Change /healthcheck with database reponse to previous state

Author: yurikiselev

ydb/core/viewer/viewer_healthcheck.h

@@ -124,20 +124,6 @@ class TJsonHealthCheck : public TViewerPipeClient {
             return checkAccessMonitoring;
         }
 
-        { // TODO(yurikiselev): DEAL WITH IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-            // When enforce_user_token is on and a token is present, require monitoring access for JSON
-            // (do not use the legacy IsDatabaseRequest bypass that incorrectly allows e.g. user@builtin).
-            const auto enforceUserToken = config.AppConfig.GetDomainsConfig().GetSecurityConfig().GetEnforceUserTokenRequirement();
-            const TString tokenSerialized = GetRequest().GetUserTokenObject();
-            if (enforceUserToken && !tokenSerialized.empty()) {
-                return checkAccessMonitoring;
-            }
-            // Legacy: database-prefixed URL without token was historically allowed.
-            if (enforceUserToken && tokenSerialized.empty() && !Database.empty()) {
-                return true;
-            }
-        }
-
         // The database requests were left without any authentication checks for a long time,
         // so we ignore access check for it by default.
         return IsDatabaseRequest() || checkAccessMonitoring;

ydb/tests/functional/security/test_mon_endpoints_auth.py

@@ -246,9 +246,9 @@ def ydb_cluster_with_require_healthcheck_auth(certificates):
     },
     '/healthcheck?database=%2FRoot': {
         None: 200,
-        'user@builtin': 403,
-        'database@builtin': 403,
-        'viewer@builtin': 403,
+        'user@builtin': 200,
+        'database@builtin': 200,
+        'viewer@builtin': 200,
         'monitoring@builtin': 200,
         'root@builtin': 200,
     },