Make the rbac error message clearer (#21646)

Signed-off-by: SimFG <bang.fu@zilliz.com>
pull/21694/head
SimFG 2023-01-12 13:55:42 +08:00 committed by GitHub
parent 03ce5c2656
commit 1ac30c7bd8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 15 deletions


@ -409,8 +409,8 @@ common:
authorizationEnabled: false
# The superusers will ignore some system check processes,
# like the old password verification when updating the credential
superUsers:
- "root"
# superUsers:
# - "root"
# tls mode values [0, 1, 2]
# 0 is close, 1 is one-way authentication, 2 is two-way authentication.
tlsMode: 0
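Review bot: Commenting out `superUsers` (assuming the commented form is the new side, since the rendered page lost its +/- markers) changes the shipped default from `root` being a superuser to, presumably, an empty list. Neither the config comment nor the commit title mentions this. The comment above the key says superusers skip checks such as old-password verification when updating a credential, so the effective default belongs next to the key, e.g. `# Default: empty (no superusers). Uncomment only for accounts that must bypass these checks.` Deployments that relied on the previous default would also need a line in the upgrade notes.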


@ -881,7 +881,7 @@ func (mt *MetaTable) CreateRole(tenant string, entity *milvuspb.RoleEntity) erro
return err
}
if len(results) >= Params.ProxyCfg.MaxRoleNum {
errMsg := "unable to add role because the number of roles has reached the limit"
errMsg := "unable to create role because the number of roles has reached the limit"
log.Error(errMsg, zap.Int("max_role_num", Params.ProxyCfg.MaxRoleNum))
return errors.New(errMsg)
}


@ -2012,7 +2012,7 @@ func (c *Core) CreateRole(ctx context.Context, in *milvuspb.CreateRoleRequest) (
if err != nil {
errMsg := "fail to create role"
log.Error(errMsg, zap.Any("in", in), zap.Error(err))
return failStatus(commonpb.ErrorCode_CreateRoleFailure, errMsg), nil
return failStatus(commonpb.ErrorCode_CreateRoleFailure, fmt.Sprintf("%s, error: %s", errMsg, err.Error())), nil
}
logger.Debug(method+" success", zap.String("role_name", entity.Name))
@ -2040,7 +2040,7 @@ func (c *Core) DropRole(ctx context.Context, in *milvuspb.DropRoleRequest) (*com
return errorutil.UnhealthyStatus(code), errorutil.UnhealthyError()
}
if _, err := c.meta.SelectRole(util.DefaultTenant, &milvuspb.RoleEntity{Name: in.RoleName}, false); err != nil {
errMsg := "the role isn't existed"
errMsg := "not found the role, maybe the role isn't existed or internal system error"
log.Error(errMsg, zap.Any("in", in), zap.Error(err))
return failStatus(commonpb.ErrorCode_DropRoleFailure, errMsg), nil
}
@ -2055,7 +2055,7 @@ func (c *Core) DropRole(ctx context.Context, in *milvuspb.DropRoleRequest) (*com
}
roleResults, err := c.meta.SelectRole(util.DefaultTenant, &milvuspb.RoleEntity{Name: in.RoleName}, true)
if err != nil {
errMsg := "fail to select a role by role name"
errMsg := "fail to find the role by role name, maybe the role isn't existed or internal system error"
log.Error(errMsg, zap.Any("in", in), zap.Error(err))
return failStatus(commonpb.ErrorCode_DropRoleFailure, errMsg), nil
}
@ -2109,12 +2109,12 @@ func (c *Core) OperateUserRole(ctx context.Context, in *milvuspb.OperateUserRole
}
if _, err := c.meta.SelectRole(util.DefaultTenant, &milvuspb.RoleEntity{Name: in.RoleName}, false); err != nil {
errMsg := "not found the role: " + in.RoleName
errMsg := "not found the role, maybe the role isn't existed or internal system error"
log.Error(errMsg, zap.Any("in", in), zap.Error(err))
return failStatus(commonpb.ErrorCode_OperateUserRoleFailure, errMsg), nil
}
if _, err := c.meta.SelectUser(util.DefaultTenant, &milvuspb.UserEntity{Name: in.Username}, false); err != nil {
errMsg := "not found the user: " + in.Username
errMsg := "not found the user, maybe the user isn't existed or internal system error"
log.Error(errMsg, zap.Any("in", in), zap.Error(err))
return failStatus(commonpb.ErrorCode_OperateUserRoleFailure, errMsg), nil
}
@ -2256,8 +2256,8 @@ func (c *Core) isValidRole(entity *milvuspb.RoleEntity) error {
return errors.New("the name in the role entity is empty")
}
if _, err := c.meta.SelectRole(util.DefaultTenant, &milvuspb.RoleEntity{Name: entity.Name}, false); err != nil {
log.Warn("fail to select the role", zap.Error(err))
return errors.New("not found the role: " + entity.Name)
log.Warn("fail to select the role", zap.String("role_name", entity.Name), zap.Error(err))
return errors.New("not found the role, maybe the role isn't existed or internal system error")
}
return nil
}
@ -2283,8 +2283,8 @@ func (c *Core) isValidGrantor(entity *milvuspb.GrantorEntity, object string) err
return errors.New("the name in the user entity of the grantor entity is empty")
}
if _, err := c.meta.SelectUser(util.DefaultTenant, &milvuspb.UserEntity{Name: entity.User.Name}, false); err != nil {
log.Warn("fail to select the user", zap.Error(err))
return errors.New("not found the user: " + entity.User.Name)
log.Warn("fail to select the user", zap.String("username", entity.User.Name), zap.Error(err))
return errors.New("not found the user, maybe the user isn't existed or internal system error")
}
if entity.Privilege == nil {
return errors.New("the privilege entity in the grantor entity is nil")
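Review bot: The CreateRole hunk now appends `err.Error()` to the status reason returned to the client, so any error from the role-creation path is exposed verbatim in the API response; that presumably includes meta-store or other internal failures, not only the role-limit message. This runs against the rest of the section, where the other hunks move caller-supplied names out of the returned message and into log fields such as `zap.String("role_name", entity.Name)`. I would keep the raw error in the existing `zap.Error(err)` log field and return detail only for errors known to be meant for the caller, falling back to `failStatus(commonpb.ErrorCode_CreateRoleFailure, errMsg)` otherwise. The call that produces `err` and the rest of CreateRole lie outside the hunk, so which errors can reach this branch should be confirmed there.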


@ -467,9 +467,8 @@ func (p *commonConfig) initEnableAuthorization() {
}
func (p *commonConfig) initSuperUsers() {
users, err := p.Base.Load("common.security.superUsers")
if err != nil {
log.Warn("fail to load common.security.superUsers", zap.Error(err))
users := p.Base.LoadWithDefault("common.security.superUsers", "")
if users == "" {
p.SuperUsers = []string{}
return
}