Merge 1384a8f into 849f74f

Author: ildar-khisambeev

ydb/core/persqueue/partition_monitoring.cpp

@@ -12,6 +12,7 @@
 #include <ydb/core/protos/counters_pq.pb.h>
 #include <ydb/core/protos/msgbus.pb.h>
 #include <ydb/library/persqueue/topic_parser/topic_parser.h>
+#include <ydb/library/protobuf_printer/security_printer.h>
 #include <ydb/public/lib/base/msgbus.h>
 #include <library/cpp/html/pcdata/pcdata.h>
 #include <library/cpp/monlib/service/pages/templates.h>
@@ -22,6 +23,14 @@
 
 namespace NKikimr::NPQ {
 
+TString PrintConfig(const NKikimrPQ::TPQTabletConfig& cfg) {
+    TSecurityTextFormatPrinter<NKikimrPQ::TPQTabletConfig> printer;
+    printer.SetSingleLineMode(true);
+    TString string;
+    printer.PrintToString(cfg, &string);
+    return string;
+}
+
 void HtmlOutput(IOutputStream& out, const TString& line, const std::deque<std::pair<TKey, ui32>>& keys) {
     HTML(out) {
         TABLE() {
@@ -107,7 +116,7 @@ void TPartition::HandleMonitoring(TEvPQ::TEvMonRequest::TPtr& ev, const TActorCo
         out << "AvgWriteSize per " << avg.GetDuration().ToString() << " is " << avg.GetValue() << " bytes";
         res.push_back(out.Str()); out.Clear();
     }
-    out << Config.DebugString(); res.push_back(out.Str()); out.Clear();
+    out << PrintConfig(Config); res.push_back(out.Str()); out.Clear();
     HTML(out) {
         DIV_CLASS_ID("tab-pane fade", Sprintf("partition_%u", Partition.InternalPartitionId)) {
             TABLE_SORTABLE_CLASS("table") {

ydb/core/protos/pqconfig.proto

@@ -219,11 +219,11 @@ message TMirrorPartitionConfig {
     message TCredentials {
         message IamCredentials {
             optional string Endpoint = 1;
-            optional string ServiceAccountKey = 2;
+            optional string ServiceAccountKey = 2 [(Ydb.sensitive) = true];
         }
         oneof Credentials {
-            string OauthToken = 1;
-            string JwtParams = 2;
+            string OauthToken = 1 [(Ydb.sensitive) = true];
+            string JwtParams = 2 [(Ydb.sensitive) = true];
             IamCredentials Iam = 3;
         }
     }

ydb/core/tx/schemeshard/schemeshard__operation.cpp

@@ -85,6 +85,14 @@ NKikimrScheme::TEvModifySchemeTransaction GetRecordForPrint(const NKikimrScheme:
     return recordForPrint;
 }
 
+TString PrintSecurely(const NKikimrScheme::TEvModifySchemeTransaction& record) {
+    TSecurityTextFormatPrinter<NKikimrScheme::TEvModifySchemeTransaction> printer;
+    printer.SetSingleLineMode(true);
+    TString string;
+    printer.PrintToString(record, &string);
+    return string;
+}
+
 THolder<TProposeResponse> TSchemeShard::IgniteOperation(TProposeRequest& request, TOperationContext& context) {
     THolder<TProposeResponse> response = nullptr;
 
@@ -183,7 +191,7 @@ THolder<TProposeResponse> TSchemeShard::IgniteOperation(TProposeRequest& request
                                     << ", already accepted parts: " << operation->Parts.size()
                                     << ", propose result status: " << NKikimrScheme::EStatus_Name(response->Record.GetStatus())
                                     << ", with reason: " << response->Record.GetReason()
-                                    << ", tx message: " << GetRecordForPrint(record).ShortDebugString());
+                                    << ", tx message: " << PrintSecurely(record));
                 }
 
                 Y_VERIFY_S(context.IsUndoChangesSafe(),
@@ -194,7 +202,7 @@ THolder<TProposeResponse> TSchemeShard::IgniteOperation(TProposeRequest& request
                                << ", already accepted parts: " << operation->Parts.size()
                                << ", propose result status: " << NKikimrScheme::EStatus_Name(response->Record.GetStatus())
                                << ", with reason: " << response->Record.GetReason()
-                               << ", tx message: " << GetRecordForPrint(record).ShortDebugString());
+                               << ", tx message: " << PrintSecurely(record));
 
                 context.OnComplete = {}; // recreate
                 context.DbChanges = {};
@@ -237,7 +245,7 @@ struct TSchemeShard::TTxOperationPropose: public NTabletFlatExecutor::TTransacti
 
         LOG_DEBUG_S(ctx, NKikimrServices::FLAT_TX_SCHEMESHARD,
                     "TTxOperationPropose Execute"
-                        << ", message: " << GetRecordForPrint(Request->Get()->Record).ShortDebugString()
+                        << ", message: " << PrintSecurely(Request->Get()->Record)
                         << ", at schemeshard: " << selfId);
 
         txc.DB.NoMoreReadsForTx();

ydb/public/api/protos/draft/persqueue_common.proto

@@ -35,8 +35,7 @@ enum ECodec {
 
 message Credentials {
     oneof credentials {
-        bytes tvm_service_ticket = 1;
-        bytes oauth_token = 2;
+        bytes tvm_service_ticket = 1 [(Ydb.sensitive) = true];
+        bytes oauth_token = 2 [(Ydb.sensitive) = true];
     }
 }
-

ydb/public/api/protos/ydb_persqueue_v1.proto

@@ -38,7 +38,7 @@ message OffsetsRange {
 
 // In-session reauthentication and reauthorization, lets user increase session lifetime. You should wait for 'update_token_response' before sending next 'update_token_request'.
 message UpdateTokenRequest {
-    string token = 1;
+    string token = 1 [(Ydb.sensitive) = true];
 }
 
 message UpdateTokenResponse {
@@ -788,7 +788,7 @@ message MigrationStreamingReadClientMessage {
     }
 
     // User credentials if update is needed or empty string.
-    bytes token = 20;
+    bytes token = 20 [(Ydb.sensitive) = true];
 }
 
 /**
@@ -1073,8 +1073,8 @@ message Credentials {
         string service_account_key = 2;
     }
     oneof credentials {
-        string oauth_token = 1;
-        string jwt_params = 2;
+        string oauth_token = 1 [(Ydb.sensitive) = true];
+        string jwt_params = 2 [(Ydb.sensitive) = true];
         Iam iam = 3;
     }
 }

ydb/public/api/protos/ydb_topic.proto

@@ -43,7 +43,7 @@ message OffsetsRange {
 // In-session reauthentication and reauthorization, lets user increase session lifetime.
 // Client should wait for UpdateTokenResponse before sending next UpdateTokenRequest.
 message UpdateTokenRequest {
-    string token = 1;
+    string token = 1 [(Ydb.sensitive) = true];
 }
 
 message UpdateTokenResponse {
@@ -167,7 +167,7 @@ message StreamWriteMessage {
                 // Explicit partition id to write to.
                 int64 partition_id = 6;
                 // Explicit partition location to write to.
-                PartitionWithGeneration partition_with_generation = 8;                
+                PartitionWithGeneration partition_with_generation = 8;
             }
             // Message metadata. Overall size is limited to 4096 symbols (all keys and values combined).
             repeated MetadataItem metadata_items = 7 [(Ydb.size).le = 1000];
@@ -534,7 +534,7 @@ message StreamReadMessage {
 
         // Flag of graceful stop, used only when InitRequest.direct_read is true
         // Client must pass this value unchanged from the StopPartitionSessionRequest.
-        // Server can sent two StopPartitionSessionRequests, the first with graceful=true, the second with graceful=false. The client must answer both of them. 
+        // Server can sent two StopPartitionSessionRequests, the first with graceful=true, the second with graceful=false. The client must answer both of them.
         bool graceful = 2;
     }
 
@@ -563,22 +563,22 @@ message StreamReadMessage {
 // Messages for bidirectional streaming rpc StreamDirectRead
 message StreamDirectReadMessage {
 
-    // Client-server message for direct read session. 
+    // Client-server message for direct read session.
     //     InitDirectRead - command from client to create and start a direct read session.
     //     StartDirectReadPartitionSession - command from client to create and start a direct read partition session.
-    //     UpdateTokenRequest - request to update auth token    
+    //     UpdateTokenRequest - request to update auth token
     message FromClient {
         oneof client_message {
             InitDirectRead init_direct_read = 1;
             StartDirectReadPartitionSession start_direct_read_partition_session = 2;
-            UpdateTokenRequest update_token_request = 3;            
+            UpdateTokenRequest update_token_request = 3;
         }
     }
 
-    // Server-client message for direct read session. 
+    // Server-client message for direct read session.
     //     DirectReadResponse - portion of message data.
     //     StopDirectReadPartitionSession - command from server to stop a direct read partition session.
-    //     UpdateTokenResponse - acknowledgment of token update.    
+    //     UpdateTokenResponse - acknowledgment of token update.
     message FromServer {
         // Server status of response.
         Ydb.StatusIds.StatusCode status = 1;
@@ -642,13 +642,13 @@ message StreamDirectReadMessage {
     message DirectReadResponse {
         // Partition session identifier.
         int64 partition_session_id = 1;
-        
+
         // Read request identifier.
         int64 direct_read_id = 2;
 
         // Messages data
         StreamReadMessage.ReadResponse.PartitionData partition_data = 3;
-    }    
+    }
 }
 
 message TransactionIdentity {
@@ -843,7 +843,7 @@ message CreateTopicRequest {
     // How long data in partition should be stored. Must be greater than 0 and less than limit for this database.
     // Default limit - 36 hours.
     google.protobuf.Duration retention_period = 4;
-    
+
     // How much data in partition should be stored. Must be greater than 0 and less than limit for this database.
     // Zero value means infinite limit.
     int64 retention_storage_mb = 5 [(Ydb.value) = ">= 0"];
@@ -923,7 +923,7 @@ message DescribeTopicResult {
 
     // Settings for partitioning
     PartitioningSettings partitioning_settings = 2;
-    
+
     // Partitions description.
     repeated PartitionInfo partitions = 3;
 
@@ -932,7 +932,7 @@ message DescribeTopicResult {
     //
     // How long data in partition should be stored.
     google.protobuf.Duration retention_period = 4;
-    
+
     // How much data in partition should be stored.
     // Zero value means infinite limit.
     int64 retention_storage_mb = 5;
@@ -943,7 +943,7 @@ message DescribeTopicResult {
     // Writes with codec not from this list are forbidden.
     // If empty, codec compatibility check for the topic is disabled.
     SupportedCodecs supported_codecs = 7;
-    
+
     // Partition write speed in bytes per second.
     // Zero value means default limit: 1 MB per second.
     int64 partition_write_speed_bytes_per_second = 8;
@@ -1135,7 +1135,7 @@ message AlterTopicRequest {
     // How long data in partition should be stored. Must be greater than 0 and less than limit for this database.
     // Default limit - 36 hours.
     google.protobuf.Duration set_retention_period = 4;
-    
+
     // How much data in partition should be stored. Must be greater than 0 and less than limit for this database.
     optional int64 set_retention_storage_mb = 5 [(Ydb.value) = ">= 0"];
 
@@ -1148,7 +1148,7 @@ message AlterTopicRequest {
 
     // Partition write speed in bytes per second. Must be less than database limit. Default limit - 1 MB/s.
     optional int64 set_partition_write_speed_bytes_per_second = 8 [(Ydb.value) = ">= 0"];
-    
+
     // Burst size for write in partition, in bytes. Must be less than database limit. Default limit - 1 MB.
     optional int64 set_partition_write_burst_bytes = 9 [(Ydb.value) = ">= 0"];