enhance: add config to control whether to init public role permissions (#33165)
issue: #33164 Signed-off-by: SimFG <bang.fu@zilliz.com>
pull/33244/head
parent
ed39a38953
commit
e18d5aceb6
|
@ -545,15 +545,29 @@ func (c *Core) initRbac() error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if Params.ProxyCfg.EnablePublicPrivilege.GetAsBool() {
|
||||||
|
err = c.initPublicRolePrivilege()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if Params.RoleCfg.Enabled.GetAsBool() {
|
||||||
|
return c.initBuiltinRoles()
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Core) initPublicRolePrivilege() error {
|
||||||
// grant privileges for the public role
|
// grant privileges for the public role
|
||||||
globalPrivileges := []string{
|
globalPrivileges := []string{
|
||||||
commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String(),
|
commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String(),
|
||||||
commonpb.ObjectPrivilege_PrivilegeShowCollections.String(),
|
|
||||||
}
|
}
|
||||||
collectionPrivileges := []string{
|
collectionPrivileges := []string{
|
||||||
commonpb.ObjectPrivilege_PrivilegeIndexDetail.String(),
|
commonpb.ObjectPrivilege_PrivilegeIndexDetail.String(),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var err error
|
||||||
for _, globalPrivilege := range globalPrivileges {
|
for _, globalPrivilege := range globalPrivileges {
|
||||||
err = c.meta.OperatePrivilege(util.DefaultTenant, &milvuspb.GrantEntity{
|
err = c.meta.OperatePrivilege(util.DefaultTenant, &milvuspb.GrantEntity{
|
||||||
Role: &milvuspb.RoleEntity{Name: util.RolePublic},
|
Role: &milvuspb.RoleEntity{Name: util.RolePublic},
|
||||||
|
@ -584,9 +598,6 @@ func (c *Core) initRbac() error {
|
||||||
return errors.Wrap(err, "failed to grant collection privilege")
|
return errors.Wrap(err, "failed to grant collection privilege")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if Params.RoleCfg.Enabled.GetAsBool() {
|
|
||||||
return c.initBuiltinRoles()
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
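Review bot: Setting `proxy.enablePublicPrivilege` to false only skips the grant loop in `initPublicRolePrivilege`; nothing in this hunk revokes grants that an earlier start already persisted through `c.meta.OperatePrivilege`, so on an upgraded deployment the public role would, as far as the visible code shows, keep its privileges after the switch is turned off. A comment above `if Params.ProxyCfg.EnablePublicPrivilege.GetAsBool() {` would spare the next operator that surprise: `// Governs only the initial grants; privileges already stored for the public role are not revoked when this is false.` Separately, `commonpb.ObjectPrivilege_PrivilegeShowCollections` appears to be dropped from `globalPrivileges` (it is shown once with an empty new side, and the new test expects OperatePrivilege only twice), which narrows the public role's defaults without the commit message saying so; that change deserves its own mention in the description. initRbac begins before this hunk, and initPublicRolePrivilege continues past its end into the second hunk.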
@ -1807,6 +1807,48 @@ func TestCore_Stop(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCore_InitRBAC(t *testing.T) {
|
||||||
|
paramtable.Init()
|
||||||
|
t.Run("init default role and public role privilege", func(t *testing.T) {
|
||||||
|
meta := mockrootcoord.NewIMetaTable(t)
|
||||||
|
c := newTestCore(withHealthyCode(), withMeta(meta))
|
||||||
|
meta.EXPECT().CreateRole(mock.Anything, mock.Anything).Return(nil).Twice()
|
||||||
|
meta.EXPECT().OperatePrivilege(mock.Anything, mock.Anything, mock.Anything).Return(nil).Twice()
|
||||||
|
|
||||||
|
Params.Save(Params.RoleCfg.Enabled.Key, "false")
|
||||||
|
Params.Save(Params.ProxyCfg.EnablePublicPrivilege.Key, "true")
|
||||||
|
|
||||||
|
defer func() {
|
||||||
|
Params.Reset(Params.RoleCfg.Enabled.Key)
|
||||||
|
Params.Reset(Params.ProxyCfg.EnablePublicPrivilege.Key)
|
||||||
|
}()
|
||||||
|
|
||||||
|
err := c.initRbac()
|
||||||
|
assert.NoError(t, err)
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("not init public role privilege and init default privilege", func(t *testing.T) {
|
||||||
|
builtinRoles := `{"db_admin": {"privileges": [{"object_type": "Global", "object_name": "*", "privilege": "CreateCollection", "db_name": "*"}]}}`
|
||||||
|
meta := mockrootcoord.NewIMetaTable(t)
|
||||||
|
c := newTestCore(withHealthyCode(), withMeta(meta))
|
||||||
|
meta.EXPECT().CreateRole(mock.Anything, mock.Anything).Return(nil).Times(3)
|
||||||
|
meta.EXPECT().OperatePrivilege(mock.Anything, mock.Anything, mock.Anything).Return(nil).Once()
|
||||||
|
|
||||||
|
Params.Save(Params.RoleCfg.Enabled.Key, "true")
|
||||||
|
Params.Save(Params.RoleCfg.Roles.Key, builtinRoles)
|
||||||
|
Params.Save(Params.ProxyCfg.EnablePublicPrivilege.Key, "false")
|
||||||
|
|
||||||
|
defer func() {
|
||||||
|
Params.Reset(Params.RoleCfg.Enabled.Key)
|
||||||
|
Params.Reset(Params.RoleCfg.Roles.Key)
|
||||||
|
Params.Reset(Params.ProxyCfg.EnablePublicPrivilege.Key)
|
||||||
|
}()
|
||||||
|
|
||||||
|
err := c.initRbac()
|
||||||
|
assert.NoError(t, err)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
type RootCoordSuite struct {
|
type RootCoordSuite struct {
|
||||||
suite.Suite
|
suite.Suite
|
||||||
}
|
}
|
||||||
|
|
|
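Review bot: Both subtests match `OperatePrivilege` with `mock.Anything` on every argument, so `TestCore_InitRBAC` pins only call counts and would still pass if the two grants in the first subtest went to some other role or privilege. Matching the grant entity, e.g. `meta.EXPECT().OperatePrivilege(mock.Anything, mock.MatchedBy(func(e *milvuspb.GrantEntity) bool { return e.Role.Name == util.RolePublic }), mock.Anything).Return(nil).Twice()`, would make the first case assert what the feature promises. The second subtest's `Once()` does catch an unintended public grant, provided the mock asserts its expectations at cleanup, and that intent is worth a one-line comment so the count is not loosened later. Both subtests mutate the global `Params` and rely on the deferred `Reset`, so they must not be marked `t.Parallel()`.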
@ -1034,6 +1034,7 @@ type proxyConfig struct {
|
||||||
MustUsePartitionKey ParamItem `refreshable:"true"`
|
MustUsePartitionKey ParamItem `refreshable:"true"`
|
||||||
SkipAutoIDCheck ParamItem `refreshable:"true"`
|
SkipAutoIDCheck ParamItem `refreshable:"true"`
|
||||||
SkipPartitionKeyCheck ParamItem `refreshable:"true"`
|
SkipPartitionKeyCheck ParamItem `refreshable:"true"`
|
||||||
|
EnablePublicPrivilege ParamItem `refreshable:"false"`
|
||||||
|
|
||||||
AccessLog AccessLogConfig
|
AccessLog AccessLogConfig
|
||||||
|
|
||||||
|
@ -1394,6 +1395,14 @@ please adjust in embedded Milvus: false`,
|
||||||
}
|
}
|
||||||
p.SkipPartitionKeyCheck.Init(base.mgr)
|
p.SkipPartitionKeyCheck.Init(base.mgr)
|
||||||
|
|
||||||
|
p.EnablePublicPrivilege = ParamItem{
|
||||||
|
Key: "proxy.enablePublicPrivilege",
|
||||||
|
Version: "2.4.1",
|
||||||
|
DefaultValue: "true",
|
||||||
|
Doc: "switch for whether proxy shall enable public privilege",
|
||||||
|
}
|
||||||
|
p.EnablePublicPrivilege.Init(base.mgr)
|
||||||
|
|
||||||
p.GracefulStopTimeout = ParamItem{
|
p.GracefulStopTimeout = ParamItem{
|
||||||
Key: "proxy.gracefulStopTimeout",
|
Key: "proxy.gracefulStopTimeout",
|
||||||
Version: "2.3.7",
|
Version: "2.3.7",
|
||||||
|
|
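Review bot: The `Doc` for `proxy.enablePublicPrivilege` says only "switch for whether proxy shall enable public privilege", which leaves an operator guessing what is granted and when; the other hunks show it gates the default grants (DescribeCollection, IndexDetail) to the public role during RBAC initialization. A more useful text would be `Doc: "whether to grant the public role its default privileges (DescribeCollection, IndexDetail) when RBAC is initialized; grants already persisted are not revoked when set to false"`. The item is consumed by rootcoord's `initRbac` rather than by the proxy, so a reader looking under the proxy package for its effect will not find it; a short note pointing to rootcoord would help, and `refreshable:"false"` is consistent with the value being read only at startup. The method that initializes `p.EnablePublicPrivilege` begins before and ends after this hunk.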