YQ-4356 supported secure script executions

[GrigoriyPA]

Changelog entry

Supported secure script executions (only user who created script execution operation can access it and see in list result)

Changelog category

• Bugfix

Description for reviewers

[github-actions]

🔴 2025-10-14 07:20:06 UTC The validation of the Pull Request description has failed. Please update the description.

Bugfix requires a linked issue in the changelog entry

[Copilot]

Pull Request Overview

This PR implements secure script executions, adding user authentication and access control to script execution operations so that only users who created a script execution operation can access or view their operations in listings.

Key Changes

• Added user SID (Security Identifier) parameter to all script execution operation methods and events
• Introduced a new feature flag EnableSecureScriptExecutions to control this functionality
• Modified script execution metadata tables to include access control lists when secure mode is enabled

Reviewed Changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
ydb/tests/tools/kqprun/src/ydb_setup.h	Added userSID parameters to script execution method signatures
ydb/tests/tools/kqprun/src/ydb_setup.cpp	Implemented userSID parameter passing to internal methods
ydb/tests/tools/kqprun/src/kqp_runner.h	Updated method signatures to accept userSID
ydb/tests/tools/kqprun/src/kqp_runner.cpp	Added userSID parameter handling in script execution methods
ydb/tests/tools/kqprun/kqprun.cpp	Added userSID extraction helper and usage
ydb/library/table_creator/table_creator.h	Added newTableAcl parameter for table creation
ydb/library/table_creator/table_creator.cpp	Implemented ACL setting logic during table creation
ydb/core/viewer/viewer_query.h	Added userSID extraction helper and parameter passing
ydb/core/testlib/basics/feature_flags.h	Added EnableSecureScriptExecutions feature flag setter
ydb/core/protos/feature_flags.proto	Added EnableSecureScriptExecutions feature flag definition
ydb/core/kqp/ut/federated_query/s3/kqp_federated_query_ut.cpp	Added comprehensive test for secure script executions
ydb/core/kqp/ut/federated_query/common/common.h	Updated WaitScriptExecutionOperation to accept userSID
ydb/core/kqp/ut/federated_query/common/common.cpp	Implemented userSID parameter in operation waiting
ydb/core/kqp/proxy_service/kqp_script_executions_ut.cpp	Added test for secure script execution table creation
ydb/core/kqp/proxy_service/kqp_script_executions.h	Updated method signatures to include userSID parameters
ydb/core/kqp/proxy_service/kqp_script_executions.cpp	Implemented user access control checks and secure table creation
ydb/core/kqp/proxy_service/kqp_proxy_service.cpp	Updated table creator call with feature flags
ydb/core/kqp/gateway/behaviour/streaming_query/queries.cpp	Added userSID parameter for system operations
ydb/core/kqp/common/events/script_executions.h	Added userSID fields to script execution events
ydb/core/grpc_services/rpc_list_operations.cpp	Added userSID extraction for operation listing
ydb/core/grpc_services/rpc_get_operation.cpp	Added userSID extraction for operation retrieval
ydb/core/grpc_services/rpc_forget_operation.cpp	Added userSID extraction for operation forgetting
ydb/core/grpc_services/rpc_common/rpc_common.h	Added GetUserSID helper function
ydb/core/grpc_services/rpc_cancel_operation.cpp	Added userSID extraction for operation cancellation
ydb/core/grpc_services/query/rpc_fetch_script_results.cpp	Added userSID extraction for result fetching

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[github-actions]

⚪ 2025-10-14 07:21:58 UTC Pre-commit check linux-x86_64-relwithdebinfo for 95de177 has started.
⚪ 2025-10-14 07:22:11 UTC Artifacts will be uploaded here
⚪ 2025-10-14 07:26:15 UTC ya make is running...
⚫ 2025-10-14 07:33:25 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 07:22:33 UTC Pre-commit check linux-x86_64-release-asan for 95de177 has started.
⚪ 2025-10-14 07:22:47 UTC Artifacts will be uploaded here
⚪ 2025-10-14 07:27:07 UTC ya make is running...
⚫ 2025-10-14 07:33:28 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 07:35:29 UTC Pre-commit check linux-x86_64-relwithdebinfo for 3e06c98 has started.
⚪ 2025-10-14 07:36:37 UTC Artifacts will be uploaded here
⚪ 2025-10-14 07:41:23 UTC ya make is running...
⚫ 2025-10-14 08:00:38 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 07:37:52 UTC Pre-commit check linux-x86_64-release-asan for 3e06c98 has started.
⚪ 2025-10-14 07:38:07 UTC Artifacts will be uploaded here
⚪ 2025-10-14 07:42:28 UTC ya make is running...
⚫ 2025-10-14 08:00:40 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 08:01:15 UTC Pre-commit check linux-x86_64-relwithdebinfo for 2f023c1 has started.
⚪ 2025-10-14 08:01:30 UTC Artifacts will be uploaded here
⚪ 2025-10-14 08:05:42 UTC ya make is running...
⚫ 2025-10-14 08:15:57 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 08:04:53 UTC Pre-commit check linux-x86_64-release-asan for 2f023c1 has started.
⚪ 2025-10-14 08:05:06 UTC Artifacts will be uploaded here
⚪ 2025-10-14 08:09:16 UTC ya make is running...
⚫ 2025-10-14 08:15:59 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 08:18:56 UTC Pre-commit check linux-x86_64-relwithdebinfo for 9b5da89 has started.
⚪ 2025-10-14 08:19:09 UTC Artifacts will be uploaded here
⚫ 2025-10-14 08:21:35 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 08:19:19 UTC Pre-commit check linux-x86_64-release-asan for 9b5da89 has started.
⚪ 2025-10-14 08:19:34 UTC Artifacts will be uploaded here
⚫ 2025-10-14 08:21:35 UTC Check cancelled

[github-actions]

⚪ 2025-10-14 08:23:06 UTC Pre-commit check linux-x86_64-relwithdebinfo for 0d949ef has started.
⚪ 2025-10-14 08:23:12 UTC Artifacts will be uploaded here
⚪ 2025-10-14 08:27:23 UTC ya make is running...

[github-actions]

⚪ 2025-10-14 08:26:04 UTC Pre-commit check linux-x86_64-release-asan for 0d949ef has started.
⚪ 2025-10-14 08:26:17 UTC Artifacts will be uploaded here
⚪ 2025-10-14 08:30:24 UTC ya make is running...
🟡 2025-10-14 11:17:25 UTC Some tests failed, follow the links below. This fail is not in blocking policy yet

Ya make output | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
17962	17492	0	187	264	19

🟢 2025-10-14 11:17:32 UTC Build successful.
🟡 2025-10-14 11:17:57 UTC ydbd size 3.8 GiB changed* by +177.5 KiB, which is >= 100.0 KiB vs main: Warning

ydbd size dash	main: 8d21141	merge: 0d949ef	diff	diff %
ydbd size	4 028 989 704 Bytes	4 029 171 504 Bytes	+177.5 KiB	+0.005%
ydbd stripped size	1 496 756 480 Bytes	1 496 815 552 Bytes	+57.7 KiB	+0.004%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}

[github-actions]

⚪ 2025-10-14 11:28:30 UTC Pre-commit check linux-x86_64-release-asan for 6202571 has started.
⚪ 2025-10-14 11:28:43 UTC Artifacts will be uploaded here
⚪ 2025-10-14 11:32:54 UTC ya make is running...
🟡 2025-10-14 13:45:43 UTC Some tests failed, follow the links below. This fail is not in blocking policy yet

Ya make output | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
17976	17470	0	220	271	15

🟢 2025-10-14 13:45:50 UTC Build successful.
🟡 2025-10-14 13:46:16 UTC ydbd size 3.8 GiB changed* by +181.6 KiB, which is >= 100.0 KiB vs main: Warning

ydbd size dash	main: 10a225c	merge: 6202571	diff	diff %
ydbd size	4 031 470 192 Bytes	4 031 656 200 Bytes	+181.6 KiB	+0.005%
ydbd stripped size	1 497 304 704 Bytes	1 497 368 000 Bytes	+61.8 KiB	+0.004%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}

[github-actions]

⚪ 2025-10-14 11:28:41 UTC Pre-commit check linux-x86_64-relwithdebinfo for 6202571 has started.
⚪ 2025-10-14 11:28:55 UTC Artifacts will be uploaded here
⚪ 2025-10-14 11:33:06 UTC ya make is running...
🟡 2025-10-14 13:16:32 UTC Some tests failed, follow the links below. Going to retry failed tests...

Ya make output | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
41163	38368	0	26	2744	25

⚪ 2025-10-14 13:16:42 UTC ya make is running... (failed tests rerun, try 2)
🟡 2025-10-14 13:41:25 UTC Some tests failed, follow the links below. Going to retry failed tests...

Ya make output | Test bloat | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
887 (only retried tests)	840	0	21	0	26

⚪ 2025-10-14 13:41:27 UTC ya make is running... (failed tests rerun, try 3)
🔴 2025-10-14 13:55:51 UTC Some tests failed, follow the links below.

Ya make output | Test bloat | Test bloat | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
500 (only retried tests)	458	0	20	0	22

🟢 2025-10-14 13:55:54 UTC Build successful.
🟢 2025-10-14 13:56:15 UTC ydbd size 2.3 GiB changed* by +96.6 KiB, which is < 100.0 KiB vs main: OK

ydbd size dash	main: 33eec4f	merge: 6202571	diff	diff %
ydbd size	2 423 187 176 Bytes	2 423 286 128 Bytes	+96.6 KiB	+0.004%
ydbd stripped size	515 834 952 Bytes	515 850 568 Bytes	+15.2 KiB	+0.003%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}

[github-actions]

⚪ 2025-10-15 10:48:52 UTC Pre-commit check linux-x86_64-relwithdebinfo for 5c36e73 has started.
⚪ 2025-10-15 10:49:19 UTC Artifacts will be uploaded here
⚪ 2025-10-15 10:53:58 UTC ya make is running...
🟡 2025-10-15 13:05:36 UTC Some tests failed, follow the links below. Going to retry failed tests...

Ya make output | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
41220	38442	0	2	2746	30

⚪ 2025-10-15 13:05:47 UTC ya make is running... (failed tests rerun, try 2)
🟢 2025-10-15 13:22:06 UTC Tests successful.

Ya make output | Test bloat | Test bloat

TESTS	PASSED	ERRORS	FAILED	SKIPPED	MUTED?
764 (only retried tests)	743	0	0	0	21

🟢 2025-10-15 13:22:09 UTC Build successful.
🟢 2025-10-15 13:22:26 UTC ydbd size 2.3 GiB changed* by +93.3 KiB, which is < 100.0 KiB vs main: OK

ydbd size dash	main: 6a97bc6	merge: 5c36e73	diff	diff %
ydbd size	2 423 994 432 Bytes	2 424 089 960 Bytes	+93.3 KiB	+0.004%
ydbd stripped size	515 998 440 Bytes	516 013 480 Bytes	+14.7 KiB	+0.003%

^{*please be aware that the difference is based on comparing your commit and the last completed build from the post-commit, check comparation}

[github-actions]

⚪ 2025-10-15 10:54:12 UTC Pre-commit check linux-x86_64-release-asan for 5c36e73 has started.
⚪ 2025-10-15 10:54:54 UTC Artifacts will be uploaded here
⚪ 2025-10-15 10:59:47 UTC ya make is running...