diff --git a/internal/rootcoord/root_coord.go b/internal/rootcoord/root_coord.go
index cc330fa3c9..4e8fc35ee1 100644
--- a/internal/rootcoord/root_coord.go
+++ b/internal/rootcoord/root_coord.go
@@ -545,15 +545,29 @@ func (c *Core) initRbac() error {
 }
 }
+ if Params.ProxyCfg.EnablePublicPrivilege.GetAsBool() {
+ err = c.initPublicRolePrivilege()
+ if err != nil {
+ return err
+ }
+ }
+
+ if Params.RoleCfg.Enabled.GetAsBool() {
+ return c.initBuiltinRoles()
+ }
+ return nil
+}
+
+func (c *Core) initPublicRolePrivilege() error {
 // grant privileges for the public role
 globalPrivileges := []string{
 commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String(),
- commonpb.ObjectPrivilege_PrivilegeShowCollections.String(),
 }
 collectionPrivileges := []string{
 commonpb.ObjectPrivilege_PrivilegeIndexDetail.String(),
 }
+ var err error
 for _, globalPrivilege := range globalPrivileges {
 err = c.meta.OperatePrivilege(util.DefaultTenant, &milvuspb.GrantEntity{
 Role: &milvuspb.RoleEntity{Name: util.RolePublic},
@@ -584,9 +598,6 @@ func (c *Core) initRbac() error {
 return errors.Wrap(err, "failed to grant collection privilege")
 }
 }
- if Params.RoleCfg.Enabled.GetAsBool() {
- return c.initBuiltinRoles()
- }
 return nil
 }
diff --git a/internal/rootcoord/root_coord_test.go b/internal/rootcoord/root_coord_test.go
index 832526d61b..bbdb896b52 100644
--- a/internal/rootcoord/root_coord_test.go
+++ b/internal/rootcoord/root_coord_test.go
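Review bot: Skipping `initPublicRolePrivilege` when `proxy.enablePublicPrivilege` is false does not take anything away from the public role: the function only issues grants through `c.meta.OperatePrivilege` (the wrapped error text says "grant"), and nothing in the hunk revokes DescribeCollection or IndexDetail, nor the ShowCollections grant this change drops from `globalPrivileges`, on a cluster whose meta store already holds them from an earlier start. An operator turning the switch off to lock down the public role would presumably still find those grants in place after a restart, so the new function needs at least a doc comment spelling that out, e.g. `// initPublicRolePrivilege grants the public role its default privileges (DescribeCollection globally, IndexDetail on collections). Grants are additive: turning proxy.enablePublicPrivilege off only skips this step and does not revoke privileges already persisted.` If the switch is meant as a hard disable, the false branch in `initRbac` should revoke those entries rather than skip the call. `initRbac` begins outside the hunk, so the declaration of the `err` reused by `err = c.initPublicRolePrivilege()` is not visible here.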
@@ -1807,6 +1807,48 @@ func TestCore_Stop(t *testing.T) {
 })
 }
+func TestCore_InitRBAC(t *testing.T) {
+ paramtable.Init()
+ t.Run("init default role and public role privilege", func(t *testing.T) {
+ meta := mockrootcoord.NewIMetaTable(t)
+ c := newTestCore(withHealthyCode(), withMeta(meta))
+ meta.EXPECT().CreateRole(mock.Anything, mock.Anything).Return(nil).Twice()
+ meta.EXPECT().OperatePrivilege(mock.Anything, mock.Anything, mock.Anything).Return(nil).Twice()
+
+ Params.Save(Params.RoleCfg.Enabled.Key, "false")
+ Params.Save(Params.ProxyCfg.EnablePublicPrivilege.Key, "true")
+
+ defer func() {
+ Params.Reset(Params.RoleCfg.Enabled.Key)
+ Params.Reset(Params.ProxyCfg.EnablePublicPrivilege.Key)
+ }()
+
+ err := c.initRbac()
+ assert.NoError(t, err)
+ })
+
+ t.Run("not init public role privilege and init default privilege", func(t *testing.T) {
+ builtinRoles := `{"db_admin": {"privileges": [{"object_type": "Global", "object_name": "*", "privilege": "CreateCollection", "db_name": "*"}]}}`
+ meta := mockrootcoord.NewIMetaTable(t)
+ c := newTestCore(withHealthyCode(), withMeta(meta))
+ meta.EXPECT().CreateRole(mock.Anything, mock.Anything).Return(nil).Times(3)
+ meta.EXPECT().OperatePrivilege(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
+
+ Params.Save(Params.RoleCfg.Enabled.Key, "true")
+ Params.Save(Params.RoleCfg.Roles.Key, builtinRoles)
+ Params.Save(Params.ProxyCfg.EnablePublicPrivilege.Key, "false")
+
+ defer func() {
+ Params.Reset(Params.RoleCfg.Enabled.Key)
+ Params.Reset(Params.RoleCfg.Roles.Key)
+ Params.Reset(Params.ProxyCfg.EnablePublicPrivilege.Key)
+ }()
+
+ err := c.initRbac()
+ assert.NoError(t, err)
+ })
+}
+
 type RootCoordSuite struct {
 suite.Suite
 }
diff --git a/pkg/util/paramtable/component_param.go b/pkg/util/paramtable/component_param.go
index 117757815a..8804240da4 100644
--- a/pkg/util/paramtable/component_param.go
+++ b/pkg/util/paramtable/component_param.go
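Review bot: Neither subtest pins which privileges the public role actually receives, because every `OperatePrivilege` expectation uses `mock.Anything` for all three arguments and only the call count is checked, so the removal of ShowCollections from the public role's global privileges (the security-relevant part of this change) has no regression test. In the first subtest I would match the entity instead of accepting anything, e.g. `mock.MatchedBy(func(e *milvuspb.GrantEntity) bool { return e.GetRole().GetName() == util.RolePublic })`, and additionally assert the two granted privilege names against DescribeCollection and IndexDetail through the entity's privilege field, whose accessor is not visible in this diff. The third `OperatePrivilege` argument (presumably the grant/revoke operate type) is also not visible here and should be matched as a grant for the same reason. A third case with both `roleCfg.enabled` and `proxy.enablePublicPrivilege` set to false, expecting no `OperatePrivilege` call at all, would complete the matrix.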
@@ -1034,6 +1034,7 @@ type proxyConfig struct {
 MustUsePartitionKey ParamItem `refreshable:"true"`
 SkipAutoIDCheck ParamItem `refreshable:"true"`
 SkipPartitionKeyCheck ParamItem `refreshable:"true"`
+ EnablePublicPrivilege ParamItem `refreshable:"false"`
 AccessLog AccessLogConfig
@@ -1394,6 +1395,14 @@ please adjust in embedded Milvus: false`,
 }
 p.SkipPartitionKeyCheck.Init(base.mgr)
+ p.EnablePublicPrivilege = ParamItem{
+ Key: "proxy.enablePublicPrivilege",
+ Version: "2.4.1",
+ DefaultValue: "true",
+ Doc: "switch for whether proxy shall enable public privilege",
+ }
+ p.EnablePublicPrivilege.Init(base.mgr)
+
 p.GracefulStopTimeout = ParamItem{
 Key: "proxy.gracefulStopTimeout",
 Version: "2.3.7",
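Review bot: The `Doc` string `"switch for whether proxy shall enable public privilege"` tells an operator neither what the switch grants nor what happens to existing data, and the key sits under `proxy.*` even though the only consumer in this change is RootCoord's `initRbac` (root_coord.go above), not the proxy. Given the `"true"` default and the `refreshable:"false"` tag on the struct field, the value has to be decided before first start, so I would rewrite it as `Doc: "whether RootCoord grants the built-in public role its default privileges (DescribeCollection globally, IndexDetail on collections) when it initialises RBAC; read once at startup, not refreshable"`, and, if the grant-only behaviour I read in root_coord.go is right, add a sentence that disabling it does not revoke grants already persisted from an earlier start. Moving the key to a rootCoord or common security section would match where it is consumed, if the config layout allows it; if it must stay under `proxy.*` for compatibility, the Doc should at least name RootCoord as the reader.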