enhance: add privilege group privilege into built-in privilege group (#38393)

related issue: https://github.com/milvus-io/milvus/issues/37031 Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
2024-12-12 17:20:42 +08:00 · 2024-12-12 17:20:42 +08:00 · c2855a5c74
parent d0a8110a7a
commit c2855a5c74
2 changed files with 13 additions and 7 deletions
--- a/configs/milvus.yaml
+++ b/configs/milvus.yaml
@ -831,11 +831,11 @@ common:
        enabled: false # Whether to override build-in privilege groups
      cluster:
        readonly:
-          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups # Cluster level readonly privileges
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups # Cluster level readonly privileges
        readwrite:
-          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
        admin:
-          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection # Cluster level admin privileges
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection,CreatePrivilegeGroup,DropPrivilegeGroup,OperatePrivilegeGroup # Cluster level admin privileges
      database:
        readonly:
          privileges: ShowCollections,DescribeDatabase # Database level readonly privileges
--- a/pkg/util/constant.go
+++ b/pkg/util/constant.go
@ -363,6 +363,7 @@ var (
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectUser.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListPrivilegeGroups.String()),
 	}

 	ClusterReadWritePrivilegeGroup = append(ClusterReadOnlyPrivilegeGroup,
@ -384,6 +385,9 @@ var (
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeRenameCollection.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreatePrivilegeGroup.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPrivilegeGroup.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeOperatePrivilegeGroup.String()),
 	)
 )

@ -407,11 +411,13 @@ func StringList(stringMap map[string]struct{}) []string {
 // MetaStore2API convert meta-store's privilege name to api's
 // example: PrivilegeAll -> All
 func MetaStore2API(name string) string {
-	prefix := PrivilegeWord
-	if strings.Contains(name, PrivilegeGroupWord) {
-		prefix = PrivilegeGroupWord
+	if strings.HasPrefix(name, PrivilegeGroupWord) {
+		return name[len(PrivilegeGroupWord):]
 	}
-	return name[strings.Index(name, prefix)+len(prefix):]
+	if strings.HasPrefix(name, PrivilegeWord) {
+		return name[len(PrivilegeWord):]
+	}
+	return name
 }

 func PrivilegeNameForAPI(name string) string {