Add require_password_in_authentication_commands driver flag to allow skipping password check in authentication commands

Issue: #927

* Changelog entry
  Type: feature
  Component: proxy

Add `require_password_in_authentication_commands` driver flag to allow skipping password check in authentication commands.

---

Pull Request resolved: <https://github.com/ytsaurus/ytsaurus/pull/970>
commit_hash:66969fd53213f0b456bf3f0ea50d264652c33ba1

5 files changed, 13 insertions, 0 deletions

diff --git a/yt/yt/client/driver/config.cpp b/yt/yt/client/driver/config.cpp
index d304ba8f46e..ea20d3a1ce9 100644
--- a/yt/yt/client/driver/config.cpp
+++ b/yt/yt/client/driver/config.cpp
@@ -58,6 +58,9 @@ void TDriverConfig::Register(TRegistrar registrar)
     registrar.Parameter("expect_structured_input_in_structured_batch_commands", &TThis::ExpectStructuredInputInStructuredBatchCommands)
         .Default(true);
 
+    registrar.Parameter("require_password_in_authentication_commands", &TThis::RequirePasswordInAuthenticationCommands)
+        .Default(true);
+
     registrar.Preprocessor([] (TThis* config) {
         config->ClientCache->Capacity = 1024_KB;
         config->ProxyDiscoveryCache->RefreshTime = TDuration::Seconds(15);
diff --git a/yt/yt/client/driver/config.h b/yt/yt/client/driver/config.h
index 1fe83c050ad..dcc378c72ee 100644
--- a/yt/yt/client/driver/config.h
+++ b/yt/yt/client/driver/config.h
@@ -45,6 +45,9 @@ public:
 
     bool ExpectStructuredInputInStructuredBatchCommands;
 
+    //! Controls whether authentication commands (SetUserPassword, IssueToken, ListUserTokens, etc.) require a correct password to be used.
+    bool RequirePasswordInAuthenticationCommands;
+
     REGISTER_YSON_STRUCT(TDriverConfig);
 
     static void Register(TRegistrar registrar);
diff --git a/yt/yt/client/driver/driver.cpp b/yt/yt/client/driver/driver.cpp
index afa22250e63..f5e2da24d37 100644
--- a/yt/yt/client/driver/driver.cpp
+++ b/yt/yt/client/driver/driver.cpp
@@ -432,6 +432,7 @@ public:
             identity.User);
 
         auto options = TClientOptions::FromAuthenticationIdentity(identity);
+        options.RequirePasswordInAuthenticationCommands = Config_->RequirePasswordInAuthenticationCommands;
         options.Token = request.UserToken;
         options.ServiceTicketAuth = request.ServiceTicket
             ? std::make_optional(New<NAuth::TServiceTicketFixedAuth>(*request.ServiceTicket))
diff --git a/yt/yt/client/driver/etc_commands.cpp b/yt/yt/client/driver/etc_commands.cpp
index 288d42610f2..c1267fdcdb4 100644
--- a/yt/yt/client/driver/etc_commands.cpp
+++ b/yt/yt/client/driver/etc_commands.cpp
@@ -96,6 +96,9 @@ void TGetSupportedFeaturesCommand::DoExecute(ICommandContextPtr context)
     for (auto staticFeature : StaticFeatures) {
         features->AddChild(TString(staticFeature.first), BuildYsonNodeFluently().Value(staticFeature.second));
     }
+    features->AddChild(
+        "require_password_in_authentication_commands",
+        BuildYsonNodeFluently().Value(context->GetConfig()->RequirePasswordInAuthenticationCommands));
     context->ProduceOutputValue(BuildYsonStringFluently()
         .BeginMap()
             .Item("features").Value(features)
diff --git a/yt/yt/library/auth/authentication_options.h b/yt/yt/library/auth/authentication_options.h
index 155fc8eeb7b..e29599007fb 100644
--- a/yt/yt/library/auth/authentication_options.h
+++ b/yt/yt/library/auth/authentication_options.h
@@ -38,6 +38,9 @@ struct TAuthenticationOptions
     std::optional<TString> SslSessionId;
     std::optional<IServiceTicketAuthPtr> ServiceTicketAuth;
     std::optional<TString> UserTicket;
+
+    //! Controls whether authentication commands (SetUserPassword, IssueToken, ListUserTokens, etc.) require a correct password to be used.
+    bool RequirePasswordInAuthenticationCommands;
 };
 
 ////////////////////////////////////////////////////////////////////////////////