authorabcdef <akotov@ydb.tech>2023-09-04 16:16:19 +0300
committerabcdef <akotov@ydb.tech>2023-09-04 16:37:41 +0300
commit1cdecbc08ed00632936ee2bb7f9f98950eba20e9 (patch)
treede188be4524ff63028c7ea7749ae22e3c05b09dd
parent91303b8e7d92536d45dc0eb9354a7a17f1328de6 (diff)
downloadydb-1cdecbc08ed00632936ee2bb7f9f98950eba20e9.tar.gz
rights for the yds.writer role
проверяются права для роли `yds.writer` во время работы по протоколу `PQv1` и `Topic API`
-rw-r--r--ydb/core/grpc_services/grpc_request_check_actor.h30
-rw-r--r--ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp15
2 files changed, 45 insertions, 0 deletions
diff --git a/ydb/core/grpc_services/grpc_request_check_actor.h b/ydb/core/grpc_services/grpc_request_check_actor.h
index b1226204bf..a589584584 100644
--- a/ydb/core/grpc_services/grpc_request_check_actor.h
+++ b/ydb/core/grpc_services/grpc_request_check_actor.h
@@ -506,6 +506,36 @@ const TVector<TString>& TGrpcRequestCheckActor<TEvent>::GetPermissions() {
return permissions;
}
+// role yds.write permissions for PQv1
+template <>
+inline
+const TVector<TString>& TGrpcRequestCheckActor<TEvStreamPQWriteRequest>::GetPermissions() {
+ static const TVector<TString> permissions = {
+ "ydb.databases.list",
+ "ydb.databases.create",
+ "ydb.databases.connect",
+ "ydb.tables.select",
+ "ydb.schemas.getMetadata",
+ "ydb.streams.write"
+ };
+ return permissions;
+}
+
+// role yds.write permissions for Topic API
+template <>
+inline
+const TVector<TString>& TGrpcRequestCheckActor<TEvStreamTopicWriteRequest>::GetPermissions() {
+ static const TVector<TString> permissions = {
+ "ydb.databases.list",
+ "ydb.databases.create",
+ "ydb.databases.connect",
+ "ydb.tables.select",
+ "ydb.schemas.getMetadata",
+ "ydb.streams.write"
+ };
+ return permissions;
+}
+
template <typename TEvent>
IActor* CreateGrpcRequestCheckActor(
const TActorId& owner,
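Review bot: The two added specializations of `GetPermissions()`, for `TEvStreamPQWriteRequest` and `TEvStreamTopicWriteRequest`, repeat the same six-entry permission list, so a later edit to one copy would leave the PQv1 and Topic API write paths checking different permissions with no compile-time signal. Define the list once in a shared inline helper and have both specializations return it, as sketched below (the helper name is a suggestion). The comments name the role `yds.write`, while the commit title and description call it `yds.writer`; the comment should use the same name and say why a write stream asks for `ydb.databases.create`, which is not obvious from the hunk. The context lines around the addition belong to definitions that start or end outside the hunk.

```cpp
// Permissions requested for the yds.writer role; shared by the PQv1 and Topic API write streams.
inline const TVector<TString>& GetYdsWriterPermissions() {
    static const TVector<TString> permissions = {
        // … unchanged: the six permission strings from the hunk …
    };
    return permissions;
}

template <>
inline
const TVector<TString>& TGrpcRequestCheckActor<TEvStreamPQWriteRequest>::GetPermissions() {
    return GetYdsWriterPermissions();
}

template <>
inline
const TVector<TString>& TGrpcRequestCheckActor<TEvStreamTopicWriteRequest>::GetPermissions() {
    return GetYdsWriterPermissions();
}
```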
diff --git a/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp b/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp
index 63b497f97c..3ea60c3588 100644
--- a/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp
+++ b/ydb/services/persqueue_v1/persqueue_new_schemecache_ut.cpp
@@ -366,6 +366,21 @@ namespace NKikimr::NPersQueueTests {
};
{
+ NYdb::NScheme::TSchemeClient schemeClient(*ydbDriver);
+ NYdb::NScheme::TPermissions permissions("user@builtin", {"ydb.generic.read", "ydb.generic.write"});
+
+ auto result = schemeClient.ModifyPermissions("/Root",
+ NYdb::NScheme::TModifyPermissionsSettings().AddGrantPermissions(permissions)).ExtractValueSync();
+ Cerr << result.GetIssues().ToString() << "\n";
+ UNIT_ASSERT(result.IsSuccess());
+ }
+
+ {
+ auto newDriverCfg = driverCfg;
+ newDriverCfg.SetAuthToken("user@builtin");
+
+ ydbDriver = MakeHolder<NYdb::TDriver>(newDriverCfg);
+
auto writer = CreateSimpleWriter(*ydbDriver, fullTopicName, "123", 1);
for (int i = 0; i < 4; ++i) {
bool res = writer->Write(TString(10, 'a'));
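Review bot: The added test steps cover only the allow path: `user@builtin` is granted `ydb.generic.read` and `ydb.generic.write` on `/Root`, and the writer created with that token is then expected to succeed. A companion case that builds the driver with a token holding no grant and asserts that the write is rejected would pin the authorization behaviour this commit is about; without it, a regression that accepts any token would still pass. The test also grants generic scheme permissions rather than the `ydb.streams.write` entry added in grpc_request_check_actor.h, so whether the new list is exercised cannot be confirmed from this hunk. The write loop continues past the end of the hunk.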