authoruzhas <uzhas@yandex-team.ru>2022-02-28 20:18:16 +0300
committeruzhas <uzhas@yandex-team.ru>2022-02-28 20:18:16 +0300
commit93f07d505bc32b305ac64f7248ec3fd24e4b849f (patch)
tree823982d922781741066404d920261daaca4f6522
parentc30c788ce473dde15e86c03b7bb1140bd1c48e12 (diff)
downloadydb-93f07d505bc32b305ac64f7248ec3fd24e4b849f.tar.gz
YQ-921: support CA in token accessor client lib
ref:d5943b2a972b88b2c0e68b34f09da45396310eaa
-rw-r--r--ydb/core/yq/libs/config/protos/token_accessor.proto1
-rw-r--r--ydb/core/yq/libs/init/init.cpp3
-rw-r--r--ydb/library/yql/providers/common/token_accessor/client/factory.cpp8
-rw-r--r--ydb/library/yql/providers/common/token_accessor/client/factory.h1
-rw-r--r--ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.cpp8
-rw-r--r--ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.h1
-rw-r--r--ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.cpp8
-rw-r--r--ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.h1
8 files changed, 24 insertions, 7 deletions
diff --git a/ydb/core/yq/libs/config/protos/token_accessor.proto b/ydb/core/yq/libs/config/protos/token_accessor.proto
index 6885b3381c..9321f0abbe 100644
--- a/ydb/core/yq/libs/config/protos/token_accessor.proto
+++ b/ydb/core/yq/libs/config/protos/token_accessor.proto
@@ -11,4 +11,5 @@ message TTokenAccessorConfig {
string Endpoint = 2; // GRPC endpoint of token accessor daemon
bool UseSsl = 3; // Whether to use SSL
string HmacSecretFile = 4;
+ string SslCaCert = 5;
}
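Review bot: The new `SslCaCert` field is the only one in `TTokenAccessorConfig` without a trailing comment, and neither its name nor its type says whether it holds the CA certificate itself (PEM text) or a path to a file, while the neighbouring `Endpoint` and `UseSsl` fields are both annotated. A config reader has to trace it down to how `TGRpcClientConfig::SslCaCert` is consumed to find out, so state it here, e.g. `string SslCaCert = 5; // CA certificate used to verify the token accessor daemon when UseSsl is set (PEM contents or file path - confirm against TGRpcClientConfig)`. The same undocumented `sslCaCert` parameter is added to the public signatures in factory.h, token_accessor_client.h and token_accessor_client_factory.h; a one-line `@param sslCaCert` comment in those headers would resolve the ambiguity for library callers as well.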
diff --git a/ydb/core/yq/libs/init/init.cpp b/ydb/core/yq/libs/init/init.cpp
index 0720b306a0..a77f7f62b9 100644
--- a/ydb/core/yq/libs/init/init.cpp
+++ b/ydb/core/yq/libs/init/init.cpp
@@ -123,7 +123,8 @@ void Init(
yqCounters->GetSubgroup("subcomponent", "http_gateway"));
if (protoConfig.GetTokenAccessor().GetEnabled()) {
- credentialsFactory = NYql::CreateSecuredServiceAccountCredentialsOverTokenAccessorFactory(protoConfig.GetTokenAccessor().GetEndpoint(), protoConfig.GetTokenAccessor().GetUseSsl());
+ const auto& tokenAccessorConfig = protoConfig.GetTokenAccessor();
+ credentialsFactory = NYql::CreateSecuredServiceAccountCredentialsOverTokenAccessorFactory(tokenAccessorConfig.GetEndpoint(), tokenAccessorConfig.GetUseSsl(), tokenAccessorConfig.GetSslCaCert());
RegisterDqPqReadActorFactory(*sourceActorFactory, yqSharedResources->YdbDriver, credentialsFactory, !protoConfig.GetReadActorsFactoryConfig().GetPqReadActorFactoryConfig().GetCookieCommitMode());
RegisterYdbReadActorFactory(*sourceActorFactory, yqSharedResources->YdbDriver, credentialsFactory);
RegisterS3ReadActorFactory(*sourceActorFactory, credentialsFactory,
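Review bot: The `tokenAccessorConfig` alias is declared inside the `if` body, one line after the same `protoConfig.GetTokenAccessor()` chain is spelled out again in the condition above it, so the hunk still reads the sub-message two different ways. Hoisting the alias above the branch and using it in the test keeps all three reads consistent: `const auto& tokenAccessorConfig = protoConfig.GetTokenAccessor();` followed by `if (tokenAccessorConfig.GetEnabled()) {`. The enclosing `Init` function starts and ends outside this hunk.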
diff --git a/ydb/library/yql/providers/common/token_accessor/client/factory.cpp b/ydb/library/yql/providers/common/token_accessor/client/factory.cpp
index f849fec67b..b077c56d33 100644
--- a/ydb/library/yql/providers/common/token_accessor/client/factory.cpp
+++ b/ydb/library/yql/providers/common/token_accessor/client/factory.cpp
@@ -14,11 +14,13 @@ public:
TSecuredServiceAccountCredentialsFactoryImpl(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TDuration& refreshPeriod,
const TDuration& requestTimeout
)
: TokenAccessorEndpoint(tokenAccessorEndpoint)
, UseSsl(useSsl)
+ , SslCaCert(sslCaCert)
, RefreshPeriod(refreshPeriod)
, RequestTimeout(requestTimeout) {
}
@@ -27,12 +29,13 @@ public:
Y_ENSURE(serviceAccountId);
Y_ENSURE(serviceAccountIdSignature);
- return CreateTokenAccessorCredentialsProviderFactory(TokenAccessorEndpoint, UseSsl, serviceAccountId, serviceAccountIdSignature, RefreshPeriod, RequestTimeout);
+ return CreateTokenAccessorCredentialsProviderFactory(TokenAccessorEndpoint, UseSsl, SslCaCert, serviceAccountId, serviceAccountIdSignature, RefreshPeriod, RequestTimeout);
}
private:
const TString TokenAccessorEndpoint;
const bool UseSsl;
+ const TString SslCaCert;
const TDuration RefreshPeriod;
const TDuration RequestTimeout;
};
@@ -48,9 +51,10 @@ std::shared_ptr<NYdb::ICredentialsProviderFactory> WrapWithBearerIfNeeded(std::s
ISecuredServiceAccountCredentialsFactory::TPtr CreateSecuredServiceAccountCredentialsOverTokenAccessorFactory(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TDuration& refreshPeriod,
const TDuration& requestTimeout) {
- return std::make_shared<TSecuredServiceAccountCredentialsFactoryImpl>(tokenAccessorEndpoint, useSsl, refreshPeriod, requestTimeout);
+ return std::make_shared<TSecuredServiceAccountCredentialsFactoryImpl>(tokenAccessorEndpoint, useSsl, sslCaCert, refreshPeriod, requestTimeout);
}
std::shared_ptr<NYdb::ICredentialsProviderFactory> CreateCredentialsProviderFactoryForStructuredToken(ISecuredServiceAccountCredentialsFactory::TPtr factory, const TString& structuredTokenJson, bool addBearerToToken) {
diff --git a/ydb/library/yql/providers/common/token_accessor/client/factory.h b/ydb/library/yql/providers/common/token_accessor/client/factory.h
index 610fb773d6..f798949e29 100644
--- a/ydb/library/yql/providers/common/token_accessor/client/factory.h
+++ b/ydb/library/yql/providers/common/token_accessor/client/factory.h
@@ -17,6 +17,7 @@ public:
ISecuredServiceAccountCredentialsFactory::TPtr CreateSecuredServiceAccountCredentialsOverTokenAccessorFactory(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TDuration& refreshPeriod = TDuration::Hours(1),
const TDuration& requestTimeout = TDuration::Seconds(10)
);
diff --git a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.cpp b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.cpp
index 018714a749..220f624e3f 100644
--- a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.cpp
+++ b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.cpp
@@ -22,6 +22,7 @@ private:
public:
TImpl(const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TString& serviceAccountId,
const TString& serviceAccountIdSignature,
const TDuration& refreshPeriod,
@@ -38,6 +39,7 @@ private:
NGrpc::TGRpcClientConfig grpcConf;
grpcConf.Locator = tokenAccessorEndpoint;
grpcConf.EnableSsl = useSsl;
+ grpcConf.SslCaCert = sslCaCert;
Connection = Client->CreateGRpcServiceConnection<TokenAccessorService>(grpcConf);
}
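Review bot: `grpcConf.SslCaCert = sslCaCert;` is copied into the client config regardless of `useSsl`, so a CA configured together with `UseSsl=false` is silently unused, and an empty CA together with `UseSsl=true` falls through to whatever trust roots the gRPC client applies by default; neither combination is checked or logged in this constructor. The behaviour is defensible, but it is the kind of thing an operator debugging a TLS failure against the token accessor daemon will want spelled out, so add a why-comment on the assignment, e.g. `// Only consulted by the client when EnableSsl is set; empty presumably means the gRPC default trust roots - confirm in TGRpcClientConfig`. The `TImpl` constructor starts in the previous hunk.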
@@ -144,12 +146,13 @@ public:
TTokenAccessorCredentialsProvider(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TString& serviceAccountId,
const TString& serviceAccountIdSignature,
const TDuration& refreshPeriod,
const TDuration& requestTimeout
)
- : Impl(std::make_shared<TImpl>(tokenAccessorEndpoint, useSsl, serviceAccountId, serviceAccountIdSignature, refreshPeriod, requestTimeout))
+ : Impl(std::make_shared<TImpl>(tokenAccessorEndpoint, useSsl, sslCaCert, serviceAccountId, serviceAccountIdSignature, refreshPeriod, requestTimeout))
{
Impl->UpdateTicket(true);
}
@@ -175,11 +178,12 @@ private:
std::shared_ptr<NYdb::ICredentialsProvider> CreateTokenAccessorCredentialsProvider(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TString& serviceAccountId,
const TString& serviceAccountIdSignature,
const TDuration& refreshPeriod,
const TDuration& requestTimeout
) {
- return std::make_shared<TTokenAccessorCredentialsProvider>(tokenAccessorEndpoint, useSsl, serviceAccountId, serviceAccountIdSignature, refreshPeriod, requestTimeout);
+ return std::make_shared<TTokenAccessorCredentialsProvider>(tokenAccessorEndpoint, useSsl, sslCaCert, serviceAccountId, serviceAccountIdSignature, refreshPeriod, requestTimeout);
}
}
diff --git a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.h b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.h
index b8bcd10dbc..768a12f5e7 100644
--- a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.h
+++ b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client.h
@@ -8,6 +8,7 @@ namespace NYql {
std::shared_ptr<NYdb::ICredentialsProvider> CreateTokenAccessorCredentialsProvider(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TString& serviceAccountId,
const TString& serviceAccountIdSignature,
const TDuration& refreshPeriod = TDuration::Hours(1),
diff --git a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.cpp b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.cpp
index b3105b220d..49ae1aab4f 100644
--- a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.cpp
+++ b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.cpp
@@ -12,6 +12,7 @@ public:
TTokenAccessorCredentialsProviderFactory(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TString& serviceAccountId,
const TString& serviceAccountIdSignature,
const TDuration& refreshPeriod,
@@ -19,6 +20,7 @@ public:
)
: TokenAccessorEndpoint(tokenAccessorEndpoint)
, UseSsl(useSsl)
+ , SslCaCert(sslCaCert)
, ServiceAccountId(serviceAccountId)
, ServiceAccountIdSignature(serviceAccountIdSignature)
, RefreshPeriod(refreshPeriod)
@@ -31,12 +33,13 @@ public:
}
std::shared_ptr<NYdb::ICredentialsProvider> CreateProvider() const override {
- return CreateTokenAccessorCredentialsProvider(TokenAccessorEndpoint, UseSsl, ServiceAccountId, ServiceAccountIdSignature, RefreshPeriod, RequestTimeout);
+ return CreateTokenAccessorCredentialsProvider(TokenAccessorEndpoint, UseSsl, SslCaCert, ServiceAccountId, ServiceAccountIdSignature, RefreshPeriod, RequestTimeout);
}
private:
const TString TokenAccessorEndpoint;
const bool UseSsl;
+ const TString SslCaCert;
const TString ServiceAccountId;
const TString ServiceAccountIdSignature;
const TDuration RefreshPeriod;
@@ -48,11 +51,12 @@ private:
std::shared_ptr<NYdb::ICredentialsProviderFactory> CreateTokenAccessorCredentialsProviderFactory(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TString& serviceAccountId,
const TString& serviceAccountIdSignature,
const TDuration& refreshPeriod,
const TDuration& requestTimeout)
{
- return std::make_shared<TTokenAccessorCredentialsProviderFactory>(tokenAccessorEndpoint, useSsl, serviceAccountId, serviceAccountIdSignature, refreshPeriod, requestTimeout);
+ return std::make_shared<TTokenAccessorCredentialsProviderFactory>(tokenAccessorEndpoint, useSsl, sslCaCert, serviceAccountId, serviceAccountIdSignature, refreshPeriod, requestTimeout);
}
}
diff --git a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.h b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.h
index 7a9b4a9327..b3b82acdb2 100644
--- a/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.h
+++ b/ydb/library/yql/providers/common/token_accessor/client/token_accessor_client_factory.h
@@ -8,6 +8,7 @@ namespace NYql {
std::shared_ptr<NYdb::ICredentialsProviderFactory> CreateTokenAccessorCredentialsProviderFactory(
const TString& tokenAccessorEndpoint,
bool useSsl,
+ const TString& sslCaCert,
const TString& serviceAccountId,
const TString& serviceAccountIdSignature,
const TDuration& refreshPeriod = TDuration::Hours(1),