ticket-parser: Add error message for log to TError struct of ticket parser

ydb/core/base/ticket_parser.h

@@ -154,14 +154,24 @@ namespace NKikimr {
 
         struct TError {
             TString Message;
+            TString LogMessage;
             bool Retryable = true;
 
             bool empty() const {
-                return Message.empty();
+                return Message.empty() && LogMessage.empty();
+            }
+
+            bool HasMessage() const {
+                return !Message.empty();
+            }
+
+            bool HasLogMessage() const {
+                return !LogMessage.empty();
             }
 
             void clear() {
                 Message.clear();
+                LogMessage.clear();
                 Retryable = true;
             }
 

ydb/core/security/secure_request.h

@@ -47,7 +47,7 @@ class TSecureRequestActor : public TBase {
                 if (!GetAdministrationAllowedSIDs().empty()) {
                     const auto& allowedSIDs(GetAdministrationAllowedSIDs());
                     if (std::find_if(allowedSIDs.begin(), allowedSIDs.end(), [&result](const TString& sid) -> bool { return result.Token->IsExist(sid); }) == allowedSIDs.end()) {
-                        return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Administrative access denied", false}, ctx);
+                        return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Administrative access denied", .Retryable = false}, ctx);
                     }
                 }
                 UserAdmin = true;
@@ -59,7 +59,7 @@ class TSecureRequestActor : public TBase {
 
     void Handle(TEvents::TEvUndelivered::TPtr&, const TActorContext& ctx) {
         if (IsTokenRequired()) {
-            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Access denied - error parsing token", false}, ctx);
+            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Access denied - error parsing token", .Retryable = false}, ctx);
         }
         static_cast<TBootstrap*>(this)->Bootstrap(ctx);
     }
@@ -166,7 +166,7 @@ class TSecureRequestActor : public TBase {
 
     void Bootstrap(const TActorContext& ctx) {
         if (IsTokenRequired() && !IsTokenExists()) {
-            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{"Access denied without user token", false}, ctx);
+            return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Access denied without user token", .Retryable = false}, ctx);
         }
         if (SecurityToken.empty()) {
             if (!GetDefaultUserSIDs().empty()) {

ydb/core/security/ticket_parser_impl.h

@@ -649,14 +649,14 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
 
             if (record.Ticket.EndsWith("@" BUILTIN_ERROR_DOMAIN)) {
                 record.TokenType = TDerived::ETokenType::Builtin;
-                SetError(key, record, { "Builtin error simulation" });
+                SetError(key, record, { .Message = "Builtin error simulation" });
                 CounterTicketsBuiltin->Inc();
                 return true;
             }
 
             if (record.Ticket.EndsWith("@" BUILTIN_SYSTEM_DOMAIN)) {
                 record.TokenType = TDerived::ETokenType::Builtin;
-                SetError(key, record, { "System domain not available for user usage", false });
+                SetError(key, record, { .Message = "System domain not available for user usage", .Retryable = false });
                 CounterTicketsBuiltin->Inc();
                 return true;
             }
@@ -977,12 +977,12 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                         .AuthType = record.GetAuthType()
                     }));
                 } else {
-                    SetError(key, record, {errorMessage, false});
+                    SetError(key, record, {.Message = errorMessage, .Retryable = false});
                 }
             } else {
                 if (record.ResponsesLeft == 0 && (record.TokenType == TDerived::ETokenType::Unknown || record.TokenType == TDerived::ETokenType::AccessService || record.TokenType == TDerived::ETokenType::ApiKey)) {
                     bool retryable = IsRetryableGrpcError(response->Status);
-                    SetError(key, record, {response->Status.Msg, retryable});
+                    SetError(key, record, {.Message = response->Status.Msg, .Retryable = retryable});
                 }
             }
             if (record.ResponsesLeft == 0) {
@@ -1011,7 +1011,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             auto& record = it->second;
             record.ResponsesLeft--;
             if (!ev->Get()->Status.Ok()) {
-                SetError(key, record, {ev->Get()->Status.Msg});
+                SetError(key, record, {.Message = ev->Get()->Status.Msg});
             } else {
                 GetDerived()->SetToken(key, record, ev);
             }
@@ -1033,7 +1033,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             auto& record = it->second;
             record.ResponsesLeft--;
             if (!ev->Get()->Status.Ok()) {
-                SetError(key, record, {ev->Get()->Status.Msg});
+                SetError(key, record, {.Message = ev->Get()->Status.Msg});
             } else {
                 SetToken(key, record, new NACLib::TUserToken(record.Ticket, ev->Get()->Response.name() + "@" + ServiceDomain, {}));
             }
@@ -1322,7 +1322,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                     }
                 } else {
                     bool retryable = IsRetryableGrpcError(response->Status);
-                    itPermission->second.Error = {response->Status.Msg, retryable};
+                    itPermission->second.Error = {.Message = response->Status.Msg, .Retryable = retryable};
                     if (itPermission->second.Subject.empty() || !retryable) {
                         itPermission->second.Subject.clear();
                         BLOG_TRACE("Ticket "
@@ -1433,7 +1433,7 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             } else {
                 BLOG_D("Expired ticket " << record.GetMaskedTicket());
                 if (!record.AuthorizeRequests.empty()) {
-                    record.Error = {"Timed out", true};
+                    record.Error = {.Message = "Timed out", .Retryable = true};
                     Respond(record);
                 }
                 userTokens.erase(it);