Add the superuser config (#21090)

Signed-off-by: SimFG <bang.fu@zilliz.com> Signed-off-by: SimFG <bang.fu@zilliz.com>
2022-12-09 16:13:20 +08:00 · 2022-12-09 16:13:20 +08:00 · 4a5c282b62
parent d67db2ed9b
commit 4a5c282b62
5 changed files with 39 additions and 0 deletions
--- a/configs/milvus.yaml
+++ b/configs/milvus.yaml
@ -403,6 +403,10 @@ common:
  security:
    authorizationEnabled: false
    # The superusers will ignore some system check processes,
    # like the old password verification when updating the credential
    superUsers:
      - "root"
    # tls mode values [0, 1, 2]
    # 0 is close, 1 is one-way authentication, 2 is two-way authentication.
    tlsMode: 0
--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
@ -2237,6 +2237,12 @@ func TestProxy(t *testing.T) {
 	wg.Add(1)
 	t.Run("credential UPDATE api", func(t *testing.T) {
 		defer wg.Done()
 		rootCtx := ctx
 		fooCtx := GetContext(context.Background(), "foo:123456")
 		ctx = fooCtx
 		defer func() {
 			ctx = rootCtx
 		}()
 		// 2. update credential
 		newPassword := "new_password"
@ -2288,6 +2294,13 @@ func TestProxy(t *testing.T) {
 		updateResp, err = proxy.UpdateCredential(ctx, updateCredentialReq)
 		assert.NoError(t, err)
 		assert.NotEqual(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
 		// super user
 		updateCredentialReq.OldPassword = crypto.Base64Encode("wrong_password")
 		updateCredentialReq.NewPassword = crypto.Base64Encode(newPassword)
 		updateResp, err = proxy.UpdateCredential(rootCtx, updateCredentialReq)
 		assert.NoError(t, err)
 		assert.Equal(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
 	})
 	wg.Add(1)
--- a/internal/proxy/util.go
+++ b/internal/proxy/util.go
@ -728,6 +728,15 @@ func passwordVerify(ctx context.Context, username, rawPwd string, globalMetaCach
 		return false
 	}
 	if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" {
 		log.Debug("simfg password", zap.Strings("super users", Params.CommonCfg.SuperUsers.GetAsStrings()))
 		for _, s := range Params.CommonCfg.SuperUsers.GetAsStrings() {
 			if s == currentUser {
 				return true
 			}
 		}
 	}
 	// hit cache
 	sha256Pwd := crypto.SHA256(rawPwd, credInfo.Username)
 	if credInfo.Sha256Password != "" {
--- a/internal/util/paramtable/component_param.go
+++ b/internal/util/paramtable/component_param.go
@ -149,6 +149,7 @@ type commonConfig struct {
 	SimdType    ParamItem
 	AuthorizationEnabled ParamItem
 	SuperUsers           ParamItem
 	ClusterName ParamItem
@ -452,6 +453,12 @@ func (p *commonConfig) init(base *BaseTable) {
 	}
 	p.AuthorizationEnabled.Init(base.mgr)
 	p.SuperUsers = ParamItem{
 		Key:     "common.security.superUsers",
 		Version: "2.2.1",
 	}
 	p.SuperUsers.Init(base.mgr)
 	p.ClusterName = ParamItem{
 		Key:          "common.cluster.name",
 		Version:      "2.0.0",
--- a/internal/util/paramtable/component_param_test.go
+++ b/internal/util/paramtable/component_param_test.go
@ -124,6 +124,12 @@ func TestComponentParam(t *testing.T) {
 		t.Logf("default session TTL time = %d", Params.SessionTTL.GetAsInt64())
 		assert.Equal(t, Params.SessionRetryTimes.GetAsInt64(), int64(DefaultSessionRetryTimes))
 		t.Logf("default session retry times = %d", Params.SessionRetryTimes.GetAsInt64())
 		params.Save("common.security.superUsers", "super1,super2,super3")
 		assert.Equal(t, []string{"super1", "super2", "super3"}, Params.SuperUsers.GetAsStrings())
 		params.Save("common.security.superUsers", "")
 		assert.Equal(t, []string{""}, Params.SuperUsers.GetAsStrings())
 	})
 	t.Run("test rootCoordConfig", func(t *testing.T) {