ydb-platform
diff --git a/‎ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp‎
Lines changed: 9 additions & 8 deletions b/‎ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎ydb/core/tx/replication/controller/secret_resolver.cpp‎
Lines changed: 4 additions & 4 deletions b/‎ydb/core/tx/replication/controller/secret_resolver.cpp‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎ydb/core/tx/tiering/tier/checker.cpp‎
Lines changed: 9 additions & 7 deletions b/‎ydb/core/tx/tiering/tier/checker.cpp‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎ydb/core/tx/tiering/tier/object.cpp‎
Lines changed: 13 additions & 7 deletions b/‎ydb/core/tx/tiering/tier/object.cpp‎
Lines changed: 13 additions & 7 deletions
diff --git a/‎ydb/core/tx/tiering/tier/object.h‎
Lines changed: 3 additions & 2 deletions b/‎ydb/core/tx/tiering/tier/object.h‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎ydb/services/ext_index/ut/ut_ext_index.cpp‎
Lines changed: 0 additions & 3 deletions b/‎ydb/services/ext_index/ut/ut_ext_index.cpp‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎ydb/services/metadata/initializer/ut/ut_init.cpp‎
Lines changed: 0 additions & 3 deletions b/‎ydb/services/metadata/initializer/ut/ut_init.cpp‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎ydb/services/metadata/secret/accessor/secret_id.cpp‎
Lines changed: 33 additions & 0 deletions b/‎ydb/services/metadata/secret/accessor/secret_id.cpp‎
Lines changed: 33 additions & 0 deletions
@@ -19,10 +19,9 @@ class TDescribeSecretsActor: public NActors::TActorBootstrapped<TDescribeSecrets
         std::vector<TString> secretValues;
         secretValues.reserve(SecretIds.size());
         for (const auto& secretId: SecretIds) {
-            TString secretValue;
-            bool isFound = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(secretId), secretValue);
-            if (isFound) {
-                secretValues.push_back(secretValue);
+            auto secretValue = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(secretId));
+            if (secretValue.IsSuccess()) {
+                secretValues.push_back(secretValue.DetachResult());
                 continue;
             }
 
@@ -32,10 +31,12 @@ class TDescribeSecretsActor: public NActors::TActorBootstrapped<TDescribeSecrets
                 return;
             }
 
-            isFound = !secretIds.empty() && snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(secretIds[0]), secretValue);
-            if (isFound) {
-                secretValues.push_back(secretValue);
-                continue;
+            if (!secretIds.empty()) {
+                secretValue = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(secretIds[0]));
+                if (secretValue.IsSuccess()) {
+                    secretValues.push_back(secretValue.DetachResult());
+                    continue;
+                }
             }
 
             if (!AskSent) {
 
@@ -47,12 +47,12 @@ class TSecretResolver: public TActorBootstrapped<TSecretResolver> {
     void Handle(NMetadata::NProvider::TEvRefreshSubscriberData::TPtr& ev) {
         const auto* snapshot = ev->Get()->GetSnapshotAs<NMetadata::NSecret::TSnapshot>();
 
-        TString secretValue;
-        if (!snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(SecretId), secretValue)) {
-            return Reply(false, TStringBuilder() << "Secret '" << SecretName << "' not found");
+        auto secretValue = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(SecretId));
+        if (secretValue.IsFail()) {
+            return Reply(false, secretValue.GetErrorMessage());
         }
 
-        Reply(secretValue);
+        Reply(secretValue.DetachResult());
     }
 
     template <typename... Args>
 
@@ -10,13 +10,15 @@ void TTierPreparationActor::StartChecker() {
         return;
     }
     auto g = PassAwayGuard();
-    for (auto&& tier : Objects) {
-        if (!Secrets->CheckSecretAccess(tier.GetAccessKey(), Context.GetExternalData().GetUserToken())) {
-            Controller->OnPreparationProblem("no access for secret: " + tier.GetAccessKey().DebugString());
-            return;
-        } else if (!Secrets->CheckSecretAccess(tier.GetSecretKey(), Context.GetExternalData().GetUserToken())) {
-            Controller->OnPreparationProblem("no access for secret: " + tier.GetSecretKey().DebugString());
-            return;
+    if (const auto& userToken = Context.GetExternalData().GetUserToken()) {
+        for (auto&& tier : Objects) {
+            if (!Secrets->CheckSecretAccess(tier.GetAccessKey(), *userToken)) {
+                Controller->OnPreparationProblem("no access for secret: " + tier.GetAccessKey().DebugString());
+                return;
+            } else if (!Secrets->CheckSecretAccess(tier.GetSecretKey(), *userToken)) {
+                Controller->OnPreparationProblem("no access for secret: " + tier.GetSecretKey().DebugString());
+                return;
+            }
         }
     }
     Controller->OnPreparationFinished(std::move(Objects));
 
@@ -44,16 +44,22 @@ NMetadata::NInternal::TTableRecord TTierConfig::SerializeToRecord() const {
     return result;
 }
 
-NKikimrSchemeOp::TS3Settings TTierConfig::GetPatchedConfig(
-    std::shared_ptr<NMetadata::NSecret::TSnapshot> secrets) const
-{
+NKikimrSchemeOp::TS3Settings TTierConfig::GetPatchedConfig(std::shared_ptr<NMetadata::NSecret::ISnapshotAccessor> secrets) const {
     auto config = ProtoConfig.GetObjectStorage();
     if (secrets) {
-        if (!secrets->GetSecretValue(GetAccessKey(), *config.MutableAccessKey())) {
-            ALS_ERROR(NKikimrServices::TX_TIERING) << "cannot read access key secret for " << GetAccessKey().DebugString();
+        {
+            auto value = secrets->GetSecretValue(GetAccessKey());
+            if (value.IsFail()) {
+                AFL_ERROR(NKikimrServices::TX_TIERING)("error", "invalid_secret")("object", "access_key")("reason", value.GetErrorMessage());
+            }
+            config.SetAccessKey(value.DetachResult());
         }
-        if (!secrets->GetSecretValue(GetSecretKey(), *config.MutableSecretKey())) {
-            ALS_ERROR(NKikimrServices::TX_TIERING) << "cannot read secret key secret for " << GetSecretKey().DebugString();
+        {
+            auto value = secrets->GetSecretValue(GetSecretKey());
+            if (value.IsFail()) {
+                AFL_ERROR(NKikimrServices::TX_TIERING)("error", "invalid_secret")("object", "secret_key")("reason", value.GetErrorMessage());
+            }
+            config.SetSecretKey(value.DetachResult());
         }
     }
     return config;
 
@@ -4,8 +4,9 @@
 #include <ydb/services/metadata/manager/preparation_controller.h>
 #include <ydb/services/metadata/manager/table_record.h>
 #include <ydb/services/metadata/manager/object.h>
+#include <ydb/services/metadata/secret/accessor/snapshot.h>
+#include <ydb/services/metadata/secret/accessor/secret_id.h>
 #include <ydb/services/metadata/service.h>
-#include <ydb/services/metadata/secret/secret.h>
 
 #include <library/cpp/json/writer/json_value.h>
 
@@ -59,7 +60,7 @@ class TTierConfig: public NMetadata::NModifications::TObject<TTierConfig> {
 
 
     static NMetadata::IClassBehaviour::TPtr GetBehaviour();
-    NKikimrSchemeOp::TS3Settings GetPatchedConfig(std::shared_ptr<NMetadata::NSecret::TSnapshot> secrets) const;
+    NKikimrSchemeOp::TS3Settings GetPatchedConfig(std::shared_ptr<NMetadata::NSecret::ISnapshotAccessor> secrets) const;
 
     class TDecoder: public NMetadata::NInternal::TDecoderBase {
     private:
 
@@ -1,6 +1,5 @@
 #include <ydb/core/cms/console/configs_dispatcher.h>
 #include <ydb/core/testlib/cs_helper.h>
-#include <ydb/core/tx/tiering/external_data.h>
 #include <ydb/core/tx/schemeshard/schemeshard.h>
 #include <ydb/core/tx/tx_proxy/proxy.h>
 #include <ydb/core/formats/arrow/size_calcer.h>
@@ -25,8 +24,6 @@
 
 namespace NKikimr {
 
-using namespace NColumnShard;
-
 class TLocalHelper: public Tests::NCS::THelper {
 private:
     using TBase = Tests::NCS::THelper;
 
@@ -1,6 +1,5 @@
 #include <ydb/core/cms/console/configs_dispatcher.h>
 #include <ydb/core/testlib/cs_helper.h>
-#include <ydb/core/tx/tiering/external_data.h>
 #include <ydb/core/tx/schemeshard/schemeshard.h>
 #include <ydb/core/tx/tx_proxy/proxy.h>
 #include <ydb/core/wrappers/ut_helpers/s3_mock.h>
@@ -28,8 +27,6 @@
 
 namespace NKikimr {
 
-using namespace NColumnShard;
-
 Y_UNIT_TEST_SUITE(Initializer) {
 
     class TTestInitializer: public NMetadata::NInitializer::IInitializationBehaviour {
 
@@ -0,0 +1,33 @@
+#include "secret_id.h"
+
+#include <ydb/services/metadata/manager/ydb_value_operator.h>
+#include <library/cpp/digest/md5/md5.h>
+
+namespace NKikimr::NMetadata::NSecret {
+
+TString TSecretId::SerializeToString() const {
+    TStringBuilder sb;
+    sb << "USId:" << OwnerUserId << ":" << SecretId;
+    return sb;
+}
+
+
+TString TSecretIdOrValue::DebugString() const {
+    return std::visit(TOverloaded(
+        [](std::monostate) -> TString{
+            return "__NONE__";
+        },
+        [](const TSecretId& id) -> TString{
+            return id.SerializeToString();
+        },
+        [](const TSecretName& name) -> TString{
+            return name.SerializeToString();
+        },
+        [](const TString& value) -> TString{
+            return MD5::Calc(value);
+        }
+    ),
+    State);
+}
+
+}
Original file line number	Diff line number	Diff line change
`@@ -47,12 +47,12 @@ class TSecretResolver: public TActorBootstrapped<TSecretResolver> {`
`47`	`47`	`void Handle(NMetadata::NProvider::TEvRefreshSubscriberData::TPtr& ev) {`
`48`	`48`	`const auto* snapshot = ev->Get()->GetSnapshotAs<NMetadata::NSecret::TSnapshot>();`
`49`	`49`
`50`		`- TString secretValue;`
`51`		`- if (!snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(SecretId), secretValue)) {`
`52`		`- return Reply(false, TStringBuilder() << "Secret '" << SecretName << "' not found");`
	`50`	`+ auto secretValue = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(SecretId));`
	`51`	`+ if (secretValue.IsFail()) {`
	`52`	`+ return Reply(false, secretValue.GetErrorMessage());`
`53`	`53`	`}`
`54`	`54`
`55`		`- Reply(secretValue);`
	`55`	`+ Reply(secretValue.DetachResult());`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`template <typename... Args>`