ydb-platform
diff --git a/‎ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp
Lines changed: 94 additions & 1 deletion b/‎ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp
Lines changed: 94 additions & 1 deletion
@@ -1172,7 +1172,7 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
                 Value String,
                 PRIMARY KEY (Key)
             )
-            )") 
+            )")
             + (СolumnTable ? TString("WITH (STORE = COLUMN)") : "");
             auto result = session.ExecuteSchemeQuery(query).GetValueSync();
             UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
@@ -4850,6 +4850,99 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
         }
     }
 
+    Y_UNIT_TEST(ModifySysViewDirPermissions) {
+        NKikimrConfig::TFeatureFlags featureFlags;
+        featureFlags.SetEnableRealSystemViewPaths(true);
+        TKikimrRunner kikimr(featureFlags, "root@builtin");
+
+        auto userSchemeClient = kikimr.GetSchemeClient();
+        auto db = kikimr.GetTableClient();
+        auto session = db.CreateSession().GetValueSync().GetSession();
+
+        {
+            auto result = userSchemeClient.ListDirectory("/Root/.sys").GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL(result.GetStatus(), EStatus::UNAUTHORIZED);
+            UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(), "Access denied",
+                result.GetIssues().ToString()
+            );
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT DESCRIBE SCHEMA ON `/Root/.sys` TO `root@builtin`;
+                )";
+            auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+            CheckPermissions(session, {
+                                            {.Path = "/Root/.sys",
+                                                .Permissions = {
+                                                    {"root@builtin", {"ydb.granular.describe_schema"}}
+                                                }
+                                            },
+                                        });
+        }
+        {
+            auto result = userSchemeClient.ListDirectory("/Root/.sys").GetValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT ALTER SCHEMA ON `/Root/.sys` TO `root@builtin`;
+                )";
+            auto result = session.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+            CheckPermissions(session, {{.Path = "/Root/.sys",
+                                        .Permissions = {
+                                            {"root@builtin", {"ydb.granular.describe_schema",
+                                                              "ydb.granular.alter_schema"}}
+                                            }
+                                        }});
+        }
+    }
+
+    Y_UNIT_TEST(ModifySysViewPermissions) {
+        NKikimrConfig::TFeatureFlags featureFlags;
+        featureFlags.SetEnableRealSystemViewPaths(true);
+        TKikimrRunner kikimr(featureFlags, "root@builtin");
+
+        auto userSchemeClient = kikimr.GetSchemeClient();
+        auto db = kikimr.GetTableClient();
+        auto userSession = db.CreateSession().GetValueSync().GetSession();
+        auto querySelect = TStringBuilder() << R"(
+            --!syntax_v1
+            SELECT * FROM `/Root/.sys/partition_stats`;
+            )";
+
+        {
+            auto result = userSession.ExecuteDataQuery(querySelect, TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_VALUES_EQUAL(result.GetStatus(), EStatus::SCHEME_ERROR);
+            UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(),
+                "it does not exist or you do not have access permissions",
+                result.GetIssues().ToString()
+            );
+        }
+        {
+            auto query = TStringBuilder() << R"(
+                --!syntax_v1
+                GRANT SELECT ON `/Root/.sys/partition_stats` TO `root@builtin`;
+                )";
+            auto result = userSession.ExecuteSchemeQuery(query).GetValueSync();
+            UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::SUCCESS, result.GetIssues().ToString());
+            CheckPermissions(userSession, {
+                                            {.Path = "/Root/.sys/partition_stats",
+                                                .Permissions = {
+                                                    {"root@builtin", {"ydb.generic.read"}}
+                                                }
+                                            },
+                                        });
+        }
+        {
+            auto result = userSession.ExecuteDataQuery(querySelect, TTxControl::BeginTx().CommitTx()).ExtractValueSync();
+            UNIT_ASSERT_C(result.IsSuccess(), result.GetIssues().ToString());
+        }
+    }
+
     Y_UNIT_TEST(ModifyUnknownPermissions) {
         TKikimrRunner kikimr;
         auto db = kikimr.GetTableClient();