authordanilalexeev <[email protected]>2025-09-10 22:48:15 +0300
committerdanilalexeev <[email protected]>2025-09-10 23:25:25 +0300
commit14cd0df83fc8d216af876690c81d1ad8a7d6cd9a (patch)
treeb360694fde06d1573d9c9e1f35b8aa7fc15f9cb0
parentbd4d4e4dd6779da724cd96a2e23a364588d26659 (diff)
YT-24358: Permission validation in Sequoia. Validate ad hoc permissions at master.
`TSupportsPermissions` now has a separate method for permission checks that control access for operations on a node's content. These checks are deeply integrated into the master's code, so replicating the same logic on Cypress Proxies would be inefficient. Instead, Cypress Proxy now forwards requests for certain methods with an effective ACL for a target node, so the access management is still conducted at master. commit_hash:eaac8cba117d0151eb1035ff9f09bfab4a2efb38
-rw-r--r--yt/yt/core/ytree/ypath_detail.cpp26
-rw-r--r--yt/yt/core/ytree/ypath_detail.h15
-rw-r--r--yt/yt/core/ytree/ypath_service.cpp8
3 files changed, 33 insertions, 16 deletions
diff --git a/yt/yt/core/ytree/ypath_detail.cpp b/yt/yt/core/ytree/ypath_detail.cpp
index 87e3c1558f5..891285101fb 100644
--- a/yt/yt/core/ytree/ypath_detail.cpp
+++ b/yt/yt/core/ytree/ypath_detail.cpp
@@ -258,20 +258,30 @@ void TSupportsPermissions::ValidatePermission(
const std::string& /*user*/)
{ }
+void TSupportsPermissions::ValidateAdHocPermission(
+ EPermission permission,
+ const std::string& user)
+{
+ return ValidatePermission(
+ EPermissionCheckScope::This,
+ permission,
+ user);
+}
+
////////////////////////////////////////////////////////////////////////////////
-TSupportsPermissions::TCachingPermissionValidator::TCachingPermissionValidator(
- TSupportsPermissions* owner,
- EPermissionCheckScope scope)
+TSupportsPermissions::TCachingAdHocPermissionValidator::TCachingAdHocPermissionValidator(
+ TSupportsPermissions* owner)
: Owner_(owner)
- , Scope_(scope)
{ }
-void TSupportsPermissions::TCachingPermissionValidator::Validate(EPermission permission, const std::string& user)
+void TSupportsPermissions::TCachingAdHocPermissionValidator::Validate(
+ EPermission permission,
+ const std::string& user)
{
auto& validatedPermissions = ValidatedPermissions_[user];
if (None(validatedPermissions & permission)) {
- Owner_->ValidatePermission(Scope_, permission, user);
+ Owner_->ValidateAdHocPermission(permission, user);
validatedPermissions |= permission;
}
}
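Review bot: In `TCachingAdHocPermissionValidator::Validate` the cache test `None(validatedPermissions & permission)` triggers validation only when none of the requested bits has been seen before, so if a caller ever passes a combination of permissions, a partial overlap with the cached set skips `ValidateAdHocPermission` for the bits that were never checked. The commit carries this test over unchanged; if `EPermission` values can be combined (the cache type `EPermissionSet` suggests so, but the enum is not visible here), a stricter test is `if ((validatedPermissions & permission) != permission) {`. Separately, `return ValidatePermission(...)` in the new `ValidateAdHocPermission` returns a void expression; a plain call statement reads more clearly.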
@@ -764,7 +774,7 @@ void TSupportsAttributes::ExistsAttribute(
void TSupportsAttributes::DoSetAttribute(const TYPath& path, const TYsonString& newYson, bool force)
{
- TCachingPermissionValidator permissionValidator(this, EPermissionCheckScope::This);
+ TCachingAdHocPermissionValidator permissionValidator(this);
auto* customAttributes = GetCustomAttributes();
auto* builtinAttributeProvider = GetBuiltinAttributeProvider();
@@ -944,7 +954,7 @@ void TSupportsAttributes::SetAttribute(
void TSupportsAttributes::DoRemoveAttribute(const TYPath& path, bool force)
{
- TCachingPermissionValidator permissionValidator(this, EPermissionCheckScope::This);
+ TCachingAdHocPermissionValidator permissionValidator(this);
auto* customAttributes = GetCustomAttributes();
auto* builtinAttributeProvider = GetBuiltinAttributeProvider();
diff --git a/yt/yt/core/ytree/ypath_detail.h b/yt/yt/core/ytree/ypath_detail.h
index 852f8bae936..dd4e81cbd23 100644
--- a/yt/yt/core/ytree/ypath_detail.h
+++ b/yt/yt/core/ytree/ypath_detail.h
@@ -226,27 +226,32 @@ class TSupportsPermissions
protected:
virtual ~TSupportsPermissions() = default;
+ // Validates permissions for structural tree operations and general node access.
// The last argument will be empty for contexts where authenticated user is known
// a-priori (like in object proxies in master), otherwise it will be set to user name
// (like in operation controller orchid).
+ // TODO(danilalexeev): YT-24575. Rename this to "ValidateStructuralPermissions".
virtual void ValidatePermission(
EPermissionCheckScope scope,
EPermission permission,
// TODO(babenko): replace with optional
const std::string& user = {});
- class TCachingPermissionValidator
+ // Validates permissions for operations on node content (attributes/data).
+ virtual void ValidateAdHocPermission(
+ EPermission permission,
+ // TODO(babenko): replace with optional
+ const std::string& user = {});
+
+ class TCachingAdHocPermissionValidator
{
public:
- TCachingPermissionValidator(
- TSupportsPermissions* owner,
- EPermissionCheckScope scope);
+ TCachingAdHocPermissionValidator(TSupportsPermissions* owner);
void Validate(EPermission permission, const std::string& user = {});
private:
TSupportsPermissions* const Owner_;
- const EPermissionCheckScope Scope_;
THashMap<TString, EPermissionSet> ValidatedPermissions_;
};
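Review bot: The new comment on `ValidateAdHocPermission` does not say what the default does, which matters to anyone overriding it: per the .cpp change the base implementation forwards to `ValidatePermission(EPermissionCheckScope::This, ...)`, so an override replaces that check on the attribute set and remove paths that use the caching validator. I would extend the comment with `// The default forwards to ValidatePermission with EPermissionCheckScope::This; an override replaces that check entirely.` The constructor now takes a single argument and should be declared `explicit TCachingAdHocPermissionValidator(TSupportsPermissions* owner);` so that a `TSupportsPermissions*` cannot convert to a validator implicitly. The enclosing class `TSupportsPermissions` starts and ends outside this hunk.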
diff --git a/yt/yt/core/ytree/ypath_service.cpp b/yt/yt/core/ytree/ypath_service.cpp
index 242ef0086f6..64e96fd44f5 100644
--- a/yt/yt/core/ytree/ypath_service.cpp
+++ b/yt/yt/core/ytree/ypath_service.cpp
@@ -912,7 +912,7 @@ public:
TPermissionValidator validator)
: UnderlyingService_(std::move(underlyingService))
, Validator_(std::move(validator))
- , CachingPermissionValidator_(this, EPermissionCheckScope::This)
+ , CachingAdHocPermissionValidator_(this)
{ }
TResolveResult Resolve(
@@ -931,7 +931,7 @@ private:
const IYPathServicePtr UnderlyingService_;
const TPermissionValidator Validator_;
- TCachingPermissionValidator CachingPermissionValidator_;
+ TCachingAdHocPermissionValidator CachingAdHocPermissionValidator_;
void ValidatePermission(
EPermissionCheckScope /*scope*/,
@@ -944,7 +944,9 @@ private:
bool DoInvoke(const IYPathServiceContextPtr& context) override
{
// TODO(max42): choose permission depending on method.
- CachingPermissionValidator_.Validate(EPermission::Read, context->GetAuthenticationIdentity().User);
+ CachingAdHocPermissionValidator_.Validate(
+ EPermission::Read,
+ context->GetAuthenticationIdentity().User);
ExecuteVerb(UnderlyingService_, context);
return true;
}
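Review bot: `CachingAdHocPermissionValidator_` is a member of the service and its per-user cache is only ever added to, so once a user passes the `Read` check in `DoInvoke`, every later request from that user skips the check for as long as this object lives. If the service is long-lived (its lifetime is not visible here), a revoked permission would keep working and the map gains one entry per distinct user name; concurrent `DoInvoke` calls would also touch the map without a visible lock. At minimum I would state this next to the call, e.g. `// NB: the result is cached per user for the lifetime of this service; later permission changes are not observed.` The enclosing class starts outside the hunk.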