YQ-4860 supported automatic access revert after secure FF disabled (ydb-platform#28202)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 2 people

ydb/core/kqp/common/events/script_executions.h

@@ -342,7 +342,21 @@ struct TEvSaveScriptPhysicalGraphResponse : public TEventLocal<TEvSaveScriptPhys
     NYql::TIssues Issues;
 };
 
+struct TEvGetScriptExecutionPhysicalGraph : public TEventWithDatabaseId<TEvGetScriptExecutionPhysicalGraph, TKqpScriptExecutionEvents::EvGetScriptExecutionPhysicalGraph> {
+    TEvGetScriptExecutionPhysicalGraph(const TString& database, const TString& executionId)
+        : TEventWithDatabaseId(database)
+        , ExecutionId(executionId)
+    {}
+
+    const TString ExecutionId;
+};
+
 struct TEvGetScriptPhysicalGraphResponse : public TEventLocal<TEvGetScriptPhysicalGraphResponse, TKqpScriptExecutionEvents::EvGetScriptPhysicalGraphResponse> {
+    TEvGetScriptPhysicalGraphResponse(Ydb::StatusIds::StatusCode status, NYql::TIssues issues)
+        : Status(status)
+        , Issues(std::move(issues))
+    {}
+
     TEvGetScriptPhysicalGraphResponse(Ydb::StatusIds::StatusCode status, NKikimrKqp::TQueryPhysicalGraph&& physicalGraph, i64 generation, NYql::TIssues issues)
         : Status(status)
         , PhysicalGraph(std::move(physicalGraph))

ydb/core/kqp/common/simple/kqp_event_ids.h

@@ -176,6 +176,7 @@ struct TKqpScriptExecutionEvents {
         EvGetScriptPhysicalGraphResponse,
         EvSaveScriptProgressResponse,
         EvResetScriptExecutionRetriesResponse,
+        EvGetScriptExecutionPhysicalGraph,
     };
 };
 

ydb/core/kqp/gateway/behaviour/streaming_query/behaviour.cpp

@@ -14,7 +14,7 @@ NMetadata::NInitializer::IInitializationBehaviour::TPtr TStreamingQueryBehaviour
 }
 
 TString TStreamingQueryBehaviour::GetInternalStorageTablePath() const {
-    return "streaming/queries";
+    return TStreamingQueryConfig::InternalTablesPath;
 }
 
 NMetadata::NModifications::IOperationsManager::TPtr TStreamingQueryBehaviour::ConstructOperationsManager() const {

ydb/core/kqp/gateway/behaviour/streaming_query/common/utils.cpp

@@ -1,11 +1,16 @@
 #include "utils.h"
 
+#include <ydb/core/base/path.h>
 #include <ydb/core/protos/flat_scheme_op.pb.h>
 
 #include <yql/essentials/sql/v1/node.h>
 
 namespace NKikimr::NKqp {
 
+TString TStreamingQueryMeta::GetTablesPath() {
+    return JoinPath({".metadata", InternalTablesPath});
+}
+
 TStreamingQuerySettings& TStreamingQuerySettings::FromProto(const NKikimrSchemeOp::TStreamingQueryProperties& info) {
     for (const auto& [name, value] : info.GetProperties()) {
         if (name == TStreamingQueryMeta::TSqlSettings::QUERY_TEXT_FEATURE) {

ydb/core/kqp/gateway/behaviour/streaming_query/common/utils.h

@@ -31,6 +31,10 @@ class TStreamingQueryMeta {
         // Internal query info
         static inline constexpr char QueryTextRevision[] = "__query_text_revision";
     };
+
+    static inline constexpr char InternalTablesPath[] = "streaming/queries";
+
+    static TString GetTablesPath();
 };
 
 // Used for properties parsing after describing streaming query

ydb/core/kqp/gateway/behaviour/streaming_query/common/ya.make

@@ -5,6 +5,7 @@ SRCS(
 )
 
 PEERDIR(
+    ydb/core/base
     ydb/core/protos
     yql/essentials/sql/v1
 )

ydb/core/kqp/gateway/behaviour/streaming_query/initializer.cpp

@@ -1,40 +1,81 @@
 #include "initializer.h"
 #include "object.h"
 
+#include <ydb/library/table_creator/table_creator.h>
+
 namespace NKikimr::NKqp {
 
 namespace {
 
-void AddColumn(Ydb::Table::CreateTableRequest& request, const TString& name, Ydb::Type::PrimitiveTypeId type, bool primary = false) {
-    if (primary) {
-        request.add_primary_key(name);
-    }
+using namespace NMetadata::NInitializer;
 
-    auto& column = *request.add_columns();
-    column.set_name(name);
-    column.mutable_type()->mutable_optional_type()->mutable_item()->set_type_id(type);
-}
+class TStreamingQueriesTablesCreator final : public NTableCreator::TMultiTableCreator {
+    using TBase = NTableCreator::TMultiTableCreator;
 
-}  // anonymous namespace
+public:
+    TStreamingQueriesTablesCreator(const TString& modificationId, IModifierExternalController::TPtr externalController)
+        : TBase({GetStreamingQueriesCreator()})
+        , ModificationId(modificationId)
+        , ExternalController(externalController)
+    {}
 
-void TStreamingQueryInitializer::DoPrepare(NMetadata::NInitializer::IInitializerInput::TPtr controller) const {
-    TVector<NMetadata::NInitializer::ITableModifier::TPtr> result;
-    {
-        Ydb::Table::CreateTableRequest request;
-        request.set_path(TStreamingQueryConfig::GetBehaviour()->GetStorageTablePath());
-        AddColumn(request, TStreamingQueryConfig::TColumns::DatabaseId, Ydb::Type::UTF8, true);
-        AddColumn(request, TStreamingQueryConfig::TColumns::QueryPath, Ydb::Type::UTF8, true);
-        AddColumn(request, TStreamingQueryConfig::TColumns::State, Ydb::Type::JSON);
-        result.emplace_back(std::make_shared<NMetadata::NInitializer::TGenericTableModifier<NMetadata::NRequest::TDialogCreateTable>>(request, "create"));
+protected:
+    static IActor* GetStreamingQueriesCreator() {
+        NACLib::TDiffACL acl;
+        acl.ClearAccess();
+        acl.SetInterruptInheritance(AppData()->FeatureFlags.GetEnableSecureScriptExecutions());
+
+        return CreateTableCreator(
+            SplitPath(TStreamingQueryConfig::GetTablesPath()),
+            {
+                Col(TStreamingQueryConfig::TColumns::DatabaseId, NScheme::NTypeIds::Utf8),
+                Col(TStreamingQueryConfig::TColumns::QueryPath, NScheme::NTypeIds::Utf8),
+                Col(TStreamingQueryConfig::TColumns::State, NScheme::NTypeIds::Json),
+            },
+            { TStreamingQueryConfig::TColumns::DatabaseId, TStreamingQueryConfig::TColumns::QueryPath },
+            NKikimrServices::KQP_PROXY,
+            {},
+            {},
+            /* isSystemUser */ true,
+            Nothing(),
+            acl
+        );
     }
 
-    if (AppData()->FeatureFlags.GetEnableSecureScriptExecutions()) {
-        result.emplace_back(NMetadata::NInitializer::TACLModifierConstructor::GetNoAccessModifier(TStreamingQueryConfig::GetBehaviour()->GetStorageTablePath(), "acl"));
-    } else {
-        result.emplace_back(NMetadata::NInitializer::TACLModifierConstructor::GetReadOnlyModifier(TStreamingQueryConfig::GetBehaviour()->GetStorageTablePath(), "acl"));
+    void OnTablesCreated(bool success, NYql::TIssues issues) final {
+        if (success) {
+            ExternalController->OnModificationFinished(ModificationId);
+        } else {
+            ExternalController->OnModificationFailed(Ydb::StatusIds::INTERNAL_ERROR, issues.ToString(), ModificationId);
+        }
     }
 
-    controller->OnPreparationFinished(result);
+private:
+    const TString ModificationId;
+    const IModifierExternalController::TPtr ExternalController;
+};
+
+class TStreamingQueriesTablesInitializer final : public ITableModifier {
+    static constexpr char MODIFICATION_ID[] = "create-generic";
+
+public:
+    TStreamingQueriesTablesInitializer()
+        : ITableModifier(MODIFICATION_ID, /* supportDbCache */ false)
+    {}
+
+protected:
+    bool DoExecute(IModifierExternalController::TPtr externalController, const NMetadata::NRequest::TConfig& config) const final {
+        Y_UNUSED(config);
+
+        TActivationContext::Register(new TStreamingQueriesTablesCreator(MODIFICATION_ID, externalController));
+        return true;
+    }
+};
+
+}  // anonymous namespace
+
+void TStreamingQueryInitializer::DoPrepare(IInitializerInput::TPtr controller) const {
+    controller->OnPreparationFinished({std::make_shared<TStreamingQueriesTablesInitializer>()});
 }
 
 }  // namespace NKikimr::NKqp

ydb/core/kqp/gateway/behaviour/streaming_query/queries.cpp

@@ -13,7 +13,6 @@
 #include <ydb/core/kqp/common/simple/services.h>
 #include <ydb/core/kqp/gateway/utils/scheme_helpers.h>
 #include <ydb/core/kqp/provider/yql_kikimr_gateway.h>
-#include <ydb/core/kqp/proxy_service/kqp_script_executions.h>
 #include <ydb/core/protos/schemeshard/operations.pb.h>
 #include <ydb/core/resource_pools/resource_pool_settings.h>
 #include <ydb/core/tx/scheme_cache/scheme_cache.h>
@@ -1704,8 +1703,8 @@ class TStartStreamingQueryTableActor final : public TActionActorBase<TStartStrea
         if (!State.GetPreviousExecutionIds().empty() && !StateLoaded) {
             StateLoaded = true;
             const auto& executionId = *State.GetPreviousExecutionIds().rbegin();
-            const auto& fetcherId = Register(CreateGetScriptExecutionPhysicalGraphActor(SelfId(), Context.GetDatabase(), executionId));
-            LOG_D("Load previous query state from execution: " << executionId << " with fetcher " << fetcherId);
+            SendToKqpProxy(std::make_unique<TEvGetScriptExecutionPhysicalGraph>(Context.GetDatabase(), executionId));
+            LOG_D("Load previous query state from execution: " << executionId);
             return;
         }
 

ydb/core/kqp/gateway/behaviour/streaming_query/ya.make

@@ -20,7 +20,6 @@ PEERDIR(
     ydb/core/kqp/gateway/behaviour/streaming_query/common
     ydb/core/kqp/gateway/utils
     ydb/core/kqp/provider
-    ydb/core/kqp/proxy_service
     ydb/core/protos
     ydb/core/protos/schemeshard
     ydb/core/resource_pools
@@ -29,6 +28,7 @@ PEERDIR(
     ydb/core/tx/tx_proxy
     ydb/library/conclusion
     ydb/library/query_actor
+    ydb/library/table_creator
     ydb/services/metadata
     ydb/services/metadata/abstract
     ydb/services/metadata/manager

ydb/core/kqp/proxy_service/kqp_proxy_service.cpp

@@ -2,51 +2,52 @@
 #include "kqp_proxy_service_impl.h"
 #include "kqp_script_executions.h"
 
+#include <ydb/core/actorlib_impl/long_timer.h>
 #include <ydb/core/base/appdata.h>
-#include <ydb/core/base/path.h>
-#include <ydb/core/base/location.h>
 #include <ydb/core/base/feature_flags.h>
+#include <ydb/core/base/location.h>
+#include <ydb/core/base/path.h>
 #include <ydb/core/base/statestorage.h>
 #include <ydb/core/cms/console/configs_dispatcher.h>
 #include <ydb/core/cms/console/console.h>
-#include <ydb/core/kqp/counters/kqp_counters.h>
+#include <ydb/core/fq/libs/checkpoint_storage/storage_service.h>
+#include <ydb/core/fq/libs/row_dispatcher/events/data_plane.h>
+#include <ydb/core/fq/libs/row_dispatcher/row_dispatcher_service.h>
 #include <ydb/core/kqp/common/events/script_executions.h>
 #include <ydb/core/kqp/common/events/workload_service.h>
 #include <ydb/core/kqp/common/kqp_lwtrace_probes.h>
 #include <ydb/core/kqp/common/kqp_timeouts.h>
 #include <ydb/core/kqp/compile_service/kqp_compile_service.h>
+#include <ydb/core/kqp/compute_actor/kqp_compute_actor.h>
+#include <ydb/core/kqp/counters/kqp_counters.h>
 #include <ydb/core/kqp/executer_actor/kqp_executer.h>
-#include <ydb/core/kqp/session_actor/kqp_worker_common.h>
+#include <ydb/core/kqp/gateway/behaviour/streaming_query/behaviour.h>
 #include <ydb/core/kqp/node_service/kqp_node_service.h>
+#include <ydb/core/kqp/session_actor/kqp_worker_common.h>
 #include <ydb/core/kqp/workload_service/kqp_workload_service.h>
-#include <ydb/core/resource_pools/resource_pool_settings.h>
-#include <ydb/core/tx/schemeshard/schemeshard.h>
-#include <ydb/library/yql/dq/actors/compute/dq_checkpoints.h>
-#include <ydb/library/yql/dq/actors/spilling/spilling_file.h>
-#include <ydb/library/yql/dq/actors/spilling/spilling.h>
-#include <ydb/core/actorlib_impl/long_timer.h>
-#include <ydb/public/sdk/cpp/src/library/operation_id/protos/operation_id.pb.h>
-#include <ydb/core/node_whiteboard/node_whiteboard.h>
-#include <ydb/core/ydb_convert/ydb_convert.h>
-#include <ydb/core/kqp/compute_actor/kqp_compute_actor.h>
 #include <ydb/core/mon/mon.h>
-#include <ydb/library/ydb_issue/issue_helpers.h>
+#include <ydb/core/node_whiteboard/node_whiteboard.h>
 #include <ydb/core/protos/workload_manager_config.pb.h>
+#include <ydb/core/resource_pools/resource_pool_settings.h>
 #include <ydb/core/sys_view/common/registry.h>
-#include <ydb/core/fq/libs/checkpoint_storage/storage_service.h>
-#include <ydb/core/fq/libs/row_dispatcher/events/data_plane.h>
-#include <ydb/core/fq/libs/row_dispatcher/row_dispatcher_service.h>
-
-#include <ydb/library/yql/utils/actor_log/log.h>
-#include <yql/essentials/core/services/mounts/yql_mounts.h>
-#include <ydb/library/yql/providers/common/http_gateway/yql_http_gateway.h>
-
+#include <ydb/core/tx/schemeshard/schemeshard.h>
+#include <ydb/core/ydb_convert/ydb_convert.h>
 #include <ydb/library/actors/core/actor_bootstrapped.h>
 #include <ydb/library/actors/core/interconnect.h>
 #include <ydb/library/actors/core/hfunc.h>
 #include <ydb/library/actors/core/log.h>
 #include <ydb/library/actors/http/http.h>
 #include <ydb/library/actors/interconnect/interconnect.h>
+#include <ydb/library/ydb_issue/issue_helpers.h>
+#include <ydb/library/yql/dq/actors/compute/dq_checkpoints.h>
+#include <ydb/library/yql/dq/actors/spilling/spilling_file.h>
+#include <ydb/library/yql/dq/actors/spilling/spilling.h>
+#include <ydb/library/yql/providers/common/http_gateway/yql_http_gateway.h>
+#include <ydb/library/yql/utils/actor_log/log.h>
+#include <ydb/public/sdk/cpp/src/library/operation_id/protos/operation_id.pb.h>
+
+#include <yql/essentials/core/services/mounts/yql_mounts.h>
+
 #include <library/cpp/lwtrace/mon/mon_lwtrace.h>
 #include <library/cpp/monlib/service/pages/templates.h>
 #include <library/cpp/resource/resource.h>
@@ -174,6 +175,7 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
         GetScriptExecutionOperation,
         ListScriptExecutionOperations,
         CancelScriptExecutionOperation,
+        GetScriptExecutionPhysicalGraph,
     };
 
 public:
@@ -447,7 +449,13 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
         LogConfig.Swap(event.MutableConfig()->MutableLogConfig());
         UpdateYqlLogLevels();
 
-        FeatureFlags.Swap(event.MutableConfig()->MutableFeatureFlags());
+        auto* newFeatureFlags = event.MutableConfig()->MutableFeatureFlags();
+        if (newFeatureFlags->GetEnableSecureScriptExecutions() != FeatureFlags.GetEnableSecureScriptExecutions()) {
+            ScriptExecutionsCreationStatus = EScriptExecutionsCreationStatus::NotStarted;
+            Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvResetManagerRegistration(TStreamingQueryBehaviour::GetInstance()));
+        }
+
+        FeatureFlags.Swap(newFeatureFlags);
         WorkloadManagerConfig.Swap(event.MutableConfig()->MutableWorkloadManagerConfig());
         ResourcePoolsCache.UpdateConfig(FeatureFlags, WorkloadManagerConfig, ActorContext());
 
@@ -1247,6 +1255,7 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
             hFunc(NKqp::TEvGetScriptExecutionOperation, Handle);
             hFunc(NKqp::TEvListScriptExecutionOperations, Handle);
             hFunc(NKqp::TEvCancelScriptExecutionOperation, Handle);
+            hFunc(NKqp::TEvGetScriptExecutionPhysicalGraph, Handle);
             hFunc(TEvInterconnect::TEvNodeConnected, Handle);
             hFunc(TEvInterconnect::TEvNodeDisconnected, Handle);
             hFunc(TEvKqp::TEvListSessionsRequest, Handle);
@@ -1549,6 +1558,10 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
             case EDelayedRequestType::CancelScriptExecutionOperation:
                 HandleDelayedScriptRequestError<TEvCancelScriptExecutionOperationResponse>(std::move(requestEvent), status, std::move(issues));
                 break;
+
+            case EDelayedRequestType::GetScriptExecutionPhysicalGraph:
+                HandleDelayedScriptRequestError<TEvGetScriptPhysicalGraphResponse>(std::move(requestEvent), status, std::move(issues));
+                break;
         }
     }
 
@@ -1557,9 +1570,14 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
         Send(requestEvent->Sender, new TResponse(status, std::move(issues)), 0, requestEvent->Cookie);
     }
 
+    void StartScriptExecutionsTablesCreation() {
+        ScriptExecutionsCreationStatus = EScriptExecutionsCreationStatus::Pending;
+        Register(CreateScriptExecutionsTablesCreator(FeatureFlags), TMailboxType::HTSwap, AppData()->SystemPoolId);
+    }
+
     template<typename TEvent>
     bool CheckScriptExecutionsTablesReady(TEvent& ev, EDelayedRequestType requestType) {
-        if (!AppData()->FeatureFlags.GetEnableScriptExecutionOperations()) {
+        if (!FeatureFlags.GetEnableScriptExecutionOperations()) {
             NYql::TIssues issues;
             issues.AddIssue("ExecuteScript feature is not enabled");
             HandleDelayedRequestError(requestType, std::move(ev), Ydb::StatusIds::UNSUPPORTED, std::move(issues));
@@ -1574,8 +1592,7 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
 
         switch (ScriptExecutionsCreationStatus) {
             case EScriptExecutionsCreationStatus::NotStarted:
-                ScriptExecutionsCreationStatus = EScriptExecutionsCreationStatus::Pending;
-                Register(CreateScriptExecutionsTablesCreator(FeatureFlags), TMailboxType::HTSwap, AppData()->SystemPoolId);
+                StartScriptExecutionsTablesCreation();
                 [[fallthrough]];
             case EScriptExecutionsCreationStatus::Pending:
                 if (DelayedEventsQueue.size() < 10000) {
@@ -1595,6 +1612,11 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
     }
 
     void Handle(TEvScriptExecutionsTablesCreationFinished::TPtr& ev) {
+        if (ScriptExecutionsCreationStatus == EScriptExecutionsCreationStatus::NotStarted) {
+            StartScriptExecutionsTablesCreation();
+            return;
+        }
+
         ScriptExecutionsCreationStatus = EScriptExecutionsCreationStatus::Finished;
 
         NYql::TIssue rootIssue;
@@ -1641,6 +1663,12 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
         }
     }
 
+    void Handle(TEvGetScriptExecutionPhysicalGraph::TPtr& ev) {
+        if (CheckScriptExecutionsTablesReady(ev, EDelayedRequestType::GetScriptExecutionPhysicalGraph)) {
+            Register(CreateGetScriptExecutionPhysicalGraphActor(ev->Sender, ev->Get()->Database, ev->Get()->ExecutionId));
+        }
+    }
+
     void Handle(TEvInterconnect::TEvNodeConnected::TPtr& ev) {
         TNodeId nodeId = ev->Get()->NodeId;
         auto sessions = LocalSessions->FindSessions(nodeId);
@@ -1867,7 +1895,7 @@ class TKqpProxyService : public TActorBootstrapped<TKqpProxyService> {
     }
 };
 
-} // namespace
+} // anonymous namespace
 
 IActor* CreateKqpProxyService(const NKikimrConfig::TLogConfig& logConfig,
     const NKikimrConfig::TTableServiceConfig& tableServiceConfig,