support rg api rbac (#22097)

Signed-off-by: Wei Liu <wei.liu@zilliz.com>
wei liu 2023-02-10 10:54:33 +08:00 committed by GitHub
parent f66d36f111
commit d078441522
6 changed files with 102 additions and 17 deletions

2
go.mod

@ -27,7 +27,7 @@ require (
github.com/klauspost/compress v1.14.4
github.com/lingdor/stackerror v0.0.0-20191119040541-976d8885ed76
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
github.com/milvus-io/milvus-proto/go-api v0.0.0-20230129073344-87a125853a0b
github.com/milvus-io/milvus-proto/go-api v0.0.0-20230209081028-aabbca7f95ae
github.com/minio/minio-go/v7 v7.0.17
github.com/panjf2000/ants/v2 v2.4.8
github.com/pkg/errors v0.9.1

4
go.sum

@ -491,8 +491,8 @@ github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyex
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b h1:TfeY0NxYxZzUfIfYe5qYDBzt4ZYRqzUjTR6CvUzjat8=
github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b/go.mod h1:iwW+9cWfIzzDseEBCCeDSN5SD16Tidvy8cwQ7ZY8Qj4=
github.com/milvus-io/milvus-proto/go-api v0.0.0-20230129073344-87a125853a0b h1:HoJ3J70COnaR3WQTA4gN70DkiaMRPkyLI6yXrPqpFiU=
github.com/milvus-io/milvus-proto/go-api v0.0.0-20230129073344-87a125853a0b/go.mod h1:148qnlmZ0Fdm1Fq+Mj/OW2uDoEP25g3mjh0vMGtkgmk=
github.com/milvus-io/milvus-proto/go-api v0.0.0-20230209081028-aabbca7f95ae h1:4PPf72uc+pUFIT22yUHKrMMVyiJu8Q5l8FrQ4IkvAAY=
github.com/milvus-io/milvus-proto/go-api v0.0.0-20230209081028-aabbca7f95ae/go.mod h1:148qnlmZ0Fdm1Fq+Mj/OW2uDoEP25g3mjh0vMGtkgmk=
github.com/milvus-io/pulsar-client-go v0.6.10 h1:eqpJjU+/QX0iIhEo3nhOqMNXL+TyInAs1IAHZCrCM/A=
github.com/milvus-io/pulsar-client-go v0.6.10/go.mod h1:lQqCkgwDF8YFYjKA+zOheTk1tev2B+bKj5j7+nm8M1w=
github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=


@ -428,7 +428,7 @@ const char descriptor_table_protodef_common_2eproto[] PROTOBUF_SECTION_VARIABLE(
"ImportStarted\020\002\022\023\n\017ImportPersisted\020\005\022\021\n\r"
"ImportFlushed\020\010\022\023\n\017ImportCompleted\020\006\022\032\n\026"
"ImportFailedAndCleaned\020\007*2\n\nObjectType\022\016"
"\n\nCollection\020\000\022\n\n\006Global\020\001\022\010\n\004User\020\002*\233\005\n"
"\n\nCollection\020\000\022\n\n\006Global\020\001\022\010\n\004User\020\002*\333\006\n"
"\017ObjectPrivilege\022\020\n\014PrivilegeAll\020\000\022\035\n\031Pr"
"ivilegeCreateCollection\020\001\022\033\n\027PrivilegeDr"
"opCollection\020\002\022\037\n\033PrivilegeDescribeColle"
@ -445,24 +445,29 @@ const char descriptor_table_protodef_common_2eproto[] PROTOBUF_SECTION_VARIABLE(
"UpdateUser\020\024\022\032\n\026PrivilegeDropOwnership\020\025"
"\022\034\n\030PrivilegeSelectOwnership\020\026\022\034\n\030Privil"
"egeManageOwnership\020\027\022\027\n\023PrivilegeSelectU"
"ser\020\030\022\023\n\017PrivilegeUpsert\020\031*S\n\tStateCode\022"
"\020\n\014Initializing\020\000\022\013\n\007Healthy\020\001\022\014\n\010Abnorm"
"al\020\002\022\013\n\007StandBy\020\003\022\014\n\010Stopping\020\004*c\n\tLoadS"
"tate\022\025\n\021LoadStateNotExist\020\000\022\024\n\020LoadState"
"NotLoad\020\001\022\024\n\020LoadStateLoading\020\002\022\023\n\017LoadS"
"tateLoaded\020\003:^\n\021privilege_ext_obj\022\037.goog"
"le.protobuf.MessageOptions\030\351\007 \001(\0132!.milv"
"us.proto.common.PrivilegeExtBf\n\016io.milvu"
"s.grpcB\013CommonProtoP\001Z1github.com/milvus"
"-io/milvus-proto/go-api/commonpb\240\001\001\252\002\016IO"
".Milvus.Grpcb\006proto3"
"ser\020\030\022\023\n\017PrivilegeUpsert\020\031\022 \n\034PrivilegeC"
"reateResourceGroup\020\032\022\036\n\032PrivilegeDropRes"
"ourceGroup\020\033\022\"\n\036PrivilegeDescribeResourc"
"eGroup\020\034\022\037\n\033PrivilegeListResourceGroups\020"
"\035\022\031\n\025PrivilegeTransferNode\020\036\022\034\n\030Privileg"
"eTransferReplica\020\037*S\n\tStateCode\022\020\n\014Initi"
"alizing\020\000\022\013\n\007Healthy\020\001\022\014\n\010Abnormal\020\002\022\013\n\007"
"StandBy\020\003\022\014\n\010Stopping\020\004*c\n\tLoadState\022\025\n\021"
"LoadStateNotExist\020\000\022\024\n\020LoadStateNotLoad\020"
"\001\022\024\n\020LoadStateLoading\020\002\022\023\n\017LoadStateLoad"
"ed\020\003:^\n\021privilege_ext_obj\022\037.google.proto"
"buf.MessageOptions\030\351\007 \001(\0132!.milvus.proto"
".common.PrivilegeExtBf\n\016io.milvus.grpcB\013"
"CommonProtoP\001Z1github.com/milvus-io/milv"
"us-proto/go-api/commonpb\240\001\001\252\002\016IO.Milvus."
"Grpcb\006proto3"
;
static const ::_pbi::DescriptorTable* const descriptor_table_common_2eproto_deps[1] = {
&::descriptor_table_google_2fprotobuf_2fdescriptor_2eproto,
};
static ::_pbi::once_flag descriptor_table_common_2eproto_once;
const ::_pbi::DescriptorTable descriptor_table_common_2eproto = {
false, false, 5860, descriptor_table_protodef_common_2eproto,
false, false, 6052, descriptor_table_protodef_common_2eproto,
"common.proto",
&descriptor_table_common_2eproto_once, descriptor_table_common_2eproto_deps, 1, 11,
schemas, file_default_instances, TableStruct_common_2eproto::offsets,
@ -813,6 +818,12 @@ bool ObjectPrivilege_IsValid(int value) {
case 23:
case 24:
case 25:
case 26:
case 27:
case 28:
case 29:
case 30:
case 31:
return true;
default:
return false;


@ -542,12 +542,18 @@ enum ObjectPrivilege : int {
PrivilegeManageOwnership = 23,
PrivilegeSelectUser = 24,
PrivilegeUpsert = 25,
PrivilegeCreateResourceGroup = 26,
PrivilegeDropResourceGroup = 27,
PrivilegeDescribeResourceGroup = 28,
PrivilegeListResourceGroups = 29,
PrivilegeTransferNode = 30,
PrivilegeTransferReplica = 31,
ObjectPrivilege_INT_MIN_SENTINEL_DO_NOT_USE_ = std::numeric_limits<int32_t>::min(),
ObjectPrivilege_INT_MAX_SENTINEL_DO_NOT_USE_ = std::numeric_limits<int32_t>::max()
};
bool ObjectPrivilege_IsValid(int value);
constexpr ObjectPrivilege ObjectPrivilege_MIN = PrivilegeAll;
constexpr ObjectPrivilege ObjectPrivilege_MAX = PrivilegeUpsert;
constexpr ObjectPrivilege ObjectPrivilege_MAX = PrivilegeTransferReplica;
constexpr int ObjectPrivilege_ARRAYSIZE = ObjectPrivilege_MAX + 1;
const ::PROTOBUF_NAMESPACE_ID::EnumDescriptor* ObjectPrivilege_descriptor();


@ -133,3 +133,64 @@ func TestPrivilegeInterceptor(t *testing.T) {
})
}
func TestResourceGroupPrivilege(t *testing.T) {
ctx := context.Background()
t.Run("Resource Group Privilege", func(t *testing.T) {
paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")
_, err := PrivilegeInterceptor(ctx, &milvuspb.ListResourceGroupsRequest{})
assert.NotNil(t, err)
ctx = GetContext(context.Background(), "fooo:123456")
client := &MockRootCoordClientInterface{}
queryCoord := &MockQueryCoordClientInterface{}
mgr := newShardClientMgr()
client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
return &internalpb.ListPolicyResponse{
Status: &commonpb.Status{
ErrorCode: commonpb.ErrorCode_Success,
},
PolicyInfos: []string{
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeCreateResourceGroup.String()),
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeTransferNode.String()),
funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeTransferReplica.String()),
},
UserRoles: []string{
funcutil.EncodeUserRoleCache("fooo", "role1"),
},
}, nil
}
InitMetaCache(ctx, client, queryCoord, mgr)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{
ResourceGroup: "rg",
})
assert.Nil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DropResourceGroupRequest{
ResourceGroup: "rg",
})
assert.Nil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DescribeResourceGroupRequest{
ResourceGroup: "rg",
})
assert.Nil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.ListResourceGroupsRequest{})
assert.Nil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferNodeRequest{})
assert.Nil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferReplicaRequest{})
assert.Nil(t, err)
})
}
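Review bot: The six resource-group checks at L165–L182 only exercise the allow path, and they do so with all six new privileges granted to role1 at once (L152–L157), so a wrong or missing request-to-privilege mapping — TransferNodeRequest checked against PrivilegeTransferReplica, or against no privilege at all — would still pass. Add a negative case that re-mocks listPolicy with a single privilege, re-initialises the meta cache the same way the positive path does at L164, and asserts the interceptor rejects the other requests, e.g. `_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferNodeRequest{})` followed by `assert.NotNil(t, err)`. The request→privilege association itself presumably comes from the `privilege_ext_obj` message option in the bumped milvus-proto module rather than from this repository, which makes this test the only place in the commit where that mapping is checked. Separately, `paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")` at L139 is never restored, so authorization stays enabled for whatever tests run after this one in the package unless they reset it themselves.
```go
// … unchanged: positive checks with all six privileges granted …
client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
	return &internalpb.ListPolicyResponse{
		Status: &commonpb.Status{ErrorCode: commonpb.ErrorCode_Success},
		PolicyInfos: []string{
			funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
		},
		UserRoles: []string{funcutil.EncodeUserRoleCache("fooo", "role1")},
	}, nil
}
InitMetaCache(ctx, client, queryCoord, mgr)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.ListResourceGroupsRequest{})
assert.Nil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{ResourceGroup: "rg"})
assert.NotNil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferNodeRequest{})
assert.NotNil(t, err)
_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferReplicaRequest{})
assert.NotNil(t, err)
```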


@ -93,6 +93,13 @@ var (
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropOwnership.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectOwnership.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeManageOwnership.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateResourceGroup.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferReplica.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferNode.String()),
},
commonpb.ObjectType_User.String(): {
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
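Review bot: The two transfer entries at L196–L197 are listed as TransferReplica then TransferNode, the reverse of their enum order (PrivilegeTransferNode = 30, PrivilegeTransferReplica = 31 in the generated header) and of the order used in the new test; swap them so the table follows the enum, `MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferNode.String()),` before `MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferReplica.String()),`. This table is a hand-maintained copy of the ObjectPrivilege enum, so a privilege added to the proto but omitted here would be silently absent from whatever the table gates — presumably grant validation, which this hunk does not show. A one-line comment above the table, `// Must be kept in sync with commonpb.ObjectPrivilege: a privilege missing here cannot be granted.`, would make that coupling visible to the next contributor; the enclosing `var (` block starts before the hunk.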