secrets have been fixed (#7409)

dorooleg · web-flow · commit f010ee3321a6 · 2024-08-08T14:44:23.000+03:00
diff --git a/ydb/core/fq/libs/compute/ydb/synchronization_service/synchronization_service.cpp b/ydb/core/fq/libs/compute/ydb/synchronization_service/synchronization_service.cpp
@@ -436,6 +436,7 @@ class TSynchronizeScopeActor : public NActors::TActorBootstrapped<TSynchronizeSc
 
             request.Get()->Get()->YDBClient = Client;
             request.Get()->Get()->ComputeDatabase = ComputeDatabase;
+            request.Get()->Get()->Scope = Scope;
 
             Register(NFq::NPrivate::MakeCreateConnectionActor(
                 SelfId(),
@@ -465,6 +466,7 @@ class TSynchronizeScopeActor : public NActors::TActorBootstrapped<TSynchronizeSc
 
             request.Get()->Get()->YDBClient = Client;
             request.Get()->Get()->ComputeDatabase = ComputeDatabase;
+            request.Get()->Get()->Scope = Scope;
 
             auto it = Connections.find(binding.second.content().connection_id());
             if (it == Connections.end()) {
diff --git a/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp b/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.cpp
@@ -11,6 +11,14 @@
 namespace NFq {
 namespace NPrivate {
 
+namespace {
+
+TString MakeSecretKeyName(const TString& prefix, const TString& folderId, const TString& name) {
+    return TStringBuilder{} << prefix << "_" << folderId << "_" << name;
+}
+
+}
+
 TString MakeCreateExternalDataTableQuery(const FederatedQuery::BindingContent& content,
                                          const TString& connectionName,
                                          bool replaceIfExists) {
@@ -94,7 +102,8 @@ TString SignAccountId(const TString& id, const TSigner::TPtr& signer) {
 
 TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting& setting,
                                 const TString& name,
-                                const TSigner::TPtr& signer) {
+                                const TSigner::TPtr& signer,
+                                const TString& folderId) {
     using namespace fmt::literals;
     TString secretObjects;
     auto serviceAccountId = ExtractServiceAccountId(setting);
@@ -103,7 +112,7 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
             R"(
                     UPSERT OBJECT {sa_secret_name} (TYPE SECRET) WITH value={signature};
                 )",
-            "sa_secret_name"_a = EncloseAndEscapeString("k1" + name, '`'),
+            "sa_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f1", folderId, name), '`'),
             "signature"_a       = EncloseSecret(EncloseAndEscapeString(SignAccountId(serviceAccountId, signer), '"'))) : std::string{};
     }
 
@@ -113,7 +122,7 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
                 R"(
                     UPSERT OBJECT {password_secret_name} (TYPE SECRET) WITH value={password};
                 )",
-            "password_secret_name"_a = EncloseAndEscapeString("k2" + name, '`'),
+            "password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '`'),
             "password"_a = EncloseSecret(EncloseAndEscapeString(*password, '"')));
     }
 
@@ -122,7 +131,8 @@ TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting&
 
 TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
                               const TString& name,
-                              const TSigner::TPtr& signer) {
+                              const TSigner::TPtr& signer,
+                              const TString& folderId) {
     using namespace fmt::literals;
     auto authMethod = GetYdbComputeAuthMethod(setting);
     switch (authMethod) {
@@ -139,7 +149,7 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
                 )",
             "auth_method"_a = ToString(authMethod),
             "service_account_id"_a = EncloseAndEscapeString(ExtractServiceAccountId(setting), '"'),
-            "sa_secret_name"_a = EncloseAndEscapeString(signer ? "k1" + name : TString{}, '"'));
+            "sa_secret_name"_a = EncloseAndEscapeString(signer ? MakeSecretKeyName("f1", folderId, name) : TString{}, '"'));
         case EYdbComputeAuth::BASIC:
             return fmt::format(
                     R"(,
@@ -149,7 +159,7 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
                     )",
                 "auth_method"_a = ToString(authMethod),
                 "login"_a = EncloseAndEscapeString(GetLogin(setting).GetOrElse({}), '"'),
-                "password_secret_name"_a = EncloseAndEscapeString("k2" + name, '"'));
+                "password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '"'));
         case EYdbComputeAuth::MDB_BASIC:
             return fmt::format(
                 R"(,
@@ -161,17 +171,18 @@ TString CreateAuthParamsQuery(const FederatedQuery::ConnectionSetting& setting,
                     )",
                 "auth_method"_a = ToString(authMethod),
                 "service_account_id"_a = EncloseAndEscapeString(ExtractServiceAccountId(setting), '"'),
-                "sa_secret_name"_a = EncloseAndEscapeString(signer ? "k1" + name : TString{}, '"'),
+                "sa_secret_name"_a = EncloseAndEscapeString(signer ? MakeSecretKeyName("f1", folderId, name) : TString{}, '"'),
                 "login"_a = EncloseAndEscapeString(GetLogin(setting).GetOrElse({}), '"'),
-                "password_secret_name"_a = EncloseAndEscapeString("k2" + name, '"'));
+                "password_secret_name"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '"'));
     }
 }
 
 TString MakeCreateExternalDataSourceQuery(
     const FederatedQuery::ConnectionContent& connectionContent,
     const TSigner::TPtr& signer,
     const NConfig::TCommonConfig& common,
-    bool replaceIfExists) {
+    bool replaceIfExists,
+    const TString& folderId) {
     using namespace fmt::literals;
 
     TString properties;
@@ -278,20 +289,25 @@ TString MakeCreateExternalDataSourceQuery(
         "auth_params"_a =
             CreateAuthParamsQuery(connectionContent.setting(),
                                   connectionContent.name(),
-                                  signer));
+                                  signer,
+                                  folderId));
 }
 
-TMaybe<TString> DropSecretObjectQuery(const TString& name) {
+TMaybe<TString> DropSecretObjectQuery(const TString& name, const TString& folderId) {
     using namespace fmt::literals;
     return fmt::format(
             R"(
                 DROP OBJECT {secret_name1} (TYPE SECRET);
                 DROP OBJECT {secret_name2} (TYPE SECRET);
                 DROP OBJECT {secret_name3} (TYPE SECRET); -- for backward compatibility
+                DROP OBJECT {secret_name4} (TYPE SECRET); -- for backward compatibility
+                DROP OBJECT {secret_name5} (TYPE SECRET); -- for backward compatibility
             )",
-        "secret_name1"_a = EncloseAndEscapeString("k1" + name, '`'),
-        "secret_name2"_a = EncloseAndEscapeString("k2" + name, '`'),
-        "secret_name3"_a = EncloseAndEscapeString(name, '`'));
+        "secret_name1"_a = EncloseAndEscapeString(MakeSecretKeyName("f1", folderId, name), '`'),
+        "secret_name2"_a = EncloseAndEscapeString(MakeSecretKeyName("f2", folderId, name), '`'),
+        "secret_name3"_a = EncloseAndEscapeString(TStringBuilder{} << "k1" << name, '`'),
+        "secret_name4"_a = EncloseAndEscapeString(TStringBuilder{} << "k2" << name, '`'),
+        "secret_name5"_a = EncloseAndEscapeString(name, '`'));
 }
 
 TString MakeDeleteExternalDataTableQuery(const TString& tableName) {
diff --git a/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h b/ydb/core/fq/libs/control_plane_proxy/actors/query_utils.h
@@ -10,15 +10,17 @@ namespace NPrivate {
 
 TMaybe<TString> CreateSecretObjectQuery(const FederatedQuery::ConnectionSetting& setting,
                                         const TString& name,
-                                        const TSigner::TPtr& signer);
+                                        const TSigner::TPtr& signer,
+                                        const TString& folderId);
 
-TMaybe<TString> DropSecretObjectQuery(const TString& name);
+TMaybe<TString> DropSecretObjectQuery(const TString& name, const TString& folderId);
 
 TString MakeCreateExternalDataSourceQuery(
     const FederatedQuery::ConnectionContent& connectionContent,
     const TSigner::TPtr& signer,
     const NConfig::TCommonConfig& common,
-    bool replaceIfExists);
+    bool replaceIfExists,
+    const TString& folderId);
 
 TString MakeDeleteExternalDataSourceQuery(const TString& sourceName);
 
diff --git a/ydb/core/fq/libs/control_plane_proxy/actors/ydb_schema_query_actor.cpp b/ydb/core/fq/libs/control_plane_proxy/actors/ydb_schema_query_actor.cpp
@@ -9,6 +9,7 @@
 #include <ydb/core/fq/libs/control_plane_proxy/events/events.h>
 #include <ydb/core/fq/libs/control_plane_storage/control_plane_storage.h>
 #include <ydb/public/api/protos/draft/fq.pb.h>
+#include <ydb/public/lib/fq/scope.h>
 #include <ydb/public/sdk/cpp/client/ydb_table/table.h>
 
 namespace NFq::NPrivate {
@@ -418,7 +419,7 @@ class TGenerateRecoverySQLIfExternalDataSourceAlreadyExistsActor :
 
         event->IsExactNameMatch = true;
 
-        TBase::Send(NFq::ControlPlaneStorageServiceActorId(), event);
+        TBase::Send(::NFq::ControlPlaneStorageServiceActorId(), event);
     }
 
     STRICT_STFUNC(StateFunc, cFunc(NActors::TEvents::TSystem::Wakeup, TBase::HandleTimeout);
@@ -493,7 +494,7 @@ class TGenerateRecoverySQLIfExternalDataTableAlreadyExistsActor :
 
         event->IsExactNameMatch = true;
 
-        TBase::Send(NFq::ControlPlaneStorageServiceActorId(), event);
+        TBase::Send(::NFq::ControlPlaneStorageServiceActorId(), event);
     }
 
     STRICT_STFUNC(StateFunc, cFunc(NActors::TEvents::TSystem::Wakeup, TBase::HandleTimeout);
@@ -543,7 +544,7 @@ IActor* MakeCreateConnectionActor(
     TCounters& counters,
     TPermissions permissions,
     const TCommonConfig& commonConfig,
-    const NFq::TComputeConfig& computeConfig,
+    const ::NFq::TComputeConfig& computeConfig,
     TSigner::TPtr signer,
     bool withoutRollback,
     TMaybe<TString> connectionId) {
@@ -557,10 +558,13 @@ IActor* MakeCreateConnectionActor(
          computeConfig](const TEvControlPlaneProxy::TEvCreateConnectionRequest::TPtr& req)
         -> std::vector<TSchemaQueryTask> {
         auto& connectionContent = req->Get()->Request.content();
+        const auto& scope = req->Get()->Scope;
+        const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();
 
         auto createSecretStatement = CreateSecretObjectQuery(connectionContent.setting(),
                                                              connectionContent.name(),
-                                                             signer);
+                                                             signer,
+                                                             folderId);
 
         std::vector<TSchemaQueryTask> statements;
         if (createSecretStatement) {
@@ -603,7 +607,7 @@ IActor* MakeCreateConnectionActor(
         statements.push_back(TSchemaQueryTask{
             .SQL = MakeCreateExternalDataSourceQuery(
                 connectionContent, signer, commonConfig,
-                computeConfig.IsReplaceIfExistsSyntaxSupported()),
+                computeConfig.IsReplaceIfExistsSyntaxSupported(), folderId),
                              .ScheduleErrorRecoverySQLGeneration =
                                  withoutRollback
                                      ? NoRecoverySQLGeneration()
@@ -647,7 +651,7 @@ IActor* MakeModifyConnectionActor(
     TDuration requestTimeout,
     TCounters& counters,
     const TCommonConfig& commonConfig,
-    const NFq::TComputeConfig& computeConfig,
+    const ::NFq::TComputeConfig& computeConfig,
     TSigner::TPtr signer) {
     auto queryFactoryMethod =
         [signer = std::move(signer),
@@ -659,21 +663,24 @@ IActor* MakeModifyConnectionActor(
         auto& oldConnectionContent = (*request->Get()->OldConnectionContent);
         auto& oldBindings          = request->Get()->OldBindingContents;
         auto& newConnectionContent = request->Get()->Request.content();
+        const auto& scope = request->Get()->Scope;
+        const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();
 
         auto dropOldSecret =
-            DropSecretObjectQuery(oldConnectionContent.name());
+            DropSecretObjectQuery(oldConnectionContent.name(), folderId);
         auto createNewSecret =
             CreateSecretObjectQuery(newConnectionContent.setting(),
                                     newConnectionContent.name(),
-                                    signer);
+                                    signer,
+                                    folderId);
 
         bool replaceSupported = computeConfig.IsReplaceIfExistsSyntaxSupported();
         if (replaceSupported &&
             oldConnectionContent.name() == newConnectionContent.name()) {
             // CREATE OR REPLACE
             auto createSecretStatement =
                 CreateSecretObjectQuery(newConnectionContent.setting(),
-                                        newConnectionContent.name(), signer);
+                                        newConnectionContent.name(), signer, folderId);
 
             std::vector<TSchemaQueryTask> statements;
             if (createSecretStatement) {
@@ -683,7 +690,7 @@ IActor* MakeModifyConnectionActor(
 
             statements.push_back(TSchemaQueryTask{
                 .SQL = MakeCreateExternalDataSourceQuery(
-                    newConnectionContent, signer, commonConfig, replaceSupported)});
+                    newConnectionContent, signer, commonConfig, replaceSupported, folderId)});
             return statements;
         }
 
@@ -712,26 +719,26 @@ IActor* MakeModifyConnectionActor(
         statements.push_back(TSchemaQueryTask{
             .SQL = TString{MakeDeleteExternalDataSourceQuery(oldConnectionContent.name())},
             .RollbackSQL           = TString{MakeCreateExternalDataSourceQuery(
-                oldConnectionContent, signer, commonConfig, false)},
+                oldConnectionContent, signer, commonConfig, false, folderId)},
             .ShouldSkipStepOnError = IsPathDoesNotExistIssue});
 
         if (dropOldSecret) {
             statements.push_back(TSchemaQueryTask{
                 .SQL         = *dropOldSecret,
                 .RollbackSQL = CreateSecretObjectQuery(oldConnectionContent.setting(),
                                                        oldConnectionContent.name(),
-                                                       signer),
+                                                       signer, folderId),
                 .ShouldSkipStepOnError = IsPathDoesNotExistIssue});
         }
         if (createNewSecret) {
             statements.push_back(TSchemaQueryTask{.SQL         = *createNewSecret,
                                                   .RollbackSQL = DropSecretObjectQuery(
-                                                      newConnectionContent.name())});
+                                                      newConnectionContent.name(), folderId)});
         }
 
         statements.push_back(
             TSchemaQueryTask{.SQL         = TString{MakeCreateExternalDataSourceQuery(
-                                 newConnectionContent, signer, commonConfig, false)},
+                                 newConnectionContent, signer, commonConfig, false, folderId)},
                              .RollbackSQL = TString{MakeDeleteExternalDataSourceQuery(
                                  newConnectionContent.name())}});
 
@@ -787,23 +794,25 @@ IActor* MakeDeleteConnectionActor(
             const TEvControlPlaneProxy::TEvDeleteConnectionRequest::TPtr& request)
         -> std::vector<TSchemaQueryTask> {
         auto& connectionContent = *request->Get()->ConnectionContent;
+        const auto& scope = request->Get()->Scope;
+        const TString folderId = NYdb::NFq::TScope{scope}.ParseFolder();
 
         auto dropSecret =
-            DropSecretObjectQuery(connectionContent.name());
+            DropSecretObjectQuery(connectionContent.name(), folderId);
 
         std::vector statements = {
             TSchemaQueryTask{.SQL = TString{MakeDeleteExternalDataSourceQuery(
                                  connectionContent.name())},
                              .RollbackSQL = MakeCreateExternalDataSourceQuery(
-                                 connectionContent, signer, commonConfig, false),
+                                 connectionContent, signer, commonConfig, false, folderId),
                              .ShouldSkipStepOnError = IsPathDoesNotExistIssue}};
         if (dropSecret) {
             statements.push_back(
                 TSchemaQueryTask{.SQL = *dropSecret,
                                  .RollbackSQL =
                                      CreateSecretObjectQuery(connectionContent.setting(),
                                                              connectionContent.name(),
-                                                             signer),
+                                                             signer, folderId),
                                  .ShouldSkipStepOnError = IsPathDoesNotExistIssue});
         }
         return statements;
@@ -832,7 +841,7 @@ IActor* MakeCreateBindingActor(const TActorId& proxyActorId,
                                TDuration requestTimeout,
                                TCounters& counters,
                                TPermissions permissions,
-                               const NFq::TComputeConfig& computeConfig,bool withoutRollback,
+                               const ::NFq::TComputeConfig& computeConfig,bool withoutRollback,
                                TMaybe<TString> bindingId) {
     auto queryFactoryMethod =
         [requestTimeout, &counters, permissions, withoutRollback, computeConfig](
@@ -916,7 +925,7 @@ IActor* MakeModifyBindingActor(const TActorId& proxyActorId,
                                TEvControlPlaneProxy::TEvModifyBindingRequest::TPtr request,
                                TDuration requestTimeout,
                                TCounters& counters,
-    const NFq::TComputeConfig& computeConfig) {
+    const ::NFq::TComputeConfig& computeConfig) {
     auto queryFactoryMethod =
         [computeConfig](const TEvControlPlaneProxy::TEvModifyBindingRequest::TPtr& request)
         -> std::vector<TSchemaQueryTask> {
