Sanitize option for cluster state request

[Evgenik2]

Changelog entry

...

Changelog category

• Not for changelog (changelog entry is not required)

Description for reviewers

...

[ydbot]

Run Extra Tests

Run additional tests for this PR. You can customize:

• Test Size: small, medium, large (default: all)
• Test Targets: any directory path (default: ydb/)
• Sanitizers: ASAN, MSAN, TSAN
• Coredumps: enable for debugging (default: off)
• Additional args: custom ya make arguments

[github-actions]

🟢 2025-12-04 11:56:36 UTC The validation of the Pull Request description is successful.

[github-actions]

⚪ 2025-12-04 11:59:22 UTC Pre-commit check linux-x86_64-relwithdebinfo for 5007aea has started.
⚪ 2025-12-04 11:59:41 UTC Artifacts will be uploaded here
⚪ 2025-12-04 12:01:48 UTC ya make is running...
🟢 2025-12-04 14:20:10 UTC ydbd size 2.3 GiB changed* by +1.9 KiB, which is < 100.0 KiB vs main: OK

ydbd size dash	main: c629cc7	merge: 5007aea	diff	diff %
ydbd size	2 463 934 552 Bytes	2 463 936 488 Bytes	+1.9 KiB	+0.000%
ydbd stripped size	524 484 000 Bytes	524 484 512 Bytes	+512 Bytes	+0.000%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}
⚫ 2025-12-04 14:20:12 UTC Check cancelled

[github-actions]

⚪ 2025-12-04 11:59:24 UTC Pre-commit check linux-x86_64-release-asan for 5007aea has started.
⚪ 2025-12-04 11:59:39 UTC Artifacts will be uploaded here
⚪ 2025-12-04 12:01:43 UTC ya make is running...
🟡 2025-12-04 13:50:48 UTC Some tests failed, follow the links below. This fail is not in blocking policy yet

Ya make output | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
14258	14188	0	43	15	12

🟢 2025-12-04 13:50:56 UTC Build successful.
🟢 2025-12-04 13:51:26 UTC ydbd size 3.8 GiB changed* by +1.9 KiB, which is < 100.0 KiB vs main: OK

ydbd size dash	main: c629cc7	merge: 5007aea	diff	diff %
ydbd size	4 123 186 104 Bytes	4 123 188 056 Bytes	+1.9 KiB	+0.000%
ydbd stripped size	1 531 143 768 Bytes	1 531 144 856 Bytes	+1.1 KiB	+0.000%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}

[github-actions]

⚪ 2025-12-04 14:22:21 UTC Pre-commit check linux-x86_64-relwithdebinfo for ed2e011 has started.
⚪ 2025-12-04 14:22:38 UTC Artifacts will be uploaded here
⚪ 2025-12-04 14:24:49 UTC ya make is running...
🟡 2025-12-04 16:39:28 UTC Some tests failed, follow the links below. Going to retry failed tests...

Ya make output | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
41785	38924	0	1	2842	18

⚪ 2025-12-04 16:39:41 UTC ya make is running... (failed tests rerun, try 2)
🟢 2025-12-04 16:52:23 UTC Tests successful.

Ya make output | Test bloat | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
36 (only retried tests)	21	0	0	0	15

🟢 2025-12-04 16:52:30 UTC Build successful.
🟢 2025-12-04 16:52:48 UTC ydbd size 2.3 GiB changed* by +1.9 KiB, which is < 100.0 KiB vs main: OK

ydbd size dash	main: 2201001	merge: ed2e011	diff	diff %
ydbd size	2 463 956 176 Bytes	2 463 958 112 Bytes	+1.9 KiB	+0.000%
ydbd stripped size	524 487 136 Bytes	524 487 648 Bytes	+512 Bytes	+0.000%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}

[github-actions]

⚪ 2025-12-04 14:22:48 UTC Pre-commit check linux-x86_64-release-asan for ed2e011 has started.
⚪ 2025-12-04 14:23:05 UTC Artifacts will be uploaded here
⚪ 2025-12-04 14:25:13 UTC ya make is running...
🟡 2025-12-04 16:12:33 UTC Some tests failed, follow the links below. This fail is not in blocking policy yet

Ya make output | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
13538	13478	0	45	8	7

🟢 2025-12-04 16:12:41 UTC Build successful.
🟢 2025-12-04 16:13:10 UTC ydbd size 3.8 GiB changed* by +1.9 KiB, which is < 100.0 KiB vs main: OK

ydbd size dash	main: 2201001	merge: ed2e011	diff	diff %
ydbd size	4 123 223 272 Bytes	4 123 225 224 Bytes	+1.9 KiB	+0.000%
ydbd stripped size	1 531 161 400 Bytes	1 531 162 488 Bytes	+1.1 KiB	+0.000%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}

[Copilot]

Pull request overview

This PR adds a sanitize option to the cluster state request API, allowing users to control whether sensitive data (authentication information, user SIDs, query text, etc.) is sanitized in the output. By default, cluster state previously always sanitized sensitive data; this change makes it configurable.

Key Changes:

• Added bool sanitize field to the ClusterStateRequest protobuf message
• Implemented the setting throughout the stack: C++ SDK, CLI, and gRPC service
• Modified query generation logic to conditionally sanitize or skip sensitive queries based on the flag

Critical Security Issue: The protobuf field defaults to false, which means old clients that don't explicitly set this field will expose sensitive data that was previously always sanitized. This is a breaking change with security implications.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
ydb/public/api/protos/ydb_monitoring.proto	Added sanitize boolean field to ClusterStateRequest (defaults to false - security concern)
ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/monitoring/monitoring.h	Added optional Sanitize setting to TClusterStateSettings
ydb/public/sdk/cpp/src/client/monitoring/monitoring.cpp	Implemented setting the sanitize field in the protobuf request
ydb/public/lib/ydb_cli/commands/ydb_state.h	Added NoSanitize flag to CLI command state
ydb/public/lib/ydb_cli/commands/ydb_state.cpp	Added --no-sanitize command-line option and wired it to the SDK setting
ydb/core/grpc_services/rpc_cluster_state.cpp	Modified server-side query generation to respect the sanitize flag for both column-level and query-level sanitization

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pnv1]

Add a changelog entry please https://github.com/ydb-platform/ydb/blob/main/ydb/apps/ydb/CHANGELOG.md

[github-actions]

⚪ 2025-12-05 10:43:37 UTC Pre-commit check linux-x86_64-relwithdebinfo for 2b3da03 has started.
⚪ 2025-12-05 10:43:43 UTC Artifacts will be uploaded here
⚪ 2025-12-05 10:45:05 UTC ya make is running...

[github-actions]

⚪ 2025-12-05 10:44:42 UTC Pre-commit check linux-x86_64-release-asan for 2b3da03 has started.
⚪ 2025-12-05 10:45:00 UTC Artifacts will be uploaded here
⚪ 2025-12-05 10:47:04 UTC ya make is running...