mv CheckAccessWith{UpdateRow,WriteTopic}Permission; use GetAccess

Author: qyryq

ydb/core/tx/scheme_board/cache.cpp

@@ -296,11 +296,12 @@ namespace {
                         continue;
                     }
 
-                    if (!securityObject->CheckAccess(entry.Access, *Context->Request->UserToken)) {
+                    auto access = GetAccess(entry);
+                    if (!securityObject->CheckAccess(access, *Context->Request->UserToken)) {
                         SBC_LOG_W("Access denied"
                             << ": self# " << this->SelfId()
                             << ", for# " << Context->Request->UserToken->GetUserSID()
-                            << ", access# " << NACLib::AccessRightsToString(entry.Access));
+                            << ", access# " << NACLib::AccessRightsToString(access));
 
                         SetErrorAndClear(
                             Context.Get(),

ydb/services/lib/actors/pq_schema_actor.h

@@ -139,7 +139,7 @@ namespace NKikimr::NGRpcProxy::V1 {
             navigateRequest->DatabaseName = CanonizePath(Database);
             navigateRequest->ResultSet.emplace_back(NSchemeCache::TSchemeCacheNavigate::TEntry{
                 .Path = NKikimr::SplitPath(GetTopicPath()),
-                .Access = CheckAccessWithUpdateRowPermission ? NACLib::UpdateRow : NACLib::DescribeSchema,
+                .Access = CheckAccessWithWriteTopicPermission ? NACLib::UpdateRow : NACLib::DescribeSchema,
                 .Operation = NSchemeCache::TSchemeCacheNavigate::OpList,
                 .ShowPrivatePath = showPrivate,
                 .SyncVersion = true,
@@ -250,7 +250,7 @@ namespace NKikimr::NGRpcProxy::V1 {
 
     protected:
         bool IsDead = false;
-        bool CheckAccessWithUpdateRowPermission = false;
+        bool CheckAccessWithWriteTopicPermission = false;
         const TString TopicPath;
         const TString Database;
     };

ydb/services/persqueue_v1/actors/schema_actors.cpp

@@ -1311,7 +1311,7 @@ TDescribePartitionActor::TDescribePartitionActor(NKikimr::NGRpcService::IRequest
 
 void TDescribePartitionActor::Bootstrap(const NActors::TActorContext& ctx) {
     LOG_DEBUG_S(ctx, NKikimrServices::PQ_READ_PROXY, "TDescribePartitionActor" << ctx.SelfID.ToString() << ": Bootstrap");
-    CheckAccessWithUpdateRowPermission = true;
+    CheckAccessWithWriteTopicPermission = true;
     TBase::Bootstrap(ctx);
     SendDescribeProposeRequest(ctx);
     Become(&TDescribePartitionActor::StateWork);
@@ -1322,7 +1322,7 @@ void TDescribePartitionActor::StateWork(TAutoPtr<IEventHandle>& ev) {
         case TEvTxProxySchemeCache::TEvNavigateKeySetResult::EventType:
             if (NeedToRequestWithDescribeSchema(ev)) {
                 // We do not have the UpdateRow permission. Check if we're allowed to DescribeSchema.
-                CheckAccessWithUpdateRowPermission = false;
+                CheckAccessWithWriteTopicPermission = false;
                 SendDescribeProposeRequest(ActorContext());
                 break;
             }
@@ -1337,7 +1337,7 @@ void TDescribePartitionActor::StateWork(TAutoPtr<IEventHandle>& ev) {
 // Return true if we need to send a second request to SchemeCache with DescribeSchema permission,
 // because the first request checking the UpdateRow permission resulted in an AccessDenied error.
 bool TDescribePartitionActor::NeedToRequestWithDescribeSchema(TAutoPtr<IEventHandle>& ev) {
-    if (!CheckAccessWithUpdateRowPermission) {
+    if (!CheckAccessWithWriteTopicPermission) {
         // We've already sent a request with DescribeSchema, ev is a response to it.
         return false;
     }