Config option for node registration token (ydb-platform#7754)

StekPerepolnen · Aug 15, 2024 · 0ce24a5 · 0ce24a5
1 parent 6266c81
commit 0ce24a5
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 1 deletion.
diff --git a/ydb/core/config/init/init.cpp b/ydb/core/config/init/init.cpp
@@ -196,6 +196,7 @@ class TDefaultNodeBrokerClient
             const TGrpcSslSettings& grpcSettings,
             const TString addr,
             const NYdb::NDiscovery::TNodeRegistrationSettings& settings,
+            const TString& nodeRegistrationToken,
             const IEnv& env)
     {
         TCommandConfig::TServerEndpoint endpoint = TCommandConfig::ParseServerAddress(addr);
@@ -210,7 +211,9 @@ class TDefaultNodeBrokerClient
                 config.UseClientCertificate(certificate.c_str(), privateKey.c_str());
             }
         }
-        config.SetAuthToken(BUILTIN_ACL_ROOT);
+        if (nodeRegistrationToken) {
+            config.SetAuthToken(nodeRegistrationToken);
+        }
         config.SetEndpoint(endpoint.Address);
         auto connection = NYdb::TDriver(config);
 
@@ -224,6 +227,7 @@ class TDefaultNodeBrokerClient
         const TGrpcSslSettings& grpcSettings,
         const TVector<TString>& addrs,
         const NYdb::NDiscovery::TNodeRegistrationSettings& settings,
+        const TString& nodeRegistrationToken,
         const IEnv& env,
         IInitLogger& logger)
     {
@@ -234,6 +238,7 @@ class TDefaultNodeBrokerClient
                 result = TryToRegisterDynamicNode(grpcSettings,
                                                   addr,
                                                   settings,
+                                                  nodeRegistrationToken,
                                                   env);
                 if (result.IsSuccess()) {
                     logger.Out() << "Success. Registered as " << result.GetNodeId() << Endl;
@@ -289,6 +294,7 @@ class TDefaultNodeBrokerClient
        NYdb::NDiscovery::TNodeRegistrationResult result = RegisterDynamicNodeImpl(grpcSettings,
                                                                                   addrs,
                                                                                   newRegSettings,
+                                                                                  regSettings.NodeRegistrationToken,
                                                                                   env,
                                                                                   logger);
 

diff --git a/ydb/core/config/init/init.h b/ydb/core/config/init/init.h
@@ -118,6 +118,7 @@ struct TNodeRegistrationSettings {
     bool FixedNodeID;
     ui32 InterconnectPort;
     NActors::TNodeLocation Location;
+    TString NodeRegistrationToken;
 };
 
 class INodeRegistrationResult {

diff --git a/ydb/core/config/init/init_impl.h b/ydb/core/config/init/init_impl.h
@@ -1257,6 +1257,7 @@ class TInitialConfiguratorImpl
             cf.FixedNodeID,
             cf.InterconnectPort,
             cf.CreateNodeLocation(),
+            AppConfig.GetAuthConfig().GetNodeRegistrationToken(),
         };
 
         auto result = NodeBrokerClient.RegisterDynamicNode(cf.GrpcSslSettings, addrs, settings, Env, Logger);

diff --git a/ydb/core/protos/auth.proto b/ydb/core/protos/auth.proto
@@ -55,6 +55,7 @@ message TAuthConfig {
     optional string AccessServiceType = 79 [default = "Yandex_v2"]; // For now the following values are supported: "Yandex_v2", "Nebius_v1"
     optional string CertificateAuthenticationDomain = 80 [default = "cert"];
     optional bool EnableLoginAuthentication = 81 [default = true];
+    optional string NodeRegistrationToken = 82 [default = "root@builtin", (Ydb.sensitive) = true];
 }
 
 message TUserRegistryConfig {