Add the superuser config (#21090)

Signed-off-by: SimFG <bang.fu@zilliz.com> Signed-off-by: SimFG <bang.fu@zilliz.com>
2022-12-09 16:13:20 +08:00 · 2022-12-09 16:13:20 +08:00 · 4a5c282b62
parent d67db2ed9b
commit 4a5c282b62
5 changed files with 39 additions and 0 deletions
--- a/configs/milvus.yaml
+++ b/configs/milvus.yaml
@ -403,6 +403,10 @@ common:

  security:
    authorizationEnabled: false
+    # The superusers will ignore some system check processes,
+    # like the old password verification when updating the credential
+    superUsers:
+      - "root"
    # tls mode values [0, 1, 2]
    # 0 is close, 1 is one-way authentication, 2 is two-way authentication.
    tlsMode: 0
--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
@ -2237,6 +2237,12 @@ func TestProxy(t *testing.T) {
 	wg.Add(1)
 	t.Run("credential UPDATE api", func(t *testing.T) {
 		defer wg.Done()
+		rootCtx := ctx
+		fooCtx := GetContext(context.Background(), "foo:123456")
+		ctx = fooCtx
+		defer func() {
+			ctx = rootCtx
+		}()

 		// 2. update credential
 		newPassword := "new_password"
@ -2288,6 +2294,13 @@ func TestProxy(t *testing.T) {
 		updateResp, err = proxy.UpdateCredential(ctx, updateCredentialReq)
 		assert.NoError(t, err)
 		assert.NotEqual(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
+
+		// super user
+		updateCredentialReq.OldPassword = crypto.Base64Encode("wrong_password")
+		updateCredentialReq.NewPassword = crypto.Base64Encode(newPassword)
+		updateResp, err = proxy.UpdateCredential(rootCtx, updateCredentialReq)
+		assert.NoError(t, err)
+		assert.Equal(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
 	})

 	wg.Add(1)
--- a/internal/proxy/util.go
+++ b/internal/proxy/util.go
@ -728,6 +728,15 @@ func passwordVerify(ctx context.Context, username, rawPwd string, globalMetaCach
 		return false
 	}

+	if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" {
+		log.Debug("simfg password", zap.Strings("super users", Params.CommonCfg.SuperUsers.GetAsStrings()))
+		for _, s := range Params.CommonCfg.SuperUsers.GetAsStrings() {
+			if s == currentUser {
+				return true
+			}
+		}
+	}
+
 	// hit cache
 	sha256Pwd := crypto.SHA256(rawPwd, credInfo.Username)
 	if credInfo.Sha256Password != "" {
--- a/internal/util/paramtable/component_param.go
+++ b/internal/util/paramtable/component_param.go
@ -149,6 +149,7 @@ type commonConfig struct {
 	SimdType    ParamItem

 	AuthorizationEnabled ParamItem
+	SuperUsers           ParamItem

 	ClusterName ParamItem

@ -452,6 +453,12 @@ func (p *commonConfig) init(base *BaseTable) {
 	}
 	p.AuthorizationEnabled.Init(base.mgr)

+	p.SuperUsers = ParamItem{
+		Key:     "common.security.superUsers",
+		Version: "2.2.1",
+	}
+	p.SuperUsers.Init(base.mgr)
+
 	p.ClusterName = ParamItem{
 		Key:          "common.cluster.name",
 		Version:      "2.0.0",
--- a/internal/util/paramtable/component_param_test.go
+++ b/internal/util/paramtable/component_param_test.go
@ -124,6 +124,12 @@ func TestComponentParam(t *testing.T) {
 		t.Logf("default session TTL time = %d", Params.SessionTTL.GetAsInt64())
 		assert.Equal(t, Params.SessionRetryTimes.GetAsInt64(), int64(DefaultSessionRetryTimes))
 		t.Logf("default session retry times = %d", Params.SessionRetryTimes.GetAsInt64())
+
+		params.Save("common.security.superUsers", "super1,super2,super3")
+		assert.Equal(t, []string{"super1", "super2", "super3"}, Params.SuperUsers.GetAsStrings())
+
+		params.Save("common.security.superUsers", "")
+		assert.Equal(t, []string{""}, Params.SuperUsers.GetAsStrings())
 	})

 	t.Run("test rootCoordConfig", func(t *testing.T) {