Replaced check rights readAttributes and WriteAttributes with SelectRow for read topics

Author: molotkov-and

ydb/core/kqp/session_actor/kqp_query_state.cpp

@@ -260,7 +260,8 @@ std::unique_ptr<NSchemeCache::TSchemeCacheNavigate> TKqpQueryState::BuildSchemeC
 }
 
 bool TKqpQueryState::IsAccessDenied(const NSchemeCache::TSchemeCacheNavigate& response, TString& message) {
-    auto rights = NACLib::EAccessRights::ReadAttributes | NACLib::EAccessRights::WriteAttributes;
+    // in future check right UseConsumer
+    auto rights = NACLib::EAccessRights::SelectRow;
     // don't build message string on success path
     bool denied = std::any_of(response.ResultSet.begin(), response.ResultSet.end(), [&] (auto& result) {
         return result.SecurityObject && !result.SecurityObject->CheckAccess(rights, *UserToken);

ydb/core/testlib/test_pq_client.h

@@ -879,8 +879,8 @@ class TFlatMsgBusPQClient : public NFlatTests::TFlatMsgBusClient {
 
     void GrantConsumerAccess(const TString& oldName, const TString& subj) {
         NACLib::TDiffACL acl;
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, subj);
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::WriteAttributes, subj);
+        // in future use right UseConsumer
+        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::SelectRow, subj);
         auto name = NPersQueue::ConvertOldConsumerName(oldName);
         auto pos = name.rfind("/");
         Y_ABORT_UNLESS(pos != TString::npos);

ydb/services/persqueue_v1/actors/read_init_auth_actor.cpp

@@ -238,7 +238,8 @@ void TReadInitAndAuthActor::HandleClientSchemeCacheResponse(
         return;
     }
 
-    NACLib::EAccessRights rights = (NACLib::EAccessRights)(NACLib::EAccessRights::ReadAttributes + NACLib::EAccessRights::WriteAttributes);
+    // in future use right UseConsumer
+    auto rights = NACLib::EAccessRights::SelectRow;
     if (
             !CheckACLPermissionsForNavigate(entry.SecurityObject, path, rights, "No ReadAsConsumer permissions", ctx)
     ) {

ydb/services/persqueue_v1/ut/topic_service_ut.cpp

@@ -156,8 +156,8 @@ class TUpdateOffsetsInTransactionFixture : public NUnitTest::TBaseFixture {
 
         NACLib::TDiffACL acl;
         acl.AddAccess(NACLib::EAccessType::Allow, NACLib::DescribeSchema, AUTH_TOKEN);
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, AUTH_TOKEN);
-        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::WriteAttributes, AUTH_TOKEN);
+        // in future use right UseConsumer
+        acl.AddAccess(NACLib::EAccessType::Allow, NACLib::SelectRow, AUTH_TOKEN);
         server->AnnoyingClient->ModifyACL(TOPIC_PARENT, VALID_TOPIC_NAME, acl.SerializeAsString());
 
         auto driverCfg = NYdb::TDriverConfig()
@@ -328,7 +328,8 @@ Y_UNIT_TEST_F(AccessRights, TUpdateOffsetsInTransactionFixture) {
     UNIT_ASSERT_VALUES_EQUAL(response.operation().status(), Ydb::StatusIds::SUCCESS);
 
     NACLib::TDiffACL acl;
-    acl.RemoveAccess(NACLib::EAccessType::Allow, NACLib::ReadAttributes, AUTH_TOKEN);
+    // in future use right UseConsumer
+    acl.RemoveAccess(NACLib::EAccessType::Allow, NACLib::SelectRow, AUTH_TOKEN);
     server->AnnoyingClient->ModifyACL(TOPIC_PARENT, VALID_TOPIC_NAME, acl.SerializeAsString());
 
     response = Call_UpdateOffsetsInTransaction({