
view query/ast checking has been added

hcpp 2 лет назад
Родитель
Сommit
5a626ee1b7

+ 5 - 2
ydb/core/grpc_services/rpc_fq.cpp

@@ -479,7 +479,8 @@ std::unique_ptr<TEvProxyRuntimeEvent> CreateFederatedQueryDescribeQueryRequestOp
             NPerms::Required("yq.queries.get"),
             NPerms::Optional("yq.queries.viewAst"),
             NPerms::Optional("yq.resources.viewPublic"),
-            NPerms::Optional("yq.resources.viewPrivate")
+            NPerms::Optional("yq.resources.viewPrivate"),
+            NPerms::Optional("yq.queries.viewQueryText")
         };
     }};
 
@@ -577,7 +578,9 @@ std::unique_ptr<TEvProxyRuntimeEvent> CreateFederatedQueryDescribeJobRequestOper
         return {
             NPerms::Required("yq.jobs.get"),
             NPerms::Optional("yq.resources.viewPublic"),
-            NPerms::Optional("yq.resources.viewPrivate")
+            NPerms::Optional("yq.resources.viewPrivate"),
+            NPerms::Optional("yq.queries.viewAst"),
+            NPerms::Optional("yq.queries.viewQueryText")
         };
     } };
 

+ 2 - 0
ydb/core/yq/libs/control_plane_proxy/control_plane_proxy.cpp

@@ -1385,6 +1385,8 @@ private:
         static const TPermissions availablePermissions {
             TPermissions::TPermission::VIEW_PUBLIC
             | TPermissions::TPermission::VIEW_PRIVATE
+            | TPermissions::TPermission::VIEW_AST
+            | TPermissions::VIEW_QUERY_TEXT
         };
 
         Register(new TRequestActor<YandexQuery::DescribeJobRequest,
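Review bot: The two added mask entries are qualified differently. `TPermissions::TPermission::VIEW_AST` follows the existing lines, while `TPermissions::VIEW_QUERY_TEXT` drops the `TPermission::` scope. Both presumably name an enumerator of the same type, but writing `| TPermissions::TPermission::VIEW_QUERY_TEXT` keeps the mask uniform. That matters here because the mask appears to decide which view permissions this request type may carry, so it should be easy to audit at a glance. The enclosing function starts before the hunk and continues past it.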

+ 2 - 2
ydb/core/yq/libs/control_plane_proxy/ut/control_plane_proxy_ut.cpp

@@ -2484,13 +2484,13 @@ Y_UNIT_TEST_SUITE(TControlPlaneProxyCheckNegativePermissionsSuccess) {
         UNIT_ASSERT_VALUES_EQUAL(event->Scope, "yandexcloud://my_folder");
         UNIT_ASSERT(permissions.Check(TPermissions::VIEW_PUBLIC));
         UNIT_ASSERT(permissions.Check(TPermissions::VIEW_PRIVATE));
-        UNIT_ASSERT(!permissions.Check(TPermissions::VIEW_AST));
+        UNIT_ASSERT(permissions.Check(TPermissions::VIEW_AST));
         UNIT_ASSERT(!permissions.Check(TPermissions::MANAGE_PUBLIC));
         UNIT_ASSERT(!permissions.Check(TPermissions::MANAGE_PRIVATE));
         UNIT_ASSERT(!permissions.Check(TPermissions::CONNECTIONS_USE));
         UNIT_ASSERT(!permissions.Check(TPermissions::BINDINGS_USE));
         UNIT_ASSERT(!permissions.Check(TPermissions::QUERY_INVOKE));
-        UNIT_ASSERT(!permissions.Check(TPermissions::VIEW_QUERY_TEXT));
+        UNIT_ASSERT(permissions.Check(TPermissions::VIEW_QUERY_TEXT));
     }
 
     Y_UNIT_TEST(ShouldSendCreateConnection)
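Review bot: The two flipped assertions only pin the case where `VIEW_AST` and `VIEW_QUERY_TEXT` are passed through to the storage event. Nothing visible in this commit tests the opposite case, a caller without `yq.queries.viewAst` or `yq.queries.viewQueryText`. The `clear_ast()` / `clear_text()` branch added in ydb_control_plane_storage_queries.cpp is the part that actually withholds data, so it needs a describe-job test that grants only the view permission and asserts that both fields come back empty. The test body starts outside the hunk, so which request it sends is inferred from the assertions.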

+ 7 - 1
ydb/core/yq/libs/control_plane_storage/ydb_control_plane_storage_queries.cpp

@@ -1741,7 +1741,7 @@ void TYdbControlPlaneStorageActor::Handle(TEvControlPlaneStorage::TEvDescribeJob
     const TString token = event.Token;
     TPermissions permissions = Config->Proto.GetEnablePermissions()
         ? event.Permissions
-        : TPermissions{TPermissions::VIEW_PUBLIC};
+        : TPermissions{TPermissions::VIEW_PUBLIC | TPermissions::VIEW_AST | TPermissions::VIEW_QUERY_TEXT};
     if (IsSuperUser(user)) {
         permissions.SetAll();
     }
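Review bot: The fallback taken when `GetEnablePermissions()` is false now includes `VIEW_AST` and `VIEW_QUERY_TEXT`, so the `clear_ast()` / `clear_text()` redaction added later in this handler never runs in that configuration. Nothing on the line says this is deliberate. If it is meant to preserve the old behaviour, a comment above the ternary should record it, for example `// Permissions disabled: AST and query text remain visible to anyone who can view the job`. The describe-query handler is not part of this diff; if it has an equivalent fallback, the two should grant the same set so both endpoints expose the same fields. The handler body starts before and ends after this hunk.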
@@ -1792,6 +1792,12 @@ void TYdbControlPlaneStorageActor::Handle(TEvControlPlaneStorage::TEvDescribeJob
         if (!hasViewAccces) {
             ythrow TCodeLineException(TIssuesIds::ACCESS_DENIED) << "Job does not exist or permission denied. Please check the job id or your access rights";
         }
+        if (!permissions.Check(TPermissions::VIEW_AST)) {
+            result.mutable_job()->clear_ast();
+        }
+        if (!permissions.Check(TPermissions::VIEW_QUERY_TEXT)) {
+            result.mutable_job()->clear_text();
+        }
         return result;
     };