We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No description provided.
The text was updated successfully, but these errors were encountered:
When we request this http handle with Authorize header (and authorization enabled in YDB):
curl -vv 'http://localhost:2944/viewer/json/query?timeout=600000&base64=false&schema=modern' -H "Authorization: $YDB_TOKEN" -H 'content-type: application/json' --data-raw '{"query":"select * from `test/test_table`","database":"/local","action":"execute-script","syntax":"yql_v1","stats":"profile"}'
the main difference from ydb cli is that ydb cli used grpc and http uses direct actor system request for query execution.
In grpc subsystem before executing any grpc request user access token is sent to ticket parser with authorize request (with rights check: ydb.databases.list, ydb.databases.create, ydb.databases.connect, ydb.tables.select, ydb.schemas.getMetadata), but in http we send to ticket parser only authenticate request (without rights check) here: https://github.com/ydb-platform/ydb/blob/main/ydb/core/mon/mon.cpp#L65 (entries are empty array: https://github.com/ydb-platform/ydb/blob/main/ydb/core/mon/mon.cpp#L15). Then ticket parser says that everything is OK, user is 123@as and he participates in no interesting groups. This parsed token is passed then to KQP proxy actor service here: https://github.com/ydb-platform/ydb/blob/main/ydb/core/viewer/json_query.h#L225 => KQP failures to get needed rights for query execution (because we haven't requested any rights).
ydb.databases.list, ydb.databases.create, ydb.databases.connect, ydb.tables.select, ydb.schemas.getMetadata
123@as
Sorry, something went wrong.
Merge to 24-1: #6410 Merge to 24-2: #6422 Merge to 24-3 is not required (already there)
UgnineSirdis
Successfully merging a pull request may close this issue.
No description provided.
The text was updated successfully, but these errors were encountered: