAuthorizationResult.IsCertififateUsed);
+
NTabletPipe::SendData(ctx, NodeBrokerPipe, request.Release());
Become(&TNodeRegistrationActor::MainState);
@@ -172,14 +184,15 @@ public:
}
private:
- bool IsNodeAuthorized() {
+ TNodeAuthorizationResult IsNodeAuthorized() {
+ TNodeAuthorizationResult result {.IsAuthorized = false, .IsCertififateUsed = false};
auto* appdata = AppData();
if (appdata && appdata->FeatureFlags.GetEnableDynamicNodeAuthorization() && DynamicNodeAuthorizationParams) {
const auto& nodeAuthValues = FindClientCert();
if (nodeAuthValues.empty()) {
Response.MutableStatus()->SetCode(TStatus::UNAUTHORIZED);
Response.MutableStatus()->SetReason("Cannot authorize node. Node has not provided certificate");
- return false;
+ return result;
}
const auto& pemCert = nodeAuthValues.front();
TMap<TString, TString> subjectDescription;
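Review bot: The line `TNodeAuthorizationResult result {.IsAuthorized = false, .IsCertififateUsed = false};` only restates the struct's default member initializers, and designated initializers are a C++20 feature (or a compiler extension) in a file that otherwise shows no C++20 usage; `TNodeAuthorizationResult result{};` yields the same value with nothing to keep in sync if the struct gains fields. IsNodeAuthorized continues into the next hunk, where the remaining early returns and the final flag assignments live.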
@@ -191,16 +204,18 @@ private:
if (!DynamicNodeAuthorizationParams.IsSubjectDescriptionMatched(subjectDescription)) {
Response.MutableStatus()->SetCode(TStatus::UNAUTHORIZED);
Response.MutableStatus()->SetReason("Cannot authorize node by certificate");
- return false;
+ return result;
}
- auto host = Request.GetHost();
+ const auto& host = Request.GetHost();
if (!DynamicNodeAuthorizationParams.IsHostMatchAttributeCN(host)) {
Response.MutableStatus()->SetCode(TStatus::UNAUTHORIZED);
Response.MutableStatus()->SetReason("Cannot authorize node with host: " + host);
- return false;
+ return result;
}
+ result.IsCertififateUsed = true;
}
- return true;
+ result.IsAuthorized = true;
+ return result;;
}
NKikimrClient::TNodeRegistrationRequest Request;
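Review bot: `return result;;` at the end of IsNodeAuthorized has a stray second semicolon; it compiles as an empty statement but reads as a typo, so make it `return result;`. The flag ordering is worth a comment too: `IsCertififateUsed` is set only after the subject and host checks pass, while `IsAuthorized` is set for every path that leaves the feature-flag block, so a disabled `EnableDynamicNodeAuthorization` produces authorized-without-certificate, which is presumably the intended meaning of the new field. A one-liner above `result.IsCertififateUsed = true;` such as `// Reached only after subject and host checks passed: the certificate is what authorized this node.` would make that explicit. IsNodeAuthorized begins in the previous hunk.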
diff --git a/ydb/core/mind/node_broker.cpp b/ydb/core/mind/node_broker.cpp
index 0df4b675b59..ca7aa9cbc52 100644
--- a/ydb/core/mind/node_broker.cpp
+++ b/ydb/core/mind/node_broker.cpp
@@ -115,7 +115,8 @@ bool TNodeBroker::OnRenderAppHtmlPage(NMon::TEvRemoteHttpInfo::TPtr ev,
<< " DataCenter: " << node.Location.GetDataCenterId() << Endl
<< " Location: " << node.Location.ToString() << Endl
<< " Lease: " << node.Lease << Endl
- << " Expire: " << node.ExpirationString() << Endl;
+ << " Expire: " << node.ExpirationString() << Endl
+ << " AuthorizedByCertificate: " << (node.AuthorizedByCertificate ? "true" : "false") << Endl;
}
str << Endl;
diff --git a/ydb/core/mind/node_broker__register_node.cpp b/ydb/core/mind/node_broker__register_node.cpp
index b656297837b..56ce38b92ac 100644
--- a/ydb/core/mind/node_broker__register_node.cpp
+++ b/ydb/core/mind/node_broker__register_node.cpp
@@ -91,6 +91,7 @@ public:
Self->DbUpdateNodeLease(node, txc);
ExtendLease = true;
}
+ node.AuthorizedByCertificate = rec.GetAuthorizedByCertificate();
Response->Record.MutableStatus()->SetCode(TStatus::OK);
Self->FillNodeInfo(node, *Response->Record.MutableNode());
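Review bot: `node.AuthorizedByCertificate = rec.GetAuthorizedByCertificate();` stores the flag exactly as the requester sent it; the node broker performs no check of its own here, so the viewer's "AuthorizedByCertificate: true" means "the registration request claimed certificate authorization", not "the broker verified a certificate". That is acceptable for an informational display provided it is documented as such and nothing downstream treats it as an authorization decision; the same pattern appears in the next hunk for newly created nodes (`Node->AuthorizedByCertificate = rec.GetAuthorizedByCertificate();`). Separately, the value is set in memory right after `Self->DbUpdateNodeLease(node, txc)` but no database write for it appears anywhere in this commit, so if TNodeInfo is rebuilt from the local database on tablet restart the field will presumably revert to its default of false; either persist it or document it as in-memory only. The enclosing transaction method starts and ends outside the hunk.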
@@ -105,6 +106,7 @@ public:
Self->FreeIds.Reset(NodeId);
Node = MakeHolder<TNodeInfo>(NodeId, rec.GetAddress(), host, rec.GetResolveHost(), port, loc, false);
+ Node->AuthorizedByCertificate = rec.GetAuthorizedByCertificate();
Node->Lease = 1;
Node->Expire = expire;
diff --git a/ydb/core/mind/node_broker_impl.h b/ydb/core/mind/node_broker_impl.h
index e3b68b0587b..212e84c5cff 100644
--- a/ydb/core/mind/node_broker_impl.h
+++ b/ydb/core/mind/node_broker_impl.h
@@ -103,6 +103,7 @@ private:
ui32 Lease;
TInstant Expire;
bool LegacyUpdatePending = false;
+ bool AuthorizedByCertificate = false;
};
// State changes to apply while moving to the next epoch.
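Review bot: The new `AuthorizedByCertificate` member is undocumented, and its name suggests a verified property while in this commit it is only copied from the registration request; a short comment prevents that misreading: `bool AuthorizedByCertificate = false; // As reported by the registration request (informational; not verified by the broker).` The struct's header is outside the hunk, so match whatever comment convention the surrounding TNodeInfo members use.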
diff --git a/ydb/core/protos/node_broker.proto b/ydb/core/protos/node_broker.proto
index 84b418c4b09..11a7b5a12bd 100644
--- a/ydb/core/protos/node_broker.proto
+++ b/ydb/core/protos/node_broker.proto
@@ -68,6 +68,7 @@ message TRegistrationRequest {
optional NActorsInterconnect.TNodeLocation Location = 5;
optional bool FixedNodeId = 6;
optional string Path = 7;
+ optional bool AuthorizedByCertificate = 8;
}
message TRegistrationResponse {
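Review bot: The new field `optional bool AuthorizedByCertificate = 8;` carries no comment, and since the broker stores it verbatim from the request a reader of the proto cannot tell whether it is a claim made by the sender or a result verified by the receiver; adding `// Set by the registration front-end when the node was authorized via its client certificate; informational only, not re-verified by the node broker.` above the field would make the contract clear. The neighbouring fields are also uncommented, so this departs from the message's current style, but the security-adjacent meaning of this one justifies it.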