mirror of https://github.com/milvus-io/milvus.git
fix: rbac revoke check if there is same privilege in other privilege groups granted (#38558)
related: https://github.com/milvus-io/milvus/issues/38557 Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>pull/38555/head
parent
1639779b5d
commit
de8858931a
|
@ -32,6 +32,7 @@ import (
|
||||||
clientv3 "go.etcd.io/etcd/client/v3"
|
clientv3 "go.etcd.io/etcd/client/v3"
|
||||||
"go.uber.org/atomic"
|
"go.uber.org/atomic"
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
|
"google.golang.org/protobuf/proto"
|
||||||
|
|
||||||
"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
|
"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
|
||||||
"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
|
"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
|
||||||
|
@ -2775,6 +2776,25 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
// if there is same grant in the other privilege groups, the grant should not be removed from the cache
|
||||||
|
if in.Type == milvuspb.OperatePrivilegeType_Revoke {
|
||||||
|
metaGrants, err := c.meta.SelectGrant(ctx, util.DefaultTenant, &milvuspb.GrantEntity{
|
||||||
|
Role: in.Entity.Role,
|
||||||
|
DbName: in.Entity.DbName,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
metaExpandGrants, err := c.expandPrivilegeGroups(ctx, metaGrants, groups)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
expandGrants = lo.Filter(expandGrants, func(g1 *milvuspb.GrantEntity, _ int) bool {
|
||||||
|
return !lo.ContainsBy(metaExpandGrants, func(g2 *milvuspb.GrantEntity) bool {
|
||||||
|
return proto.Equal(g1, g2)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
}
|
||||||
if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
|
if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
|
||||||
OpType: opType,
|
OpType: opType,
|
||||||
OpKey: funcutil.PolicyForPrivileges(expandGrants),
|
OpKey: funcutil.PolicyForPrivileges(expandGrants),
|
||||||
|
|
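Review bot: The `proto.Equal(g1, g2)` filter in the revoke branch compares whole `GrantEntity` messages, grantor included, while the key actually sent to the proxies is derived by `funcutil.PolicyForPrivileges(expandGrants)`. How `expandPrivilegeGroups` fills the grantor is not visible in this hunk, so this needs confirming. If the stored grant was created by a different user than the one issuing the revoke, the two entries will not compare equal, and a privilege the role still holds through another group is dropped from the proxy cache anyway. Matching only on the fields that identify the policy would be more robust, e.g. `g1.GetObject().GetName() == g2.GetObject().GetName() && g1.GetObjectName() == g2.GetObjectName() && g1.GetGrantor().GetPrivilege().GetName() == g2.GetGrantor().GetPrivilege().GetName()`, plus role and database if `SelectGrant` does not already pin them. The enclosing function starts and ends outside the hunk, and no test is visible here; one that revokes one of two overlapping privilege groups granted by different users would cover this case.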