Add the superuser config (#21611)

Signed-off-by: SimFG <bang.fu@zilliz.com>

configs/milvus.yaml

@@ -407,6 +407,10 @@ common:
 
   security:
     authorizationEnabled: false
+    # The superusers will ignore some system check processes,
+    # like the old password verification when updating the credential
+    superUsers:
+      - "root"
     # tls mode values [0, 1, 2]
     # 0 is close, 1 is one-way authentication, 2 is two-way authentication.
     tlsMode: 0

internal/proxy/proxy_test.go

@@ -2104,6 +2104,15 @@ func TestProxy(t *testing.T) {
 	wg.Add(1)
 	t.Run("credential UPDATE api", func(t *testing.T) {
 		defer wg.Done()
+		rootCtx := ctx
+		fooCtx := GetContext(context.Background(), "foo:123456")
+		ctx = fooCtx
+		originUsers := Params.CommonCfg.SuperUsers
+		Params.CommonCfg.SuperUsers = []string{"root"}
+		defer func() {
+			ctx = rootCtx
+			Params.CommonCfg.SuperUsers = originUsers
+		}()
 
 		// 2. update credential
 		newPassword := "new_password"
@@ -2155,6 +2164,14 @@ func TestProxy(t *testing.T) {
 		updateResp, err = proxy.UpdateCredential(ctx, updateCredentialReq)
 		assert.NoError(t, err)
 		assert.NotEqual(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
+
+		// super user
+		updateCredentialReq.OldPassword = crypto.Base64Encode("wrong_password")
+		updateCredentialReq.NewPassword = crypto.Base64Encode(newPassword)
+		updateResp, err = proxy.UpdateCredential(rootCtx, updateCredentialReq)
+		assert.NoError(t, err)
+		fmt.Println("simfg fubang:", updateResp)
+		assert.Equal(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)
 	})
 
 	wg.Add(1)

internal/proxy/util.go

@@ -724,6 +724,14 @@ func passwordVerify(ctx context.Context, username, rawPwd string, globalMetaCach
 		return false
 	}
 
+	if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" {
+		for _, s := range Params.CommonCfg.SuperUsers {
+			if s == currentUser {
+				return true
+			}
+		}
+	}
+
 	// hit cache
 	sha256Pwd := crypto.SHA256(rawPwd, credInfo.Username)
 	if credInfo.Sha256Password != "" {

internal/util/paramtable/component_param.go

@@ -164,6 +164,7 @@ type commonConfig struct {
 	SimdType    string
 
 	AuthorizationEnabled bool
+	SuperUsers           []string
 
 	ClusterName string
 
@@ -216,6 +217,7 @@ func (p *commonConfig) init(base *BaseTable) {
 	p.initThreadCoreCoefficient()
 
 	p.initEnableAuthorization()
+	p.initSuperUsers()
 
 	p.initClusterName()
 
@@ -464,6 +466,16 @@ func (p *commonConfig) initEnableAuthorization() {
 	p.AuthorizationEnabled = p.Base.ParseBool("common.security.authorizationEnabled", false)
 }
 
+func (p *commonConfig) initSuperUsers() {
+	users, err := p.Base.Load("common.security.superUsers")
+	if err != nil {
+		log.Warn("fail to load common.security.superUsers", zap.Error(err))
+		p.SuperUsers = []string{}
+		return
+	}
+	p.SuperUsers = strings.Split(users, ",")
+}
+
 func (p *commonConfig) initClusterName() {
 	p.ClusterName = p.Base.LoadWithDefault("common.cluster.name", "")
 }

internal/util/paramtable/component_param_test.go

@@ -133,6 +133,17 @@ func TestComponentParam(t *testing.T) {
 		t.Logf("default session TTL time = %d", Params.SessionTTL)
 		assert.Equal(t, Params.SessionRetryTimes, int64(DefaultSessionRetryTimes))
 		t.Logf("default session retry times = %d", Params.SessionRetryTimes)
+
+		Params.Base.Save("common.security.superUsers", "super1,super2,super3")
+		Params.initSuperUsers()
+		assert.Equal(t, []string{"super1", "super2", "super3"}, Params.SuperUsers)
+		Params.Base.Save("common.security.superUsers", "super")
+		Params.initSuperUsers()
+		assert.Equal(t, []string{"super"}, Params.SuperUsers)
+		Params.Base.Remove("common.security.superUsers")
+		Params.initSuperUsers()
+		assert.Equal(t, []string{}, Params.SuperUsers)
+		assert.Equal(t, 0, len(Params.SuperUsers))
 	})
 
 	t.Run("test rootCoordConfig", func(t *testing.T) {