milvus-io
/
milvus
mirror of https://github.com/milvus-io/milvus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Hide the password info when failing to authorize (#28428) (#28480) 

/kind improvement

Signed-off-by: SimFG <bang.fu@zilliz.com>
pull/28913/head
SimFG 2023-11-16 15:49:35 +08:00 committed by GitHub
parent f2e972abb3
commit 0b6235a1f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/core/conanfile.py
View File

@ -4,7 +4,7 @@ from conans import ConanFile
class MilvusConan(ConanFile):
settings = "os", "compiler", "build_type", "arch"
requires = (
"rocksdb/6.29.5",
"rocksdb/6.29.5@milvus/dev",
"boost/1.82.0",
"onetbb/2021.7.0",
"nlohmann_json/3.11.2",

13
internal/proxy/authentication_interceptor.go
View File

@ -6,7 +6,9 @@ import (
"strings"
"go.uber.org/zap"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
"github.com/milvus-io/milvus/pkg/log"
"github.com/milvus-io/milvus/pkg/metrics"
@ -60,7 +62,7 @@ func AuthenticationInterceptor(ctx context.Context) (context.Context, error) {
if len(authStrArr) < 1 {
log.Warn("key not found in header")
return nil, merr.WrapErrParameterInvalidMsg("missing authorization in header")
return nil, status.Error(codes.Unauthenticated, "missing authorization in header")
}
// token format: base64<username:password>
@ -69,14 +71,14 @@ func AuthenticationInterceptor(ctx context.Context) (context.Context, error) {
rawToken, err := crypto.Base64Decode(token)
if err != nil {
log.Warn("fail to decode the token", zap.Error(err))
return nil, merr.WrapErrParameterInvalidMsg("invalid token format")
return nil, status.Error(codes.Unauthenticated, "invalid token format")
}
if !strings.Contains(rawToken, util.CredentialSeperator) {
user, err := VerifyAPIKey(rawToken)
if err != nil {
log.Warn("fail to verify apikey", zap.Error(err))
return nil, err
return nil, status.Error(codes.Unauthenticated, "auth check failure, please check api key is correct")
}
metrics.UserRPCCounter.WithLabelValues(user).Inc()
userToken := fmt.Sprintf("%s%s%s", user, util.CredentialSeperator, "___")
@ -86,8 +88,9 @@ func AuthenticationInterceptor(ctx context.Context) (context.Context, error) {
// username+password authentication
username, password := parseMD(rawToken)
if !passwordVerify(ctx, username, password, globalMetaCache) {
msg := fmt.Sprintf("username: %s, password: %s", username, password)
return nil, merr.WrapErrParameterInvalid("vaild username and password", msg, "auth check failure, please check username and password are correct")
log.Warn("fail to verify password", zap.String("username", username))
// NOTE: don't use the merr, because it will cause the wrong retry behavior in the sdk
return nil, status.Error(codes.Unauthenticated, "auth check failure, please check username and password are correct")
}
metrics.UserRPCCounter.WithLabelValues(username).Inc()
}