Add UNAUTHORIZED status to dq (#15138)

author: kungurtsev <kungasc@ydb.tech> 2025-03-01 11:14:03 +0100
committer: GitHub <noreply@github.com> 2025-03-01 11:14:03 +0100
commit: a697f06b0485f40a82467c6164c3cb878ed1f282 (patch)
tree: 6881db7ec1a34d4e5595b565566948caf147d2fd
parent: 0bab9e91fdce2c8c57d782881f291f79a6cf5348 (diff)
download: ydb-a697f06b0485f40a82467c6164c3cb878ed1f282.tar.gz
6 files changed, 16 insertions, 8 deletions
diff --git a/ydb/core/kqp/compute_actor/kqp_pure_compute_actor.cpp b/ydb/core/kqp/compute_actor/kqp_pure_compute_actor.cpp
index 62fd105ca4..2e019e5379 100644
--- a/ydb/core/kqp/compute_actor/kqp_pure_compute_actor.cpp
+++ b/ydb/core/kqp/compute_actor/kqp_pure_compute_actor.cpp
@@ -283,7 +283,7 @@ void TKqpComputeActor::HandleExecute(TEvKqpCompute::TEvScanError::TPtr& ev) {
     IssuesFromMessage(ev->Get()->Record.GetIssues(), issues);
 
     State = NDqProto::COMPUTE_STATE_FAILURE;
-    ReportStateAndMaybeDie(YdbStatusToDqStatus(status), issues);
+    ReportStateAndMaybeDie(YdbStatusToDqStatus(status, EStatusCompatibilityLevel::WithUnauthorized), issues);
 }
 
 IActor* CreateKqpComputeActor(const TActorId& executerId, ui64 txId, NDqProto::TDqTask* task,
diff --git a/ydb/core/sys_view/ut_kqp.cpp b/ydb/core/sys_view/ut_kqp.cpp
index 17963caa8e..fd2547c873 100644
--- a/ydb/core/sys_view/ut_kqp.cpp
+++ b/ydb/core/sys_view/ut_kqp.cpp
@@ -151,7 +151,7 @@ void SetupAuthAccessEnvironment(TTestEnv& env) {
 }
 
 void CheckAuthAdministratorAccessIsRequired(TScanQueryPartIterator& it) {
-    NKqp::StreamResultToYson(it, false, EStatus::INTERNAL_ERROR, 
+    NKqp::StreamResultToYson(it, false, EStatus::UNAUTHORIZED, 
         "Administrator access is required");
 }
 
diff --git a/ydb/library/yql/dq/actors/dq.cpp b/ydb/library/yql/dq/actors/dq.cpp
index 3aa472cc70..793d1f0c7f 100644
--- a/ydb/library/yql/dq/actors/dq.cpp
+++ b/ydb/library/yql/dq/actors/dq.cpp
@@ -32,13 +32,15 @@ Ydb::StatusIds::StatusCode DqStatusToYdbStatus(NYql::NDqProto::StatusIds::Status
         return Ydb::StatusIds::SCHEME_ERROR;
     case NYql::NDqProto::StatusIds::UNSUPPORTED:
         return Ydb::StatusIds::UNSUPPORTED;
+    case NYql::NDqProto::StatusIds::UNAUTHORIZED:
+        return Ydb::StatusIds::UNAUTHORIZED;
     case NYql::NDqProto::StatusIds::GENERIC_ERROR:
     default:
         return Ydb::StatusIds::GENERIC_ERROR;
     }
 }
 
-NYql::NDqProto::StatusIds::StatusCode YdbStatusToDqStatus(Ydb::StatusIds::StatusCode statusCode) {
+NYql::NDqProto::StatusIds::StatusCode YdbStatusToDqStatus(Ydb::StatusIds::StatusCode statusCode, EStatusCompatibilityLevel compatibility) {
     switch(statusCode) {
     case Ydb::StatusIds::STATUS_CODE_UNSPECIFIED:
         return NYql::NDqProto::StatusIds::UNSPECIFIED;
@@ -47,6 +49,9 @@ NYql::NDqProto::StatusIds::StatusCode YdbStatusToDqStatus(Ydb::StatusIds::Status
     case Ydb::StatusIds::BAD_REQUEST:
         return NYql::NDqProto::StatusIds::BAD_REQUEST;
     case Ydb::StatusIds::UNAUTHORIZED:
+        return compatibility >= EStatusCompatibilityLevel::WithUnauthorized
+            ? NYql::NDqProto::StatusIds::UNAUTHORIZED
+            : NYql::NDqProto::StatusIds::INTERNAL_ERROR;
     case Ydb::StatusIds::INTERNAL_ERROR:
         return NYql::NDqProto::StatusIds::INTERNAL_ERROR;
     case Ydb::StatusIds::ABORTED:
diff --git a/ydb/library/yql/dq/actors/dq.h b/ydb/library/yql/dq/actors/dq.h
index 9d68e9fed1..64a8095060 100644
--- a/ydb/library/yql/dq/actors/dq.h
+++ b/ydb/library/yql/dq/actors/dq.h
@@ -11,8 +11,13 @@
 
 namespace NYql::NDq {
 
+enum class EStatusCompatibilityLevel {
+    Basic,
+    WithUnauthorized
+};
+
 Ydb::StatusIds::StatusCode DqStatusToYdbStatus(NYql::NDqProto::StatusIds::StatusCode statusCode);
-NYql::NDqProto::StatusIds::StatusCode YdbStatusToDqStatus(Ydb::StatusIds::StatusCode statusCode);
+NYql::NDqProto::StatusIds::StatusCode YdbStatusToDqStatus(Ydb::StatusIds::StatusCode statusCode, EStatusCompatibilityLevel compatibility = EStatusCompatibilityLevel::Basic);
 
 struct TEvDq {
 
diff --git a/ydb/library/yql/dq/actors/protos/dq_status_codes.proto b/ydb/library/yql/dq/actors/protos/dq_status_codes.proto
index 7947ec73d4..a8318457b0 100644
--- a/ydb/library/yql/dq/actors/protos/dq_status_codes.proto
+++ b/ydb/library/yql/dq/actors/protos/dq_status_codes.proto
@@ -22,5 +22,6 @@ message StatusIds {
         SCHEME_ERROR = 14;
         GENERIC_ERROR = 15;
         UNDETERMINED =  16;
+        UNAUTHORIZED =  17;
     }
 }
diff --git a/ydb/tests/functional/tenants/test_auth_system_views.py b/ydb/tests/functional/tenants/test_auth_system_views.py
index d231663e03..00c7b2bcf7 100644
--- a/ydb/tests/functional/tenants/test_auth_system_views.py
+++ b/ydb/tests/functional/tenants/test_auth_system_views.py
@@ -162,8 +162,5 @@ def test_tenant_auth_groups_access(ydb_endpoint, ydb_root, prepared_test_env, yd
 
         else:
             assert error is not None, result
-
-            # FIXME: status should have been UNAUTHORIZED
-            # assert error.status == ydb.issues.StatusCode.UNAUTHORIZED
-            assert error.status == ydb.issues.StatusCode.INTERNAL_ERROR
+            assert error.status == ydb.issues.StatusCode.UNAUTHORIZED
             assert 'Administrator access is required' in error.message
author	kungurtsev <kungasc@ydb.tech>	2025-03-01 11:14:03 +0100
committer	GitHub <noreply@github.com>	2025-03-01 11:14:03 +0100
commit	a697f06b0485f40a82467c6164c3cb878ed1f282 (patch)
tree	6881db7ec1a34d4e5595b565566948caf147d2fd
parent	0bab9e91fdce2c8c57d782881f291f79a6cf5348 (diff)
download	ydb-a697f06b0485f40a82467c6164c3cb878ed1f282.tar.gz