enhance: [GoSDK] add operate privilege & privilege group API (#38141)

related issue: https://github.com/milvus-io/milvus/issues/37031 Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
2024-12-03 18:32:40 +08:00 · 2024-12-03 18:32:40 +08:00 · 6f1b1ad78b
parent 4537e2cc46
commit 6f1b1ad78b
4 changed files with 499 additions and 0 deletions
--- a/client/entity/privilege_group.go
+++ b/client/entity/privilege_group.go
@ -0,0 +1,23 @@
+// Licensed to the LF AI & Data foundation under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package entity
+
+// PrivilegeGroup is the entity model for custom privilege group.
+type PrivilegeGroup struct {
+	GroupName  string
+	Privileges []string
+}
--- a/client/milvusclient/rbac.go
+++ b/client/milvusclient/rbac.go
@ -0,0 +1,96 @@
+// Licensed to the LF AI & Data foundation under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package milvusclient
+
+import (
+	"context"
+
+	"github.com/samber/lo"
+	"google.golang.org/grpc"
+
+	"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
+	"github.com/milvus-io/milvus/client/v2/entity"
+	"github.com/milvus-io/milvus/pkg/util/merr"
+)
+
+func (c *Client) GrantV2(ctx context.Context, option GrantV2Option, callOptions ...grpc.CallOption) error {
+	req := option.Request()
+
+	return c.callService(func(milvusService milvuspb.MilvusServiceClient) error {
+		resp, err := milvusService.OperatePrivilegeV2(ctx, req, callOptions...)
+		return merr.CheckRPCCall(resp, err)
+	})
+}
+
+func (c *Client) RevokeV2(ctx context.Context, option RevokeV2Option, callOptions ...grpc.CallOption) error {
+	req := option.Request()
+
+	return c.callService(func(milvusService milvuspb.MilvusServiceClient) error {
+		resp, err := milvusService.OperatePrivilegeV2(ctx, req, callOptions...)
+		return merr.CheckRPCCall(resp, err)
+	})
+}
+
+func (c *Client) CreatePrivilegeGroup(ctx context.Context, option CreatePrivilegeGroupOption, callOptions ...grpc.CallOption) error {
+	req := option.Request()
+
+	return c.callService(func(milvusService milvuspb.MilvusServiceClient) error {
+		resp, err := milvusService.CreatePrivilegeGroup(ctx, req, callOptions...)
+		return merr.CheckRPCCall(resp, err)
+	})
+}
+
+func (c *Client) DropPrivilegeGroup(ctx context.Context, option DropPrivilegeGroupOption, callOptions ...grpc.CallOption) error {
+	req := option.Request()
+
+	return c.callService(func(milvusService milvuspb.MilvusServiceClient) error {
+		resp, err := milvusService.DropPrivilegeGroup(ctx, req, callOptions...)
+		return merr.CheckRPCCall(resp, err)
+	})
+}
+
+func (c *Client) ListPrivilegeGroups(ctx context.Context, option ListPrivilegeGroupsOption, callOptions ...grpc.CallOption) ([]*entity.PrivilegeGroup, error) {
+	req := option.Request()
+
+	var privilegeGroups []*entity.PrivilegeGroup
+	err := c.callService(func(milvusService milvuspb.MilvusServiceClient) error {
+		r, err := milvusService.ListPrivilegeGroups(ctx, req, callOptions...)
+		if err != nil {
+			return err
+		}
+		for _, pg := range r.PrivilegeGroups {
+			privileges := lo.Map(pg.Privileges, func(p *milvuspb.PrivilegeEntity, _ int) string {
+				return p.Name
+			})
+			privilegeGroups = append(privilegeGroups, &entity.PrivilegeGroup{
+				GroupName:  pg.GroupName,
+				Privileges: privileges,
+			})
+		}
+		return nil
+	})
+	return privilegeGroups, err
+}
+
+func (c *Client) OperatePrivilegeGroup(ctx context.Context, option OperatePrivilegeGroupOption, callOptions ...grpc.CallOption) error {
+	req := option.Request()
+
+	return c.callService(func(milvusService milvuspb.MilvusServiceClient) error {
+		resp, err := milvusService.OperatePrivilegeGroup(ctx, req, callOptions...)
+		return merr.CheckRPCCall(resp, err)
+	})
+}
--- a/client/milvusclient/rbac_options.go
+++ b/client/milvusclient/rbac_options.go
@ -0,0 +1,171 @@
+// Licensed to the LF AI & Data foundation under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package milvusclient
+
+import (
+	"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
+)
+
+// GrantV2Option is the interface builds OperatePrivilegeV2Request
+type GrantV2Option interface {
+	Request() *milvuspb.OperatePrivilegeV2Request
+}
+
+type grantV2Option struct {
+	roleName       string
+	privilegeName  string
+	dbName         string
+	collectionName string
+}
+
+func (opt *grantV2Option) Request() *milvuspb.OperatePrivilegeV2Request {
+	return &milvuspb.OperatePrivilegeV2Request{
+		Role: &milvuspb.RoleEntity{Name: opt.roleName},
+		Grantor: &milvuspb.GrantorEntity{
+			Privilege: &milvuspb.PrivilegeEntity{Name: opt.privilegeName},
+		},
+		Type:           milvuspb.OperatePrivilegeType_Grant,
+		DbName:         opt.dbName,
+		CollectionName: opt.collectionName,
+	}
+}
+
+func NewGrantV2Option(roleName, privilegeName, dbName, collectionName string) *grantV2Option {
+	return &grantV2Option{
+		roleName:       roleName,
+		privilegeName:  privilegeName,
+		dbName:         dbName,
+		collectionName: collectionName,
+	}
+}
+
+// RevokeV2Option is the interface builds OperatePrivilegeV2Request
+type RevokeV2Option interface {
+	Request() *milvuspb.OperatePrivilegeV2Request
+}
+
+type revokeV2Option struct {
+	roleName       string
+	privilegeName  string
+	dbName         string
+	collectionName string
+}
+
+func (opt *revokeV2Option) Request() *milvuspb.OperatePrivilegeV2Request {
+	return &milvuspb.OperatePrivilegeV2Request{
+		Role: &milvuspb.RoleEntity{Name: opt.roleName},
+		Grantor: &milvuspb.GrantorEntity{
+			Privilege: &milvuspb.PrivilegeEntity{Name: opt.privilegeName},
+		},
+		Type:           milvuspb.OperatePrivilegeType_Revoke,
+		DbName:         opt.dbName,
+		CollectionName: opt.collectionName,
+	}
+}
+
+func NewRevokeV2Option(roleName, privilegeName, dbName, collectionName string) *revokeV2Option {
+	return &revokeV2Option{
+		roleName:       roleName,
+		privilegeName:  privilegeName,
+		dbName:         dbName,
+		collectionName: collectionName,
+	}
+}
+
+// CreatePrivilegeGroupOption is the interface builds CreatePrivilegeGroupRequest
+type CreatePrivilegeGroupOption interface {
+	Request() *milvuspb.CreatePrivilegeGroupRequest
+}
+
+type createPrivilegeGroupOption struct {
+	groupName string
+}
+
+func (opt *createPrivilegeGroupOption) Request() *milvuspb.CreatePrivilegeGroupRequest {
+	return &milvuspb.CreatePrivilegeGroupRequest{
+		GroupName: opt.groupName,
+	}
+}
+
+func NewCreatePrivilegeGroupOption(groupName string) *createPrivilegeGroupOption {
+	return &createPrivilegeGroupOption{
+		groupName: groupName,
+	}
+}
+
+// DropPrivilegeGroupOption is the interface builds DropPrivilegeGroupRequest
+type DropPrivilegeGroupOption interface {
+	Request() *milvuspb.DropPrivilegeGroupRequest
+}
+
+type dropPrivilegeGroupOption struct {
+	groupName string
+}
+
+func (opt *dropPrivilegeGroupOption) Request() *milvuspb.DropPrivilegeGroupRequest {
+	return &milvuspb.DropPrivilegeGroupRequest{
+		GroupName: opt.groupName,
+	}
+}
+
+func NewDropPrivilegeGroupOption(groupName string) *dropPrivilegeGroupOption {
+	return &dropPrivilegeGroupOption{
+		groupName: groupName,
+	}
+}
+
+// ListPrivilegeGroupsOption is the interface builds ListPrivilegeGroupsRequest
+type ListPrivilegeGroupsOption interface {
+	Request() *milvuspb.ListPrivilegeGroupsRequest
+}
+
+type listPrivilegeGroupsOption struct{}
+
+func (opt *listPrivilegeGroupsOption) Request() *milvuspb.ListPrivilegeGroupsRequest {
+	return &milvuspb.ListPrivilegeGroupsRequest{}
+}
+
+func NewListPrivilegeGroupsOption() *listPrivilegeGroupsOption {
+	return &listPrivilegeGroupsOption{}
+}
+
+// OperatePrivilegeGroupOption is the interface builds OperatePrivilegeGroupRequest
+type OperatePrivilegeGroupOption interface {
+	Request() *milvuspb.OperatePrivilegeGroupRequest
+}
+
+type operatePrivilegeGroupOption struct {
+	groupName   string
+	privileges  []*milvuspb.PrivilegeEntity
+	operateType milvuspb.OperatePrivilegeGroupType
+}
+
+func (opt *operatePrivilegeGroupOption) Request() *milvuspb.OperatePrivilegeGroupRequest {
+	return &milvuspb.OperatePrivilegeGroupRequest{
+		GroupName:  opt.groupName,
+		Privileges: opt.privileges,
+		Type:       opt.operateType,
+	}
+}
+
+func NewOperatePrivilegeGroupOption(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) *operatePrivilegeGroupOption {
+	return &operatePrivilegeGroupOption{
+		groupName:   groupName,
+		privileges:  privileges,
+		operateType: operateType,
+	}
+}
--- a/client/milvusclient/rbac_test.go
+++ b/client/milvusclient/rbac_test.go
@ -0,0 +1,209 @@
+// Licensed to the LF AI & Data foundation under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package milvusclient
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/suite"
+
+	"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
+	"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
+	"github.com/milvus-io/milvus/pkg/util/merr"
+)
+
+type PrivilgeGroupSuite struct {
+	MockSuiteBase
+}
+
+func (s *PrivilgeGroupSuite) TestGrantV2() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	roleName := fmt.Sprintf("test_role_%s", s.randString(6))
+	privilegeName := "Insert"
+	dbName := fmt.Sprintf("test_db_%s", s.randString(6))
+	collectionName := fmt.Sprintf("test_collection_%s", s.randString(6))
+
+	s.Run("success", func() {
+		s.mock.EXPECT().OperatePrivilegeV2(mock.Anything, mock.Anything).RunAndReturn(func(ctx context.Context, r *milvuspb.OperatePrivilegeV2Request) (*commonpb.Status, error) {
+			s.Equal(roleName, r.GetRole().GetName())
+			s.Equal(privilegeName, r.GetGrantor().GetPrivilege().GetName())
+			s.Equal(dbName, r.GetDbName())
+			s.Equal(collectionName, r.GetCollectionName())
+			return merr.Success(), nil
+		}).Once()
+
+		err := s.client.GrantV2(ctx, NewGrantV2Option(roleName, privilegeName, dbName, collectionName))
+		s.NoError(err)
+	})
+
+	s.Run("failure", func() {
+		s.mock.EXPECT().OperatePrivilegeV2(mock.Anything, mock.Anything).Return(nil, merr.WrapErrServiceInternal("mocked")).Once()
+
+		err := s.client.GrantV2(ctx, NewGrantV2Option(roleName, privilegeName, dbName, collectionName))
+		s.Error(err)
+	})
+}
+
+func (s *PrivilgeGroupSuite) TestRevokeV2() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	roleName := fmt.Sprintf("test_role_%s", s.randString(6))
+	privilegeName := "Insert"
+	dbName := fmt.Sprintf("test_db_%s", s.randString(6))
+	collectionName := fmt.Sprintf("test_collection_%s", s.randString(6))
+
+	s.Run("success", func() {
+		s.mock.EXPECT().OperatePrivilegeV2(mock.Anything, mock.Anything).RunAndReturn(func(ctx context.Context, r *milvuspb.OperatePrivilegeV2Request) (*commonpb.Status, error) {
+			s.Equal(roleName, r.GetRole().GetName())
+			s.Equal(privilegeName, r.GetGrantor().GetPrivilege().GetName())
+			s.Equal(dbName, r.GetDbName())
+			s.Equal(collectionName, r.GetCollectionName())
+			return merr.Success(), nil
+		}).Once()
+
+		err := s.client.RevokeV2(ctx, NewRevokeV2Option(roleName, privilegeName, dbName, collectionName))
+		s.NoError(err)
+	})
+
+	s.Run("failure", func() {
+		s.mock.EXPECT().OperatePrivilegeV2(mock.Anything, mock.Anything).Return(nil, merr.WrapErrServiceInternal("mocked")).Once()
+
+		err := s.client.RevokeV2(ctx, NewRevokeV2Option(roleName, privilegeName, dbName, collectionName))
+		s.Error(err)
+	})
+}
+
+func (s *PrivilgeGroupSuite) TestCreatePrivilegeGroup() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	groupName := fmt.Sprintf("test_pg_%s", s.randString(6))
+
+	s.Run("success", func() {
+		s.mock.EXPECT().CreatePrivilegeGroup(mock.Anything, mock.Anything).RunAndReturn(func(ctx context.Context, r *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+			s.Equal(groupName, r.GetGroupName())
+			return merr.Success(), nil
+		}).Once()
+
+		err := s.client.CreatePrivilegeGroup(ctx, NewCreatePrivilegeGroupOption(groupName))
+		s.NoError(err)
+	})
+
+	s.Run("failure", func() {
+		s.mock.EXPECT().CreatePrivilegeGroup(mock.Anything, mock.Anything).Return(nil, merr.WrapErrServiceInternal("mocked")).Once()
+
+		err := s.client.CreatePrivilegeGroup(ctx, NewCreatePrivilegeGroupOption(groupName))
+		s.Error(err)
+	})
+}
+
+func (s *PrivilgeGroupSuite) TestDropPrivilegeGroup() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	groupName := fmt.Sprintf("test_pg_%s", s.randString(6))
+
+	s.Run("success", func() {
+		s.mock.EXPECT().DropPrivilegeGroup(mock.Anything, mock.Anything).RunAndReturn(func(ctx context.Context, r *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+			s.Equal(groupName, r.GetGroupName())
+			return merr.Success(), nil
+		}).Once()
+
+		err := s.client.DropPrivilegeGroup(ctx, NewDropPrivilegeGroupOption(groupName))
+		s.NoError(err)
+	})
+
+	s.Run("failure", func() {
+		s.mock.EXPECT().DropPrivilegeGroup(mock.Anything, mock.Anything).Return(nil, merr.WrapErrServiceInternal("mocked")).Once()
+
+		err := s.client.DropPrivilegeGroup(ctx, NewDropPrivilegeGroupOption(groupName))
+		s.Error(err)
+	})
+}
+
+func (s *PrivilgeGroupSuite) TestListPrivilegeGroups() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	s.Run("success", func() {
+		s.mock.EXPECT().ListPrivilegeGroups(mock.Anything, mock.Anything).RunAndReturn(func(ctx context.Context, r *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+			return &milvuspb.ListPrivilegeGroupsResponse{
+				PrivilegeGroups: []*milvuspb.PrivilegeGroupInfo{
+					{
+						GroupName:  "pg1",
+						Privileges: []*milvuspb.PrivilegeEntity{{Name: "Insert"}, {Name: "Query"}},
+					},
+					{
+						GroupName:  "pg2",
+						Privileges: []*milvuspb.PrivilegeEntity{{Name: "Delete"}, {Name: "Query"}},
+					},
+				},
+			}, nil
+		}).Once()
+
+		pgs, err := s.client.ListPrivilegeGroups(ctx, NewListPrivilegeGroupsOption())
+		s.NoError(err)
+		s.Equal(2, len(pgs))
+		s.Equal("pg1", pgs[0].GroupName)
+		s.Equal([]string{"Insert", "Query"}, pgs[0].Privileges)
+		s.Equal("pg2", pgs[1].GroupName)
+		s.Equal([]string{"Delete", "Query"}, pgs[1].Privileges)
+	})
+
+	s.Run("failure", func() {
+		s.mock.EXPECT().ListPrivilegeGroups(mock.Anything, mock.Anything).Return(nil, merr.WrapErrServiceInternal("mocked")).Once()
+
+		_, err := s.client.ListPrivilegeGroups(ctx, NewListPrivilegeGroupsOption())
+		s.Error(err)
+	})
+}
+
+func (s *PrivilgeGroupSuite) TestOperatePrivilegeGroup() {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	groupName := fmt.Sprintf("test_pg_%s", s.randString(6))
+	privileges := []*milvuspb.PrivilegeEntity{{Name: "Insert"}, {Name: "Query"}}
+	operateType := milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup
+
+	s.Run("success", func() {
+		s.mock.EXPECT().OperatePrivilegeGroup(mock.Anything, mock.Anything).RunAndReturn(func(ctx context.Context, r *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+			s.Equal(groupName, r.GetGroupName())
+			return merr.Success(), nil
+		}).Once()
+
+		err := s.client.OperatePrivilegeGroup(ctx, NewOperatePrivilegeGroupOption(groupName, privileges, operateType))
+		s.NoError(err)
+	})
+
+	s.Run("failure", func() {
+		s.mock.EXPECT().OperatePrivilegeGroup(mock.Anything, mock.Anything).Return(nil, merr.WrapErrServiceInternal("mocked")).Once()
+
+		err := s.client.OperatePrivilegeGroup(ctx, NewOperatePrivilegeGroupOption(groupName, privileges, operateType))
+		s.Error(err)
+	})
+}
+
+func TestPrivilegeGroup(t *testing.T) {
+	suite.Run(t, new(PrivilgeGroupSuite))
+}