authoralexnick <[email protected]>2023-07-19 09:26:53 +0300
committeralexnick <[email protected]>2023-07-19 09:26:53 +0300
commitd5ee69cc7ce500e12fe5804bcea5565a0ef56efb (patch)
tree66f90b1466ca6990e34864a5e7d9c2f419d531b7
parente97b18cd44140899adc1476e720186a88047df66 (diff)
reply unavailable insdead of access_denied on retriable IAM errors
reply unavailable instead of access_denied on retriable IAM errors
-rw-r--r--ydb/core/http_proxy/CMakeLists.darwin-x86_64.txt1
-rw-r--r--ydb/core/http_proxy/CMakeLists.linux-aarch64.txt1
-rw-r--r--ydb/core/http_proxy/CMakeLists.linux-x86_64.txt1
-rw-r--r--ydb/core/http_proxy/CMakeLists.windows-x86_64.txt1
-rw-r--r--ydb/core/http_proxy/http_req.cpp22
-rw-r--r--ydb/core/http_proxy/ya.make1
-rw-r--r--ydb/core/security/ticket_parser_impl.h22
7 files changed, 31 insertions, 18 deletions
diff --git a/ydb/core/http_proxy/CMakeLists.darwin-x86_64.txt b/ydb/core/http_proxy/CMakeLists.darwin-x86_64.txt
index 3be3d9f298b..7b3deb955e3 100644
--- a/ydb/core/http_proxy/CMakeLists.darwin-x86_64.txt
+++ b/ydb/core/http_proxy/CMakeLists.darwin-x86_64.txt
@@ -21,6 +21,7 @@ target_link_libraries(ydb-core-http_proxy PUBLIC
ydb-core-base
ydb-core-protos
core-grpc_services-local_rpc
+ ydb-core-security
yql-public-issue
library-http_proxy-authorization
library-http_proxy-error
diff --git a/ydb/core/http_proxy/CMakeLists.linux-aarch64.txt b/ydb/core/http_proxy/CMakeLists.linux-aarch64.txt
index ca22afad07a..0d79a187105 100644
--- a/ydb/core/http_proxy/CMakeLists.linux-aarch64.txt
+++ b/ydb/core/http_proxy/CMakeLists.linux-aarch64.txt
@@ -22,6 +22,7 @@ target_link_libraries(ydb-core-http_proxy PUBLIC
ydb-core-base
ydb-core-protos
core-grpc_services-local_rpc
+ ydb-core-security
yql-public-issue
library-http_proxy-authorization
library-http_proxy-error
diff --git a/ydb/core/http_proxy/CMakeLists.linux-x86_64.txt b/ydb/core/http_proxy/CMakeLists.linux-x86_64.txt
index ca22afad07a..0d79a187105 100644
--- a/ydb/core/http_proxy/CMakeLists.linux-x86_64.txt
+++ b/ydb/core/http_proxy/CMakeLists.linux-x86_64.txt
@@ -22,6 +22,7 @@ target_link_libraries(ydb-core-http_proxy PUBLIC
ydb-core-base
ydb-core-protos
core-grpc_services-local_rpc
+ ydb-core-security
yql-public-issue
library-http_proxy-authorization
library-http_proxy-error
diff --git a/ydb/core/http_proxy/CMakeLists.windows-x86_64.txt b/ydb/core/http_proxy/CMakeLists.windows-x86_64.txt
index 3be3d9f298b..7b3deb955e3 100644
--- a/ydb/core/http_proxy/CMakeLists.windows-x86_64.txt
+++ b/ydb/core/http_proxy/CMakeLists.windows-x86_64.txt
@@ -21,6 +21,7 @@ target_link_libraries(ydb-core-http_proxy PUBLIC
ydb-core-base
ydb-core-protos
core-grpc_services-local_rpc
+ ydb-core-security
yql-public-issue
library-http_proxy-authorization
library-http_proxy-error
diff --git a/ydb/core/http_proxy/http_req.cpp b/ydb/core/http_proxy/http_req.cpp
index 5c82d8c67a6..5aae2d8114c 100644
--- a/ydb/core/http_proxy/http_req.cpp
+++ b/ydb/core/http_proxy/http_req.cpp
@@ -17,6 +17,7 @@
#include <library/cpp/protobuf/json/proto2json_printer.h>
#include <library/cpp/uri/uri.h>
+#include <ydb/core/security/ticket_parser_impl.h>
#include <ydb/core/base/appdata.h>
#include <ydb/core/grpc_caching/cached_grpc_request_actor.h>
#include <ydb/core/grpc_services/local_rpc/local_rpc.h>
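Review bot: The new `#include <ydb/core/security/ticket_parser_impl.h>` pulls the whole TTicketParserImpl actor template into http_req.cpp although the proxy only needs the free `IsRetryableGrpcError` helper; a small header holding just that function would keep the http_proxy build independent of the ticket parser internals. The include is also inserted ahead of `ydb/core/base/appdata.h`, breaking the alphabetical order of the `ydb/core/...` group, so it belongs after `ydb/core/grpc_services/local_rpc/local_rpc.h`.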
@@ -971,8 +972,8 @@ namespace NKikimr::NHttpProxy {
void HandleTicketParser(const TEvTicketParser::TEvAuthorizeTicketResult::TPtr& ev, const TActorContext& ctx) {
if (ev->Get()->Error) {
- return ReplyWithError(ctx, NYdb::EStatus::UNAUTHORIZED, ev->Get()->Error.Message);
- };
+ return ReplyWithError(ctx, ev->Get()->Error.Retryable ? NYdb::EStatus::UNAVAILABLE : NYdb::EStatus::UNAUTHORIZED, ev->Get()->Error.Message);
+ }
ctx.Send(Sender, new TEvServerlessProxy::TEvToken(ev->Get()->Token->GetUserSID(), "", ev->Get()->SerializedToken, {"", DatabaseId, DatabasePath, CloudId, FolderId}));
LOG_SP_DEBUG_S(ctx, NKikimrServices::HTTP_PROXY, "Authorized successfully");
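Review bot: The rewritten reply on the `if (ev->Get()->Error)` branch still forwards `ev->Get()->Error.Message` verbatim to the HTTP client, while the service-account hunk below deliberately drops the upstream `Status.Msg` from its reply and the IAM-token hunk keeps it; the three paths should follow one policy for how much upstream ticket-parser/IAM text reaches an unauthenticated caller. Returning a fixed message and logging the detail with `LOG_SP_DEBUG_S` (as the success path below already does) is the safer default, since a retryable error's text may describe backend state that the caller has no need to see. HandleTicketParser continues past the end of this hunk.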
@@ -1080,11 +1081,14 @@ namespace NKikimr::NHttpProxy {
SendAuthenticationRequest(ctx);
return;
}
- return ReplyWithError(ctx, NYdb::EStatus::UNAUTHORIZED, TStringBuilder() <<
- "requestid " << RequestId << "; " <<
- "can not authenticate service account user: " << ev->Get()->Status.Msg);
+ return ReplyWithError(ctx, ev->Get()->Status.InternalError || NKikimr::IsRetryableGrpcError(ev->Get()->Status)
+ ? NYdb::EStatus::UNAVAILABLE
+ : NYdb::EStatus::UNAUTHORIZED,
+ TStringBuilder() << "requestid " << RequestId
+ << "; can not authenticate service account user");
+
} else if (!ev->Get()->Response.subject().has_service_account()) {
- return ReplyWithError(ctx, NYdb::EStatus::UNAUTHORIZED,
+ return ReplyWithError(ctx, NYdb::EStatus::INTERNAL_ERROR,
"(this error should not have been reached).");
}
RetryCounter.Void();
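Review bot: The status classification `ev->Get()->Status.InternalError || NKikimr::IsRetryableGrpcError(ev->Get()->Status) ? NYdb::EStatus::UNAVAILABLE : NYdb::EStatus::UNAUTHORIZED` is written out twice, here and again in the IAM-token hunk below; a one-line private helper such as `static NYdb::EStatus AuthFailureStatus(const NGrpc::TGrpcStatus& s) { return (s.InternalError || NKikimr::IsRetryableGrpcError(s)) ? NYdb::EStatus::UNAVAILABLE : NYdb::EStatus::UNAUTHORIZED; }` keeps the two call sites from drifting apart. The conditional operator binds looser than `||`, so the expression parses as intended, but parentheses around the condition would make that obvious to readers. The added empty line before `} else if` is stray whitespace and can be dropped. The enclosing handler starts before this hunk.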
@@ -1120,8 +1124,10 @@ namespace NKikimr::NHttpProxy {
SendIamTokenRequest(ctx);
return;
}
- return ReplyWithError(ctx, NYdb::EStatus::UNAUTHORIZED, TStringBuilder() <<
- "IAM token issue error: " << ev->Get()->Status.Msg);
+ return ReplyWithError(ctx, ev->Get()->Status.InternalError || NKikimr::IsRetryableGrpcError(ev->Get()->Status)
+ ? NYdb::EStatus::UNAVAILABLE
+ : NYdb::EStatus::UNAUTHORIZED,
+ TStringBuilder() << "IAM token issue error: " << ev->Get()->Status.Msg);
}
RetryCounter.Void();
diff --git a/ydb/core/http_proxy/ya.make b/ydb/core/http_proxy/ya.make
index 79cb89148bc..05534e05a81 100644
--- a/ydb/core/http_proxy/ya.make
+++ b/ydb/core/http_proxy/ya.make
@@ -28,6 +28,7 @@ PEERDIR(
ydb/core/base
ydb/core/protos
ydb/core/grpc_services/local_rpc
+ ydb/core/security
ydb/library/yql/public/issue
ydb/library/http_proxy/authorization
ydb/library/http_proxy/error
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
index 550deb5d15c..0814e47001e 100644
--- a/ydb/core/security/ticket_parser_impl.h
+++ b/ydb/core/security/ticket_parser_impl.h
@@ -21,6 +21,18 @@
namespace NKikimr {
+inline bool IsRetryableGrpcError(const NGrpc::TGrpcStatus& status) {
+ switch (status.GRpcStatusCode) {
+ case grpc::StatusCode::UNAUTHENTICATED:
+ case grpc::StatusCode::PERMISSION_DENIED:
+ case grpc::StatusCode::INVALID_ARGUMENT:
+ case grpc::StatusCode::NOT_FOUND:
+ return false;
+ }
+ return true;
+}
+
+
template <typename TDerived>
class TTicketParserImpl : public TActorBootstrapped<TDerived> {
using TThis = TTicketParserImpl;
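Review bot: `IsRetryableGrpcError` returns true for every status code not in its four-case switch, so codes such as `UNIMPLEMENTED` or `FAILED_PRECONDITION` are now reported to HTTP clients as UNAVAILABLE and invite retries; now that the function is public, that deny-list semantic should be stated above it, e.g. `// Every gRPC status except the four definitive auth/argument failures below is treated as transient; callers map "retryable" to UNAVAILABLE.`, and the list checked against the codes the IAM backend is expected to return. The switch has no `default:` label, so a build with `-Wswitch` will warn about the unhandled enumerators; `default: return true;` inside the switch silences it without changing behaviour. The body is identical to the static member removed in the next hunk, so only its linkage changed. The two blank lines after the closing brace can be reduced to one; the NKikimr namespace continues outside the hunk.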
@@ -62,16 +74,6 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
return key.Str();
}
- static bool IsRetryableGrpcError(const NGrpc::TGrpcStatus& status) {
- switch (status.GRpcStatusCode) {
- case grpc::StatusCode::UNAUTHENTICATED:
- case grpc::StatusCode::PERMISSION_DENIED:
- case grpc::StatusCode::INVALID_ARGUMENT:
- case grpc::StatusCode::NOT_FOUND:
- return false;
- }
- return true;
- }
struct TPermissionRecord {
TString Subject;