YQ-3006 added secrets validation (#3635)

Author: GrigoriyPA

ydb/core/kqp/executer_actor/kqp_executer_impl.h

@@ -1581,7 +1581,7 @@ class TKqpExecuterBase : public TActorBootstrapped<TDerived> {
     }
 
     void GetSecretsSnapshot() {
-        RegisterDescribeSecretsActor(this->SelfId(), UserToken ? UserToken->GetUserSID() : "", SecretNames, this->ActorContext(), MaximalSecretsSnapshotWaitTime);
+        RegisterDescribeSecretsActor(this->SelfId(), UserToken ? UserToken->GetUserSID() : "", SecretNames, this->ActorContext().ActorSystem(), MaximalSecretsSnapshotWaitTime);
     }
 
     void GetResourcesSnapshot() {

ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp

@@ -24,31 +24,34 @@ class TDescribeSecretsActor: public NActors::TActorBootstrapped<TDescribeSecrets
             const bool isFound = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(secretId), secretValue);
             if (!isFound) {
                 LastResponse = TEvDescribeSecretsResponse::TDescription(Ydb::StatusIds::BAD_REQUEST, { NYql::TIssue("secret with name '" + secretId.GetSecretId() + "' not found") });
+                if (!SubscribedOnSecrets) {
+                    CompleteAndPassAway(LastResponse);
+                }
                 return;
             }
             secretValues.push_back(secretValue);
         }
-        Promise.SetValue(TEvDescribeSecretsResponse::TDescription(secretValues));
 
-        UnsubscribeFromSecrets();
-        PassAway();
+        CompleteAndPassAway(TEvDescribeSecretsResponse::TDescription(secretValues));
     }
 
     void Handle(NActors::TEvents::TEvWakeup::TPtr&) {
-        Promise.SetValue(LastResponse);
+        CompleteAndPassAway(LastResponse);
+    }
+
+    void CompleteAndPassAway(const TEvDescribeSecretsResponse::TDescription& response) {
+        Promise.SetValue(response);
 
-        UnsubscribeFromSecrets();
+        if (SubscribedOnSecrets) {
+            this->Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvUnsubscribeExternal(GetSecretsSnapshotParser()));
+        }
         PassAway();
     }
 
     NMetadata::NFetcher::ISnapshotsFetcher::TPtr GetSecretsSnapshotParser() {
         return std::make_shared<NMetadata::NSecret::TSnapshotsFetcher>();
     }
 
-    void UnsubscribeFromSecrets() {
-        this->Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvUnsubscribeExternal(GetSecretsSnapshotParser()));
-    }
-
 public:
     TDescribeSecretsActor(const TString& ownerUserId, const std::vector<TString>& secretIds, NThreading::TPromise<TEvDescribeSecretsResponse::TDescription> promise, TDuration maximalSecretsSnapshotWaitTime)
         : SecretIds(CreateSecretIds(ownerUserId, secretIds))
@@ -64,8 +67,13 @@ class TDescribeSecretsActor: public NActors::TActorBootstrapped<TDescribeSecrets
             return;
         }
 
-        this->Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvSubscribeExternal(GetSecretsSnapshotParser()));
-        this->Schedule(MaximalSecretsSnapshotWaitTime, new NActors::TEvents::TEvWakeup());
+        if (MaximalSecretsSnapshotWaitTime) {
+            this->Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvSubscribeExternal(GetSecretsSnapshotParser()));
+            this->Schedule(MaximalSecretsSnapshotWaitTime, new NActors::TEvents::TEvWakeup());
+        } else {
+            this->Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvAskSnapshot(GetSecretsSnapshotParser()));
+            SubscribedOnSecrets = false;
+        }
         Become(&TDescribeSecretsActor::StateFunc);
     }
 
@@ -83,6 +91,7 @@ class TDescribeSecretsActor: public NActors::TActorBootstrapped<TDescribeSecrets
     NThreading::TPromise<TEvDescribeSecretsResponse::TDescription> Promise;
     TEvDescribeSecretsResponse::TDescription LastResponse;
     TDuration MaximalSecretsSnapshotWaitTime;
+    bool SubscribedOnSecrets = true;
 };
 
 }  // anonymous namespace
@@ -91,13 +100,53 @@ IActor* CreateDescribeSecretsActor(const TString& ownerUserId, const std::vector
     return new TDescribeSecretsActor(ownerUserId, secretIds, promise, maximalSecretsSnapshotWaitTime);
 }
 
-void RegisterDescribeSecretsActor(const NActors::TActorId& replyActorId, const TString& ownerUserId, const std::vector<TString>& secretIds, const TActorContext& actorContext, TDuration maximalSecretsSnapshotWaitTime) {
+void RegisterDescribeSecretsActor(const NActors::TActorId& replyActorId, const TString& ownerUserId, const std::vector<TString>& secretIds, NActors::TActorSystem* actorSystem, TDuration maximalSecretsSnapshotWaitTime) {
     auto promise = NThreading::NewPromise<TEvDescribeSecretsResponse::TDescription>();
-    actorContext.Register(CreateDescribeSecretsActor(ownerUserId, secretIds, promise, maximalSecretsSnapshotWaitTime));
+    actorSystem->Register(CreateDescribeSecretsActor(ownerUserId, secretIds, promise, maximalSecretsSnapshotWaitTime));
 
-    promise.GetFuture().Subscribe([actorContext, replyActorId](const NThreading::TFuture<TEvDescribeSecretsResponse::TDescription>& result){
-        actorContext.Send(replyActorId, new TEvDescribeSecretsResponse(result.GetValue()));
+    promise.GetFuture().Subscribe([actorSystem, replyActorId](const NThreading::TFuture<TEvDescribeSecretsResponse::TDescription>& result){
+        actorSystem->Send(replyActorId, new TEvDescribeSecretsResponse(result.GetValue()));
     });
 }
 
+NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeExternalDataSourceSecrets(const NKikimrSchemeOp::TAuth& authDescription, const TString& ownerUserId, TActorSystem* actorSystem, TDuration maximalSecretsSnapshotWaitTime) {
+    switch (authDescription.identity_case()) {
+        case NKikimrSchemeOp::TAuth::kServiceAccount: {
+            const TString& saSecretId = authDescription.GetServiceAccount().GetSecretName();
+            auto promise = NThreading::NewPromise<TEvDescribeSecretsResponse::TDescription>();
+            actorSystem->Register(CreateDescribeSecretsActor(ownerUserId, {saSecretId}, promise, maximalSecretsSnapshotWaitTime));
+            return promise.GetFuture();
+        }
+
+        case NKikimrSchemeOp::TAuth::kNone:
+            return NThreading::MakeFuture(TEvDescribeSecretsResponse::TDescription({}));
+
+        case NKikimrSchemeOp::TAuth::kBasic: {
+            const TString& passwordSecretId = authDescription.GetBasic().GetPasswordSecretName();
+            auto promise = NThreading::NewPromise<TEvDescribeSecretsResponse::TDescription>();
+            actorSystem->Register(CreateDescribeSecretsActor(ownerUserId, {passwordSecretId}, promise, maximalSecretsSnapshotWaitTime));
+            return promise.GetFuture();
+        }
+
+        case NKikimrSchemeOp::TAuth::kMdbBasic: {
+            const TString& saSecretId = authDescription.GetMdbBasic().GetServiceAccountSecretName();
+            const TString& passwordSecreId = authDescription.GetMdbBasic().GetPasswordSecretName();
+            auto promise = NThreading::NewPromise<TEvDescribeSecretsResponse::TDescription>();
+            actorSystem->Register(CreateDescribeSecretsActor(ownerUserId, {saSecretId, passwordSecreId}, promise, maximalSecretsSnapshotWaitTime));
+            return promise.GetFuture();
+        }
+
+        case NKikimrSchemeOp::TAuth::kAws: {
+            const TString& awsAccessKeyIdSecretId = authDescription.GetAws().GetAwsAccessKeyIdSecretName();
+            const TString& awsAccessKeyKeySecretId = authDescription.GetAws().GetAwsSecretAccessKeySecretName();
+            auto promise = NThreading::NewPromise<TEvDescribeSecretsResponse::TDescription>();
+            actorSystem->Register(CreateDescribeSecretsActor(ownerUserId, {awsAccessKeyIdSecretId, awsAccessKeyKeySecretId}, promise, maximalSecretsSnapshotWaitTime));
+            return promise.GetFuture();
+        }
+
+        case NKikimrSchemeOp::TAuth::IDENTITY_NOT_SET:
+            return NThreading::MakeFuture(TEvDescribeSecretsResponse::TDescription(Ydb::StatusIds::BAD_REQUEST, { NYql::TIssue("identity case is not specified") }));
+    }
+}
+
 }  // namespace NKikimr::NKqp

ydb/core/kqp/federated_query/kqp_federated_query_actors.h

@@ -1,13 +1,17 @@
 #pragma once
 
 #include <ydb/core/kqp/common/events/script_executions.h>
+#include <ydb/core/protos/flat_scheme_op.pb.h>
 
 #include <ydb/library/actors/core/actor.h>
 
 
 namespace NKikimr::NKqp {
 
-NActors::IActor* CreateDescribeSecretsActor(const TString& ownerUserId, const std::vector<TString>& secretIds, NThreading::TPromise<TEvDescribeSecretsResponse::TDescription> promise, TDuration maximalSecretsSnapshotWaitTime);
-void RegisterDescribeSecretsActor(const NActors::TActorId& replyActorId, const TString& ownerUserId, const std::vector<TString>& secretIds, const TActorContext& actorContext, TDuration maximalSecretsSnapshotWaitTime);
+IActor* CreateDescribeSecretsActor(const TString& ownerUserId, const std::vector<TString>& secretIds, NThreading::TPromise<TEvDescribeSecretsResponse::TDescription> promise, TDuration maximalSecretsSnapshotWaitTime = TDuration::Zero());
+
+void RegisterDescribeSecretsActor(const TActorId& replyActorId, const TString& ownerUserId, const std::vector<TString>& secretIds, TActorSystem* actorSystem, TDuration maximalSecretsSnapshotWaitTime = TDuration::Zero());
+
+NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> DescribeExternalDataSourceSecrets(const NKikimrSchemeOp::TAuth& authDescription, const TString& ownerUserId, TActorSystem* actorSystem, TDuration maximalSecretsSnapshotWaitTime = TDuration::Zero());
 
 }  // namespace NKikimr::NKqp

ydb/core/kqp/federated_query/ya.make

@@ -12,6 +12,7 @@ PEERDIR(
     ydb/library/db_pool/protos
     ydb/library/yql/providers/common/http_gateway
     ydb/library/yql/providers/generic/connector/libcpp
+    ydb/services/metadata/secret
 )
 
 YQL_LAST_ABI_VERSION()

ydb/core/kqp/finalize_script_service/kqp_finalize_script_actor.cpp

@@ -75,7 +75,7 @@ class TScriptFinalizerActor : public TActorBootstrapped<TScriptFinalizerActor> {
     }
 
     void FetchSecrets() {
-        RegisterDescribeSecretsActor(SelfId(), UserToken_, SecretNames_, ActorContext(), MaximalSecretsSnapshotWaitTime_);
+        RegisterDescribeSecretsActor(SelfId(), UserToken_, SecretNames_, ActorContext().ActorSystem(), MaximalSecretsSnapshotWaitTime_);
     }
 
     void Handle(TEvDescribeSecretsResponse::TPtr& ev) {

ydb/core/kqp/gateway/behaviour/external_data_source/manager.cpp

@@ -2,6 +2,7 @@
 #include "manager.h"
 
 #include <ydb/core/tx/tx_proxy/proxy.h>
+#include <ydb/core/kqp/federated_query/kqp_federated_query_actors.h>
 #include <ydb/core/kqp/gateway/actors/scheme.h>
 #include <ydb/core/kqp/gateway/utils/scheme_helpers.h>
 #include <ydb/core/kqp/provider/yql_kikimr_gateway.h>
@@ -140,6 +141,20 @@ NThreading::TFuture<TExternalDataSourceManager::TYqlConclusionStatus> SendScheme
     });
 }
 
+NThreading::TFuture<TExternalDataSourceManager::TYqlConclusionStatus> ValidateCreateExternalDatasource(const NKikimrSchemeOp::TExternalDataSourceDescription& externaDataSourceDesc, const TExternalDataSourceManager::TInternalModificationContext& context) {
+    const auto& authDescription = externaDataSourceDesc.GetAuth();
+    const auto& externalData = context.GetExternalData();
+    const auto& userToken = externalData.GetUserToken();
+    auto describeFuture = DescribeExternalDataSourceSecrets(authDescription, userToken ? userToken->GetUserSID() : "", externalData.GetActorSystem());
+
+    return describeFuture.Apply([](const NThreading::TFuture<TEvDescribeSecretsResponse::TDescription>& f) mutable {
+        if (const auto& value = f.GetValue(); value.Status != Ydb::StatusIds::SUCCESS) {
+            return TExternalDataSourceManager::TYqlConclusionStatus::Fail(NYql::YqlStatusFromYdbStatus(value.Status), value.Issues.ToString());   
+        }
+        return TExternalDataSourceManager::TYqlConclusionStatus::Success();
+    });
+}
+
 }
 
 NThreading::TFuture<TExternalDataSourceManager::TYqlConclusionStatus> TExternalDataSourceManager::DoModify(const NYql::TObjectSettingsImpl& settings,
@@ -176,7 +191,14 @@ NThreading::TFuture<TExternalDataSourceManager::TYqlConclusionStatus> TExternalD
     auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme();
     FillCreateExternalDataSourceCommand(schemeTx, settings, context);
 
-    return SendSchemeRequest(ev.Release(), context.GetExternalData().GetActorSystem(), schemeTx.GetFailedOnAlreadyExists(), schemeTx.GetSuccessOnNotExist());
+    auto validationFuture = ValidateCreateExternalDatasource(schemeTx.GetCreateExternalDataSource(), context);
+
+    return validationFuture.Apply([ev = ev.Release(), context, schemeTx](const NThreading::TFuture<TExternalDataSourceManager::TYqlConclusionStatus>& f) {
+        if (const auto& value = f.GetValue(); value.IsFail()) {
+            return NThreading::MakeFuture(value);
+        }
+        return SendSchemeRequest(ev, context.GetExternalData().GetActorSystem(), schemeTx.GetFailedOnAlreadyExists(), schemeTx.GetSuccessOnNotExist());
+    });
 }
 
 NThreading::TFuture<TExternalDataSourceManager::TYqlConclusionStatus> TExternalDataSourceManager::DropExternalDataSource(const NYql::TDropObjectSettings& settings,
@@ -240,11 +262,15 @@ NThreading::TFuture<NMetadata::NModifications::IOperationsManager::TYqlConclusio
         ev->Record.SetUserToken(context.GetUserToken()->GetSerializedToken());
     }
 
+    auto validationFuture = NThreading::MakeFuture(TExternalDataSourceManager::TYqlConclusionStatus::Success());
     auto& schemeTx = *ev->Record.MutableTransaction()->MutableModifyScheme();
     switch (schemeOperation.GetOperationCase()) {
-        case NKqpProto::TKqpSchemeOperation::kCreateExternalDataSource:
-            schemeTx.CopyFrom(schemeOperation.GetCreateExternalDataSource());
+        case NKqpProto::TKqpSchemeOperation::kCreateExternalDataSource: {
+            const auto& createExternalDataSource = schemeOperation.GetCreateExternalDataSource();
+            validationFuture = ValidateCreateExternalDatasource(createExternalDataSource.GetCreateExternalDataSource(), context);
+            schemeTx.CopyFrom(createExternalDataSource);
             break;
+        }
         case NKqpProto::TKqpSchemeOperation::kAlterExternalDataSource:
             schemeTx.CopyFrom(schemeOperation.GetAlterExternalDataSource());
             break;
@@ -256,7 +282,12 @@ NThreading::TFuture<NMetadata::NModifications::IOperationsManager::TYqlConclusio
                 TStringBuilder() << "Execution of prepare operation for EXTERNAL_DATA_SOURCE object: unsupported operation: " << int(schemeOperation.GetOperationCase())));
     }
 
-    return SendSchemeRequest(ev.Release(), context.GetActorSystem(), schemeTx.GetFailedOnAlreadyExists(), schemeTx.GetSuccessOnNotExist());
+    return validationFuture.Apply([ev = ev.Release(), context, schemeTx](const NThreading::TFuture<TExternalDataSourceManager::TYqlConclusionStatus>& f) {
+        if (const auto& value = f.GetValue(); value.IsFail()) {
+            return NThreading::MakeFuture(value);
+        }
+        return SendSchemeRequest(ev, context.GetActorSystem(), schemeTx.GetFailedOnAlreadyExists(), schemeTx.GetSuccessOnNotExist());
+    });
 }
 
 }

ydb/core/kqp/gateway/kqp_metadata_loader.cpp

@@ -460,43 +460,7 @@ void UpdateExternalDataSourceSecretsValue(TTableMetadataResult& externalDataSour
 
 NThreading::TFuture<TEvDescribeSecretsResponse::TDescription> LoadExternalDataSourceSecretValues(const NSchemeCache::TSchemeCacheNavigate::TEntry& entry, const TIntrusiveConstPtr<NACLib::TUserToken>& userToken, TDuration maximalSecretsSnapshotWaitTime, TActorSystem* actorSystem) {
     const auto& authDescription = entry.ExternalDataSourceInfo->Description.GetAuth();
-    switch (authDescription.identity_case()) {
-        case NKikimrSchemeOp::TAuth::kServiceAccount: {
-            const TString& saSecretId = authDescription.GetServiceAccount().GetSecretName();
-            auto promise = NewPromise<TEvDescribeSecretsResponse::TDescription>();
-            actorSystem->Register(CreateDescribeSecretsActor(userToken ? userToken->GetUserSID() : "", {saSecretId}, promise, maximalSecretsSnapshotWaitTime));
-            return promise.GetFuture();
-        }
-
-        case NKikimrSchemeOp::TAuth::kNone:
-            return MakeFuture(TEvDescribeSecretsResponse::TDescription({}));
-
-        case NKikimrSchemeOp::TAuth::kBasic: {
-            const TString& passwordSecretId = authDescription.GetBasic().GetPasswordSecretName();
-            auto promise = NewPromise<TEvDescribeSecretsResponse::TDescription>();
-            actorSystem->Register(CreateDescribeSecretsActor(userToken ? userToken->GetUserSID() : "", {passwordSecretId}, promise, maximalSecretsSnapshotWaitTime));
-            return promise.GetFuture();
-        }
-
-        case NKikimrSchemeOp::TAuth::kMdbBasic: {
-            const TString& saSecretId = authDescription.GetMdbBasic().GetServiceAccountSecretName();
-            const TString& passwordSecreId = authDescription.GetMdbBasic().GetPasswordSecretName();
-            auto promise = NewPromise<TEvDescribeSecretsResponse::TDescription>();
-            actorSystem->Register(CreateDescribeSecretsActor(userToken ? userToken->GetUserSID() : "", {saSecretId, passwordSecreId}, promise, maximalSecretsSnapshotWaitTime));
-            return promise.GetFuture();
-        }
-
-        case NKikimrSchemeOp::TAuth::kAws: {
-            const TString& awsAccessKeyIdSecretId = authDescription.GetAws().GetAwsAccessKeyIdSecretName();
-            const TString& awsAccessKeyKeySecretId = authDescription.GetAws().GetAwsSecretAccessKeySecretName();
-            auto promise = NewPromise<TEvDescribeSecretsResponse::TDescription>();
-            actorSystem->Register(CreateDescribeSecretsActor(userToken ? userToken->GetUserSID() : "", {awsAccessKeyIdSecretId, awsAccessKeyKeySecretId}, promise, maximalSecretsSnapshotWaitTime));
-            return promise.GetFuture();
-        }
-
-        case NKikimrSchemeOp::TAuth::IDENTITY_NOT_SET:
-            return MakeFuture(TEvDescribeSecretsResponse::TDescription(Ydb::StatusIds::BAD_REQUEST, { NYql::TIssue("identity case is not specified") }));
-    }
+    return DescribeExternalDataSourceSecrets(authDescription, userToken ? userToken->GetUserSID() : "", actorSystem, maximalSecretsSnapshotWaitTime);
 }
 
 } // anonymous namespace

ydb/core/kqp/provider/yql_kikimr_gateway_ut.cpp

@@ -497,6 +497,26 @@ Y_UNIT_TEST_SUITE(KikimrIcGateway) {
         UNIT_ASSERT_VALUES_EQUAL(response.Metadata->ExternalSource.Properties.GetProperties().at("use_tls"), "true");
         UNIT_ASSERT_VALUES_EQUAL(response.Metadata->ExternalSource.Properties.GetProperties().at("schema"), "public");
     }
+
+    Y_UNIT_TEST(TestSecretsExistingValidation) {
+        TKikimrRunner kikimr;
+        kikimr.GetTestServer().GetRuntime()->GetAppData(0).FeatureFlags.SetEnableExternalDataSources(true);
+        auto db = kikimr.GetTableClient();
+        auto session = db.CreateSession().GetValueSync().GetSession();
+
+        TString secretId = "unexisting_secret_name";
+        auto query = TStringBuilder() << R"(
+            CREATE EXTERNAL DATA SOURCE `/Root/ExternalDataSource` WITH (
+                SOURCE_TYPE="YT",
+                LOCATION="localhost",
+                AUTH_METHOD="TOKEN",
+                TOKEN_SECRET_NAME=")" << secretId << R"("
+            );)";
+
+        auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+        UNIT_ASSERT_C(result.GetStatus() == NYdb::EStatus::BAD_REQUEST, result.GetIssues().ToString());
+        UNIT_ASSERT_STRING_CONTAINS(result.GetIssues().ToOneLineString(), TStringBuilder() << "secret with name '" << secretId << "' not found");
+    }
 }
 
 } // namespace NYql

ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp

@@ -4675,6 +4675,8 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
         auto session = db.CreateSession().GetValueSync().GetSession();
         TString externalDataSourceName = "/Root/ExternalDataSource";
         auto query = TStringBuilder() << R"(
+            CREATE OBJECT mysasignature (TYPE SECRET) WITH (value = "mysasignaturevalue");
+
             CREATE EXTERNAL DATA SOURCE `)" << externalDataSourceName << R"(` WITH (
                 SOURCE_TYPE="ObjectStorage",
                 LOCATION="my-bucket",