Usage from http

ydb/core/mon/async_http_mon.cpp

@@ -2,6 +2,7 @@
 #include <ydb/library/actors/core/actor_bootstrapped.h>
 #include <ydb/library/actors/http/http_proxy.h>
 #include <ydb/core/base/appdata.h>
+#include <ydb/core/grpc_services/base/base.h>
 #include <ydb/core/base/ticket_parser.h>
 
 #include <library/cpp/lwtrace/all.h>
@@ -246,21 +247,41 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
         PassAway();
     }
 
-    void ReplyUnathorizedAndPassAway(const TString& error = {}) {
+    TString YdbToHttpError(Ydb::StatusIds::StatusCode status) {
+        switch (status) {
+        case Ydb::StatusIds::UNAUTHORIZED:
+            return "401 Unauthorized";
+        case Ydb::StatusIds::INTERNAL_ERROR:
+            return "500 Internal Server Error";
+        case Ydb::StatusIds::UNAVAILABLE:
+            return "503 Service Unavailable";
+        case Ydb::StatusIds::OVERLOADED:
+            return "429 Too Many Requests";
+        case Ydb::StatusIds::TIMEOUT:
+            return "408 Request Timeout";
+        case Ydb::StatusIds::PRECONDITION_FAILED:
+            return "412 Precondition Failed";
+        default:
+            return "400 Bad Request";
+        }
+    }
+
+    void ReplyErrorAndPassAway(const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result) {
         NHttp::THttpIncomingRequestPtr request = Event->Get()->Request;
         NHttp::THeaders headers(request->Headers);
         TStringBuilder response;
         TStringBuilder body;
-        body << "<html><body><h1>401 Unauthorized</h1>";
-        if (!error.empty()) {
-            body << "<p>" << error << "</p>";
+        const TString httpError = YdbToHttpError(result.Status);
+        body << "<html><body><h1>" << httpError << "</h1>";
+        if (result.Issues) {
+            body << "<p>" << result.Issues.ToString() << "</p>";
         }
         body << "</body></html>";
         TString origin = TString(headers["Origin"]);
         if (origin.empty()) {
             origin = "*";
         }
-        response << "HTTP/1.1 401 Unauthorized\r\n";
+        response << "HTTP/1.1 " << httpError << "\r\n";
         response << "Access-Control-Allow-Origin: " << origin << "\r\n";
         response << "Access-Control-Allow-Credentials: true\r\n";
         response << "Access-Control-Allow-Headers: Content-Type,Authorization,Origin,Accept\r\n";
@@ -291,17 +312,20 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
         PassAway();
     }
 
-    void SendRequest(const NKikimr::TEvTicketParser::TEvAuthorizeTicketResult* authorizeResult = {}) {
+    void SendRequest(const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult* result = nullptr) {
         NHttp::THttpIncomingRequestPtr request = Event->Get()->Request;
         if (ActorMonPage->Authorizer) {
-            TString user = authorizeResult ? authorizeResult->Token->GetUserSID() : "anonymous";
+            TString user = (result && result->UserToken) ? result->UserToken->GetUserSID() : "anonymous";
             LOG_NOTICE_S(*TlsActivationContext, NActorsServices::HTTP,
                 (request->Address ? request->Address->ToString() : "")
                 << " " << user
                 << " " << request->Method
                 << " " << request->URL);
         }
-        TString serializedToken = authorizeResult ? authorizeResult->SerializedToken : "";
+        TString serializedToken;
+        if (result && result->UserToken) {
+            serializedToken = result->UserToken->GetSerializedToken();
+        }
         Send(ActorMonPage->TargetActorId, new NMon::TEvHttpInfo(
             Container, serializedToken), IEventHandle::FlagTrackDelivery);
     }
@@ -325,14 +349,14 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
         PassAway();
     }
 
-    void Handle(NKikimr::TEvTicketParser::TEvAuthorizeTicketResult::TPtr& ev) {
-        const NKikimr::TEvTicketParser::TEvAuthorizeTicketResult& result(*ev->Get());
-        if (result.Error) {
-            return ReplyUnathorizedAndPassAway(result.Error.Message);
+    void Handle(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult::TPtr& ev) {
+        const NKikimr::NGRpcService::TEvRequestAuthAndCheckResult& result(*ev->Get());
+        if (result.Status != Ydb::StatusIds::SUCCESS) {
+            return ReplyErrorAndPassAway(result);
         }
         bool found = false;
         for (const TString& sid : ActorMonPage->AllowedSIDs) {
-            if (result.Token->IsExist(sid)) {
+            if (result.UserToken->IsExist(sid)) {
                 found = true;
                 break;
             }
@@ -348,7 +372,7 @@ class THttpMonLegacyActorRequest : public TActorBootstrapped<THttpMonLegacyActor
         switch (ev->GetTypeRewrite()) {
             hFunc(TEvents::TEvUndelivered, HandleUndelivered);
             hFunc(NMon::IEvHttpInfoRes, HandleResponse);
-            hFunc(NKikimr::TEvTicketParser::TEvAuthorizeTicketResult, Handle);
+            hFunc(NKikimr::NGRpcService::TEvRequestAuthAndCheckResult, Handle);
         }
     }
 };

ydb/core/mon/mon.cpp

@@ -2,16 +2,21 @@
 
 #include <ydb/core/base/appdata.h>
 #include <ydb/core/base/ticket_parser.h>
+#include <ydb/core/grpc_services/base/base.h>
 
 #include <ydb/core/protos/auth.pb.h>
 
+#include <library/cpp/json/json_value.h>
+#include <library/cpp/json/json_reader.h>
+
 namespace NActors {
 
 using namespace NMonitoring;
 using namespace NKikimr;
 
 namespace {
 
+/*
 const std::vector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry>& GetEntries(const TString& ticket) {
     if (ticket.StartsWith("Bearer")) {
         if (AppData()->AuthConfig.GetUseAccessService()
@@ -25,16 +30,42 @@ const std::vector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry>& GetEntr
     static std::vector<NKikimr::TEvTicketParser::TEvAuthorizeTicket::TEntry> emptyEntries = {};
     return emptyEntries;
 }
+*/
+
+TString GetDatabase(NMonitoring::IMonHttpRequest& request) {
+    if (const auto dbIt = request.GetParams().Find("database"); dbIt != request.GetParams().end()) {
+        return dbIt->second;
+    }
+    if (request.GetMethod() == HTTP_METHOD_POST) {
+        static NJson::TJsonReaderConfig JsonConfig;
+        NJson::TJsonValue requestData;
+        if (NJson::ReadJsonTree(request.GetPostContent(), &JsonConfig, &requestData)) {
+            return requestData["database"].GetString();
+        }
+    }
+    return {};
+}
+
+IEventHandle* GetRequestAuthAndCheckHandle(const NActors::TActorId& owner, const TString& database, const TString& ticket) {
+    return new NActors::IEventHandle(
+        NGRpcService::CreateGRpcRequestProxyId(),
+        owner,
+        new NKikimr::NGRpcService::TEvRequestAuthAndCheck(
+            database,
+            ticket ? TMaybe<TString>(ticket) : Nothing()),
+        IEventHandle::FlagTrackDelivery
+    );
+}
 
 } // namespace
 
 NActors::IEventHandle* SelectAuthorizationScheme(const NActors::TActorId& owner, NMonitoring::IMonHttpRequest& request) {
     TStringBuf ydbSessionId = request.GetCookie("ydb_session_id");
     TStringBuf authorization = request.GetHeader("Authorization");
     if (!authorization.empty()) {
-        return GetAuthorizeTicketHandle(owner, TString(authorization));
+        return GetRequestAuthAndCheckHandle(owner, GetDatabase(request), TString(authorization));
     } else if (!ydbSessionId.empty()) {
-        return GetAuthorizeTicketHandle(owner, TString("Login ") + TString(ydbSessionId));
+        return GetRequestAuthAndCheckHandle(owner, GetDatabase(request), TString("Login ") + TString(ydbSessionId));
     } else {
         return nullptr;
     }
@@ -45,35 +76,26 @@ NActors::IEventHandle* GetAuthorizeTicketResult(const NActors::TActorId& owner)
         return new NActors::IEventHandle(
             owner,
             owner,
-            new NKikimr::TEvTicketParser::TEvAuthorizeTicketResult(TString(), {
-                .Message = "No security credentials were provided",
-                .Retryable = false
-            })
+            new NKikimr::NGRpcService::TEvRequestAuthAndCheckResult(
+                Ydb::StatusIds::UNAUTHORIZED,
+                "No security credentials were provided")
         );
     } else if (!NKikimr::AppData()->DefaultUserSIDs.empty()) {
         TIntrusivePtr<NACLib::TUserToken> token = new NACLib::TUserToken(NKikimr::AppData()->DefaultUserSIDs);
         return new NActors::IEventHandle(
             owner,
             owner,
-            new NKikimr::TEvTicketParser::TEvAuthorizeTicketResult(TString(), token)
+            new NKikimr::NGRpcService::TEvRequestAuthAndCheckResult(
+                {},
+                {},
+                token
+            )
         );
     } else {
         return nullptr;
     }
 }
 
-IEventHandle* GetAuthorizeTicketHandle(const NActors::TActorId& owner, const TString& ticket) {
-    return new NActors::IEventHandle(
-        NKikimr::MakeTicketParserID(),
-        owner,
-        new NKikimr::TEvTicketParser::TEvAuthorizeTicket({
-            .Ticket = ticket,
-            .Entries = GetEntries(ticket),
-        }),
-        IEventHandle::FlagTrackDelivery
-    );
-}
-
 IMonPage* TMon::RegisterActorPage(TIndexMonPage* index, const TString& relPath,
     const TString& title, bool preTag, TActorSystem* actorSystem, const TActorId& actorId, bool useAuth, bool sortPages) {
     return RegisterActorPage({

ydb/core/mon/mon.h

@@ -13,7 +13,6 @@
 
 namespace NActors {
 
-IEventHandle* GetAuthorizeTicketHandle(const NActors::TActorId& owner, const TString& ticket);
 IEventHandle* SelectAuthorizationScheme(const NActors::TActorId& owner, NMonitoring::IMonHttpRequest& request);
 IEventHandle* GetAuthorizeTicketResult(const NActors::TActorId& owner);
 

ydb/core/mon/ya.make

@@ -13,6 +13,7 @@ SRCS(
 
 PEERDIR(
     ydb/library/actors/core
+    library/cpp/json
     library/cpp/lwtrace/mon
     library/cpp/string_utils/url
     ydb/core/base