Add permissions for describe of topic (#9562)

ydb-platform · Sep 24, 2024 · 693313e · 693313e
1 parent f768ce3
commit 693313e
Showing 1 changed file with 30 additions and 1 deletion.
diff --git a/ydb/services/persqueue_v1/topic.cpp b/ydb/services/persqueue_v1/topic.cpp
@@ -42,6 +42,35 @@ void TGRpcTopicService::DoUpdateOffsetsInTransaction(std::unique_ptr<IRequestOpC
     TActivationContext::AsActorContext().Register(new TUpdateOffsetsInTransactionActor(p.release()));
 }
 
+namespace {
+
+using namespace NKikimr;
+
+void YdsProcessAttr(const TSchemeBoardEvents::TDescribeSchemeResult& schemeData, NGRpcService::ICheckerIface* checker) {
+    static const std::vector<TString> allowedAttributes = {"folder_id", "service_account_id", "database_id"};
+    //full list of permissions for compatibility. remove old permissions later.
+    static const TVector<TString> permissions = {
+        "ydb.databases.list",
+        "ydb.databases.create",
+        "ydb.databases.connect",
+        "ydb.tables.select",
+        "ydb.schemas.getMetadata",
+        "ydb.streams.write"
+    };
+    TVector<std::pair<TString, TString>> attributes;
+    attributes.reserve(schemeData.GetPathDescription().UserAttributesSize());
+    for (const auto& attr : schemeData.GetPathDescription().GetUserAttributes()) {
+        if (std::find(allowedAttributes.begin(), allowedAttributes.end(), attr.GetKey()) != allowedAttributes.end()) {
+            attributes.emplace_back(attr.GetKey(), attr.GetValue());
+        }
+    }
+    if (!attributes.empty()) {
+        checker->SetEntries({{permissions, attributes}});
+    }
+}
+
+}
+
 void TGRpcTopicService::SetupIncomingRequests(NYdbGrpc::TLoggerPtr logger) {
 
     using namespace std::placeholders;
@@ -145,7 +174,7 @@ void TGRpcTopicService::SetupIncomingRequests(NYdbGrpc::TLoggerPtr logger) {
     })
 
     ADD_REQUEST(DescribePartition, TopicService, DescribePartitionRequest, DescribePartitionResponse, {
-        ActorSystem_->Send(GRpcRequestProxyId_, new TEvDescribePartitionRequest(ctx, &DoDescribePartitionRequest, TRequestAuxSettings{RLSWITCH(TRateLimiterMode::Rps), nullptr, TAuditMode::Off}));
+        ActorSystem_->Send(GRpcRequestProxyId_, new TEvDescribePartitionRequest(ctx, &DoDescribePartitionRequest, TRequestAuxSettings{RLSWITCH(TRateLimiterMode::Rps), YdsProcessAttr, TAuditMode::Off}));
     })
 #undef ADD_REQUEST