Cherry pick new secret fixes to stable-25-3-1 (#25631)

yurikiselev · web-flow · commit 4f24a5ff20d5 · 2025-09-25T00:53:45.000+05:00
diff --git a/.github/config/muted_ya.txt b/.github/config/muted_ya.txt
@@ -33,18 +33,11 @@ ydb/core/keyvalue/ut_trace TKeyValueTracingTest.ReadHuge
 ydb/core/keyvalue/ut_trace TKeyValueTracingTest.ReadSmall
 ydb/core/keyvalue/ut_trace TKeyValueTracingTest.WriteHuge
 ydb/core/keyvalue/ut_trace TKeyValueTracingTest.WriteSmall
-ydb/core/kqp/provider/ut KikimrIcGateway.TestLoadBasicSecretValueFromExternalDataSourceMetadata+UseSchemaSecrets
-ydb/core/kqp/provider/ut KikimrIcGateway.TestLoadServiceAccountSecretValueFromExternalDataSourceMetadata+UseSchemaSecrets
-ydb/core/kqp/provider/ut KikimrIcGateway.TestLoadTokenSecretValueFromExternalDataSourceMetadata+UseSchemaSecrets
 ydb/core/kqp/proxy_service/ut TestScriptExecutionsUtils.TestRetryLimiter
 ydb/core/kqp/ut/federated_query/datastreams KqpFederatedQueryDatastreams.RestoreScriptPhysicalGraphOnRetry
 ydb/core/kqp/ut/federated_query/datastreams KqpStreamingQueriesDdl.CreateStreamingQueryMatchRecognize
 ydb/core/kqp/ut/federated_query/s3 KqpFederatedQuery.TestReadLargeParquetFile
 ydb/core/kqp/ut/federated_query/s3 unittest.sole chunk
-ydb/core/kqp/federated_query/ut_service DescribeSchemaSecretsService.GetDroppedValue
-ydb/core/kqp/federated_query/ut_service DescribeSchemaSecretsService.GetInParallel
-ydb/core/kqp/federated_query/ut_service DescribeSchemaSecretsService.GetNewValue
-ydb/core/kqp/federated_query/ut_service DescribeSchemaSecretsService.GetUpdatedValue
 ydb/core/kqp/ut/indexes KqpMultishardIndex.WriteIntoRenamingAsyncIndex
 ydb/core/kqp/ut/indexes KqpMultishardIndex.WriteIntoRenamingSyncIndex
 ydb/core/kqp/ut/olap KqpOlapJson.BrokenJsonWriting[2,false,1024,0,0,0]
diff --git a/ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp b/ydb/core/kqp/federated_query/kqp_federated_query_actors.cpp
@@ -121,7 +121,8 @@ void TDescribeSchemaSecretsService::Handle(TEvTxProxySchemeCache::TEvNavigateKey
         return;
     }
 
-    // TODO (yurikiselev): Assert that request->ResultSet.front().SecretInfo->Description.GetValue() is empty [issue:23462]
+    const auto& secretDescription = request->ResultSet.front().SecretInfo->Description;
+    Y_ENSURE(!secretDescription.HasValue(), "SchemeCache must never contain secret values");
 
     const auto secretIt = SecretNameToValue.find(secretName);
     if (secretIt != SecretNameToValue.end()) { // some secret version is in cache
@@ -137,6 +138,7 @@ void TDescribeSchemaSecretsService::Handle(TEvTxProxySchemeCache::TEvNavigateKey
     TAutoPtr<TEvTxUserProxy::TEvNavigate> req(new TEvTxUserProxy::TEvNavigate());
     NKikimrSchemeOp::TDescribePath* record = req->Record.MutableDescribePath();
     record->SetPath(secretName);
+    record->MutableOptions()->SetReturnSecretValue(true);
     // TODO(yurikiselev): Deal with UserToken [issue:25472]
     Send(MakeTxProxyID(), req.Release(), 0, ev->Cookie);
 }
