diff --git a/pkg/go.mod b/pkg/go.mod index e147dee50b..2959f9384d 100644 --- a/pkg/go.mod +++ b/pkg/go.mod @@ -14,7 +14,7 @@ require ( github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 github.com/klauspost/compress v1.16.5 github.com/lingdor/stackerror v0.0.0-20191119040541-976d8885ed76 - github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20231220103033-abd0d12ba669 + github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20240109020841-d367b5a59df1 github.com/nats-io/nats-server/v2 v2.9.17 github.com/nats-io/nats.go v1.24.0 github.com/panjf2000/ants/v2 v2.7.2 diff --git a/pkg/go.sum b/pkg/go.sum index 34630a0acd..18b33b9d02 100644 --- a/pkg/go.sum +++ b/pkg/go.sum @@ -213,6 +213,7 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= +github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= 
@@ -419,6 +420,7 @@ github.com/kataras/iris/v12 v12.1.8/go.mod h1:LMYy4VlP67TQ3Zgriz8RE2h2kMZV2SgMYb github.com/kataras/neffos v0.0.14/go.mod h1:8lqADm8PnbeFfL7CLXh1WHw53dG27MC3pgi2R1rmoTE= github.com/kataras/pio v0.0.2/go.mod h1:hAoW0t9UmXi4R5Oyq5Z4irTbaTsOemSrDGUtaTl7Dro= github.com/kataras/sitemap v0.0.5/go.mod h1:KY2eugMKiPwsJgx7+U103YZehfvNGOXURubcGyk0Bz8= +github.com/keybase/go-keychain v0.0.0-20190712205309-48d3d31d256d/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= @@ -482,8 +484,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfr github.com/mediocregopher/radix/v3 v3.4.2/go.mod h1:8FL3F6UQRXHXIBSPUs5h0RybMF8i4n7wVopoX3x7Bv8= github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20231220103033-abd0d12ba669 h1:yUtc+pVKVhmmnwTY9iyV8+EmhrNjZ74Hxm3y5QKCNyg= -github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20231220103033-abd0d12ba669/go.mod h1:1OIl0v5PQeNxIJhCvY+K55CBUOYDZevw9g9380u1Wek= +github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20240109020841-d367b5a59df1 h1:oNpMivd94JAMhdSVsFw8t1b+olXz8pbzd5PES21sth8= +github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20240109020841-d367b5a59df1/go.mod h1:1OIl0v5PQeNxIJhCvY+K55CBUOYDZevw9g9380u1Wek= github.com/milvus-io/pulsar-client-go v0.6.10 h1:eqpJjU+/QX0iIhEo3nhOqMNXL+TyInAs1IAHZCrCM/A= github.com/milvus-io/pulsar-client-go v0.6.10/go.mod h1:lQqCkgwDF8YFYjKA+zOheTk1tev2B+bKj5j7+nm8M1w= github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g= 
diff --git a/pkg/util/constant.go b/pkg/util/constant.go index 525ce2ffd7..95011d8aca 100644 --- a/pkg/util/constant.go +++ b/pkg/util/constant.go @@ -131,6 +131,11 @@ var ( MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateDatabase.String()), MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropDatabase.String()), MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListDatabases.String()), + + MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateAlias.String()), + MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropAlias.String()), + MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeAlias.String()), + MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListAliases.String()), }, commonpb.ObjectType_User.String(): { MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()), diff --git a/pkg/util/funcutil/policy_test.go b/pkg/util/funcutil/policy_test.go index 2eadb491b9..8659b82205 100644 --- a/pkg/util/funcutil/policy_test.go +++ b/pkg/util/funcutil/policy_test.go @@ -20,7 +20,7 @@ func Test_GetPrivilegeExtObj(t *testing.T) { assert.Equal(t, commonpb.ObjectPrivilege_PrivilegeLoad, privilegeExt.ObjectPrivilege) assert.Equal(t, int32(3), privilegeExt.ObjectNameIndex) - request2 := &milvuspb.ListAliasesRequest{} + request2 := &milvuspb.GetPersistentSegmentInfoRequest{} _, err = GetPrivilegeExtObj(request2) assert.Error(t, err) } diff --git a/tests/python_client/testcases/test_utility.py b/tests/python_client/testcases/test_utility.py index addf62dc62..d7dbef0097 100644 --- a/tests/python_client/testcases/test_utility.py +++ b/tests/python_client/testcases/test_utility.py 
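Review bot: The four alias privileges in the pkg/util/constant.go hunk are appended to a privilege list whose object type is not visible here, because the `var (` block and the map key start above the hunk. The Python test in this commit grants them with `"object": "Global"` and `"object_name": "*"`, so they appear to be Global-scoped. If so, a role holding `CreateAlias` or `DropAlias` can bind or remove an alias for any collection, including collections it has no collection-level grant on. I would record that scope next to the entries, e.g. `// Alias privileges are Global-scoped: a grant covers aliases of every collection, not a single one.` The release notes should also say that roles which called the alias APIs before this change presumably need the new grants after upgrade.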
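Review bot: After the pkg/util/funcutil/policy_test.go hunk the test no longer touches `ListAliasesRequest`, so nothing asserts the privilege mapping that the alias requests presumably gained with the milvus-proto bump. The swap to `GetPersistentSegmentInfoRequest` only keeps the error case alive. A positive check would pin the authorization metadata: `privilegeExt, err = GetPrivilegeExtObj(&milvuspb.ListAliasesRequest{})`, `assert.NoError(t, err)`, `assert.Equal(t, commonpb.ObjectPrivilege_PrivilegeListAliases, privilegeExt.ObjectPrivilege)`. Test_GetPrivilegeExtObj starts above the hunk, so the declarations of `privilegeExt` and `err` are assumed from their visible uses.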
@@ -4343,6 +4343,67 @@ class TestUtilityRBAC(TestcaseBase): self.utility_wrap.describe_resource_group(name=ct.default_resource_group_name, check_task=CheckTasks.check_permission_deny) + @pytest.mark.tags(CaseLabel.RBAC) + def test_alias_rbac(self, host, port): + """ + target: test rbac related to alias interfaces + method: Create a role and grant privileges related to aliases. + Verify if a user can execute the corresponding alias interface + based on whether the user possesses the role. + expected: Users with the assigned role can access the alias interface, + while those without the role cannot. + """ + + self.connection_wrap.connect(host=host, port=port, user=ct.default_user, + password=ct.default_password, check_task=ct.CheckTasks.ccr) + user = cf.gen_unique_str(prefix) + password = cf.gen_unique_str(prefix) + r_name = cf.gen_unique_str(prefix) + c_name = cf.gen_unique_str(prefix) + alias_name = cf.gen_unique_str(prefix) + u, _ = self.utility_wrap.create_user(user=user, password=password) + user2 = cf.gen_unique_str(prefix) + u2, _ = self.utility_wrap.create_user(user=user2, password=password) + + + self.utility_wrap.init_role(r_name) + self.utility_wrap.create_role() + self.utility_wrap.role_add_user(user) + + db_kwargs = {} + # grant user privilege + self.utility_wrap.init_role(r_name) + alias_privileges = [ + {"object": "Global", "object_name": "*", "privilege": "CreateAlias"}, + {"object": "Global", "object_name": "*", "privilege": "DropAlias"}, + {"object": "Global", "object_name": "*", "privilege": "DescribeAlias"}, + {"object": "Global", "object_name": "*", "privilege": "ListAliases"}, + ] + + for grant_item in alias_privileges: + self.utility_wrap.role_grant(grant_item["object"], grant_item["object_name"], grant_item["privilege"], + **db_kwargs) + + self.init_collection_wrap(name=c_name) + self.connection_wrap.disconnect(alias=DefaultConfig.DEFAULT_USING) + + self.connection_wrap.connect(host=host, port=port, user=user, + password=password, 
check_task=ct.CheckTasks.ccr, **db_kwargs) + + self.utility_wrap.create_alias(c_name, alias_name) + self.utility_wrap.drop_alias(alias_name) + + self.connection_wrap.disconnect(alias=DefaultConfig.DEFAULT_USING) + self.connection_wrap.connect(host=host, port=port, user=user2, + password=password, check_task=ct.CheckTasks.ccr, **db_kwargs) + + + # user2 can not create or drop alias + self.utility_wrap.create_alias(c_name, alias_name, + check_task=CheckTasks.check_permission_deny) + + self.utility_wrap.drop_alias(alias_name, + check_task=CheckTasks.check_permission_deny) class TestUtilityNegativeRbac(TestcaseBase): @@ -4990,6 +5051,7 @@ class TestUtilityNegativeRbac(TestcaseBase): self.utility_wrap.create_role(check_task=CheckTasks.err_res, check_items=error) + @pytest.mark.tags(CaseLabel.L3) class TestUtilityFlushAll(TestcaseBase):
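Review bot: test_alias_rbac grants `CreateAlias`, `DropAlias`, `DescribeAlias` and `ListAliases`, but only create and drop are exercised, so a regression that leaves describe or list unguarded would still pass. Both users should also call the describe and list alias interfaces, with user2 expecting `check_task=CheckTasks.check_permission_deny` as in the existing calls. The deny checks for user2 also run after the first user has already executed `self.utility_wrap.drop_alias(alias_name)`, so the denied drop targets an alias that no longer exists. Keeping the alias alive until user2's checks finish would show that an unprivileged user cannot remove a live alias. The users and role created here are not removed inside the hunk; if the class teardown (outside this view) does not handle them, leftover accounts with Global grants will accumulate on a shared test cluster.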