There is a bigger issue with init cluster in the operator. We don't use the init_cluster.py script from the ytsaurus repository and probably miss other important parts from it too.
In this ticket I would like to address ACLs for cypress nodes. Let's do @inherit_acl=%false for //sys, //sys/admin, //sys/tokens and //sys/tablet_cells. Let's make reasonable @acl to /, //sys, //sys/query_tracker, etc.
I checked in minikube that sensitive directories have "allow everyone read": //sys, //sys/query_tracker, //sys/tablet_cells. //sys/admin does not exist for some reason.
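An added example (not code from the operator or the ytsaurus repository) of the audit the ticket describes: flag sensitive Cypress nodes that are missing, still inherit ACLs, or end up readable by `everyone`. It assumes a simplified ACL model (ACEs carry only `action`, `subjects`, `permissions`; `inheritance_mode` and group membership are ignored), and the node attributes are constructed sample data.

```python
# Constructed sample of @acl / @inherit_acl attribute values; not from a real cluster.
ALLOW_ALL = {"action": "allow", "subjects": ["everyone"], "permissions": ["read"]}
NODES = {
    "/": {"inherit_acl": True, "acl": [ALLOW_ALL]},
    "//sys": {"inherit_acl": True, "acl": []},
    "//sys/tokens": {"inherit_acl": True, "acl": []},
    "//sys/tablet_cells": {"inherit_acl": False, "acl": [
        {"action": "allow", "subjects": ["admins"], "permissions": ["read", "write"]}]},
    "//sys/query_tracker": {"inherit_acl": True, "acl": [
        {"action": "deny", "subjects": ["everyone"], "permissions": ["read"]}]},
}
SENSITIVE = ["//sys", "//sys/admin", "//sys/tokens", "//sys/tablet_cells"]

def parent(path):
    """Parent of a Cypress path; the root "/" has none."""
    if path == "/":
        return None
    head = path.rsplit("/", 1)[0]
    return "/" if head in ("", "/") else head

def effective_acl(path, nodes):
    """ACEs of the node plus its ancestors, stopping at a node with inherit_acl=false."""
    aces = []
    while path is not None:
        aces.extend(nodes[path]["acl"])
        path = parent(path) if nodes[path]["inherit_acl"] else None
    return aces

def everyone_can_read(path, nodes):
    """True if an allow ACE grants everyone read and no deny ACE overrides it."""
    aces = [a for a in effective_acl(path, nodes)
            if "everyone" in a["subjects"] and "read" in a["permissions"]]
    return (any(a["action"] == "allow" for a in aces)
            and not any(a["action"] == "deny" for a in aces))

def audit(sensitive, nodes):
    """Return (path, problem) pairs for the sensitive paths."""
    findings = []
    for path in sensitive:
        if path not in nodes:
            findings.append((path, "missing"))
            continue
        if nodes[path]["inherit_acl"]:
            findings.append((path, "inherit_acl is true"))
        if everyone_can_read(path, nodes):
            findings.append((path, "everyone can read"))
    return findings

if __name__ == "__main__":
    for path, problem in audit(SENSITIVE, NODES):
        print(f"{path}: {problem}")
```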