Check client certificate/token when option EnforceUserTokenCheckRequirement is on #7511

UgnineSirdis
Collaborator

Changelog entry

Support EnforceUserTokenCheckRequirement option for the case of mTLS

Changelog category

  • Improvement

Additional information

...


github-actions bot commented Aug 6, 2024

2024-08-06 16:50:42 UTC Pre-commit check for a6e5022 has started.
2024-08-06 16:53:55 UTC Check linux-x86_64-release-clang14 is running...
🟢 2024-08-06 17:31:27 UTC Build successful.


github-actions bot commented Aug 6, 2024

2024-08-06 16:50:43 UTC Pre-commit check for a6e5022 has started.
2024-08-06 16:54:01 UTC Check linux-x86_64-release-asan is running...
🔴 2024-08-06 19:12:43 UTC Some tests failed, follow the links below.

Test history | Ya make output

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
11078 11040 0 3 22 13

🟢 2024-08-06 19:13:58 UTC Build successful.
🟢 2024-08-06 19:14:26 UTC ydbd size 5.4 GiB changed* by -1.8 MiB, which is <= 0 Bytes vs main: OK

ydbd size dash main: 38a0fb6 merge: a6e5022 diff diff %
ydbd size 5 831 264 472 Bytes 5 829 352 592 Bytes -1.8 MiB -0.033%
ydbd stripped size 1 464 774 128 Bytes 1 464 408 560 Bytes -357.0 KiB -0.025%

*Please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparison


github-actions bot commented Aug 6, 2024

2024-08-06 16:52:18 UTC Pre-commit check for a6e5022 has started.
2024-08-06 16:56:48 UTC Check linux-x86_64-relwithdebinfo is running...
🟡 2024-08-06 19:14:39 UTC Some tests failed, follow the links below. Going to retry failed tests...

Test history | Ya make output

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
39839 34515 0 2 5309 13

2024-08-06 19:19:10 UTC Failed tests rerun (try 2) linux-x86_64-relwithdebinfo is running...
🟡 2024-08-06 19:30:19 UTC Some tests failed, follow the links below. Going to retry failed tests...

Test history | Ya make output

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
19 (only retried tests) 5 0 2 4 8

2024-08-06 19:33:39 UTC Failed tests rerun (try 3) linux-x86_64-relwithdebinfo is running...
🟢 2024-08-06 19:40:43 UTC Tests successful.

Test history | Ya make output

TESTS PASSED ERRORS FAILED SKIPPED MUTED?
14 (only retried tests) 6 0 0 0 8

🟢 2024-08-06 19:44:01 UTC Build successful.
🟢 2024-08-06 19:44:35 UTC ydbd size 8.1 GiB changed* by -965.9 KiB, which is <= 0 Bytes vs main: OK

ydbd size dash main: 38a0fb6 merge: a6e5022 diff diff %
ydbd size 8 672 465 152 Bytes 8 671 476 088 Bytes -965.9 KiB -0.011%
ydbd stripped size 471 954 152 Bytes 471 902 696 Bytes -50.2 KiB -0.011%

*Please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparison

@UgnineSirdis
Collaborator Author

If the cluster is in a state where no token is required (and no client certificate is checked), this option helps to debug problems that can occur after a configuration update. So if the current state is dynamic node registration without using a token/client certificate, we can set up client cert settings, node registration settings, EnforceUserTokenRequirement=false, EnforceUserTokenCheckRequirement=true on static nodes. After this, dynamic nodes that still don't use a client certificate will continue to register. Then we can try mTLS on dynamic nodes: if a client cert is specified, the server starts checking it and returns related errors if something is set up wrong. But during this, other nodes will continue to work.
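
The staged rollout described in the comment above, as an added example that is not part of this pull request or of YDB's source: a small C++ model of how the two options decide the fate of a registering dynamic node. The type and function names are hypothetical, the fleet is constructed sample data, and the behaviour with EnforceUserTokenRequirement=true is an assumption taken from the option's name.

```cpp
#include <string>
#include <vector>

// Model of the two options named in the comment above; not YDB source code.
struct TAuthPolicy {
    bool EnforceUserTokenRequirement;      // assumption: a credential is mandatory when true
    bool EnforceUserTokenCheckRequirement; // per the comment: verify a credential if one is sent
};

// Constructed sample input: one registering dynamic node.
struct TNodeRequest {
    std::string Name;
    bool HasClientCert;  // node presents a client certificate (mTLS)
    bool CertIsValid;    // certificate would pass server-side verification
};

enum class EOutcome { Registered, RegisteredUnchecked, Rejected };

EOutcome Decide(const TAuthPolicy& p, const TNodeRequest& r) {
    if (!r.HasClientCert) {
        // No credential: only the hard requirement can refuse the node.
        return p.EnforceUserTokenRequirement ? EOutcome::Rejected
                                             : EOutcome::RegisteredUnchecked;
    }
    // Credential present: it is verified if either option is on.
    if (p.EnforceUserTokenRequirement || p.EnforceUserTokenCheckRequirement) {
        return r.CertIsValid ? EOutcome::Registered : EOutcome::Rejected;
    }
    return EOutcome::RegisteredUnchecked;  // nothing is checked, so errors stay hidden
}

// Names of the nodes that a given policy would refuse.
std::vector<std::string> RejectedNodes(const TAuthPolicy& p, const std::vector<TNodeRequest>& fleet) {
    std::vector<std::string> out;
    for (const auto& r : fleet) {
        if (Decide(p, r) == EOutcome::Rejected) out.push_back(r.Name);
    }
    return out;
}

// Constructed fleet: a legacy node, a migrated node, a node with a bad certificate.
const std::vector<TNodeRequest> kFleet = {
    {"legacy-no-cert", false, false},
    {"mtls-good", true, true},
    {"mtls-misconfigured", true, false},
};
const TAuthPolicy kOpen{false, false};      // state before the configuration update
const TAuthPolicy kCheckOnly{false, true};  // staging state from the comment
const TAuthPolicy kRequired{true, true};    // assumed final state
```

Under `kCheckOnly` only the misconfigured node is refused, which is the debugging window the comment describes; under `kRequired` the node without a certificate is refused as well.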

@UgnineSirdis UgnineSirdis merged commit 1a6f195 into ydb-platform:main Aug 16, 2024
11 of 13 checks passed
UgnineSirdis added a commit to UgnineSirdis/ydb that referenced this pull request Aug 18, 2024
UgnineSirdis added a commit to UgnineSirdis/ydb that referenced this pull request Aug 19, 2024
UgnineSirdis added a commit to UgnineSirdis/ydb that referenced this pull request Aug 20, 2024
stanislav-shchetinin pushed a commit to stanislav-shchetinin/ydb that referenced this pull request Aug 30, 2024
UgnineSirdis added a commit to UgnineSirdis/ydb that referenced this pull request Sep 17, 2024
uzhastik pushed a commit to uzhastik/ydb that referenced this pull request Sep 24, 2024
@UgnineSirdis UgnineSirdis deleted the check-client-cert-when-it-is-specified branch October 7, 2024 07:35