mirror of https://github.com/milvus-io/milvus.git
Add the superuser config (#21090)
Signed-off-by: SimFG <bang.fu@zilliz.com> Signed-off-by: SimFG <bang.fu@zilliz.com>pull/21042/head
parent
d67db2ed9b
commit
4a5c282b62
|
@ -403,6 +403,10 @@ common:
|
|||
|
||||
security:
|
||||
authorizationEnabled: false
|
||||
# The superusers will ignore some system check processes,
|
||||
# like the old password verification when updating the credential
|
||||
superUsers:
|
||||
- "root"
|
||||
# tls mode values [0, 1, 2]
|
||||
# 0 is close, 1 is one-way authentication, 2 is two-way authentication.
|
||||
tlsMode: 0
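Review bot: The comment above `superUsers` says these users "ignore some system check processes", which does not tell an operator what listing a name actually grants. The only effect visible in this commit is that `passwordVerify` returns true for a listed user without checking the password, so I would say that directly, e.g. `# Users listed here skip old-password verification when updating a credential.` Because `root` is listed by default, the exemption is active on a stock configuration, which is worth stating in the same comment.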
|
||||
|
|
|
@ -2237,6 +2237,12 @@ func TestProxy(t *testing.T) {
|
|||
wg.Add(1)
|
||||
t.Run("credential UPDATE api", func(t *testing.T) {
|
||||
defer wg.Done()
|
||||
rootCtx := ctx
|
||||
fooCtx := GetContext(context.Background(), "foo:123456")
|
||||
ctx = fooCtx
|
||||
defer func() {
|
||||
ctx = rootCtx
|
||||
}()
|
||||
|
||||
// 2. update credential
|
||||
newPassword := "new_password"
|
||||
|
@ -2288,6 +2294,13 @@ func TestProxy(t *testing.T) {
|
|||
updateResp, err = proxy.UpdateCredential(ctx, updateCredentialReq)
|
||||
assert.NoError(t, err)
|
||||
assert.NotEqual(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
|
||||
|
||||
// super user
|
||||
updateCredentialReq.OldPassword = crypto.Base64Encode("wrong_password")
|
||||
updateCredentialReq.NewPassword = crypto.Base64Encode(newPassword)
|
||||
updateResp, err = proxy.UpdateCredential(rootCtx, updateCredentialReq)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
|
||||
})
|
||||
|
||||
wg.Add(1)
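Review bot: The subtest swaps the shared `ctx` to `fooCtx` and restores it in a defer, so each call in the closure depends on which identity `ctx` holds at that moment; passing `fooCtx` and `rootCtx` explicitly, as the new superuser call already does, would make the caller of each request visible. The superuser case only pins the positive path. A companion case that sends the same wrong old password after `root` has been removed from the superuser list, and expects a non-success code, would pin that the exemption follows the configuration rather than the name. TestProxy starts and ends outside these hunks, so what credentials the outer `ctx` carries is not visible here.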
|
||||
|
|
|
@ -728,6 +728,15 @@ func passwordVerify(ctx context.Context, username, rawPwd string, globalMetaCach
|
|||
return false
|
||||
}
|
||||
|
||||
if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" {
|
||||
log.Debug("simfg password", zap.Strings("super users", Params.CommonCfg.SuperUsers.GetAsStrings()))
|
||||
for _, s := range Params.CommonCfg.SuperUsers.GetAsStrings() {
|
||||
if s == currentUser {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// hit cache
|
||||
sha256Pwd := crypto.SHA256(rawPwd, credInfo.Username)
|
||||
if credInfo.Sha256Password != "" {
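Review bot: The superuser branch added to `passwordVerify` returns true before `rawPwd` is ever compared with the stored hash, and it keys only on the name returned by `GetCurUserFromContext(ctx)`, whose error is discarded. `passwordVerify` starts outside this hunk and its callers are not visible, so if it is also used where requests are first authenticated (the test builds contexts from a `user:password` string, which suggests the name comes from the client's own credential), a wrong password would be accepted for any configured superuser name. I would keep `passwordVerify` a pure hash comparison and apply the exemption in the UpdateCredential handler, after the caller has been authenticated, and only to the old-password check. The `log.Debug("simfg password", ...)` line looks like leftover debugging and should be removed or given a descriptive message.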
|
||||
|
|
|
@ -149,6 +149,7 @@ type commonConfig struct {
|
|||
SimdType ParamItem
|
||||
|
||||
AuthorizationEnabled ParamItem
|
||||
SuperUsers ParamItem
|
||||
|
||||
ClusterName ParamItem
|
||||
|
||||
|
@ -452,6 +453,12 @@ func (p *commonConfig) init(base *BaseTable) {
|
|||
}
|
||||
p.AuthorizationEnabled.Init(base.mgr)
|
||||
|
||||
p.SuperUsers = ParamItem{
|
||||
Key: "common.security.superUsers",
|
||||
Version: "2.2.1",
|
||||
}
|
||||
p.SuperUsers.Init(base.mgr)
|
||||
|
||||
p.ClusterName = ParamItem{
|
||||
Key: "common.cluster.name",
|
||||
Version: "2.0.0",
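Review bot: `SuperUsers` is initialised with only `Key` and `Version`, so an empty value reaches consumers as a one-element list holding the empty string (the test in this commit asserts `[]string{""}`). The one consumer visible here is protected by its `currentUser != ""` guard, but any later caller that compares a name against the list without that guard would treat an empty user name as a superuser. I would drop empty entries where the list is read, and add a field comment such as `// SuperUsers lists accounts exempt from old-password verification.` The `init` function continues outside the hunk.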
|
||||
|
|
|
@ -124,6 +124,12 @@ func TestComponentParam(t *testing.T) {
|
|||
t.Logf("default session TTL time = %d", Params.SessionTTL.GetAsInt64())
|
||||
assert.Equal(t, Params.SessionRetryTimes.GetAsInt64(), int64(DefaultSessionRetryTimes))
|
||||
t.Logf("default session retry times = %d", Params.SessionRetryTimes.GetAsInt64())
|
||||
|
||||
params.Save("common.security.superUsers", "super1,super2,super3")
|
||||
assert.Equal(t, []string{"super1", "super2", "super3"}, Params.SuperUsers.GetAsStrings())
|
||||
|
||||
params.Save("common.security.superUsers", "")
|
||||
assert.Equal(t, []string{""}, Params.SuperUsers.GetAsStrings())
|
||||
})
|
||||
|
||||
t.Run("test rootCoordConfig", func(t *testing.T) {
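Review bot: The new assertions only exercise a comma-joined string, while the shipped configuration writes the value as a YAML sequence (`- "root"`); how that form reaches `GetAsStrings()` is not shown, so a case that loads it would be worth adding. A value with spaces after the commas, e.g. `"super1, super2"`, is also untested, and whether entries are trimmed decides whether the second name ever matches. The enclosing subtest begins outside the hunk.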
|
||||
|
|