Merge 320cb0b into b765769

Author: molotkov-and

ydb/core/kqp/session_actor/kqp_query_state.cpp

@@ -260,7 +260,7 @@ std::unique_ptr<NSchemeCache::TSchemeCacheNavigate> TKqpQueryState::BuildSchemeC
 }
 
 bool TKqpQueryState::IsAccessDenied(const NSchemeCache::TSchemeCacheNavigate& response, TString& message) {
-    auto rights = NACLib::EAccessRights::ReadAttributes | NACLib::EAccessRights::WriteAttributes;
+    auto rights = NACLib::EAccessRights::AccessTopicOffset;
     // don't build message string on success path
     bool denied = std::any_of(response.ResultSet.begin(), response.ResultSet.end(), [&] (auto& result) {
         return result.SecurityObject && !result.SecurityObject->CheckAccess(rights, *UserToken);

ydb/core/testlib/test_pq_client.h

@@ -879,8 +879,9 @@ class TFlatMsgBusPQClient : public NFlatTests::TFlatMsgBusClient {
 
     void GrantConsumerAccess(const TString& oldName, const TString& subj) {
         NACLib::TDiffACL acl;
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, subj);
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::WriteAttributes, subj);
+        // acl.AddAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, subj);
+        // acl.AddAccess(NACLib::EAccessType::Allow, NACLib::WriteAttributes, subj);
+        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::AccessTopicOffset, subj);
         auto name = NPersQueue::ConvertOldConsumerName(oldName);
         auto pos = name.rfind("/");
         Y_ABORT_UNLESS(pos != TString::npos);

ydb/core/viewer/browse.h

@@ -189,6 +189,9 @@ class TBrowse : public TActorBootstrapped<TBrowse> {
                         if ((ar & NACLib::EAccessRights::AlterSchema) != 0) {
                             pbAce.AddAccessRights("AlterSchema");
                         }
+                        if ((ar & NACLib::EAccessRights::AccessTopicOffset) != 0) {
+                            pbAce.AddAccessRights("AccessTopicOffset");
+                        }
                         pbAce.SetSubject(ace.GetSID());
                         auto inht = ace.GetInheritanceType();
                         if ((inht & NACLib::EInheritanceType::InheritObject) != 0) {
@@ -591,6 +594,9 @@ class TBrowseTabletsCommon : public TActorBootstrapped<TBrowseTabletsCommon> {
                         if (ar == NACLib::EAccessRights::GenericFullLegacy) {
                             pbAce.SetAccessRule("FullLegacy");
                         }
+                        if ((ar & NACLib::EAccessRights::AccessTopicOffset) != 0) {
+                            pbAce.AddAccessRights("AccessTopicOffset");
+                        }
                         pbAce.SetSubject(ace.GetSID());
                         auto inht = ace.GetInheritanceType();
                         if ((inht & NACLib::EInheritanceType::InheritObject) != 0) {

ydb/core/viewer/json_acl.h

@@ -125,7 +125,8 @@ class TJsonACL : public TViewerPipeClient<TJsonACL> {
                             {NACLib::EAccessRights::ReadStream, "ReadStream"},
                             {NACLib::EAccessRights::WriteStream, "WriteStream"},
                             {NACLib::EAccessRights::ReadTopic, "ReadTopic"},
-                            {NACLib::EAccessRights::WriteTopic, "WriteTopic"}
+                            {NACLib::EAccessRights::WriteTopic, "WriteTopic"},
+                            // {NACLib::EAccessRights::AccessTopicOffset, "AccessTopicOffset"}
                         };
                         auto ar = ace.GetAccessRight();
                         int shift = 0;

ydb/core/ydb_convert/ydb_convert.cpp

@@ -799,6 +799,7 @@ const TString YDB_GRANULAR_CREATE_QUEUE = "ydb.granular.create_queue";
 const TString YDB_GRANULAR_REMOVE_SCHEMA = "ydb.granular.remove_schema";
 const TString YDB_GRANULAR_DESCRIBE_SCHEMA = "ydb.granular.describe_schema";
 const TString YDB_GRANULAR_ALTER_SCHEMA = "ydb.granular.alter_schema";
+const TString YDB_GRANULAR_ACCESS_TOPIC_OFFSET = "ydb.granular.access_topic_offset";
 
 const TString& GetAclName(const TString& name) {
     static const THashMap<TString, TString> GranularNamesMap_ = {
@@ -845,7 +846,8 @@ const THashMap<TString, TACLAttrs> AccessMap_  = {
     { YDB_GRANULAR_CREATE_QUEUE, EAccessRights::CreateQueue },
     { YDB_GRANULAR_REMOVE_SCHEMA, EAccessRights::RemoveSchema },
     { YDB_GRANULAR_DESCRIBE_SCHEMA, EAccessRights::DescribeSchema },
-    { YDB_GRANULAR_ALTER_SCHEMA, EAccessRights::AlterSchema }
+    { YDB_GRANULAR_ALTER_SCHEMA, EAccessRights::AlterSchema },
+    { YDB_GRANULAR_ACCESS_TOPIC_OFFSET, EAccessRights::AccessTopicOffset },
 
 };
 

ydb/core/ydb_convert/ydb_convert_ut.cpp

@@ -1148,6 +1148,10 @@ Y_UNIT_TEST(SimpleConvertGood) {
     aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.alter_schema");
     UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::AlterSchema);
     UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
+
+    aclAttr = ConvertYdbPermissionNameToACLAttrs("ydb.granular.access_topic_offset");
+    UNIT_ASSERT_EQUAL(aclAttr.AccessMask, EAccessRights::AccessTopicOffset);
+    UNIT_ASSERT_EQUAL(aclAttr.InheritanceType, EInheritanceType::InheritObject | EInheritanceType::InheritContainer);
 }
 
 Y_UNIT_TEST(TestEqualGranularAndDeprecatedAcl) {

ydb/library/aclib/aclib.cpp

@@ -489,6 +489,8 @@ TString TACL::ToString(const NACLibProto::TACE& ace) {
                 rights.emplace_back("WUA");
             if (ar & EAccessRights::ConnectDatabase)
                 rights.emplace_back("ConnDB");
+            if (ar & EAccessRights::AccessTopicOffset)
+                rights.emplace_back("ATO");
             str << '(';
             for (auto jt = rights.begin(); jt != rights.end(); ++jt) {
                 if (jt != rights.begin()) {
@@ -577,6 +579,8 @@ ui32 TACL::SpecialRightsFromString(const TString& string) {
             result |= EAccessRights::GrantAccessRights;
         if (r == "ConnDB")
             result |= EAccessRights::ConnectDatabase;
+        if (r == "ATO")
+            result |= EAccessRights::AccessTopicOffset;
     }
     return result;
 }
@@ -792,6 +796,8 @@ TString AccessRightsToString(ui32 accessRights) {
         rights.emplace_back("WriteUserAttributes");
     if (accessRights & EAccessRights::ConnectDatabase)
         rights.emplace_back("ConnectDatabase");
+    if (accessRights & EAccessRights::AccessTopicOffset)
+        rights.emplace_back("AccessTopicOffset");
     TString result;
     for (auto it = rights.begin(); it != rights.end(); ++it) {
         if (it != rights.begin()) {

ydb/library/aclib/aclib.h

@@ -40,9 +40,10 @@ enum EAccessRights : ui32 { // bitmask
     WriteStream = 0x00020000, // writing streams
     ReadTopic = 0x00040000, // reading topics
     WriteTopic = 0x00080000, // writing topics
+    AccessTopicOffset = 0x00100000, // use topic offset
 
     GenericList = ReadAttributes | DescribeSchema,
-    GenericRead = SelectRow | GenericList,
+    GenericRead = SelectRow | AccessTopicOffset | GenericList,
     GenericWrite = UpdateRow | EraseRow | WriteAttributes | CreateDirectory | CreateTable | CreateQueue | RemoveSchema | AlterSchema | WriteUserAttributes,
     GenericUseLegacy = GenericRead | GenericWrite | GrantAccessRights,
     GenericUse = GenericUseLegacy | ConnectDatabase,

ydb/services/persqueue_v1/actors/read_init_auth_actor.cpp

@@ -238,7 +238,8 @@ void TReadInitAndAuthActor::HandleClientSchemeCacheResponse(
         return;
     }
 
-    NACLib::EAccessRights rights = (NACLib::EAccessRights)(NACLib::EAccessRights::ReadAttributes + NACLib::EAccessRights::WriteAttributes);
+    auto rights = NACLib::EAccessRights::AccessTopicOffset;
+    // NACLib::EAccessRights rights = (NACLib::EAccessRights)(NACLib::EAccessRights::ReadAttributes + NACLib::EAccessRights::WriteAttributes);
     if (
             !CheckACLPermissionsForNavigate(entry.SecurityObject, path, rights, "No ReadAsConsumer permissions", ctx)
     ) {

ydb/services/persqueue_v1/ut/topic_service_ut.cpp

@@ -156,8 +156,9 @@ class TUpdateOffsetsInTransactionFixture : public NUnitTest::TBaseFixture {
 
         NACLib::TDiffACL acl;
         acl.AddAccess(NACLib::EAccessType::Allow, NACLib::DescribeSchema, AUTH_TOKEN);
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, AUTH_TOKEN);
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::WriteAttributes, AUTH_TOKEN);
+        // acl.AddAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, AUTH_TOKEN);
+        // acl.AddAccess(NACLib::EAccessType::Allow, NACLib::WriteAttributes, AUTH_TOKEN);
+        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::AccessTopicOffset, AUTH_TOKEN);
         server->AnnoyingClient->ModifyACL(TOPIC_PARENT, VALID_TOPIC_NAME, acl.SerializeAsString());
 
         auto driverCfg = NYdb::TDriverConfig()
@@ -328,7 +329,7 @@ Y_UNIT_TEST_F(AccessRights, TUpdateOffsetsInTransactionFixture) {
     UNIT_ASSERT_VALUES_EQUAL(response.operation().status(), Ydb::StatusIds::SUCCESS);
 
     NACLib::TDiffACL acl;
-    acl.RemoveAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, AUTH_TOKEN);
+    acl.RemoveAccess(NACLib::EAccessType::Allow, NACLib::AccessTopicOffset, AUTH_TOKEN);
     server->AnnoyingClient->ModifyACL(TOPIC_PARENT, VALID_TOPIC_NAME, acl.SerializeAsString());
 
     response = Call_UpdateOffsetsInTransaction({