Auth

8 files changed, 243 insertions, 4 deletions

diff --git a/contrib/libs/grpc/include/grpc++/support/status.h b/contrib/libs/grpc/include/grpc++/support/status.h
new file mode 100644
index 0000000000..e58a18bdf9
--- /dev/null
+++ b/contrib/libs/grpc/include/grpc++/support/status.h
@@ -0,0 +1,28 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// DEPRECATED: The headers in include/grpc++ are deprecated. Please include the
+// headers in include/grpcpp instead. This header exists only for backwards
+// compatibility.
+
+#ifndef GRPCXX_SUPPORT_STATUS_H
+#define GRPCXX_SUPPORT_STATUS_H
+
+#include <grpcpp/support/status.h>
+
+#endif  // GRPCXX_SUPPORT_STATUS_H
diff --git a/ydb/core/yq/libs/config/protos/quotas_manager.proto b/ydb/core/yq/libs/config/protos/quotas_manager.proto
index e0a4753920..e3119141d8 100644
--- a/ydb/core/yq/libs/config/protos/quotas_manager.proto
+++ b/ydb/core/yq/libs/config/protos/quotas_manager.proto
@@ -21,4 +21,5 @@ message TQuotasManagerConfig {
     bool Enabled = 1;
     repeated TQuotaList Quotas = 2;
     string UsageRefreshPeriod = 3;
+    bool EnablePermissions = 4;
 }
diff --git a/ydb/core/yq/libs/init/init.cpp b/ydb/core/yq/libs/init/init.cpp
index f10fd95034..5141c31a36 100644
--- a/ydb/core/yq/libs/init/init.cpp
+++ b/ydb/core/yq/libs/init/init.cpp
@@ -11,6 +11,7 @@
 #include <ydb/core/yq/libs/private_client/internal_service.h>
 #include <ydb/core/yq/libs/private_client/loopback_service.h>
 #include <ydb/core/yq/libs/quota_manager/quota_manager.h>
+#include <ydb/core/yq/libs/quota_manager/quota_proxy.h>
 #include <ydb/core/yq/libs/rate_limiter/control_plane_service/rate_limiter_control_plane_service.h>
 #include <ydb/core/yq/libs/shared_resources/shared_resources.h>
 #include <ydb/library/folder_service/folder_service.h>
@@ -291,6 +292,11 @@ void Init(
                 TQuotaDescription(SUBJECT_TYPE_CLOUD, QUOTA_TIME_LIMIT, 0)
             });
         actorRegistrator(NYq::MakeQuotaServiceActorId(), quotaService);
+
+        auto quotaProxy = NYq::CreateQuotaProxyActor(
+            protoConfig.GetQuotasManager(),
+            serviceCounters.Counters);
+        actorRegistrator(NYq::MakeQuotaProxyActorId(), quotaProxy);
     }
 }
 
diff --git a/ydb/core/yq/libs/quota_manager/CMakeLists.txt b/ydb/core/yq/libs/quota_manager/CMakeLists.txt
index 0186382aae..0ad54e9ebc 100644
--- a/ydb/core/yq/libs/quota_manager/CMakeLists.txt
+++ b/ydb/core/yq/libs/quota_manager/CMakeLists.txt
@@ -25,4 +25,5 @@ target_link_libraries(yq-libs-quota_manager PUBLIC
 )
 target_sources(yq-libs-quota_manager PRIVATE
   ${CMAKE_SOURCE_DIR}/ydb/core/yq/libs/quota_manager/quota_manager.cpp
+  ${CMAKE_SOURCE_DIR}/ydb/core/yq/libs/quota_manager/quota_proxy.cpp
 )
diff --git a/ydb/core/yq/libs/quota_manager/events/events.h b/ydb/core/yq/libs/quota_manager/events/events.h
index 235585b32c..0b87393bfe 100644
--- a/ydb/core/yq/libs/quota_manager/events/events.h
+++ b/ydb/core/yq/libs/quota_manager/events/events.h
@@ -2,6 +2,8 @@
 
 #include <memory>
 
+#include <grpc++/support/status.h>
+
 #include <util/generic/maybe.h>
 #include <util/generic/string.h>
 
@@ -57,7 +59,12 @@ using TQuotaMap = THashMap<TString, TQuotaUsage>;
 struct TEvQuotaService {
     // Event ids.
     enum EEv : ui32 {
-        EvQuotaGetRequest = YqEventSubspaceBegin(NYq::TYqEventSubspace::QuotaService),
+        EvQuotaProxyGetRequest = YqEventSubspaceBegin(NYq::TYqEventSubspace::QuotaService),
+        EvQuotaProxyGetResponse,
+        EvQuotaProxySetRequest,
+        EvQuotaProxySetResponse,
+        EvQuotaProxyErrorResponse,
+        EvQuotaGetRequest,
         EvQuotaGetResponse,
         EvQuotaChangeNotification,
         EvQuotaUsageRequest,
@@ -71,13 +78,66 @@ struct TEvQuotaService {
 
     static_assert(EvEnd <= YqEventSubspaceEnd(NYq::TYqEventSubspace::QuotaService), "All events must be in their subspace");
 
+    struct TQuotaProxyGetRequest : public NActors::TEventLocal<TQuotaProxyGetRequest, EvQuotaProxyGetRequest> {
+        TString User;
+        bool PermissionExists;
+        TString SubjectType;
+        TString SubjectId;
+
+        TQuotaProxyGetRequest(const TString& user, bool permissionExists, const TString& subjectType, const TString& subjectId)
+            : User(user), PermissionExists(permissionExists), SubjectType(subjectType), SubjectId(subjectId) {
+        }
+    };
+
+    struct TQuotaProxyGetResponse : public NActors::TEventLocal<TQuotaProxyGetResponse, EvQuotaProxyGetResponse> {
+        TString SubjectType;
+        TString SubjectId;
+        TQuotaMap Quotas;
+
+        TQuotaProxyGetResponse(const TString& subjectType, const TString& subjectId, const TQuotaMap& quotas)
+            : SubjectType(subjectType), SubjectId(subjectId), Quotas(quotas) {
+        }
+    };
+
+    struct TQuotaProxySetRequest : public NActors::TEventLocal<TQuotaProxySetRequest, EvQuotaProxySetRequest> {
+        TString User;
+        bool PermissionExists;
+        TString SubjectType;
+        TString SubjectId;
+        THashMap<TString, ui64> Limits;
+
+        TQuotaProxySetRequest(const TString& user, bool permissionExists, const TString& subjectType, const TString& subjectId, THashMap<TString, ui64>& limits)
+            : User(user), PermissionExists(permissionExists), SubjectType(subjectType), SubjectId(subjectId), Limits(limits) {
+        }
+    };
+
+    struct TQuotaProxySetResponse : public NActors::TEventLocal<TQuotaProxySetResponse, EvQuotaProxySetResponse> {
+        TString SubjectType;
+        TString SubjectId;
+        THashMap<TString, ui64> Limits;
+
+        TQuotaProxySetResponse(const TString& subjectType, const TString& subjectId, THashMap<TString, ui64>& limits)
+            : SubjectType(subjectType), SubjectId(subjectId), Limits(limits) {
+        }
+    };
+
+    struct TQuotaProxyErrorResponse : public NActors::TEventLocal<TQuotaProxyErrorResponse, EvQuotaProxyErrorResponse> {
+        grpc::StatusCode Code;
+        const TString Message;
+        const TString Details;
+
+        TQuotaProxyErrorResponse(grpc::StatusCode code, const TString& message, const TString& details = "")
+            : Code(code), Message(message), Details(details) {
+        }
+    };
+
     struct TQuotaGetRequest : public NActors::TEventLocal<TQuotaGetRequest, EvQuotaGetRequest> {
         TString SubjectType;
         TString SubjectId;
         bool AllowStaleUsage;
         TQuotaGetRequest(const TString& subjectType, const TString& subjectId, bool allowStaleUsage = false)
-            : SubjectType(subjectType), SubjectId(subjectId), AllowStaleUsage(allowStaleUsage)
-        {}
+            : SubjectType(subjectType), SubjectId(subjectId), AllowStaleUsage(allowStaleUsage) {
+        }
     };
 
     // Quota request never fails, if no quota exist (i.e. SubjectType is incorrect) empty list will be returned
@@ -122,6 +182,9 @@ struct TEvQuotaService {
         TQuotaSetRequest(const TString& subjectType, const TString& subjectId)
             : SubjectType(subjectType), SubjectId(subjectId)
         {}
+        TQuotaSetRequest(const TString& subjectType, const TString& subjectId, THashMap<TString, ui64> limits)
+            : SubjectType(subjectType), SubjectId(subjectId), Limits(limits)
+        {}
     };
 
     struct TQuotaSetResponse : public NActors::TEventLocal<TQuotaSetResponse, EvQuotaSetResponse> {
diff --git a/ydb/core/yq/libs/quota_manager/quota_manager.h b/ydb/core/yq/libs/quota_manager/quota_manager.h
index 6dd0ac56dd..b596123ece 100644
--- a/ydb/core/yq/libs/quota_manager/quota_manager.h
+++ b/ydb/core/yq/libs/quota_manager/quota_manager.h
@@ -1,7 +1,6 @@
 #pragma once
 
 #include <ydb/core/yq/libs/quota_manager/events/events.h>
-
 #include <ydb/core/yq/libs/config/protos/quotas_manager.pb.h>
 #include <ydb/core/yq/libs/shared_resources/shared_resources.h>
 
diff --git a/ydb/core/yq/libs/quota_manager/quota_proxy.cpp b/ydb/core/yq/libs/quota_manager/quota_proxy.cpp
new file mode 100644
index 0000000000..7e7394b80e
--- /dev/null
+++ b/ydb/core/yq/libs/quota_manager/quota_proxy.cpp
@@ -0,0 +1,125 @@
+#include "quota_manager.h"
+#include "quota_proxy.h"
+
+#include <library/cpp/actors/core/actor_bootstrapped.h>
+#include <library/cpp/actors/core/hfunc.h>
+#include <library/cpp/actors/core/log.h>
+
+#include <ydb/public/sdk/cpp/client/ydb_table/table.h>
+#include <ydb/core/yq/libs/control_plane_storage/util.h>
+#include <ydb/core/yq/libs/shared_resources/shared_resources.h>
+
+#include <ydb/core/protos/services.pb.h>
+
+#define LOG_E(stream) \
+    LOG_ERROR_S(*NActors::TlsActivationContext, NKikimrServices::FQ_QUOTA_SERVICE, stream)
+#define LOG_W(stream) \
+    LOG_WARN_S(*NActors::TlsActivationContext, NKikimrServices::FQ_QUOTA_SERVICE, stream)
+#define LOG_I(stream) \
+    LOG_INFO_S(*NActors::TlsActivationContext, NKikimrServices::FQ_QUOTA_SERVICE, stream)
+#define LOG_D(stream) \
+    LOG_DEBUG_S(*NActors::TlsActivationContext, NKikimrServices::FQ_QUOTA_SERVICE, stream)
+
+namespace NYq {
+
+NActors::TActorId MakeQuotaProxyActorId() {
+    constexpr TStringBuf name = "FQ_QPROX";
+    return NActors::TActorId(0, name);
+}
+
+class TQuotaProxyGetRequestActor : public NActors::TActorBootstrapped<TQuotaProxyGetRequestActor> {
+    TEvQuotaService::TQuotaProxyGetRequest::TPtr Ev;
+
+public:
+    TQuotaProxyGetRequestActor(TEvQuotaService::TQuotaProxyGetRequest::TPtr& ev) : Ev(ev) {
+    }
+
+    void Bootstrap() {
+        Become(&TQuotaProxyGetRequestActor::StateFunc);
+        Send(NYq::MakeQuotaServiceActorId(), new TEvQuotaService::TQuotaGetRequest(Ev->Get()->SubjectType, Ev->Get()->SubjectId));
+    }
+
+    STRICT_STFUNC(StateFunc,
+        hFunc(TEvQuotaService::TQuotaGetResponse, Handle)
+    );
+
+    void Handle(TEvQuotaService::TQuotaGetResponse::TPtr& ev) {
+        Send(Ev->Sender, new TEvQuotaService::TQuotaProxyGetResponse(ev->Get()->SubjectType, ev->Get()->SubjectId, ev->Get()->Quotas));
+        PassAway();
+    }
+};
+
+class TQuotaProxySetRequestActor : public NActors::TActorBootstrapped<TQuotaProxySetRequestActor> {
+    TEvQuotaService::TQuotaProxySetRequest::TPtr Ev;
+
+public:
+    TQuotaProxySetRequestActor(TEvQuotaService::TQuotaProxySetRequest::TPtr& ev) : Ev(ev) {
+    }
+
+    void Bootstrap() {
+        Become(&TQuotaProxySetRequestActor::StateFunc);
+        Send(NYq::MakeQuotaServiceActorId(), new TEvQuotaService::TQuotaSetRequest(Ev->Get()->SubjectType, Ev->Get()->SubjectId, Ev->Get()->Limits));
+    }
+
+    STRICT_STFUNC(StateFunc,
+        hFunc(TEvQuotaService::TQuotaSetResponse, Handle)
+    );
+
+    void Handle(TEvQuotaService::TQuotaSetResponse::TPtr& ev) {
+        Send(Ev->Sender, new TEvQuotaService::TQuotaProxySetResponse(ev->Get()->SubjectType, ev->Get()->SubjectId, ev->Get()->Limits));
+        PassAway();
+    }
+};
+
+class TQuotaProxyService : public NActors::TActorBootstrapped<TQuotaProxyService> {
+public:
+    TQuotaProxyService(
+        const NConfig::TQuotasManagerConfig& config,
+        const ::NMonitoring::TDynamicCounterPtr& counters)
+        : Config(config)
+        , ServiceCounters(counters->GetSubgroup("subsystem", "QuotaService"))
+    {
+    }
+
+    static constexpr char ActorName[] = "FQ_QUOTA_PROXY";
+
+    void Bootstrap() {
+        Become(&TQuotaProxyService::StateFunc);
+        LOG_I("STARTED");
+    }
+
+private:
+    STRICT_STFUNC(StateFunc,
+        hFunc(TEvQuotaService::TQuotaProxyGetRequest, Handle)
+        hFunc(TEvQuotaService::TQuotaProxySetRequest, Handle)
+    );
+
+    void Handle(TEvQuotaService::TQuotaProxyGetRequest::TPtr& ev) {
+        if (!ev->Get()->PermissionExists && Config.GetEnablePermissions()) {
+            Send(ev->Sender, new TEvQuotaService::TQuotaProxyErrorResponse(grpc::StatusCode::PERMISSION_DENIED, "Permission denied"));
+            return;
+        }
+
+        Register(new TQuotaProxyGetRequestActor(ev));
+    }
+
+    void Handle(TEvQuotaService::TQuotaProxySetRequest::TPtr& ev) {
+        if (!ev->Get()->PermissionExists && Config.GetEnablePermissions()) {
+            Send(ev->Sender, new TEvQuotaService::TQuotaProxyErrorResponse(grpc::StatusCode::PERMISSION_DENIED, "Permission denied"));
+            return;
+        }
+
+        Register(new TQuotaProxySetRequestActor(ev));
+    }
+
+    NConfig::TQuotasManagerConfig Config;
+    const ::NMonitoring::TDynamicCounterPtr ServiceCounters;
+};
+
+NActors::IActor* CreateQuotaProxyActor(
+    const NConfig::TQuotasManagerConfig& config,
+    const ::NMonitoring::TDynamicCounterPtr& counters) {
+        return new TQuotaProxyService(config, counters);
+}
+
+} /* NYq */
diff --git a/ydb/core/yq/libs/quota_manager/quota_proxy.h b/ydb/core/yq/libs/quota_manager/quota_proxy.h
new file mode 100644
index 0000000000..12376bac4b
--- /dev/null
+++ b/ydb/core/yq/libs/quota_manager/quota_proxy.h
@@ -0,0 +1,16 @@
+#pragma once
+
+#include <ydb/core/yq/libs/quota_manager/events/events.h>
+#include <ydb/core/yq/libs/config/protos/quotas_manager.pb.h>
+
+#include <library/cpp/monlib/dynamic_counters/counters.h>
+
+namespace NYq {
+
+NActors::TActorId MakeQuotaProxyActorId();
+
+NActors::IActor* CreateQuotaProxyActor(
+    const NConfig::TQuotasManagerConfig& config,
+    const ::NMonitoring::TDynamicCounterPtr& counters);
+
+} /* NYq */