From 1fc93a53763d16b6e621ec76cad7e7275c73e3a4 Mon Sep 17 00:00:00 2001
From: Semyon
Date: Mon, 16 Dec 2024 18:46:40 +0300
Subject: [PATCH] implement secret identification by name (#12641)
Conflicts:
ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp
ydb/services/metadata/secret/snapshot.cpp
ydb/services/metadata/secret/snapshot.h
---
.../kqp_federated_query_actors.cpp | 23 ++--
.../engines/changes/general_compaction.cpp | 1 +
.../constructor/read_metadata.cpp | 3 +
.../engines/storage/granule/portions_index.h | 1 +
.../tx/columnshard/hooks/testing/controller.h | 1 +
.../controller/secret_resolver.cpp | 8 +-
ydb/core/tx/tiering/tier/checker.cpp | 16 ++-
ydb/core/tx/tiering/tier/object.cpp | 20 ++-
ydb/core/tx/tiering/tier/object.h | 2 +-
ydb/services/ext_index/ut/ut_ext_index.cpp | 3 -
.../metadata/initializer/ut/ut_init.cpp | 3 -
ydb/services/metadata/secret/secret.cpp | 22 ++-
ydb/services/metadata/secret/secret.h | 125 +++++++++++++-----
ydb/services/metadata/secret/snapshot.cpp | 106 +++++++++++----
ydb/services/metadata/secret/snapshot.h | 5 +-
ydb/services/metadata/secret/ut/ut_secret.cpp | 3 -
16 files changed, 231 insertions(+), 111 deletions(-)
diff --git a/ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp b/ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp
index c6150636e5df..14243df2c784 100644
--- a/ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp
+++ b/ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp
@@ -19,18 +19,19 @@ class TDescribeSecretsActor: public NActors::TActorBootstrapped secretValues; secretValues.reserve(SecretIds.size()); for (const auto& secretId: SecretIds) { - TString secretValue; - const bool isFound = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(secretId), secretValue); - if (!isFound) { - if (!AskSent) { - AskSent = true; - Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvAskSnapshot(GetSecretsSnapshotParser())); - } else { - CompleteAndPassAway(TEvDescribeSecretsResponse::TDescription(Ydb::StatusIds::BAD_REQUEST, { NYql::TIssue("secret with name '" + secretId.GetSecretId() + "' not found") })); - } - return; + auto secretValue = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(secretId)); + if (secretValue.IsSuccess()) { + secretValues.push_back(secretValue.DetachResult()); + continue; } - secretValues.push_back(secretValue); + + if (!AskSent) { + AskSent = true; + Send(NMetadata::NProvider::MakeServiceId(SelfId().NodeId()), new NMetadata::NProvider::TEvAskSnapshot(GetSecretsSnapshotParser())); + } else { + CompleteAndPassAway(TEvDescribeSecretsResponse::TDescription(Ydb::StatusIds::BAD_REQUEST, { NYql::TIssue("secret with name '" + secretId.GetSecretId() + "' not found") })); + } + return; } CompleteAndPassAway(TEvDescribeSecretsResponse::TDescription(secretValues)); diff --git a/ydb/core/tx/columnshard/engines/changes/general_compaction.cpp b/ydb/core/tx/columnshard/engines/changes/general_compaction.cpp index e0655927c758..88e1d5ea4610 100644 --- a/ydb/core/tx/columnshard/engines/changes/general_compaction.cpp +++ b/ydb/core/tx/columnshard/engines/changes/general_compaction.cpp 
@@ -13,6 +13,7 @@ namespace NKikimr::NOlap::NCompaction { std::shared_ptr TGeneralCompactColumnEngineChanges::BuildPortionFilter( const std::optional& shardingActual, const std::shared_ptr& batch, const TPortionInfo& pInfo, const THashSet& portionsInUsage, const ISnapshotSchema::TPtr& resultSchema) const { + Y_UNUSED(resultSchema); std::shared_ptr filter; if (shardingActual && pInfo.NeedShardingFilter(*shardingActual)) { std::set fieldNames; diff --git a/ydb/core/tx/columnshard/engines/reader/simple_reader/constructor/read_metadata.cpp b/ydb/core/tx/columnshard/engines/reader/simple_reader/constructor/read_metadata.cpp index 646e58c1857d..31ad53590f62 100644 --- a/ydb/core/tx/columnshard/engines/reader/simple_reader/constructor/read_metadata.cpp +++ b/ydb/core/tx/columnshard/engines/reader/simple_reader/constructor/read_metadata.cpp @@ -13,6 +13,9 @@ std::unique_ptr TReadMetadata::StartScan(const std::shared_pt TConclusionStatus TReadMetadata::DoInitCustom( const NColumnShard::TColumnShard* owner, const TReadDescription& readDescription, const TDataStorageAccessor& dataAccessor) { + Y_UNUSED(owner); + Y_UNUSED(readDescription); + Y_UNUSED(dataAccessor); return TConclusionStatus::Success(); } diff --git a/ydb/core/tx/columnshard/engines/storage/granule/portions_index.h b/ydb/core/tx/columnshard/engines/storage/granule/portions_index.h index 75201f1d188d..d93b544c7aa1 100644 --- a/ydb/core/tx/columnshard/engines/storage/granule/portions_index.h +++ b/ydb/core/tx/columnshard/engines/storage/granule/portions_index.h @@ -19,6 +19,7 @@ class TPortionsIndex { : Owner(owner) { Y_UNUSED(Owner); + Y_UNUSED(counters); } void AddPortion(const std::shared_ptr& p) { diff --git a/ydb/core/tx/columnshard/hooks/testing/controller.h b/ydb/core/tx/columnshard/hooks/testing/controller.h index 9076e8183cd1..f9bf371afa4d 100644 --- a/ydb/core/tx/columnshard/hooks/testing/controller.h +++ b/ydb/core/tx/columnshard/hooks/testing/controller.h 
@@ -193,6 +193,7 @@ class TController: public TReadOnlyController { return OverrideRejectMemoryIntervalLimit.value_or(def); } virtual ui64 DoGetMetadataRequestSoftMemoryLimit(const ui64 def) const override { + Y_UNUSED(def); return 0; } virtual EOptimizerCompactionWeightControl GetCompactionControl() const override { diff --git a/ydb/core/tx/replication/controller/secret_resolver.cpp b/ydb/core/tx/replication/controller/secret_resolver.cpp index cbc289ec9fb4..03c2d603772b 100644 --- a/ydb/core/tx/replication/controller/secret_resolver.cpp +++ b/ydb/core/tx/replication/controller/secret_resolver.cpp @@ -47,12 +47,12 @@ class TSecretResolver: public TActorBootstrapped { void Handle(NMetadata::NProvider::TEvRefreshSubscriberData::TPtr& ev) { const auto* snapshot = ev->Get()->GetSnapshotAs(); - TString secretValue; - if (!snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(SecretId), secretValue)) { - return Reply(false, TStringBuilder() << "Secret '" << SecretName << "' not found"); + auto secretValue = snapshot->GetSecretValue(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(SecretId)); + if (secretValue.IsFail()) { + return Reply(false, secretValue.GetErrorMessage()); } - Reply(secretValue); + Reply(secretValue.DetachResult()); } template diff --git a/ydb/core/tx/tiering/tier/checker.cpp b/ydb/core/tx/tiering/tier/checker.cpp index 32ec8da0e7b4..af9d88ae6910 100644 --- a/ydb/core/tx/tiering/tier/checker.cpp +++ b/ydb/core/tx/tiering/tier/checker.cpp 
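Review bot: In `TSecretResolver::Handle`, the failure reply is now whatever text `GetSecretValue` produced, where it used to be a fixed `Secret '<name>' not found`. The snapshot.cpp part of this patch adds a failure reading `More than 1 secret found with such name`; if `SecretId` here can ever be a name-only id, that text tells the requester that other owners hold a secret with the same name. Please confirm the snapshot's messages are meant to reach the replication client, or keep a generic reply and log `secretValue.GetErrorMessage()` on the server side. The type of `SecretId` is declared outside this hunk, so this is an inference from the visible call.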
@@ -10,13 +10,15 @@ void TTierPreparationActor::StartChecker() { return; } auto g = PassAwayGuard(); - for (auto&& tier : Objects) { - if (!Secrets->CheckSecretAccess(tier.GetAccessKey(), Context.GetExternalData().GetUserToken())) { - Controller->OnPreparationProblem("no access for secret: " + tier.GetAccessKey().DebugString()); - return; - } else if (!Secrets->CheckSecretAccess(tier.GetSecretKey(), Context.GetExternalData().GetUserToken())) { - Controller->OnPreparationProblem("no access for secret: " + tier.GetSecretKey().DebugString()); - return; + if (const auto& userToken = Context.GetExternalData().GetUserToken()) { + for (auto&& tier : Objects) { + if (!Secrets->CheckSecretAccess(tier.GetAccessKey(), *userToken)) { + Controller->OnPreparationProblem("no access for secret: " + tier.GetAccessKey().DebugString()); + return; + } else if (!Secrets->CheckSecretAccess(tier.GetSecretKey(), *userToken)) { + Controller->OnPreparationProblem("no access for secret: " + tier.GetSecretKey().DebugString()); + return; + } } } Controller->OnPreparationFinished(std::move(Objects)); diff --git a/ydb/core/tx/tiering/tier/object.cpp b/ydb/core/tx/tiering/tier/object.cpp index e5045a3ee887..7b98282fd6a4 100644 --- a/ydb/core/tx/tiering/tier/object.cpp +++ b/ydb/core/tx/tiering/tier/object.cpp 
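Review bot: When `Context.GetExternalData().GetUserToken()` is empty, the whole access-check loop in `StartChecker` is skipped and `OnPreparationFinished` runs with every tier, so a missing token means full access to the referenced secrets. That matches the old `CheckSecretAccess`, which returned true without a token, but the fail-open decision has moved from the snapshot into this caller with no explanation. Please state the policy at the `if`, for example `// No user token means an internal caller: secret access checks are intentionally skipped.`, or reject the request if an absent token is not expected on this path. The function starts outside the hunk.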
@@ -44,16 +44,22 @@ NMetadata::NInternal::TTableRecord TTierConfig::SerializeToRecord() const { return result; } -NKikimrSchemeOp::TS3Settings TTierConfig::GetPatchedConfig( - std::shared_ptr secrets) const -{ +NKikimrSchemeOp::TS3Settings TTierConfig::GetPatchedConfig(std::shared_ptr secrets) const { auto config = ProtoConfig.GetObjectStorage(); if (secrets) { - if (!secrets->GetSecretValue(GetAccessKey(), *config.MutableAccessKey())) { - ALS_ERROR(NKikimrServices::TX_TIERING) << "cannot read access key secret for " << GetAccessKey().DebugString(); + { + auto value = secrets->GetSecretValue(GetAccessKey()); + if (value.IsFail()) { + AFL_ERROR(NKikimrServices::TX_TIERING)("error", "invalid_secret")("object", "access_key")("reason", value.GetErrorMessage()); + } + config.SetAccessKey(value.DetachResult()); } - if (!secrets->GetSecretValue(GetSecretKey(), *config.MutableSecretKey())) { - ALS_ERROR(NKikimrServices::TX_TIERING) << "cannot read secret key secret for " << GetSecretKey().DebugString(); + { + auto value = secrets->GetSecretValue(GetSecretKey()); + if (value.IsFail()) { + AFL_ERROR(NKikimrServices::TX_TIERING)("error", "invalid_secret")("object", "secret_key")("reason", value.GetErrorMessage()); + } + config.SetSecretKey(value.DetachResult()); } } return config; diff --git a/ydb/core/tx/tiering/tier/object.h b/ydb/core/tx/tiering/tier/object.h index 96bdfc490ac2..89ce3cdfd83f 100644 --- a/ydb/core/tx/tiering/tier/object.h +++ b/ydb/core/tx/tiering/tier/object.h @@ -4,8 +4,8 @@ #include #include #include +#include #include -#include #include diff --git a/ydb/services/ext_index/ut/ut_ext_index.cpp b/ydb/services/ext_index/ut/ut_ext_index.cpp index ec67f99c8478..2083968943aa 100644 --- a/ydb/services/ext_index/ut/ut_ext_index.cpp +++ b/ydb/services/ext_index/ut/ut_ext_index.cpp @@ -1,6 +1,5 @@ #include #include -#include #include #include #include 
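Review bot: In `TTierConfig::GetPatchedConfig`, both blocks log on `value.IsFail()` and then still call `value.DetachResult()` on the failed conclusion. `TConclusion` is not defined in this patch, but every other call site here guards `DetachResult()` with `IsSuccess()`/`IsFail()`, which suggests it is not valid on a failure. If it asserts, a missing or ambiguous secret aborts the process, where the old code logged and left the key unpatched. Put the setter in an `else`, as in `} else { config.SetAccessKey(value.DetachResult()); }`, and do the same for `SetSecretKey`. The new log lines also no longer name the secret; adding `("secret", GetAccessKey().DebugString())` would keep that context.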
@@ -25,8 +24,6 @@ namespace NKikimr { -using namespace NColumnShard; - class TLocalHelper: public Tests::NCS::THelper { private: using TBase = Tests::NCS::THelper; diff --git a/ydb/services/metadata/initializer/ut/ut_init.cpp b/ydb/services/metadata/initializer/ut/ut_init.cpp index bce2dd7a12f7..5207e20e9910 100644 --- a/ydb/services/metadata/initializer/ut/ut_init.cpp +++ b/ydb/services/metadata/initializer/ut/ut_init.cpp @@ -1,6 +1,5 @@ #include #include -#include #include #include #include @@ -28,8 +27,6 @@ namespace NKikimr { -using namespace NColumnShard; - Y_UNIT_TEST_SUITE(Initializer) { class TTestInitializer: public NMetadata::NInitializer::IInitializationBehaviour { diff --git a/ydb/services/metadata/secret/secret.cpp b/ydb/services/metadata/secret/secret.cpp index ec447c1d0ed6..86cf163da3eb 100644 --- a/ydb/services/metadata/secret/secret.cpp +++ b/ydb/services/metadata/secret/secret.cpp @@ -38,14 +38,22 @@ TString TSecretId::SerializeToString() const { return sb; } - TString TSecretIdOrValue::DebugString() const { - if (SecretId) { - return SecretId->SerializeToString(); - } else if (Value) { - return MD5::Calc(*Value); - } - return ""; + return std::visit(TOverloaded( + [](std::monostate) -> TString{ + return "__NONE__"; + }, + [](const TSecretId& id) -> TString{ + return id.SerializeToString(); + }, + [](const TSecretName& name) -> TString{ + return name.SerializeToString(); + }, + [](const TString& value) -> TString{ + return MD5::Calc(value); + } + ), + State); } } diff --git a/ydb/services/metadata/secret/secret.h b/ydb/services/metadata/secret/secret.h index 70920091bf31..7511cbb56037 100644 --- a/ydb/services/metadata/secret/secret.h +++ b/ydb/services/metadata/secret/secret.h 
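Review bot: The `const TString&` arm of `TSecretIdOrValue::DebugString()` still returns `MD5::Calc(value)` for an inline secret value. An unsalted MD5 is a stable fingerprint: anyone who can read the logs or messages containing it can test guesses for low-entropy secrets offline and can see where the same value is reused. Since the visitor is being rewritten anyway, consider a fixed marker in the style of the new `"__NONE__"` arm, e.g. `return "__VALUE__";`, or a keyed digest if correlation is needed for debugging.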
@@ -12,7 +12,10 @@ class TSecretId { private: YDB_READONLY_PROTECT_DEF(TString, OwnerUserId); YDB_READONLY_PROTECT_DEF(TString, SecretId); + public: + inline static const TString PrefixWithUser = "USId:"; + TSecretId() = default; TSecretId(const TString& ownerUserId, const TString& secretId) : OwnerUserId(ownerUserId) @@ -31,7 +34,7 @@ class TSecretId { if (proto.HasValue()) { return proto.GetValue(); } else { - return TStringBuilder() << "USId:" << (proto.GetSecretOwnerId() ? proto.GetSecretOwnerId() : defaultOwnerId) << ":" << SecretId; + return TStringBuilder() << PrefixWithUser << (proto.GetSecretOwnerId() ? proto.GetSecretOwnerId() : defaultOwnerId) << ":" << SecretId; } } 
@@ -43,18 +46,41 @@ class TSecretId { } }; +class TSecretName { +private: + YDB_READONLY_DEF(TString, SecretId); + +public: + inline static const TString PrefixNoUser = "SId:"; + + TSecretName() = default; + TSecretName(const TString& secretId) : SecretId(secretId) {} + + TString SerializeToString() const { + return TStringBuilder() << "SId:" << SecretId; + } + + bool DeserializeFromString(const TString& secretString) { + if (secretString.StartsWith(PrefixNoUser)) { + SecretId = secretString.substr(PrefixNoUser.size()); + return true; + } + return false; + } +}; + class TSecretIdOrValue { private: - YDB_READONLY_DEF(std::optional, SecretId); - YDB_READONLY_DEF(std::optional, Value); + using TState = std::variant; + YDB_READONLY_DEF(TState, State); + +private: TSecretIdOrValue() = default; - bool DeserializeFromStringImpl(const TString& info, const TString& defaultUserId) { - static const TString prefixWithUser = "USId:"; - static const TString prefixNoUser = "SId:"; - if (info.StartsWith(prefixWithUser)) { + bool DeserializeFromStringImpl(const TString& info, const TString& defaultUserId = "") { + if (info.StartsWith(TSecretId::PrefixWithUser)) { TStringBuf sb(info.data(), info.size()); - sb.Skip(prefixWithUser.size()); + sb.Skip(TSecretId::PrefixWithUser.size()); TStringBuf uId; TStringBuf sId; if (!sb.TrySplit(':', uId, sId)) { 
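Review bot: `TSecretName::DeserializeFromString` accepts the bare prefix `SId:` and stores an empty name, whereas `TSecretIdOrValue::DeserializeFromStringImpl` in the same header rejects that input with `if (!sb) return false;`. The two parsers should agree, e.g. `if (secretString.StartsWith(PrefixNoUser) && secretString.size() > PrefixNoUser.size())`. Two smaller points in the same class: `SerializeToString` hard-codes `"SId:"` rather than using `PrefixNoUser`, and the single-argument constructor is not `explicit`, so a `TString` holding a raw value can silently convert to a `TSecretName` at a `BuildAsId` call.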
@@ -63,32 +89,37 @@ class TSecretIdOrValue { if (!uId || !sId) { return false; } - SecretId = TSecretId(uId, sId); - } else if (info.StartsWith(prefixNoUser)) { + State = TSecretId(uId, sId); + } else if (info.StartsWith(TSecretName::PrefixNoUser)) { TStringBuf sb(info.data(), info.size()); - sb.Skip(prefixNoUser.size()); - SecretId = TSecretId(defaultUserId, TString(sb)); - if (!sb || !defaultUserId) { + sb.Skip(TSecretName::PrefixNoUser.size()); + if (!sb) { return false; } + if (defaultUserId) { + State = TSecretId(defaultUserId, TString(sb)); + } else { + State = TSecretName(TString(sb)); + } } else { - Value = info; + State = info; } return true; } - explicit TSecretIdOrValue(const TSecretId& id) - : SecretId(id) { + explicit TSecretIdOrValue(const TSecretId& id) + : State(id) { + } + explicit TSecretIdOrValue(const TSecretName& id) + : State(id) { } - explicit TSecretIdOrValue(const TString& value) - : Value(value) { - + : State(value) { } public: bool operator!() const { - return !Value && !SecretId; + return std::holds_alternative(State); } static TSecretIdOrValue BuildAsValue(const TString& value) { @@ -103,12 +134,18 @@ class TSecretIdOrValue { return TSecretIdOrValue(id); } - static std::optional DeserializeFromOptional(const NKikimrSchemeOp::TSecretableVariable& proto, const TString& secretInfo, const TString& defaultOwnerId = Default()) { + static TSecretIdOrValue BuildAsId(const TSecretName& id) { + return TSecretIdOrValue(id); + } + + static std::optional DeserializeFromOptional( + const NKikimrSchemeOp::TSecretableVariable& proto, const TString& secretInfo, const TString& defaultOwnerId = Default()) { if (proto.HasSecretId()) { return DeserializeFromProto(proto, defaultOwnerId); } else if (proto.HasValue()) { return DeserializeFromString(proto.GetValue().GetData()); - } if (secretInfo) { + } + if (secretInfo) { return DeserializeFromString(secretInfo, defaultOwnerId); } else { return {}; 
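Review bot: `DeserializeFromStringImpl` now accepts `SId:<name>` with an empty `defaultUserId` and produces a `TSecretName`, where the old code returned false, and nothing at the branch explains the change. It deserves a comment because a name-only id is resolved through `IndexByName` in snapshot.cpp regardless of owner, so an input that was previously rejected now binds to whichever owner's secret has that name. Suggested comment above the `if (defaultUserId)`: `// No default owner: keep the id name-only; the snapshot resolves it by name and fails if the name is ambiguous.` The function starts before this hunk.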
@@ -117,16 +154,25 @@ class TSecretIdOrValue { NKikimrSchemeOp::TSecretableVariable SerializeToProto() const { NKikimrSchemeOp::TSecretableVariable result; - if (SecretId) { - result.MutableSecretId()->SetId(SecretId->GetSecretId()); - result.MutableSecretId()->SetOwnerId(SecretId->GetOwnerUserId()); - } else if (Value) { - result.MutableValue()->SetData(*Value); - } + std::visit(TOverloaded( + [](std::monostate){ }, + [&result](const TSecretId& id){ + result.MutableSecretId()->SetId(id.GetSecretId()); + result.MutableSecretId()->SetOwnerId(id.GetOwnerUserId()); + }, + [&result](const TSecretName& name){ + result.MutableSecretId()->SetId(name.GetSecretId()); + }, + [&result](const TString& value){ + result.MutableValue()->SetData(value); + } + ), + State); return result; } - static std::optional DeserializeFromProto(const NKikimrSchemeOp::TSecretableVariable& proto, const TString& defaultOwnerId = Default()) { + static std::optional DeserializeFromProto( + const NKikimrSchemeOp::TSecretableVariable& proto, const TString& defaultOwnerId = Default()) { if (proto.HasSecretId()) { TString ownerId; TString secretId; @@ -157,12 +203,21 @@ class TSecretIdOrValue { } TString SerializeToString() const { - if (SecretId) { - return SecretId->SerializeToString(); - } else if (Value) { - return *Value; - } - return ""; + return std::visit(TOverloaded( + [](std::monostate) -> TString{ + return ""; + }, + [](const TSecretId& id) -> TString{ + return TStringBuilder() << TSecretId::PrefixWithUser << id.GetOwnerUserId() << ":" << id.GetSecretId(); + }, + [](const TSecretName& name) -> TString{ + return TStringBuilder() << TSecretName::PrefixNoUser << name.GetSecretId(); + }, + [](const TString& value) -> TString{ + return value; + } + ), + State); } TString DebugString() const; diff --git a/ydb/services/metadata/secret/snapshot.cpp b/ydb/services/metadata/secret/snapshot.cpp index c9d4fb194d39..60397660b14f 100644 --- a/ydb/services/metadata/secret/snapshot.cpp 
+++ b/ydb/services/metadata/secret/snapshot.cpp 
@@ -35,52 +35,102 @@ bool TSnapshot::PatchString(TString& stringForPath) const { if (!sId) { return false; } - return GetSecretValue(*sId, stringForPath); -} - -bool TSnapshot::CheckSecretAccess(const TSecretIdOrValue& sIdOrValue, const std::optional& userToken) const { - if (!userToken || !sIdOrValue) { + if (auto value = GetSecretValue(*sId); value.IsSuccess()) { + stringForPath = value.DetachResult(); return true; } - if (sIdOrValue.GetValue()) { + return false; +} + +bool TSnapshot::CheckSecretAccess(const TSecretIdOrValue& sIdOrValue, const NACLib::TUserToken& userToken) const { + if (std::holds_alternative(sIdOrValue.GetState()) || std::holds_alternative(sIdOrValue.GetState())) { return true; } - if (!sIdOrValue.GetSecretId()) { - return false; - } - const auto sId = *sIdOrValue.GetSecretId(); - auto it = Secrets.find(sId); + + auto findId = std::visit(TOverloaded( + [](std::monostate) -> const TSecretId* { + Y_ABORT(); + }, + [](const TSecretId& id) -> const TSecretId*{ + return &id; + }, + [this](const TSecretName& name) -> const TSecretId*{ + const auto findSecrets = IndexByName.FindPtr(name.GetSecretId()); + if (!findSecrets) { + return nullptr; + } + AFL_VERIFY(!findSecrets->empty()); + if (findSecrets->size() > 1) { + return nullptr; + } + return &*findSecrets->begin(); + }, + [](const TString& value) -> const TSecretId*{ + Y_UNUSED(value); + Y_ABORT(); + } + ), + sIdOrValue.GetState()); + + auto it = Secrets.find(*findId); if (it == Secrets.end()) { return false; } - if (it->second.GetOwnerUserId() == userToken->GetUserSID()) { + if (it->second.GetOwnerUserId() == userToken.GetUserSID()) { return true; } for (auto&& i : Access) { - if (i != sId) { + if (i != *findId) { continue; } - if (userToken->IsExist(i.GetAccessSID())) { + if (userToken.IsExist(i.GetAccessSID())) { return true; } } return false; } -bool TSnapshot::GetSecretValue(const TSecretIdOrValue& sId, TString& result) const { - if (sId.GetValue()) { - result = *sId.GetValue(); - return true; 
- } - if (!sId.GetSecretId()) { - return false;; - } - auto it = Secrets.find(*sId.GetSecretId()); - if (it == Secrets.end()) { - return false; - } - result = it->second.GetValue(); - return true; +TConclusion TSnapshot::GetSecretValue(const TSecretIdOrValue& sId) const { + return std::visit(TOverloaded( + [](std::monostate) -> TConclusion{ + return TConclusionStatus::Fail("Empty secret id"); + }, + [this](const TSecretId& id) -> TConclusion{ + if (const auto findSecret = Secrets.find(id); findSecret != Secrets.end()) { + return findSecret->second.GetValue(); + } + return TConclusionStatus::Fail(TStringBuilder() << "No such secret: " << id.SerializeToString()); + }, + [this](const TSecretName& name) -> TConclusion{ + if (const auto findSecrets = IndexByName.FindPtr(name.GetSecretId())) { + AFL_VERIFY(!findSecrets->empty()); + if (findSecrets->size() > 1) { + return TConclusionStatus::Fail(TStringBuilder() << "Can't identify secret: More than 1 secret found with such name: " << name.GetSecretId()); + } + auto secret = Secrets.find(*findSecrets->begin()); + AFL_VERIFY(secret != Secrets.end())("secret", findSecrets->begin()->SerializeToString()); + return secret->second.GetValue(); + } + return TConclusionStatus::Fail(TStringBuilder() << "No such secret: " << name.SerializeToString()); + }, + [](const TString& value) -> TConclusion{ + return value; + } + ), + sId.GetState()); } +std::vector TSnapshot::GetSecretIds(const std::optional& userToken, const TString& secretId) const { + std::vector secretIds; + for (const auto& [key, value]: Secrets) { + if (key.GetSecretId() != secretId) { + continue; + } + if (userToken && !CheckSecretAccess(NMetadata::NSecret::TSecretIdOrValue::BuildAsId(key), *userToken)) { + continue; + } + secretIds.push_back(key); + } + return secretIds; +} } diff --git a/ydb/services/metadata/secret/snapshot.h b/ydb/services/metadata/secret/snapshot.h index e1863d333c1d..92aabfc17431 100644 --- a/ydb/services/metadata/secret/snapshot.h 
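Review bot: In `TSnapshot::CheckSecretAccess`, `Secrets.find(*findId)` dereferences `findId` unconditionally, but the `TSecretName` arm of the visitor returns `nullptr` when the name is not in `IndexByName` or matches more than one secret. An access check on an unknown or ambiguous name therefore dereferences a null pointer where it should deny access. Add `if (!findId) { return false; }` before the lookup. The patch also adds no test for name-only ids (ut_secret.cpp only loses an include), so the not-found and ambiguous cases of both `CheckSecretAccess` and `GetSecretValue` are worth covering there.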
+++ b/ydb/services/metadata/secret/snapshot.h @@ -22,9 +22,10 @@ class TSnapshot: public NFetcher::ISnapshot { virtual TString DoSerializeToString() const override; public: using TBase::TBase; - bool CheckSecretAccess(const TSecretIdOrValue& sIdOrValue, const std::optional& userToken) const; + bool CheckSecretAccess(const TSecretIdOrValue& sIdOrValue, const NACLib::TUserToken& userToken) const; bool PatchString(TString& stringForPath) const; - bool GetSecretValue(const TSecretIdOrValue& secretId, TString& result) const; + TConclusion GetSecretValue(const TSecretIdOrValue& secretId) const; + std::vector GetSecretIds(const std::optional& userToken, const TString& secretId) const; }; } diff --git a/ydb/services/metadata/secret/ut/ut_secret.cpp b/ydb/services/metadata/secret/ut/ut_secret.cpp index 16da9e76d149..039cd2c3a8a6 100644 --- a/ydb/services/metadata/secret/ut/ut_secret.cpp +++ b/ydb/services/metadata/secret/ut/ut_secret.cpp @@ -1,6 +1,5 @@ #include #include -#include #include #include #include @@ -26,8 +25,6 @@ namespace NKikimr { -using namespace NColumnShard; - Y_UNIT_TEST_SUITE(Secret) { class TJsonChecker {
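Review bot: The changed declarations of `CheckSecretAccess` and `GetSecretIds` do not document how an absent user token is handled, and that handling changes in this patch. `CheckSecretAccess` now requires a token, so the no-token decision is left to each caller. `GetSecretIds` takes an optional one and, per its definition in snapshot.cpp, applies no access filter when it is empty. Please say so on the declarations, e.g. `/// Without a user token no access filtering is applied; every owner's secret with this name is returned.` on `GetSecretIds`, and a line on `GetSecretValue` stating that it performs no access check itself.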