enhance: add config to control whether to init public role permissions (#33165)

issue: #33164

Signed-off-by: SimFG <bang.fu@zilliz.com>
SimFG 2024-05-21 22:39:46 +08:00 committed by GitHub
parent ed39a38953
commit e18d5aceb6
GPG Key ID: B5690EEEBB952194
3 changed files with 66 additions and 4 deletions


@ -545,15 +545,29 @@ func (c *Core) initRbac() error {
}
}
if Params.ProxyCfg.EnablePublicPrivilege.GetAsBool() {
err = c.initPublicRolePrivilege()
if err != nil {
return err
}
}
if Params.RoleCfg.Enabled.GetAsBool() {
return c.initBuiltinRoles()
}
return nil
}
func (c *Core) initPublicRolePrivilege() error {
// grant privileges for the public role
globalPrivileges := []string{
commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String(),
commonpb.ObjectPrivilege_PrivilegeShowCollections.String(),
}
collectionPrivileges := []string{
commonpb.ObjectPrivilege_PrivilegeIndexDetail.String(),
}
var err error
for _, globalPrivilege := range globalPrivileges {
err = c.meta.OperatePrivilege(util.DefaultTenant, &milvuspb.GrantEntity{
Role: &milvuspb.RoleEntity{Name: util.RolePublic},
@ -584,9 +598,6 @@ func (c *Core) initRbac() error {
return errors.Wrap(err, "failed to grant collection privilege")
}
}
if Params.RoleCfg.Enabled.GetAsBool() {
return c.initBuiltinRoles()
}
return nil
}
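Review bot: The new switch at `if Params.ProxyCfg.EnablePublicPrivilege.GetAsBool()` only gates whether the public-role grants are made at startup; there is no revoke path, so on a deployment that already ran with the default (`true`) the public role keeps DescribeCollection, ShowCollections and IndexDetail in the meta store after an operator flips the key to `false`. That is a security-relevant surprise for anyone using the flag to harden an existing cluster, and the hunk should say so: `// Only gates granting at startup; grants persisted by an earlier run with the switch enabled are not revoked here.` A related wording point: the key lives under `Params.ProxyCfg` and is named `proxy.enablePublicPrivilege`, yet it is consumed by RootCoord's `initRbac`, so a one-line comment noting that the proxy prefix is historical would help the next reader. The body of `initPublicRolePrivilege` continues past the first hunk, and the second hunk shows only its tail.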


@ -1807,6 +1807,48 @@ func TestCore_Stop(t *testing.T) {
})
}
func TestCore_InitRBAC(t *testing.T) {
paramtable.Init()
t.Run("init default role and public role privilege", func(t *testing.T) {
meta := mockrootcoord.NewIMetaTable(t)
c := newTestCore(withHealthyCode(), withMeta(meta))
meta.EXPECT().CreateRole(mock.Anything, mock.Anything).Return(nil).Twice()
meta.EXPECT().OperatePrivilege(mock.Anything, mock.Anything, mock.Anything).Return(nil).Twice()
Params.Save(Params.RoleCfg.Enabled.Key, "false")
Params.Save(Params.ProxyCfg.EnablePublicPrivilege.Key, "true")
defer func() {
Params.Reset(Params.RoleCfg.Enabled.Key)
Params.Reset(Params.ProxyCfg.EnablePublicPrivilege.Key)
}()
err := c.initRbac()
assert.NoError(t, err)
})
t.Run("not init public role privilege and init default privilege", func(t *testing.T) {
builtinRoles := `{"db_admin": {"privileges": [{"object_type": "Global", "object_name": "*", "privilege": "CreateCollection", "db_name": "*"}]}}`
meta := mockrootcoord.NewIMetaTable(t)
c := newTestCore(withHealthyCode(), withMeta(meta))
meta.EXPECT().CreateRole(mock.Anything, mock.Anything).Return(nil).Times(3)
meta.EXPECT().OperatePrivilege(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
Params.Save(Params.RoleCfg.Enabled.Key, "true")
Params.Save(Params.RoleCfg.Roles.Key, builtinRoles)
Params.Save(Params.ProxyCfg.EnablePublicPrivilege.Key, "false")
defer func() {
Params.Reset(Params.RoleCfg.Enabled.Key)
Params.Reset(Params.RoleCfg.Roles.Key)
Params.Reset(Params.ProxyCfg.EnablePublicPrivilege.Key)
}()
err := c.initRbac()
assert.NoError(t, err)
})
}
type RootCoordSuite struct {
suite.Suite
}
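Review bot: Both cases expect `OperatePrivilege` with `mock.Anything` for the grant entity, so the second case ("not init public role privilege") proves only that one grant happened, not that it went to `db_admin` rather than the public role, and the first case likewise never pins the role name. Since the grant passes a `*milvuspb.GrantEntity` whose `Role.Name` is `util.RolePublic` (visible in the first file's hunk), a matcher such as `mock.MatchedBy(func(e *milvuspb.GrantEntity) bool { return e.GetRole().GetName() == util.RolePublic })` in the first case, and the negated form in the second, would make the flag's effect observable rather than inferred from call counts; the exact argument position should be confirmed against the `IMetaTable` signature, which is not in the hunk. It would also be worth a third case with the switch left at its default, so a future change to `DefaultValue` is caught here.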


@ -1034,6 +1034,7 @@ type proxyConfig struct {
MustUsePartitionKey ParamItem `refreshable:"true"`
SkipAutoIDCheck ParamItem `refreshable:"true"`
SkipPartitionKeyCheck ParamItem `refreshable:"true"`
EnablePublicPrivilege ParamItem `refreshable:"false"`
AccessLog AccessLogConfig
@ -1394,6 +1395,14 @@ please adjust in embedded Milvus: false`,
}
p.SkipPartitionKeyCheck.Init(base.mgr)
p.EnablePublicPrivilege = ParamItem{
Key: "proxy.enablePublicPrivilege",
Version: "2.4.1",
DefaultValue: "true",
Doc: "switch for whether proxy shall enable public privilege",
}
p.EnablePublicPrivilege.Init(base.mgr)
p.GracefulStopTimeout = ParamItem{
Key: "proxy.gracefulStopTimeout",
Version: "2.3.7",