Make scalar map join benchmark spit out same tuples amount as others (ydb-platform#24840)

nfrmtk · StekPerepolnen · commit 210047355459 · 2025-09-19T13:02:12.000+02:00
diff --git a/ydb/core/mon/audit/audit.cpp b/ydb/core/mon/audit/audit.cpp
@@ -1,5 +1,5 @@
 #include "audit.h"
-#include "auditable_actions.cpp"
+#include "audit_blacklist.cpp"
 
 #include <ydb/core/audit/audit_log.h>
 #include <ydb/core/audit/audit_config/audit_config.h>
@@ -50,9 +50,9 @@ namespace {
         return reason;
     }
 
-    inline TUrlMatcher CreateAuditableActionsMatcher() {
+    inline TUrlMatcher CreateBlacklistMatcher() {
         TUrlMatcher policy;
-        for (const auto& pattern : AUDITABLE_ACTIONS) {
+        for (const auto& pattern : AUDIT_BLACKLIST) {
             policy.AddPattern(pattern);
         }
         return policy;
@@ -73,8 +73,8 @@ void TAuditCtx::AddAuditLogPart(TStringBuf name, const TString& value) {
     Parts.emplace_back(name, value);
 }
 
-bool TAuditCtx::AuditableRequest(const NHttp::THttpIncomingRequestPtr& request) {
-    // only modifying methods are audited
+bool TAuditCtx::AuditableRequest(const NHttp::THttpIncomingRequestPtr& request) const {
+    // modifying methods are always audited
     const TString method(request->Method);
     static const THashSet<TString> MODIFYING_METHODS = {"POST", "PUT", "DELETE"};
     if (MODIFYING_METHODS.contains(method)) {
@@ -86,13 +86,13 @@ bool TAuditCtx::AuditableRequest(const NHttp::THttpIncomingRequestPtr& request)
         return false;
     }
 
-    // force audit for specific URLs
-    static auto FORCE_AUDIT_MATCHER = CreateAuditableActionsMatcher();
-    if (FORCE_AUDIT_MATCHER.Match(request->URL)) {
-        return true;
+    // skip audit for URLs from blacklist
+    static auto BLACKLIST_MATCHER = CreateBlacklistMatcher();
+    if (BLACKLIST_MATCHER.Match(request->URL)) {
+        return false;
     }
 
-    return false;
+    return true;
 }
 
 void TAuditCtx::InitAudit(const NHttp::TEvHttpProxy::TEvHttpIncomingRequest::TPtr& ev) {
diff --git a/ydb/core/mon/audit/audit.h b/ydb/core/mon/audit/audit.h
@@ -27,10 +27,10 @@ class TAuditCtx {
     void LogOnCompleted(const NHttp::THttpOutgoingResponsePtr& response);
     void SetSubjectType(NACLibProto::ESubjectType subjectType);
     static bool AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::ELogPhase logPhase, NACLibProto::ESubjectType subjectType);
+    bool AuditableRequest(const NHttp::THttpIncomingRequestPtr& request) const;
 
 private:
     void AddAuditLogPart(TStringBuf name, const TString& value);
-    bool AuditableRequest(const NHttp::THttpIncomingRequestPtr& request);
 
     TAuditParts Parts;
     bool Auditable = false;
diff --git a/ydb/core/mon/audit/audit_blacklist.cpp b/ydb/core/mon/audit/audit_blacklist.cpp
@@ -0,0 +1,19 @@
+#include "url_matcher.h"
+
+#include <util/generic/string.h>
+#include <util/generic/vector.h>
+
+namespace NMonitoring::NAudit {
+
+// Audit logging is enabled for all requests that either
+// 1) use modifying HTTP methods (POST, PUT, DELETE), or
+// 2) target endpoints not listed in AUDIT_BLACKLIST.
+// The blacklist excludes frequently queried read-only endpoints with no security value.
+const TVector<TUrlPattern> AUDIT_BLACKLIST = {
+    {.Path = "/counters"},
+    {.Path = "/counters/*"},
+    {.Path = "/viewer"},
+    {.Path = "/viewer/*"},
+};
+
+}
diff --git a/ydb/core/mon/audit/audit_ut.cpp b/ydb/core/mon/audit/audit_ut.cpp
@@ -5,8 +5,58 @@
 
 using namespace NMonitoring::NAudit;
 
+namespace {
+
+struct TRequestHolder {
+    NHttp::THttpIncomingRequestPtr Request;
+    TVector<TString> Storage;
+
+    TStringBuf Store(TString value) {
+        Storage.push_back(std::move(value));
+        return Storage.back();
+    }
+};
+
+NHttp::THttpIncomingRequestPtr MakeRequest(TString method, TString url) {
+    NHttp::THttpIncomingRequestPtr Request = new NHttp::THttpIncomingRequest();
+    Request->Method = std::move(method);
+    Request->URL = std::move(url);
+    return Request;
+}
+
+} // namespace
+
 Y_UNIT_TEST_SUITE(TAuditTest) {
     Y_UNIT_TEST(AuditDisabledWithoutAppData) {
         UNIT_ASSERT(!TAuditCtx::AuditEnabled(NKikimrConfig::TAuditConfig::TLogClassConfig::Completed, NACLibProto::SUBJECT_TYPE_ANONYMOUS));
     }
+
+    Y_UNIT_TEST(ModifyingMethodsAlwaysAuditable) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("POST", "/path")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("PUT", "/path")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("DELETE", "/path")));
+
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("POST", "/counters")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("PUT", "/counters")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("DELETE", "/counters")));
+    }
+
+    Y_UNIT_TEST(OptionsRequestsAreNotAudited) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("OPTIONS", "/path")));
+    }
+
+    Y_UNIT_TEST(BlacklistedPathsAreNotAudited) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("GET", "/counters")));
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("GET", "/viewer/subpage")));
+        UNIT_ASSERT(!ctx.AuditableRequest(MakeRequest("GET", "/viewer?mode=overview")));
+    }
+
+    Y_UNIT_TEST(OtherGetRequestsAreAudited) {
+        TAuditCtx ctx;
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("GET", "/other")));
+        UNIT_ASSERT(ctx.AuditableRequest(MakeRequest("GET", "/viewerstats?mode=overview")));
+    }
 }
diff --git a/ydb/core/mon/audit/auditable_actions.cpp b/ydb/core/mon/audit/auditable_actions.cpp
diff --git a/ydb/core/mon/audit/ya.make b/ydb/core/mon/audit/ya.make
@@ -5,7 +5,7 @@ RECURSE_FOR_TESTS(
 LIBRARY()
 
 SRCS(
-    auditable_actions.cpp
+    audit_blacklist.cpp
     audit.cpp
     url_matcher.cpp
 )

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ RECURSE_FOR_TESTS(`
`5`	`5`	`LIBRARY()`
`6`	`6`
`7`	`7`	`SRCS(`
`8`		`- auditable_actions.cpp`
	`8`	`+ audit_blacklist.cpp`
`9`	`9`	`audit.cpp`
`10`	`10`	`url_matcher.cpp`
`11`	`11`	`)`