ticket-parser: Add error message for log to TError struct of ticket parser (#11403)

molotkov-and · web-flow · commit f73f6dcefa37 · 2024-11-08T18:18:01.000+03:00
diff --git a/ydb/core/base/ticket_parser.h b/ydb/core/base/ticket_parser.h
@@ -154,14 +154,24 @@ namespace NKikimr {
 
         struct TError {
             TString Message;
+            TString LogMessage;
             bool Retryable = true;
 
             bool empty() const {
-                return Message.empty();
+                return Message.empty() && LogMessage.empty();
+            }
+
+            bool HasMessage() const {
+                return !Message.empty();
+            }
+
+            bool HasLogMessage() const {
+                return !LogMessage.empty();
             }
 
             void clear() {
                 Message.clear();
+                LogMessage.clear();
                 Retryable = true;
             }
 
diff --git a/ydb/core/security/secure_request.h b/ydb/core/security/secure_request.h
@@ -47,7 +47,7 @@ class TSecureRequestActor : public TBase {
                 if (!GetAdministrationAllowedSIDs().empty()) {
                     const auto& allowedSIDs(GetAdministrationAllowedSIDs());
                     if (std::find_if(allowedSIDs.begin(), allowedSIDs.end(), [&result](const TString& sid) -> bool { return result.Token->IsExist(sid); }) == allowedSIDs.end()) {
-                        return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Administrative access denied", false}, ctx);
+                        return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Administrative access denied", .Retryable = false}, ctx);
                     }
                 }
                 UserAdmin = true;
@@ -59,7 +59,7 @@ class TSecureRequestActor : public TBase {
 
     void Handle(TEvents::TEvUndelivered::TPtr&, const TActorContext& ctx) {
         if (IsTokenRequired()) {
-            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Access denied - error parsing token", false}, ctx);
+            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Access denied - error parsing token", .Retryable = false}, ctx);
         }
         static_cast<TBootstrap*>(this)->Bootstrap(ctx);
     }
@@ -166,7 +166,7 @@ class TSecureRequestActor : public TBase {
 
     void Bootstrap(const TActorContext& ctx) {
         if (IsTokenRequired() && !IsTokenExists()) {
-            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Access denied without user token", false}, ctx);
+            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Access denied without user token", .Retryable = false}, ctx);
         }
         if (SecurityToken.empty()) {
             if (!GetDefaultUserSIDs().empty()) {
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
@@ -649,14 +649,14 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
 
             if (record.Ticket.EndsWith("@" BUILTIN_ERROR_DOMAIN)) {
                 record.TokenType = TDerived::ETokenType::Builtin;
-                SetError(key, record, { "Builtin error simulation" });
+                SetError(key, record, { .Message = "Builtin error simulation" });
                 CounterTicketsBuiltin->Inc();
                 return true;
             }
 
             if (record.Ticket.EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
                 record.TokenType = TDerived::ETokenType::Builtin;
-                SetError(key, record, { "System domain not available for user usage", false });
+                SetError(key, record, { .Message = "System domain not available for user usage", .Retryable = false });
                 CounterTicketsBuiltin->Inc();
                 return true;
             }
@@ -977,12 +977,12 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                         .AuthType = record.GetAuthType()
                     }));
                 } else {
-                    SetError(key, record, {errorMessage, false});
+                    SetError(key, record, {.Message = errorMessage, .Retryable = false});
                 }
             } else {
                 if (record.ResponsesLeft == 0 && (record.TokenType == TDerived::ETokenType::Unknown || record.TokenType == TDerived::ETokenType::AccessService || record.TokenType == TDerived::ETokenType::ApiKey)) {
                     bool retryable = IsRetryableGrpcError(response->Status);
-                    SetError(key, record, {response->Status.Msg, retryable});
+                    SetError(key, record, {.Message = response->Status.Msg, .Retryable = retryable});
                 }
             }
             if (record.ResponsesLeft == 0) {
@@ -1011,7 +1011,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             auto& record = it->second;
             record.ResponsesLeft--;
             if (!ev->Get()->Status.Ok()) {
-                SetError(key, record, {ev->Get()->Status.Msg});
+                SetError(key, record, {.Message = ev->Get()->Status.Msg});
             } else {
                 GetDerived()->SetToken(key, record, ev);
             }
@@ -1033,7 +1033,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             auto& record = it->second;
             record.ResponsesLeft--;
             if (!ev->Get()->Status.Ok()) {
-                SetError(key, record, {ev->Get()->Status.Msg});
+                SetError(key, record, {.Message = ev->Get()->Status.Msg});
             } else {
                 SetToken(key, record, new NACLib::TUserToken(record.Ticket, ev->Get()->Response.name() + "@" + ServiceDomain, {}));
             }
@@ -1322,7 +1322,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                     }
                 } else {
                     bool retryable = IsRetryableGrpcError(response->Status);
-                    itPermission->second.Error = {response->Status.Msg, retryable};
+                    itPermission->second.Error = {.Message = response->Status.Msg, .Retryable = retryable};
                     if (itPermission->second.Subject.empty() || !retryable) {
                         itPermission->second.Subject.clear();
                         BLOG_TRACE("Ticket "
@@ -1433,7 +1433,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             } else {
                 BLOG_D("Expired ticket " << record.GetMaskedTicket());
                 if (!record.AuthorizeRequests.empty()) {
-                    record.Error = {"Timed out", true};
+                    record.Error = {.Message = "Timed out", .Retryable = true};
                     Respond(record);
                 }
                 userTokens.erase(it);

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ class TSecureRequestActor : public TBase {`
`47`	`47`	`if (!GetAdministrationAllowedSIDs().empty()) {`
`48`	`48`	`const auto& allowedSIDs(GetAdministrationAllowedSIDs());`
`49`	`49`	`if (std::find_if(allowedSIDs.begin(), allowedSIDs.end(), [&result](const TString& sid) -> bool { return result.Token->IsExist(sid); }) == allowedSIDs.end()) {`
`50`		`- return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Administrative access denied", false}, ctx);`
	`50`	`+ return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Administrative access denied", .Retryable = false}, ctx);`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`	`UserAdmin = true;`
`@@ -59,7 +59,7 @@ class TSecureRequestActor : public TBase {`
`59`	`59`
`60`	`60`	`void Handle(TEvents::TEvUndelivered::TPtr&, const TActorContext& ctx) {`
`61`	`61`	`if (IsTokenRequired()) {`
`62`		`- return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Access denied - error parsing token", false}, ctx);`
	`62`	`+ return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Access denied - error parsing token", .Retryable = false}, ctx);`
`63`	`63`	`}`
`64`	`64`	`static_cast<TBootstrap*>(this)->Bootstrap(ctx);`
`65`	`65`	`}`
`@@ -166,7 +166,7 @@ class TSecureRequestActor : public TBase {`
`166`	`166`
`167`	`167`	`void Bootstrap(const TActorContext& ctx) {`
`168`	`168`	`if (IsTokenRequired() && !IsTokenExists()) {`
`169`		`- return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Access denied without user token", false}, ctx);`
	`169`	`+ return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Access denied without user token", .Retryable = false}, ctx);`
`170`	`170`	`}`
`171`	`171`	`if (SecurityToken.empty()) {`
`172`	`172`	`if (!GetDefaultUserSIDs().empty()) {`