From 9e8b6ace6d3c374514ab06e3fa7b5978242ba753 Mon Sep 17 00:00:00 2001
From: sthuang <167743503+shaoting-huang@users.noreply.github.com>
Date: Mon, 11 Nov 2024 14:20:29 +0800
Subject: [PATCH] enhance: [2.4] RBAC custom privilege group (#37560)
Cherry-pick from master
pr: https://github.com/milvus-io/milvus/pull/37087,
https://github.com/milvus-io/milvus/pull/37558
issue: #37031
---------
Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
---
go.mod | 2 +-
go.sum | 4 +-
internal/datacoord/mock_test.go | 16 +
internal/datanode/importv2/pool_test.go | 3 +-
.../distributed/proxy/httpserver/constant.go | 46 +--
.../proxy/httpserver/handler_v2.go | 86 +++++
.../proxy/httpserver/handler_v2_test.go | 28 +-
.../proxy/httpserver/request_v2.go | 5 +
internal/distributed/proxy/service.go | 16 +
.../distributed/rootcoord/client/client.go | 48 +++
.../rootcoord/client/client_test.go | 28 ++
internal/distributed/rootcoord/service.go | 16 +
internal/metastore/catalog.go | 5 +
internal/metastore/kv/rootcoord/kv_catalog.go | 124 ++++++-
.../metastore/kv/rootcoord/kv_catalog_test.go | 173 +++++++++-
.../kv/rootcoord/rootcoord_constant.go | 7 +
.../metastore/mocks/mock_rootcoord_catalog.go | 195 +++++++++++
internal/mocks/mock_proxy.go | 220 ++++++++++++
internal/mocks/mock_querynode.go | 4 -
internal/mocks/mock_querynode_client.go | 4 -
internal/mocks/mock_rootcoord.go | 220 ++++++++++++
internal/mocks/mock_rootcoord_client.go | 280 +++++++++++++++
internal/proto/internal.proto | 2 +
internal/proto/root_coord.proto | 4 +
internal/proxy/impl.go | 121 +++++++
internal/proxy/meta_cache.go | 10 +-
internal/proxy/rootcoord_mock_test.go | 16 +
internal/proxy/util.go | 8 -
internal/proxy/util_test.go | 4 -
internal/rootcoord/meta_table.go | 191 +++++++++++
internal/rootcoord/meta_table_test.go | 41 +++
internal/rootcoord/mock_test.go | 40 +++
internal/rootcoord/mocks/meta_table.go | 311 +++++++++++++++++
internal/rootcoord/root_coord.go | 318 ++++++++++++++++--
internal/rootcoord/root_coord_test.go | 39 +++
internal/util/mock/grpc_rootcoord_client.go | 16 +
pkg/go.mod | 2 +-
pkg/go.sum | 4 +-
pkg/metrics/rootcoord_metrics.go | 9 +
pkg/util/constant.go | 21 ++
pkg/util/funcutil/policy.go | 11 +
.../integration/rbac/privilege_group_test.go | 248 +++++++++++---
tests/integration/rbac/rbac_backup_test.go | 179 ++++++----
43 files changed, 2914 insertions(+), 211 deletions(-)
diff --git a/go.mod b/go.mod
index 1f209810b967a..d2f274bcf773f 100644
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
github.com/klauspost/compress v1.17.9
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
- github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241106083218-955997f1a757
+ github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241110064419-549e4694a7e7
github.com/minio/minio-go/v7 v7.0.73
github.com/pingcap/log v1.1.1-0.20221015072633-39906604fb81
github.com/prometheus/client_golang v1.14.0
diff --git a/go.sum b/go.sum
index 2d0b44e3dad02..06f4622fe0917 100644
--- a/go.sum
+++ b/go.sum
@@ -608,8 +608,8 @@ github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119 h1:9VXijWu
github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119/go.mod h1:DvXTE/K/RtHehxU8/GtDs4vFtfw64jJ3PaCnFri8CRg=
github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b h1:TfeY0NxYxZzUfIfYe5qYDBzt4ZYRqzUjTR6CvUzjat8=
github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b/go.mod h1:iwW+9cWfIzzDseEBCCeDSN5SD16Tidvy8cwQ7ZY8Qj4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241106083218-955997f1a757 h1:t7B2lyq//BG8S+azUNEfohYxRtU5V9NAy8z0G+QAPo4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241106083218-955997f1a757/go.mod h1:/6UT4zZl6awVeXLeE7UGDWZvXj3IWkRsh3mqsn0DiAs=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241110064419-549e4694a7e7 h1:gq5xxDS2EIYVk3ujO+sQgDWrhTTpsmV+r6Gm7dfFrt8=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241110064419-549e4694a7e7/go.mod h1:/6UT4zZl6awVeXLeE7UGDWZvXj3IWkRsh3mqsn0DiAs=
github.com/milvus-io/milvus-storage/go v0.0.0-20231227072638-ebd0b8e56d70 h1:Z+sp64fmAOxAG7mU0dfVOXvAXlwRB0c8a96rIM5HevI=
github.com/milvus-io/milvus-storage/go v0.0.0-20231227072638-ebd0b8e56d70/go.mod h1:GPETMcTZq1gLY1WA6Na5kiNAKnq8SEMMiVKUZrM3sho=
github.com/milvus-io/pulsar-client-go v0.6.10 h1:eqpJjU+/QX0iIhEo3nhOqMNXL+TyInAs1IAHZCrCM/A=
diff --git a/internal/datacoord/mock_test.go b/internal/datacoord/mock_test.go
index aa0aee9c27e94..5012e309fca51 100644
--- a/internal/datacoord/mock_test.go
+++ b/internal/datacoord/mock_test.go
@@ -724,6 +724,22 @@ func (m *mockRootCoordClient) ListPolicy(ctx context.Context, in *internalpb.Lis
return &internalpb.ListPolicyResponse{Status: &commonpb.Status{ErrorCode: commonpb.ErrorCode_Success}}, nil
}
+func (m *mockRootCoordClient) CreatePrivilegeGroup(ctx context.Context, req *milvuspb.CreatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ panic("implement me")
+}
+
+func (m *mockRootCoordClient) DropPrivilegeGroup(ctx context.Context, req *milvuspb.DropPrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ panic("implement me")
+}
+
+func (m *mockRootCoordClient) ListPrivilegeGroups(ctx context.Context, req *milvuspb.ListPrivilegeGroupsRequest, opts ...grpc.CallOption) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ panic("implement me")
+}
+
+func (m *mockRootCoordClient) OperatePrivilegeGroup(ctx context.Context, req *milvuspb.OperatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ panic("implement me")
+}
+
type mockHandler struct {
meta *meta
}
diff --git a/internal/datanode/importv2/pool_test.go b/internal/datanode/importv2/pool_test.go
index 4449a5031c812..06873c6d31ae5 100644
--- a/internal/datanode/importv2/pool_test.go
+++ b/internal/datanode/importv2/pool_test.go
@@ -20,10 +20,9 @@ import (
"fmt"
"testing"
- "github.com/stretchr/testify/assert"
-
"github.com/milvus-io/milvus/pkg/config"
"github.com/milvus-io/milvus/pkg/util/paramtable"
+ "github.com/stretchr/testify/assert"
)
func TestResizePools(t *testing.T) {
diff --git a/internal/distributed/proxy/httpserver/constant.go b/internal/distributed/proxy/httpserver/constant.go
index 55b37063aa68a..4d4a3f8fcb2cb 100644
--- a/internal/distributed/proxy/httpserver/constant.go
+++ b/internal/distributed/proxy/httpserver/constant.go
@@ -9,14 +9,15 @@ import (
// v2
const (
// --- category ---
- CollectionCategory = "/collections/"
- EntityCategory = "/entities/"
- PartitionCategory = "/partitions/"
- UserCategory = "/users/"
- RoleCategory = "/roles/"
- IndexCategory = "/indexes/"
- AliasCategory = "/aliases/"
- ImportJobCategory = "/jobs/import/"
+ CollectionCategory = "/collections/"
+ EntityCategory = "/entities/"
+ PartitionCategory = "/partitions/"
+ UserCategory = "/users/"
+ RoleCategory = "/roles/"
+ IndexCategory = "/indexes/"
+ AliasCategory = "/aliases/"
+ ImportJobCategory = "/jobs/import/"
+ PrivilegeGroupCategory = "/privilege_groups/"
ListAction = "list"
HasAction = "has"
@@ -37,13 +38,15 @@ const (
AdvancedSearchAction = "advanced_search"
HybridSearchAction = "hybrid_search"
- UpdatePasswordAction = "update_password"
- GrantRoleAction = "grant_role"
- RevokeRoleAction = "revoke_role"
- GrantPrivilegeAction = "grant_privilege"
- RevokePrivilegeAction = "revoke_privilege"
- AlterAction = "alter"
- GetProgressAction = "get_progress" // deprecated, keep it for compatibility, use `/v2/vectordb/jobs/import/describe` instead
+ UpdatePasswordAction = "update_password"
+ GrantRoleAction = "grant_role"
+ RevokeRoleAction = "revoke_role"
+ GrantPrivilegeAction = "grant_privilege"
+ RevokePrivilegeAction = "revoke_privilege"
+ AlterAction = "alter"
+ GetProgressAction = "get_progress" // deprecated, keep it for compatibility, use `/v2/vectordb/jobs/import/describe` instead
+ AddPrivilegesToGroupAction = "add_privileges_to_group"
+ RemovePrivilegesFromGroupAction = "remove_privileges_from_group"
)
const (
@@ -116,11 +119,14 @@ const (
HTTPReturnRowCount = "rowCount"
- HTTPReturnObjectType = "objectType"
- HTTPReturnObjectName = "objectName"
- HTTPReturnPrivilege = "privilege"
- HTTPReturnGrantor = "grantor"
- HTTPReturnDbName = "dbName"
+ HTTPReturnObjectType = "objectType"
+ HTTPReturnObjectName = "objectName"
+ HTTPReturnPrivilege = "privilege"
+ HTTPReturnGrantor = "grantor"
+ HTTPReturnDbName = "dbName"
+ HTTPReturnPrivilegeGroupName = "privilegeGroupName"
+ HTTPReturnPrivileges = "privileges"
+ HTTPReturnPrivilegeGroups = "privilegeGroups"
DefaultMetricType = metric.COSINE
DefaultPrimaryFieldName = "id"
diff --git a/internal/distributed/proxy/httpserver/handler_v2.go b/internal/distributed/proxy/httpserver/handler_v2.go
index 5deb4bd0f9408..24092e75d5ca9 100644
--- a/internal/distributed/proxy/httpserver/handler_v2.go
+++ b/internal/distributed/proxy/httpserver/handler_v2.go
@@ -132,6 +132,13 @@ func (h *HandlersV2) RegisterRoutesToV2(router gin.IRouter) {
router.POST(RoleCategory+GrantPrivilegeAction, timeoutMiddleware(wrapperPost(func() any { return &GrantReq{} }, wrapperTraceLog(h.addPrivilegeToRole))))
router.POST(RoleCategory+RevokePrivilegeAction, timeoutMiddleware(wrapperPost(func() any { return &GrantReq{} }, wrapperTraceLog(h.removePrivilegeFromRole))))
+ // privilege group
+ router.POST(PrivilegeGroupCategory+CreateAction, timeoutMiddleware(wrapperPost(func() any { return &PrivilegeGroupReq{} }, wrapperTraceLog(h.createPrivilegeGroup))))
+ router.POST(PrivilegeGroupCategory+DropAction, timeoutMiddleware(wrapperPost(func() any { return &PrivilegeGroupReq{} }, wrapperTraceLog(h.dropPrivilegeGroup))))
+ router.POST(PrivilegeGroupCategory+ListAction, timeoutMiddleware(wrapperPost(func() any { return &PrivilegeGroupReq{} }, wrapperTraceLog(h.listPrivilegeGroups))))
+ router.POST(PrivilegeGroupCategory+AddPrivilegesToGroupAction, timeoutMiddleware(wrapperPost(func() any { return &PrivilegeGroupReq{} }, wrapperTraceLog(h.addPrivilegesToGroup))))
+ router.POST(PrivilegeGroupCategory+RemovePrivilegesFromGroupAction, timeoutMiddleware(wrapperPost(func() any { return &PrivilegeGroupReq{} }, wrapperTraceLog(h.removePrivilegesFromGroup))))
+
router.POST(IndexCategory+ListAction, timeoutMiddleware(wrapperPost(func() any { return &CollectionNameReq{} }, wrapperTraceLog(h.wrapperCheckDatabase(h.listIndexes)))))
router.POST(IndexCategory+DescribeAction, timeoutMiddleware(wrapperPost(func() any { return &IndexReq{} }, wrapperTraceLog(h.wrapperCheckDatabase(h.describeIndex)))))
@@ -1711,6 +1718,85 @@ func (h *HandlersV2) removePrivilegeFromRole(ctx context.Context, c *gin.Context
return h.operatePrivilegeToRole(ctx, c, anyReq.(*GrantReq), milvuspb.OperatePrivilegeType_Revoke, dbName)
}
+func (h *HandlersV2) createPrivilegeGroup(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
+ httpReq := anyReq.(*PrivilegeGroupReq)
+ req := &milvuspb.CreatePrivilegeGroupRequest{
+ GroupName: httpReq.PrivilegeGroupName,
+ }
+ resp, err := wrapperProxy(ctx, c, req, h.checkAuth, false, "/milvus.proto.milvus.MilvusService/CreatePrivilegeGroup", func(reqCtx context.Context, req any) (interface{}, error) {
+ return h.proxy.CreatePrivilegeGroup(reqCtx, req.(*milvuspb.CreatePrivilegeGroupRequest))
+ })
+ if err == nil {
+ HTTPReturn(c, http.StatusOK, wrapperReturnDefault())
+ }
+ return resp, err
+}
+
+func (h *HandlersV2) dropPrivilegeGroup(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
+ httpReq := anyReq.(*PrivilegeGroupReq)
+ req := &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: httpReq.PrivilegeGroupName,
+ }
+ resp, err := wrapperProxy(ctx, c, req, h.checkAuth, false, "/milvus.proto.milvus.MilvusService/DropPrivilegeGroup", func(reqCtx context.Context, req any) (interface{}, error) {
+ return h.proxy.DropPrivilegeGroup(reqCtx, req.(*milvuspb.DropPrivilegeGroupRequest))
+ })
+ if err == nil {
+ HTTPReturn(c, http.StatusOK, wrapperReturnDefault())
+ }
+ return resp, err
+}
+
+func (h *HandlersV2) listPrivilegeGroups(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
+ req := &milvuspb.ListPrivilegeGroupsRequest{}
+ resp, err := wrapperProxy(ctx, c, req, h.checkAuth, false, "/milvus.proto.milvus.MilvusService/ListPrivilegeGroups", func(reqCtx context.Context, req any) (interface{}, error) {
+ return h.proxy.ListPrivilegeGroups(reqCtx, req.(*milvuspb.ListPrivilegeGroupsRequest))
+ })
+ if err == nil {
+ privGroups := make([]map[string]interface{}, 0)
+ for _, group := range resp.(*milvuspb.ListPrivilegeGroupsResponse).PrivilegeGroups {
+ privileges := make([]string, len(group.Privileges))
+ for i, privilege := range group.Privileges {
+ privileges[i] = privilege.Name
+ }
+ groupInfo := map[string]interface{}{
+ HTTPReturnPrivilegeGroupName: group.GroupName,
+ HTTPReturnPrivileges: strings.Join(privileges, ","),
+ }
+ privGroups = append(privGroups, groupInfo)
+ }
+ HTTPReturn(c, http.StatusOK, gin.H{HTTPReturnCode: merr.Code(nil), HTTPReturnData: gin.H{
+ HTTPReturnPrivilegeGroups: privGroups,
+ }})
+ }
+ return resp, err
+}
+
+func (h *HandlersV2) addPrivilegesToGroup(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
+ return h.operatePrivilegeGroup(ctx, c, anyReq, dbName, milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup)
+}
+
+func (h *HandlersV2) removePrivilegesFromGroup(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
+ return h.operatePrivilegeGroup(ctx, c, anyReq, dbName, milvuspb.OperatePrivilegeGroupType_RemovePrivilegesFromGroup)
+}
+
+func (h *HandlersV2) operatePrivilegeGroup(ctx context.Context, c *gin.Context, anyReq any, dbName string, operateType milvuspb.OperatePrivilegeGroupType) (interface{}, error) {
+ httpReq := anyReq.(*PrivilegeGroupReq)
+ req := &milvuspb.OperatePrivilegeGroupRequest{
+ GroupName: httpReq.PrivilegeGroupName,
+ Privileges: lo.Map(httpReq.Privileges, func(p string, _ int) *milvuspb.PrivilegeEntity {
+ return &milvuspb.PrivilegeEntity{Name: p}
+ }),
+ Type: operateType,
+ }
+ resp, err := wrapperProxy(ctx, c, req, h.checkAuth, false, "/milvus.proto.milvus.MilvusService/OperatePrivilegeGroup", func(reqCtx context.Context, req any) (interface{}, error) {
+ return h.proxy.OperatePrivilegeGroup(reqCtx, req.(*milvuspb.OperatePrivilegeGroupRequest))
+ })
+ if err == nil {
+ HTTPReturn(c, http.StatusOK, wrapperReturnDefault())
+ }
+ return resp, err
+}
+
func (h *HandlersV2) listIndexes(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
collectionGetter, _ := anyReq.(requestutil.CollectionNameGetter)
indexNames := []string{}
diff --git a/internal/distributed/proxy/httpserver/handler_v2_test.go b/internal/distributed/proxy/httpserver/handler_v2_test.go
index aca560b902598..96aaa4289f9ed 100644
--- a/internal/distributed/proxy/httpserver/handler_v2_test.go
+++ b/internal/distributed/proxy/httpserver/handler_v2_test.go
@@ -897,6 +897,10 @@ func TestMethodGet(t *testing.T) {
Status: &StatusSuccess,
Alias: DefaultAliasName,
}, nil).Once()
+ mp.EXPECT().ListPrivilegeGroups(mock.Anything, mock.Anything).Return(&milvuspb.ListPrivilegeGroupsResponse{
+ Status: &StatusSuccess,
+ PrivilegeGroups: []*milvuspb.PrivilegeGroupInfo{{GroupName: "group1", Privileges: []*milvuspb.PrivilegeEntity{{Name: "*"}}}},
+ }, nil).Once()
testEngine := initHTTPServerV2(mp, false)
queryTestCases := []rawTestCase{}
@@ -987,6 +991,9 @@ func TestMethodGet(t *testing.T) {
queryTestCases = append(queryTestCases, rawTestCase{
path: versionalV2(AliasCategory, DescribeAction),
})
+ queryTestCases = append(queryTestCases, rawTestCase{
+ path: versionalV2(PrivilegeGroupCategory, ListAction),
+ })
for _, testcase := range queryTestCases {
t.Run(testcase.path, func(t *testing.T) {
@@ -996,7 +1003,8 @@ func TestMethodGet(t *testing.T) {
`"indexName": "` + DefaultIndexName + `",` +
`"userName": "` + util.UserRoot + `",` +
`"roleName": "` + util.RoleAdmin + `",` +
- `"aliasName": "` + DefaultAliasName + `"` +
+ `"aliasName": "` + DefaultAliasName + `",` +
+ `"privilegeGroupName": "pg"` +
`}`))
req := httptest.NewRequest(http.MethodPost, testcase.path, bodyReader)
w := httptest.NewRecorder()
@@ -1037,6 +1045,7 @@ func TestMethodDelete(t *testing.T) {
mp.EXPECT().DropRole(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Once()
mp.EXPECT().DropIndex(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Once()
mp.EXPECT().DropAlias(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Once()
+ mp.EXPECT().DropPrivilegeGroup(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Once()
testEngine := initHTTPServerV2(mp, false)
queryTestCases := []rawTestCase{}
queryTestCases = append(queryTestCases, rawTestCase{
@@ -1057,10 +1066,13 @@ func TestMethodDelete(t *testing.T) {
queryTestCases = append(queryTestCases, rawTestCase{
path: versionalV2(AliasCategory, DropAction),
})
+ queryTestCases = append(queryTestCases, rawTestCase{
+ path: versionalV2(PrivilegeGroupCategory, DropAction),
+ })
for _, testcase := range queryTestCases {
t.Run(testcase.path, func(t *testing.T) {
bodyReader := bytes.NewReader([]byte(`{"collectionName": "` + DefaultCollectionName + `", "partitionName": "` + DefaultPartitionName +
- `", "userName": "` + util.UserRoot + `", "roleName": "` + util.RoleAdmin + `", "indexName": "` + DefaultIndexName + `", "aliasName": "` + DefaultAliasName + `"}`))
+ `", "userName": "` + util.UserRoot + `", "roleName": "` + util.RoleAdmin + `", "indexName": "` + DefaultIndexName + `", "aliasName": "` + DefaultAliasName + `", "privilegeGroupName": "pg"}`))
req := httptest.NewRequest(http.MethodPost, testcase.path, bodyReader)
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
@@ -1099,6 +1111,8 @@ func TestMethodPost(t *testing.T) {
mp.EXPECT().CreateIndex(mock.Anything, mock.Anything).Return(commonErrorStatus, nil).Once()
mp.EXPECT().CreateAlias(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Once()
mp.EXPECT().AlterAlias(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Once()
+ mp.EXPECT().CreatePrivilegeGroup(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Once()
+ mp.EXPECT().OperatePrivilegeGroup(mock.Anything, mock.Anything).Return(commonSuccessStatus, nil).Twice()
mp.EXPECT().ImportV2(mock.Anything, mock.Anything).Return(&internalpb.ImportResponse{
Status: commonSuccessStatus, JobID: "1234567890",
}, nil).Once()
@@ -1191,6 +1205,15 @@ func TestMethodPost(t *testing.T) {
queryTestCases = append(queryTestCases, rawTestCase{
path: versionalV2(ImportJobCategory, DescribeAction),
})
+ queryTestCases = append(queryTestCases, rawTestCase{
+ path: versionalV2(PrivilegeGroupCategory, CreateAction),
+ })
+ queryTestCases = append(queryTestCases, rawTestCase{
+ path: versionalV2(PrivilegeGroupCategory, AddPrivilegesToGroupAction),
+ })
+ queryTestCases = append(queryTestCases, rawTestCase{
+ path: versionalV2(PrivilegeGroupCategory, RemovePrivilegesFromGroupAction),
+ })
for _, testcase := range queryTestCases {
t.Run(testcase.path, func(t *testing.T) {
@@ -1201,6 +1224,7 @@ func TestMethodPost(t *testing.T) {
`"indexParams": [{"indexName": "` + DefaultIndexName + `", "fieldName": "book_intro", "metricType": "L2", "params": {"nlist": 30, "index_type": "IVF_FLAT"}}],` +
`"userName": "` + util.UserRoot + `", "password": "Milvus", "newPassword": "milvus", "roleName": "` + util.RoleAdmin + `",` +
`"roleName": "` + util.RoleAdmin + `", "objectType": "Global", "objectName": "*", "privilege": "*",` +
+ `"privilegeGroupName": "pg", "privileges": ["create", "drop"],` +
`"aliasName": "` + DefaultAliasName + `",` +
`"jobId": "1234567890",` +
`"files": [["book.json"]]` +
diff --git a/internal/distributed/proxy/httpserver/request_v2.go b/internal/distributed/proxy/httpserver/request_v2.go
index e7f1364a70ae9..fc7d82dc1fbd4 100644
--- a/internal/distributed/proxy/httpserver/request_v2.go
+++ b/internal/distributed/proxy/httpserver/request_v2.go
@@ -258,6 +258,11 @@ func (req *RoleReq) GetRoleName() string {
return req.RoleName
}
+type PrivilegeGroupReq struct {
+ PrivilegeGroupName string `json:"privilegeGroupName" binding:"required"`
+ Privileges []string `json:"privileges"`
+}
+
type GrantReq struct {
RoleName string `json:"roleName" binding:"required"`
ObjectType string `json:"objectType" binding:"required"`
diff --git a/internal/distributed/proxy/service.go b/internal/distributed/proxy/service.go
index 9b6a070c65d28..b941663cecc61 100644
--- a/internal/distributed/proxy/service.go
+++ b/internal/distributed/proxy/service.go
@@ -1060,6 +1060,22 @@ func (s *Server) RestoreRBAC(ctx context.Context, req *milvuspb.RestoreRBACMetaR
return s.proxy.RestoreRBAC(ctx, req)
}
+func (s *Server) CreatePrivilegeGroup(ctx context.Context, req *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ return s.proxy.CreatePrivilegeGroup(ctx, req)
+}
+
+func (s *Server) DropPrivilegeGroup(ctx context.Context, req *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+ return s.proxy.DropPrivilegeGroup(ctx, req)
+}
+
+func (s *Server) ListPrivilegeGroups(ctx context.Context, req *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ return s.proxy.ListPrivilegeGroups(ctx, req)
+}
+
+func (s *Server) OperatePrivilegeGroup(ctx context.Context, req *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ return s.proxy.OperatePrivilegeGroup(ctx, req)
+}
+
func (s *Server) RefreshPolicyInfoCache(ctx context.Context, req *proxypb.RefreshPolicyInfoCacheRequest) (*commonpb.Status, error) {
return s.proxy.RefreshPolicyInfoCache(ctx, req)
}
diff --git a/internal/distributed/rootcoord/client/client.go b/internal/distributed/rootcoord/client/client.go
index fbf8d2657f16e..6de68c45f7d66 100644
--- a/internal/distributed/rootcoord/client/client.go
+++ b/internal/distributed/rootcoord/client/client.go
@@ -694,3 +694,51 @@ func (c *Client) RestoreRBAC(ctx context.Context, in *milvuspb.RestoreRBACMetaRe
return client.RestoreRBAC(ctx, in)
})
}
+
+func (c *Client) CreatePrivilegeGroup(ctx context.Context, in *milvuspb.CreatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ in = typeutil.Clone(in)
+ commonpbutil.UpdateMsgBase(
+ in.GetBase(),
+ commonpbutil.FillMsgBaseFromClient(paramtable.GetNodeID(), commonpbutil.WithTargetID(c.sess.ServerID)),
+ )
+
+ return wrapGrpcCall(ctx, c, func(client rootcoordpb.RootCoordClient) (*commonpb.Status, error) {
+ return client.CreatePrivilegeGroup(ctx, in)
+ })
+}
+
+func (c *Client) DropPrivilegeGroup(ctx context.Context, in *milvuspb.DropPrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ in = typeutil.Clone(in)
+ commonpbutil.UpdateMsgBase(
+ in.GetBase(),
+ commonpbutil.FillMsgBaseFromClient(paramtable.GetNodeID(), commonpbutil.WithTargetID(c.sess.ServerID)),
+ )
+
+ return wrapGrpcCall(ctx, c, func(client rootcoordpb.RootCoordClient) (*commonpb.Status, error) {
+ return client.DropPrivilegeGroup(ctx, in)
+ })
+}
+
+func (c *Client) ListPrivilegeGroups(ctx context.Context, in *milvuspb.ListPrivilegeGroupsRequest, opts ...grpc.CallOption) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ in = typeutil.Clone(in)
+ commonpbutil.UpdateMsgBase(
+ in.GetBase(),
+ commonpbutil.FillMsgBaseFromClient(paramtable.GetNodeID(), commonpbutil.WithTargetID(c.sess.ServerID)),
+ )
+
+ return wrapGrpcCall(ctx, c, func(client rootcoordpb.RootCoordClient) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ return client.ListPrivilegeGroups(ctx, in)
+ })
+}
+
+func (c *Client) OperatePrivilegeGroup(ctx context.Context, in *milvuspb.OperatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ in = typeutil.Clone(in)
+ commonpbutil.UpdateMsgBase(
+ in.GetBase(),
+ commonpbutil.FillMsgBaseFromClient(paramtable.GetNodeID(), commonpbutil.WithTargetID(c.sess.ServerID)),
+ )
+
+ return wrapGrpcCall(ctx, c, func(client rootcoordpb.RootCoordClient) (*commonpb.Status, error) {
+ return client.OperatePrivilegeGroup(ctx, in)
+ })
+}
diff --git a/internal/distributed/rootcoord/client/client_test.go b/internal/distributed/rootcoord/client/client_test.go
index 07c092e687439..5661298327fe6 100644
--- a/internal/distributed/rootcoord/client/client_test.go
+++ b/internal/distributed/rootcoord/client/client_test.go
@@ -236,10 +236,38 @@ func Test_NewClient(t *testing.T) {
r, err := client.ListDatabases(ctx, nil)
retCheck(retNotNil, r, err)
}
+ {
+ r, err := client.AlterCollection(ctx, nil)
+ retCheck(retNotNil, r, err)
+ }
{
r, err := client.AlterDatabase(ctx, nil)
retCheck(retNotNil, r, err)
}
+ {
+ r, err := client.BackupRBAC(ctx, nil)
+ retCheck(retNotNil, r, err)
+ }
+ {
+ r, err := client.RestoreRBAC(ctx, nil)
+ retCheck(retNotNil, r, err)
+ }
+ {
+ r, err := client.CreatePrivilegeGroup(ctx, nil)
+ retCheck(retNotNil, r, err)
+ }
+ {
+ r, err := client.DropPrivilegeGroup(ctx, nil)
+ retCheck(retNotNil, r, err)
+ }
+ {
+ r, err := client.ListPrivilegeGroups(ctx, nil)
+ retCheck(retNotNil, r, err)
+ }
+ {
+ r, err := client.OperatePrivilegeGroup(ctx, nil)
+ retCheck(retNotNil, r, err)
+ }
}
client.(*Client).grpcClient = &mock.GRPCClientBase[rootcoordpb.RootCoordClient]{
diff --git a/internal/distributed/rootcoord/service.go b/internal/distributed/rootcoord/service.go
index 8210cf3085727..4f245d1b07654 100644
--- a/internal/distributed/rootcoord/service.go
+++ b/internal/distributed/rootcoord/service.go
@@ -545,3 +545,19 @@ func (s *Server) BackupRBAC(ctx context.Context, request *milvuspb.BackupRBACMet
func (s *Server) RestoreRBAC(ctx context.Context, request *milvuspb.RestoreRBACMetaRequest) (*commonpb.Status, error) {
return s.rootCoord.RestoreRBAC(ctx, request)
}
+
+func (s *Server) CreatePrivilegeGroup(ctx context.Context, request *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ return s.rootCoord.CreatePrivilegeGroup(ctx, request)
+}
+
+func (s *Server) DropPrivilegeGroup(ctx context.Context, request *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+ return s.rootCoord.DropPrivilegeGroup(ctx, request)
+}
+
+func (s *Server) ListPrivilegeGroups(ctx context.Context, request *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ return s.rootCoord.ListPrivilegeGroups(ctx, request)
+}
+
+func (s *Server) OperatePrivilegeGroup(ctx context.Context, request *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ return s.rootCoord.OperatePrivilegeGroup(ctx, request)
+}
diff --git a/internal/metastore/catalog.go b/internal/metastore/catalog.go
index b40ee8d5e7e79..2d23104912ee5 100644
--- a/internal/metastore/catalog.go
+++ b/internal/metastore/catalog.go
@@ -85,6 +85,11 @@ type RootCoordCatalog interface {
BackupRBAC(ctx context.Context, tenant string) (*milvuspb.RBACMeta, error)
RestoreRBAC(ctx context.Context, tenant string, meta *milvuspb.RBACMeta) error
+ GetPrivilegeGroup(ctx context.Context, groupName string) (*milvuspb.PrivilegeGroupInfo, error)
+ DropPrivilegeGroup(ctx context.Context, groupName string) error
+ SavePrivilegeGroup(ctx context.Context, data *milvuspb.PrivilegeGroupInfo) error
+ ListPrivilegeGroups(ctx context.Context) ([]*milvuspb.PrivilegeGroupInfo, error)
+
Close()
}
diff --git a/internal/metastore/kv/rootcoord/kv_catalog.go b/internal/metastore/kv/rootcoord/kv_catalog.go
index 28705ff8964db..7ed617d00a9da 100644
--- a/internal/metastore/kv/rootcoord/kv_catalog.go
+++ b/internal/metastore/kv/rootcoord/kv_catalog.go
@@ -1295,10 +1295,16 @@ func (kc *Catalog) BackupRBAC(ctx context.Context, tenant string) (*milvuspb.RBA
grantsEntity = append(grantsEntity, grants...)
}
+ privGroups, err := kc.ListPrivilegeGroups(ctx)
+ if err != nil {
+ return nil, err
+ }
+
return &milvuspb.RBACMeta{
- Users: userInfos,
- Roles: roleEntity,
- Grants: grantsEntity,
+ Users: userInfos,
+ Roles: roleEntity,
+ Grants: grantsEntity,
+ PrivilegeGroups: privGroups,
}, nil
}
@@ -1307,6 +1313,7 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
needRollbackUser := make([]*milvuspb.UserInfo, 0)
needRollbackRole := make([]*milvuspb.RoleEntity, 0)
needRollbackGrants := make([]*milvuspb.GrantEntity, 0)
+ needRollbackPrivilegeGroups := make([]*milvuspb.PrivilegeGroupInfo, 0)
defer func() {
if err != nil {
log.Warn("failed to restore rbac, try to rollback", zap.Error(err))
@@ -1333,6 +1340,14 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
log.Warn("failed to rollback users after restore failed", zap.Error(err))
}
}
+
+ // roll back privilege group
+ for _, group := range needRollbackPrivilegeGroups {
+ err = kc.DropPrivilegeGroup(ctx, group.GroupName)
+ if err != nil {
+ log.Warn("failed to rollback privilege groups after restore failed", zap.Error(err))
+ }
+ }
}
}()
@@ -1355,9 +1370,42 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
needRollbackRole = append(needRollbackRole, role)
}
- // restore grant
+ // restore privilege group
+ existPrivGroups, err := kc.ListPrivilegeGroups(ctx)
+ if err != nil {
+ return err
+ }
+ existPrivGroupMap := lo.SliceToMap(existPrivGroups, func(entity *milvuspb.PrivilegeGroupInfo) (string, struct{}) { return entity.GroupName, struct{}{} })
+ for _, group := range meta.PrivilegeGroups {
+ if _, ok := existPrivGroupMap[group.GroupName]; ok {
+ log.Warn("failed to restore, privilege group already exists", zap.String("group", group.GroupName))
+ err = errors.Newf("privilege group [%s] already exists", group.GroupName)
+ return err
+ }
+ err = kc.SavePrivilegeGroup(ctx, group)
+ if err != nil {
+ return err
+ }
+ needRollbackPrivilegeGroups = append(needRollbackPrivilegeGroups, group)
+ }
+
+ // restore grant, list latest privilege group first
+ existPrivGroups, err = kc.ListPrivilegeGroups(ctx)
+ if err != nil {
+ return err
+ }
+ existPrivGroupMap = lo.SliceToMap(existPrivGroups, func(entity *milvuspb.PrivilegeGroupInfo) (string, struct{}) { return entity.GroupName, struct{}{} })
for _, grant := range meta.Grants {
- grant.Grantor.Privilege.Name = util.PrivilegeNameForMetastore(grant.Grantor.Privilege.Name)
+ privName := grant.Grantor.Privilege.Name
+ if util.IsPrivilegeNameDefined(privName) {
+ grant.Grantor.Privilege.Name = util.PrivilegeNameForMetastore(privName)
+ } else if _, ok := existPrivGroupMap[privName]; ok {
+ grant.Grantor.Privilege.Name = util.PrivilegeGroupNameForMetastore(privName)
+ } else {
+ log.Warn("failed to restore, privilege group does not exist", zap.String("group", privName))
+ err = errors.Newf("privilege group [%s] does not exist", privName)
+ return err
+ }
err = kc.AlterGrant(ctx, tenant, grant, milvuspb.OperatePrivilegeType_Grant)
if err != nil {
return err
@@ -1402,6 +1450,72 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
return err
}
+func (kc *Catalog) GetPrivilegeGroup(ctx context.Context, groupName string) (*milvuspb.PrivilegeGroupInfo, error) {
+ k := BuildPrivilegeGroupkey(groupName)
+ val, err := kc.Txn.Load(k)
+ if err != nil {
+ if errors.Is(err, merr.ErrIoKeyNotFound) {
+ return nil, fmt.Errorf("privilege group [%s] does not exist", groupName)
+ }
+ log.Error("failed to load privilege group", zap.String("group", groupName), zap.Error(err))
+ return nil, err
+ }
+ privGroupInfo := &milvuspb.PrivilegeGroupInfo{}
+ err = proto.Unmarshal([]byte(val), privGroupInfo)
+ if err != nil {
+ log.Error("failed to unmarshal privilege group info", zap.Error(err))
+ return nil, err
+ }
+ return privGroupInfo, nil
+}
+
+func (kc *Catalog) DropPrivilegeGroup(ctx context.Context, groupName string) error {
+ k := BuildPrivilegeGroupkey(groupName)
+ err := kc.Txn.Remove(k)
+ if err != nil {
+ log.Warn("fail to drop privilege group", zap.String("key", k), zap.Error(err))
+ return err
+ }
+ return nil
+}
+
+func (kc *Catalog) SavePrivilegeGroup(ctx context.Context, data *milvuspb.PrivilegeGroupInfo) error {
+ k := BuildPrivilegeGroupkey(data.GroupName)
+ groupInfo := &milvuspb.PrivilegeGroupInfo{
+ GroupName: data.GroupName,
+ Privileges: lo.Uniq(data.Privileges),
+ }
+ v, err := proto.Marshal(groupInfo)
+ if err != nil {
+ log.Error("failed to marshal privilege group info", zap.Error(err))
+ return err
+ }
+ if err = kc.Txn.Save(k, string(v)); err != nil {
+ log.Warn("fail to put privilege group", zap.String("key", k), zap.Error(err))
+ return err
+ }
+ return nil
+}
+
+func (kc *Catalog) ListPrivilegeGroups(ctx context.Context) ([]*milvuspb.PrivilegeGroupInfo, error) {
+ _, vals, err := kc.Txn.LoadWithPrefix(PrivilegeGroupPrefix)
+ if err != nil {
+ log.Error("failed to list privilege groups", zap.String("prefix", PrivilegeGroupPrefix), zap.Error(err))
+ return nil, err
+ }
+ privGroups := make([]*milvuspb.PrivilegeGroupInfo, 0, len(vals))
+ for _, val := range vals {
+ privGroupInfo := &milvuspb.PrivilegeGroupInfo{}
+ err = proto.Unmarshal([]byte(val), privGroupInfo)
+ if err != nil {
+ log.Error("failed to unmarshal privilege group info", zap.Error(err))
+ return nil, err
+ }
+ privGroups = append(privGroups, privGroupInfo)
+ }
+ return privGroups, nil
+}
+
func (kc *Catalog) Close() {
// do nothing
}
diff --git a/internal/metastore/kv/rootcoord/kv_catalog_test.go b/internal/metastore/kv/rootcoord/kv_catalog_test.go
index 71817ae1098b7..f65f522dd6904 100644
--- a/internal/metastore/kv/rootcoord/kv_catalog_test.go
+++ b/internal/metastore/kv/rootcoord/kv_catalog_test.go
@@ -9,6 +9,7 @@ import (
"testing"
"github.com/cockroachdb/errors"
+ "github.com/samber/lo"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
@@ -2595,6 +2596,11 @@ func TestRBAC_Backup(t *testing.T) {
})
c.AlterUserRole(ctx, util.DefaultTenant, &milvuspb.UserEntity{Name: "user1"}, &milvuspb.RoleEntity{Name: "role1"}, milvuspb.OperateUserRoleType_AddUserToRole)
+ c.SavePrivilegeGroup(ctx, &milvuspb.PrivilegeGroupInfo{
+ GroupName: "custom_group",
+ Privileges: []*milvuspb.PrivilegeEntity{{Name: "CreateCollection"}},
+ })
+
// test backup success
backup, err := c.BackupRBAC(ctx, util.DefaultTenant)
assert.NoError(t, err)
@@ -2605,6 +2611,9 @@ func TestRBAC_Backup(t *testing.T) {
assert.Equal(t, "user1", backup.Users[0].User)
assert.Equal(t, 1, len(backup.Users[0].Roles))
assert.Equal(t, 1, len(backup.Roles))
+ assert.Equal(t, 1, len(backup.PrivilegeGroups))
+ assert.Equal(t, "custom_group", backup.PrivilegeGroups[0].GroupName)
+ assert.Equal(t, "CreateCollection", backup.PrivilegeGroups[0].Privileges[0].Name)
}
func TestRBAC_Restore(t *testing.T) {
@@ -2650,10 +2659,17 @@ func TestRBAC_Restore(t *testing.T) {
DbName: util.DefaultDBName,
Grantor: &milvuspb.GrantorEntity{
User: &milvuspb.UserEntity{Name: "user1"},
- Privilege: &milvuspb.PrivilegeEntity{Name: "PrivilegeLoad"},
+ Privilege: &milvuspb.PrivilegeEntity{Name: "Load"},
},
},
},
+
+ PrivilegeGroups: []*milvuspb.PrivilegeGroupInfo{
+ {
+ GroupName: "custom_group",
+ Privileges: []*milvuspb.PrivilegeEntity{{Name: "CreateCollection"}},
+ },
+ },
}
// test restore success
err := c.RestoreRBAC(ctx, util.DefaultTenant, rbacMeta)
@@ -2679,6 +2695,13 @@ func TestRBAC_Restore(t *testing.T) {
assert.Equal(t, "obj_name1", grants[0].ObjectName)
assert.Equal(t, "role1", grants[0].Role.Name)
assert.Equal(t, "user1", grants[0].Grantor.User.Name)
+ assert.Equal(t, "Load", grants[0].Grantor.Privilege.Name)
+ // check privilege group
+ privGroups, err := c.ListPrivilegeGroups(ctx)
+ assert.NoError(t, err)
+ assert.Len(t, privGroups, 1)
+ assert.Equal(t, "custom_group", privGroups[0].GroupName)
+ assert.Equal(t, "CreateCollection", privGroups[0].Privileges[0].Name)
rbacMeta2 := &milvuspb.RBACMeta{
Users: []*milvuspb.UserInfo{
@@ -2715,10 +2738,17 @@ func TestRBAC_Restore(t *testing.T) {
DbName: util.DefaultDBName,
Grantor: &milvuspb.GrantorEntity{
User: &milvuspb.UserEntity{Name: "user2"},
- Privilege: &milvuspb.PrivilegeEntity{Name: "PrivilegeLoad"},
+ Privilege: &milvuspb.PrivilegeEntity{Name: "Load"},
},
},
},
+
+ PrivilegeGroups: []*milvuspb.PrivilegeGroupInfo{
+ {
+ GroupName: "custom_group2",
+ Privileges: []*milvuspb.PrivilegeEntity{{Name: "DropCollection"}},
+ },
+ },
}
// test restore failed and roll back
@@ -2740,6 +2770,145 @@ func TestRBAC_Restore(t *testing.T) {
})
assert.NoError(t, err)
assert.Len(t, grants, 1)
+ assert.Equal(t, grants[0].Grantor.Privilege.Name, "Load")
+ // check privilege group
+ privGroups, err = c.ListPrivilegeGroups(ctx)
+ assert.NoError(t, err)
+ assert.Len(t, privGroups, 1)
+ assert.Equal(t, "custom_group", privGroups[0].GroupName)
+ assert.Equal(t, "CreateCollection", privGroups[0].Privileges[0].Name)
+}
+
+func TestRBAC_PrivilegeGroup(t *testing.T) {
+ ctx := context.TODO()
+ group1 := "group1"
+ group2 := "group2"
+ key1 := BuildPrivilegeGroupkey(group1)
+ key2 := BuildPrivilegeGroupkey(group2)
+ privGroupInfo1 := &milvuspb.PrivilegeGroupInfo{GroupName: group1, Privileges: []*milvuspb.PrivilegeEntity{{Name: "priv10"}, {Name: "priv11"}}}
+ privGroupInfo2 := &milvuspb.PrivilegeGroupInfo{GroupName: group2, Privileges: []*milvuspb.PrivilegeEntity{{Name: "priv20"}, {Name: "priv21"}}}
+ v1, _ := proto.Marshal(privGroupInfo1)
+ v2, _ := proto.Marshal(privGroupInfo2)
+
+ t.Run("test GetPrivilegeGroup", func(t *testing.T) {
+ var (
+ kvmock = mocks.NewTxnKV(t)
+ c = &Catalog{Txn: kvmock}
+ )
+ kvmock.EXPECT().Load(key1).Return(string(v1), nil)
+ kvmock.EXPECT().Load(key2).Return("", merr.ErrIoKeyNotFound)
+
+ tests := []struct {
+ description string
+ expectedErr error
+ groupName string
+ expectedPrivileges []string
+ }{
+ {"group not found", fmt.Errorf("privilege group [%s] does not exist", group2), group2, nil},
+ {"valid group", nil, group1, []string{"priv10", "priv11"}},
+ }
+ for _, test := range tests {
+ t.Run(test.description, func(t *testing.T) {
+ group, err := c.GetPrivilegeGroup(ctx, test.groupName)
+ if test.expectedErr != nil {
+ assert.Error(t, err, test.expectedErr)
+ } else {
+ assert.NoError(t, err)
+ assert.ElementsMatch(t, getPrivilegeNames(group.Privileges), test.expectedPrivileges)
+ }
+ })
+ }
+ })
+
+ t.Run("test DropPrivilegeGroup", func(t *testing.T) {
+ var (
+ kvmock = mocks.NewTxnKV(t)
+ c = &Catalog{Txn: kvmock}
+ )
+
+ kvmock.EXPECT().Remove(key1).Return(nil)
+ kvmock.EXPECT().Remove(key2).Return(errors.New("Mock remove failure"))
+
+ tests := []struct {
+ description string
+ isValid bool
+ groupName string
+ }{
+ {"valid group", true, group1},
+ {"remove failure", false, group2},
+ }
+
+ for _, test := range tests {
+ t.Run(test.description, func(t *testing.T) {
+ err := c.DropPrivilegeGroup(ctx, test.groupName)
+ if test.isValid {
+ assert.NoError(t, err)
+ } else {
+ assert.Error(t, err)
+ }
+ })
+ }
+ })
+
+ t.Run("test SavePrivilegeGroup", func(t *testing.T) {
+ var (
+ kvmock = mocks.NewTxnKV(t)
+ c = &Catalog{Txn: kvmock}
+ )
+
+ kvmock.EXPECT().Save(key1, mock.Anything).Return(nil)
+ kvmock.EXPECT().Save(key2, mock.Anything).Return(nil)
+
+ tests := []struct {
+ description string
+ isValid bool
+ group *milvuspb.PrivilegeGroupInfo
+ }{
+ {"valid group with existing key", true, &milvuspb.PrivilegeGroupInfo{GroupName: group1, Privileges: []*milvuspb.PrivilegeEntity{{Name: "priv10"}, {Name: "priv11"}}}},
+ {"valid group without existing key", true, &milvuspb.PrivilegeGroupInfo{GroupName: group2, Privileges: []*milvuspb.PrivilegeEntity{{Name: "priv10"}, {Name: "priv11"}}}},
+ }
+
+ for _, test := range tests {
+ t.Run(test.description, func(t *testing.T) {
+ err := c.SavePrivilegeGroup(ctx, test.group)
+ if test.isValid {
+ assert.NoError(t, err)
+ } else {
+ assert.Error(t, err)
+ }
+ })
+ }
+ })
+
+ t.Run("test ListPrivilegeGroups", func(t *testing.T) {
+ var (
+ kvmock = mocks.NewTxnKV(t)
+ c = &Catalog{Txn: kvmock}
+ )
+
+ kvmock.EXPECT().LoadWithPrefix(PrivilegeGroupPrefix).Return(
+ []string{key1, key2},
+ []string{string(v1), string(v2)},
+ nil,
+ )
+ groups, err := c.ListPrivilegeGroups(ctx)
+ assert.NoError(t, err)
+ groupNames := lo.Map(groups, func(g *milvuspb.PrivilegeGroupInfo, _ int) string {
+ return g.GroupName
+ })
+ assert.ElementsMatch(t, groupNames, []string{group1, group2})
+ assert.ElementsMatch(t, getPrivilegeNames(groups[0].Privileges), []string{"priv10", "priv11"})
+ assert.ElementsMatch(t, getPrivilegeNames(groups[1].Privileges), []string{"priv20", "priv21"})
+ })
+}
+
+func getPrivilegeNames(privileges []*milvuspb.PrivilegeEntity) []string {
+ if len(privileges) == 0 {
+ return []string{}
+ }
+ return lo.Map(privileges, func(p *milvuspb.PrivilegeEntity, _ int) string {
+ return p.Name
+ })
}
func TestCatalog_AlterDatabase(t *testing.T) {
diff --git a/internal/metastore/kv/rootcoord/rootcoord_constant.go b/internal/metastore/kv/rootcoord/rootcoord_constant.go
index b250216048a37..9a912f76fc34b 100644
--- a/internal/metastore/kv/rootcoord/rootcoord_constant.go
+++ b/internal/metastore/kv/rootcoord/rootcoord_constant.go
@@ -49,6 +49,9 @@ const (
// GranteeIDPrefix prefix for mapping among privilege and grantor
GranteeIDPrefix = ComponentPrefix + CommonCredentialPrefix + "/grantee-id"
+
+ // PrivilegeGroupPrefix prefix for privilege group
+ PrivilegeGroupPrefix = ComponentPrefix + "/privilege-group"
)
func BuildDatabasePrefixWithDBID(dbID int64) string {
@@ -69,3 +72,7 @@ func getDatabasePrefix(dbID int64) string {
}
return CollectionMetaPrefix
}
+
+func BuildPrivilegeGroupkey(groupName string) string {
+ return fmt.Sprintf("%s/%s", PrivilegeGroupPrefix, groupName)
+}
diff --git a/internal/metastore/mocks/mock_rootcoord_catalog.go b/internal/metastore/mocks/mock_rootcoord_catalog.go
index ca2ed2f27f18a..646eb849ae756 100644
--- a/internal/metastore/mocks/mock_rootcoord_catalog.go
+++ b/internal/metastore/mocks/mock_rootcoord_catalog.go
@@ -1828,3 +1828,198 @@ func NewRootCoordCatalog(t interface {
return mock
}
+
+// GetPrivilegeGroup provides a mock function with given fields: ctx, groupName
+func (_m *RootCoordCatalog) GetPrivilegeGroup(ctx context.Context, groupName string) (*milvuspb.PrivilegeGroupInfo, error) {
+ ret := _m.Called(ctx, groupName)
+
+ var r0 *milvuspb.PrivilegeGroupInfo
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, string) (*milvuspb.PrivilegeGroupInfo, error)); ok {
+ return rf(ctx, groupName)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, string) *milvuspb.PrivilegeGroupInfo); ok {
+ r0 = rf(ctx, groupName)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*milvuspb.PrivilegeGroupInfo)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+ r1 = rf(ctx, groupName)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// RootCoordCatalog_GetPrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPrivilegeGroup'
+type RootCoordCatalog_GetPrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// GetPrivilegeGroup is a helper method to define mock.On call
+// - ctx context.Context
+// - groupName string
+func (_e *RootCoordCatalog_Expecter) GetPrivilegeGroup(ctx interface{}, groupName interface{}) *RootCoordCatalog_GetPrivilegeGroup_Call {
+ return &RootCoordCatalog_GetPrivilegeGroup_Call{Call: _e.mock.On("GetPrivilegeGroup", ctx, groupName)}
+}
+
+func (_c *RootCoordCatalog_GetPrivilegeGroup_Call) Run(run func(ctx context.Context, groupName string)) *RootCoordCatalog_GetPrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(string))
+ })
+ return _c
+}
+
+func (_c *RootCoordCatalog_GetPrivilegeGroup_Call) Return(_a0 *milvuspb.PrivilegeGroupInfo, _a1 error) *RootCoordCatalog_GetPrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *RootCoordCatalog_GetPrivilegeGroup_Call) RunAndReturn(run func(context.Context, string) (*milvuspb.PrivilegeGroupInfo,error)) *RootCoordCatalog_GetPrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
+// DropPrivilegeGroup provides a mock function with given fields: ctx, groupName, privileges
+func (_m *RootCoordCatalog) DropPrivilegeGroup(ctx context.Context, groupName string) error {
+ ret := _m.Called(ctx, groupName)
+
+ var r0 error
+ if rf, ok := ret.Get(0).(func(context.Context, string) error); ok {
+ r0 = rf(ctx, groupName)
+ } else {
+ r0 = ret.Error(0)
+ }
+
+ return r0
+}
+
+// RootCoordCatalog_DropPrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DropPrivilegeGroup'
+type RootCoordCatalog_DropPrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// DropPrivilegeGroup is a helper method to define mock.On call
+// - ctx context.Context
+// - groupName string
+func (_e *RootCoordCatalog_Expecter) DropPrivilegeGroup(ctx interface{}, groupName interface{}) *RootCoordCatalog_DropPrivilegeGroup_Call {
+ return &RootCoordCatalog_DropPrivilegeGroup_Call{Call: _e.mock.On("DropPrivilegeGroup", ctx, groupName)}
+}
+
+func (_c *RootCoordCatalog_DropPrivilegeGroup_Call) Run(run func(ctx context.Context, groupName string)) *RootCoordCatalog_DropPrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(string))
+ })
+ return _c
+}
+
+func (_c *RootCoordCatalog_DropPrivilegeGroup_Call) Return(_a0 error) *RootCoordCatalog_DropPrivilegeGroup_Call {
+ _c.Call.Return(_a0)
+ return _c
+}
+
+func (_c *RootCoordCatalog_DropPrivilegeGroup_Call) RunAndReturn(run func(context.Context, string) error) *RootCoordCatalog_DropPrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
+// SavePrivilegeGroup provides a mock function with given fields: ctx, groupName, privileges
+func (_m *RootCoordCatalog) SavePrivilegeGroup(ctx context.Context, data *milvuspb.PrivilegeGroupInfo) error {
+ ret := _m.Called(ctx, data)
+
+ var r0 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.PrivilegeGroupInfo) error); ok {
+ r0 = rf(ctx, data)
+ } else {
+ r0 = ret.Error(0)
+ }
+
+ return r0
+}
+
+// RootCoordCatalog_SavePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SavePrivilegeGroup'
+type RootCoordCatalog_SavePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// SavePrivilegeGroup is a helper method to define mock.On call
+// - ctx context.Context
+// - groupName string
+func (_e *RootCoordCatalog_Expecter) SavePrivilegeGroup(ctx interface{}, data interface{}) *RootCoordCatalog_SavePrivilegeGroup_Call {
+ return &RootCoordCatalog_SavePrivilegeGroup_Call{Call: _e.mock.On("SavePrivilegeGroup", ctx, data)}
+}
+
+func (_c *RootCoordCatalog_SavePrivilegeGroup_Call) Run(run func(ctx context.Context, data *milvuspb.PrivilegeGroupInfo)) *RootCoordCatalog_SavePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.PrivilegeGroupInfo))
+ })
+ return _c
+}
+
+func (_c *RootCoordCatalog_SavePrivilegeGroup_Call) Return(_a0 error) *RootCoordCatalog_SavePrivilegeGroup_Call {
+ _c.Call.Return(_a0)
+ return _c
+}
+
+func (_c *RootCoordCatalog_SavePrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.PrivilegeGroupInfo) error) *RootCoordCatalog_SavePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
+// ListPrivilegeGroups provides a mock function with given fields: ctx
+func (_m *RootCoordCatalog) ListPrivilegeGroups(ctx context.Context) ([]*milvuspb.PrivilegeGroupInfo, error) {
+ ret := _m.Called(ctx)
+
+ var r0 []*milvuspb.PrivilegeGroupInfo
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context) ([]*milvuspb.PrivilegeGroupInfo, error)); ok {
+ return rf(ctx)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context) []*milvuspb.PrivilegeGroupInfo); ok {
+ r0 = rf(ctx)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).([]*milvuspb.PrivilegeGroupInfo)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+ r1 = rf(ctx)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// RootCoordCatalog_ListPrivilegeGroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPrivilegeGroups'
+type RootCoordCatalog_ListPrivilegeGroups_Call struct {
+ *mock.Call
+}
+
+// ListPrivilegeGroups is a helper method to define mock.On call
+// - ctx context.Context
+func (_e *RootCoordCatalog_Expecter) ListPrivilegeGroups(ctx interface{}) *RootCoordCatalog_ListPrivilegeGroups_Call {
+ return &RootCoordCatalog_ListPrivilegeGroups_Call{Call: _e.mock.On("ListPrivilegeGroups", ctx)}
+}
+
+func (_c *RootCoordCatalog_ListPrivilegeGroups_Call) Run(run func(ctx context.Context)) *RootCoordCatalog_ListPrivilegeGroups_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context))
+ })
+ return _c
+}
+
+func (_c *RootCoordCatalog_ListPrivilegeGroups_Call) Return(_a0 []*milvuspb.PrivilegeGroupInfo, _a1 error) *RootCoordCatalog_ListPrivilegeGroups_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *RootCoordCatalog_ListPrivilegeGroups_Call) RunAndReturn(run func(context.Context) ([]*milvuspb.PrivilegeGroupInfo, error)) *RootCoordCatalog_ListPrivilegeGroups_Call {
+ _c.Call.Return(run)
+ return _c
+}
diff --git a/internal/mocks/mock_proxy.go b/internal/mocks/mock_proxy.go
index 36555c92ef429..2fc1856e907be 100644
--- a/internal/mocks/mock_proxy.go
+++ b/internal/mocks/mock_proxy.go
@@ -859,6 +859,61 @@ func (_c *MockProxy_CreatePartition_Call) RunAndReturn(run func(context.Context,
return _c
}
+// CreatePrivilegeGroup provides a mock function with given fields: _a0, _a1
+func (_m *MockProxy) CreatePrivilegeGroup(_a0 context.Context, _a1 *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) *commonpb.Status); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockProxy_CreatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreatePrivilegeGroup'
+type MockProxy_CreatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// CreatePrivilegeGroup is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.CreatePrivilegeGroupRequest
+func (_e *MockProxy_Expecter) CreatePrivilegeGroup(_a0 interface{}, _a1 interface{}) *MockProxy_CreatePrivilegeGroup_Call {
+ return &MockProxy_CreatePrivilegeGroup_Call{Call: _e.mock.On("CreatePrivilegeGroup", _a0, _a1)}
+}
+
+func (_c *MockProxy_CreatePrivilegeGroup_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.CreatePrivilegeGroupRequest)) *MockProxy_CreatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.CreatePrivilegeGroupRequest))
+ })
+ return _c
+}
+
+func (_c *MockProxy_CreatePrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *MockProxy_CreatePrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockProxy_CreatePrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error)) *MockProxy_CreatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// CreateResourceGroup provides a mock function with given fields: _a0, _a1
func (_m *MockProxy) CreateResourceGroup(_a0 context.Context, _a1 *milvuspb.CreateResourceGroupRequest) (*commonpb.Status, error) {
ret := _m.Called(_a0, _a1)
@@ -1684,6 +1739,61 @@ func (_c *MockProxy_DropPartition_Call) RunAndReturn(run func(context.Context, *
return _c
}
+// DropPrivilegeGroup provides a mock function with given fields: _a0, _a1
+func (_m *MockProxy) DropPrivilegeGroup(_a0 context.Context, _a1 *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest) *commonpb.Status); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockProxy_DropPrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DropPrivilegeGroup'
+type MockProxy_DropPrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// DropPrivilegeGroup is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.DropPrivilegeGroupRequest
+func (_e *MockProxy_Expecter) DropPrivilegeGroup(_a0 interface{}, _a1 interface{}) *MockProxy_DropPrivilegeGroup_Call {
+ return &MockProxy_DropPrivilegeGroup_Call{Call: _e.mock.On("DropPrivilegeGroup", _a0, _a1)}
+}
+
+func (_c *MockProxy_DropPrivilegeGroup_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.DropPrivilegeGroupRequest)) *MockProxy_DropPrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.DropPrivilegeGroupRequest))
+ })
+ return _c
+}
+
+func (_c *MockProxy_DropPrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *MockProxy_DropPrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockProxy_DropPrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error)) *MockProxy_DropPrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// DropResourceGroup provides a mock function with given fields: _a0, _a1
func (_m *MockProxy) DropResourceGroup(_a0 context.Context, _a1 *milvuspb.DropResourceGroupRequest) (*commonpb.Status, error) {
ret := _m.Called(_a0, _a1)
@@ -4184,6 +4294,61 @@ func (_c *MockProxy_ListIndexedSegment_Call) RunAndReturn(run func(context.Conte
return _c
}
+// ListPrivilegeGroups provides a mock function with given fields: _a0, _a1
+func (_m *MockProxy) ListPrivilegeGroups(_a0 context.Context, _a1 *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *milvuspb.ListPrivilegeGroupsResponse
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) *milvuspb.ListPrivilegeGroupsResponse); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*milvuspb.ListPrivilegeGroupsResponse)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockProxy_ListPrivilegeGroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPrivilegeGroups'
+type MockProxy_ListPrivilegeGroups_Call struct {
+ *mock.Call
+}
+
+// ListPrivilegeGroups is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.ListPrivilegeGroupsRequest
+func (_e *MockProxy_Expecter) ListPrivilegeGroups(_a0 interface{}, _a1 interface{}) *MockProxy_ListPrivilegeGroups_Call {
+ return &MockProxy_ListPrivilegeGroups_Call{Call: _e.mock.On("ListPrivilegeGroups", _a0, _a1)}
+}
+
+func (_c *MockProxy_ListPrivilegeGroups_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.ListPrivilegeGroupsRequest)) *MockProxy_ListPrivilegeGroups_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.ListPrivilegeGroupsRequest))
+ })
+ return _c
+}
+
+func (_c *MockProxy_ListPrivilegeGroups_Call) Return(_a0 *milvuspb.ListPrivilegeGroupsResponse, _a1 error) *MockProxy_ListPrivilegeGroups_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockProxy_ListPrivilegeGroups_Call) RunAndReturn(run func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error)) *MockProxy_ListPrivilegeGroups_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// ListResourceGroups provides a mock function with given fields: _a0, _a1
func (_m *MockProxy) ListResourceGroups(_a0 context.Context, _a1 *milvuspb.ListResourceGroupsRequest) (*milvuspb.ListResourceGroupsResponse, error) {
ret := _m.Called(_a0, _a1)
@@ -4514,6 +4679,61 @@ func (_c *MockProxy_OperatePrivilege_Call) RunAndReturn(run func(context.Context
return _c
}
+// OperatePrivilegeGroup provides a mock function with given fields: _a0, _a1
+func (_m *MockProxy) OperatePrivilegeGroup(_a0 context.Context, _a1 *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) *commonpb.Status); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockProxy_OperatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OperatePrivilegeGroup'
+type MockProxy_OperatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// OperatePrivilegeGroup is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.OperatePrivilegeGroupRequest
+func (_e *MockProxy_Expecter) OperatePrivilegeGroup(_a0 interface{}, _a1 interface{}) *MockProxy_OperatePrivilegeGroup_Call {
+ return &MockProxy_OperatePrivilegeGroup_Call{Call: _e.mock.On("OperatePrivilegeGroup", _a0, _a1)}
+}
+
+func (_c *MockProxy_OperatePrivilegeGroup_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.OperatePrivilegeGroupRequest)) *MockProxy_OperatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.OperatePrivilegeGroupRequest))
+ })
+ return _c
+}
+
+func (_c *MockProxy_OperatePrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *MockProxy_OperatePrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockProxy_OperatePrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error)) *MockProxy_OperatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// OperateUserRole provides a mock function with given fields: _a0, _a1
func (_m *MockProxy) OperateUserRole(_a0 context.Context, _a1 *milvuspb.OperateUserRoleRequest) (*commonpb.Status, error) {
ret := _m.Called(_a0, _a1)
diff --git a/internal/mocks/mock_querynode.go b/internal/mocks/mock_querynode.go
index ccb27fa884e8d..abcf83fade8d0 100644
--- a/internal/mocks/mock_querynode.go
+++ b/internal/mocks/mock_querynode.go
@@ -89,10 +89,6 @@ func (_c *MockQueryNode_Delete_Call) RunAndReturn(run func(context.Context, *que
func (_m *MockQueryNode) DeleteBatch(_a0 context.Context, _a1 *querypb.DeleteBatchRequest) (*querypb.DeleteBatchResponse, error) {
ret := _m.Called(_a0, _a1)
- if len(ret) == 0 {
- panic("no return value specified for DeleteBatch")
- }
-
var r0 *querypb.DeleteBatchResponse
var r1 error
if rf, ok := ret.Get(0).(func(context.Context, *querypb.DeleteBatchRequest) (*querypb.DeleteBatchResponse, error)); ok {
diff --git a/internal/mocks/mock_querynode_client.go b/internal/mocks/mock_querynode_client.go
index 10e179518285a..e7777eb6ab7c6 100644
--- a/internal/mocks/mock_querynode_client.go
+++ b/internal/mocks/mock_querynode_client.go
@@ -153,10 +153,6 @@ func (_m *MockQueryNodeClient) DeleteBatch(ctx context.Context, in *querypb.Dele
_ca = append(_ca, _va...)
ret := _m.Called(_ca...)
- if len(ret) == 0 {
- panic("no return value specified for DeleteBatch")
- }
-
var r0 *querypb.DeleteBatchResponse
var r1 error
if rf, ok := ret.Get(0).(func(context.Context, *querypb.DeleteBatchRequest, ...grpc.CallOption) (*querypb.DeleteBatchResponse, error)); ok {
diff --git a/internal/mocks/mock_rootcoord.go b/internal/mocks/mock_rootcoord.go
index 00c997d90e9e0..877174804472f 100644
--- a/internal/mocks/mock_rootcoord.go
+++ b/internal/mocks/mock_rootcoord.go
@@ -696,6 +696,61 @@ func (_c *RootCoord_CreatePartition_Call) RunAndReturn(run func(context.Context,
return _c
}
+// CreatePrivilegeGroup provides a mock function with given fields: _a0, _a1
+func (_m *RootCoord) CreatePrivilegeGroup(_a0 context.Context, _a1 *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) *commonpb.Status); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// RootCoord_CreatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreatePrivilegeGroup'
+type RootCoord_CreatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// CreatePrivilegeGroup is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.CreatePrivilegeGroupRequest
+func (_e *RootCoord_Expecter) CreatePrivilegeGroup(_a0 interface{}, _a1 interface{}) *RootCoord_CreatePrivilegeGroup_Call {
+ return &RootCoord_CreatePrivilegeGroup_Call{Call: _e.mock.On("CreatePrivilegeGroup", _a0, _a1)}
+}
+
+func (_c *RootCoord_CreatePrivilegeGroup_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.CreatePrivilegeGroupRequest)) *RootCoord_CreatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.CreatePrivilegeGroupRequest))
+ })
+ return _c
+}
+
+func (_c *RootCoord_CreatePrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *RootCoord_CreatePrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *RootCoord_CreatePrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error)) *RootCoord_CreatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// CreateRole provides a mock function with given fields: _a0, _a1
func (_m *RootCoord) CreateRole(_a0 context.Context, _a1 *milvuspb.CreateRoleRequest) (*commonpb.Status, error) {
ret := _m.Called(_a0, _a1)
@@ -1246,6 +1301,61 @@ func (_c *RootCoord_DropPartition_Call) RunAndReturn(run func(context.Context, *
return _c
}
+// DropPrivilegeGroup provides a mock function with given fields: _a0, _a1
+func (_m *RootCoord) DropPrivilegeGroup(_a0 context.Context, _a1 *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest) *commonpb.Status); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// RootCoord_DropPrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DropPrivilegeGroup'
+type RootCoord_DropPrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// DropPrivilegeGroup is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.DropPrivilegeGroupRequest
+func (_e *RootCoord_Expecter) DropPrivilegeGroup(_a0 interface{}, _a1 interface{}) *RootCoord_DropPrivilegeGroup_Call {
+ return &RootCoord_DropPrivilegeGroup_Call{Call: _e.mock.On("DropPrivilegeGroup", _a0, _a1)}
+}
+
+func (_c *RootCoord_DropPrivilegeGroup_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.DropPrivilegeGroupRequest)) *RootCoord_DropPrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.DropPrivilegeGroupRequest))
+ })
+ return _c
+}
+
+func (_c *RootCoord_DropPrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *RootCoord_DropPrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *RootCoord_DropPrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error)) *RootCoord_DropPrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// DropRole provides a mock function with given fields: _a0, _a1
func (_m *RootCoord) DropRole(_a0 context.Context, _a1 *milvuspb.DropRoleRequest) (*commonpb.Status, error) {
ret := _m.Called(_a0, _a1)
@@ -2002,6 +2112,61 @@ func (_c *RootCoord_ListPolicy_Call) RunAndReturn(run func(context.Context, *int
return _c
}
+// ListPrivilegeGroups provides a mock function with given fields: _a0, _a1
+func (_m *RootCoord) ListPrivilegeGroups(_a0 context.Context, _a1 *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *milvuspb.ListPrivilegeGroupsResponse
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) *milvuspb.ListPrivilegeGroupsResponse); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*milvuspb.ListPrivilegeGroupsResponse)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// RootCoord_ListPrivilegeGroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPrivilegeGroups'
+type RootCoord_ListPrivilegeGroups_Call struct {
+ *mock.Call
+}
+
+// ListPrivilegeGroups is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.ListPrivilegeGroupsRequest
+func (_e *RootCoord_Expecter) ListPrivilegeGroups(_a0 interface{}, _a1 interface{}) *RootCoord_ListPrivilegeGroups_Call {
+ return &RootCoord_ListPrivilegeGroups_Call{Call: _e.mock.On("ListPrivilegeGroups", _a0, _a1)}
+}
+
+func (_c *RootCoord_ListPrivilegeGroups_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.ListPrivilegeGroupsRequest)) *RootCoord_ListPrivilegeGroups_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.ListPrivilegeGroupsRequest))
+ })
+ return _c
+}
+
+func (_c *RootCoord_ListPrivilegeGroups_Call) Return(_a0 *milvuspb.ListPrivilegeGroupsResponse, _a1 error) *RootCoord_ListPrivilegeGroups_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *RootCoord_ListPrivilegeGroups_Call) RunAndReturn(run func(context.Context, *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error)) *RootCoord_ListPrivilegeGroups_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// OperatePrivilege provides a mock function with given fields: _a0, _a1
func (_m *RootCoord) OperatePrivilege(_a0 context.Context, _a1 *milvuspb.OperatePrivilegeRequest) (*commonpb.Status, error) {
ret := _m.Called(_a0, _a1)
@@ -2057,6 +2222,61 @@ func (_c *RootCoord_OperatePrivilege_Call) RunAndReturn(run func(context.Context
return _c
}
+// OperatePrivilegeGroup provides a mock function with given fields: _a0, _a1
+func (_m *RootCoord) OperatePrivilegeGroup(_a0 context.Context, _a1 *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ ret := _m.Called(_a0, _a1)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error)); ok {
+ return rf(_a0, _a1)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) *commonpb.Status); ok {
+ r0 = rf(_a0, _a1)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) error); ok {
+ r1 = rf(_a0, _a1)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// RootCoord_OperatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OperatePrivilegeGroup'
+type RootCoord_OperatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// OperatePrivilegeGroup is a helper method to define mock.On call
+// - _a0 context.Context
+// - _a1 *milvuspb.OperatePrivilegeGroupRequest
+func (_e *RootCoord_Expecter) OperatePrivilegeGroup(_a0 interface{}, _a1 interface{}) *RootCoord_OperatePrivilegeGroup_Call {
+ return &RootCoord_OperatePrivilegeGroup_Call{Call: _e.mock.On("OperatePrivilegeGroup", _a0, _a1)}
+}
+
+func (_c *RootCoord_OperatePrivilegeGroup_Call) Run(run func(_a0 context.Context, _a1 *milvuspb.OperatePrivilegeGroupRequest)) *RootCoord_OperatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(context.Context), args[1].(*milvuspb.OperatePrivilegeGroupRequest))
+ })
+ return _c
+}
+
+func (_c *RootCoord_OperatePrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *RootCoord_OperatePrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *RootCoord_OperatePrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error)) *RootCoord_OperatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// OperateUserRole provides a mock function with given fields: _a0, _a1
func (_m *RootCoord) OperateUserRole(_a0 context.Context, _a1 *milvuspb.OperateUserRoleRequest) (*commonpb.Status, error) {
ret := _m.Called(_a0, _a1)
diff --git a/internal/mocks/mock_rootcoord_client.go b/internal/mocks/mock_rootcoord_client.go
index dbb566bc3d4c3..3d3db95c6963d 100644
--- a/internal/mocks/mock_rootcoord_client.go
+++ b/internal/mocks/mock_rootcoord_client.go
@@ -914,6 +914,76 @@ func (_c *MockRootCoordClient_CreatePartition_Call) RunAndReturn(run func(contex
return _c
}
+// CreatePrivilegeGroup provides a mock function with given fields: ctx, in, opts
+func (_m *MockRootCoordClient) CreatePrivilegeGroup(ctx context.Context, in *milvuspb.CreatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ _va := make([]interface{}, len(opts))
+ for _i := range opts {
+ _va[_i] = opts[_i]
+ }
+ var _ca []interface{}
+ _ca = append(_ca, ctx, in)
+ _ca = append(_ca, _va...)
+ ret := _m.Called(_ca...)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest, ...grpc.CallOption) (*commonpb.Status, error)); ok {
+ return rf(ctx, in, opts...)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest, ...grpc.CallOption) *commonpb.Status); ok {
+ r0 = rf(ctx, in, opts...)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.CreatePrivilegeGroupRequest, ...grpc.CallOption) error); ok {
+ r1 = rf(ctx, in, opts...)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockRootCoordClient_CreatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreatePrivilegeGroup'
+type MockRootCoordClient_CreatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// CreatePrivilegeGroup is a helper method to define mock.On call
+// - ctx context.Context
+// - in *milvuspb.CreatePrivilegeGroupRequest
+// - opts ...grpc.CallOption
+func (_e *MockRootCoordClient_Expecter) CreatePrivilegeGroup(ctx interface{}, in interface{}, opts ...interface{}) *MockRootCoordClient_CreatePrivilegeGroup_Call {
+ return &MockRootCoordClient_CreatePrivilegeGroup_Call{Call: _e.mock.On("CreatePrivilegeGroup",
+ append([]interface{}{ctx, in}, opts...)...)}
+}
+
+func (_c *MockRootCoordClient_CreatePrivilegeGroup_Call) Run(run func(ctx context.Context, in *milvuspb.CreatePrivilegeGroupRequest, opts ...grpc.CallOption)) *MockRootCoordClient_CreatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ variadicArgs := make([]grpc.CallOption, len(args)-2)
+ for i, a := range args[2:] {
+ if a != nil {
+ variadicArgs[i] = a.(grpc.CallOption)
+ }
+ }
+ run(args[0].(context.Context), args[1].(*milvuspb.CreatePrivilegeGroupRequest), variadicArgs...)
+ })
+ return _c
+}
+
+func (_c *MockRootCoordClient_CreatePrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *MockRootCoordClient_CreatePrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockRootCoordClient_CreatePrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.CreatePrivilegeGroupRequest, ...grpc.CallOption) (*commonpb.Status, error)) *MockRootCoordClient_CreatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// CreateRole provides a mock function with given fields: ctx, in, opts
func (_m *MockRootCoordClient) CreateRole(ctx context.Context, in *milvuspb.CreateRoleRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
_va := make([]interface{}, len(opts))
@@ -1614,6 +1684,76 @@ func (_c *MockRootCoordClient_DropPartition_Call) RunAndReturn(run func(context.
return _c
}
+// DropPrivilegeGroup provides a mock function with given fields: ctx, in, opts
+func (_m *MockRootCoordClient) DropPrivilegeGroup(ctx context.Context, in *milvuspb.DropPrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ _va := make([]interface{}, len(opts))
+ for _i := range opts {
+ _va[_i] = opts[_i]
+ }
+ var _ca []interface{}
+ _ca = append(_ca, ctx, in)
+ _ca = append(_ca, _va...)
+ ret := _m.Called(_ca...)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest, ...grpc.CallOption) (*commonpb.Status, error)); ok {
+ return rf(ctx, in, opts...)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest, ...grpc.CallOption) *commonpb.Status); ok {
+ r0 = rf(ctx, in, opts...)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.DropPrivilegeGroupRequest, ...grpc.CallOption) error); ok {
+ r1 = rf(ctx, in, opts...)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockRootCoordClient_DropPrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DropPrivilegeGroup'
+type MockRootCoordClient_DropPrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// DropPrivilegeGroup is a helper method to define mock.On call
+// - ctx context.Context
+// - in *milvuspb.DropPrivilegeGroupRequest
+// - opts ...grpc.CallOption
+func (_e *MockRootCoordClient_Expecter) DropPrivilegeGroup(ctx interface{}, in interface{}, opts ...interface{}) *MockRootCoordClient_DropPrivilegeGroup_Call {
+ return &MockRootCoordClient_DropPrivilegeGroup_Call{Call: _e.mock.On("DropPrivilegeGroup",
+ append([]interface{}{ctx, in}, opts...)...)}
+}
+
+func (_c *MockRootCoordClient_DropPrivilegeGroup_Call) Run(run func(ctx context.Context, in *milvuspb.DropPrivilegeGroupRequest, opts ...grpc.CallOption)) *MockRootCoordClient_DropPrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ variadicArgs := make([]grpc.CallOption, len(args)-2)
+ for i, a := range args[2:] {
+ if a != nil {
+ variadicArgs[i] = a.(grpc.CallOption)
+ }
+ }
+ run(args[0].(context.Context), args[1].(*milvuspb.DropPrivilegeGroupRequest), variadicArgs...)
+ })
+ return _c
+}
+
+func (_c *MockRootCoordClient_DropPrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *MockRootCoordClient_DropPrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockRootCoordClient_DropPrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.DropPrivilegeGroupRequest, ...grpc.CallOption) (*commonpb.Status, error)) *MockRootCoordClient_DropPrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// DropRole provides a mock function with given fields: ctx, in, opts
func (_m *MockRootCoordClient) DropRole(ctx context.Context, in *milvuspb.DropRoleRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
_va := make([]interface{}, len(opts))
@@ -2524,6 +2664,76 @@ func (_c *MockRootCoordClient_ListPolicy_Call) RunAndReturn(run func(context.Con
return _c
}
+// ListPrivilegeGroups provides a mock function with given fields: ctx, in, opts
+func (_m *MockRootCoordClient) ListPrivilegeGroups(ctx context.Context, in *milvuspb.ListPrivilegeGroupsRequest, opts ...grpc.CallOption) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ _va := make([]interface{}, len(opts))
+ for _i := range opts {
+ _va[_i] = opts[_i]
+ }
+ var _ca []interface{}
+ _ca = append(_ca, ctx, in)
+ _ca = append(_ca, _va...)
+ ret := _m.Called(_ca...)
+
+ var r0 *milvuspb.ListPrivilegeGroupsResponse
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest, ...grpc.CallOption) (*milvuspb.ListPrivilegeGroupsResponse, error)); ok {
+ return rf(ctx, in, opts...)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest, ...grpc.CallOption) *milvuspb.ListPrivilegeGroupsResponse); ok {
+ r0 = rf(ctx, in, opts...)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*milvuspb.ListPrivilegeGroupsResponse)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.ListPrivilegeGroupsRequest, ...grpc.CallOption) error); ok {
+ r1 = rf(ctx, in, opts...)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockRootCoordClient_ListPrivilegeGroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPrivilegeGroups'
+type MockRootCoordClient_ListPrivilegeGroups_Call struct {
+ *mock.Call
+}
+
+// ListPrivilegeGroups is a helper method to define mock.On call
+// - ctx context.Context
+// - in *milvuspb.ListPrivilegeGroupsRequest
+// - opts ...grpc.CallOption
+func (_e *MockRootCoordClient_Expecter) ListPrivilegeGroups(ctx interface{}, in interface{}, opts ...interface{}) *MockRootCoordClient_ListPrivilegeGroups_Call {
+ return &MockRootCoordClient_ListPrivilegeGroups_Call{Call: _e.mock.On("ListPrivilegeGroups",
+ append([]interface{}{ctx, in}, opts...)...)}
+}
+
+func (_c *MockRootCoordClient_ListPrivilegeGroups_Call) Run(run func(ctx context.Context, in *milvuspb.ListPrivilegeGroupsRequest, opts ...grpc.CallOption)) *MockRootCoordClient_ListPrivilegeGroups_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ variadicArgs := make([]grpc.CallOption, len(args)-2)
+ for i, a := range args[2:] {
+ if a != nil {
+ variadicArgs[i] = a.(grpc.CallOption)
+ }
+ }
+ run(args[0].(context.Context), args[1].(*milvuspb.ListPrivilegeGroupsRequest), variadicArgs...)
+ })
+ return _c
+}
+
+func (_c *MockRootCoordClient_ListPrivilegeGroups_Call) Return(_a0 *milvuspb.ListPrivilegeGroupsResponse, _a1 error) *MockRootCoordClient_ListPrivilegeGroups_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockRootCoordClient_ListPrivilegeGroups_Call) RunAndReturn(run func(context.Context, *milvuspb.ListPrivilegeGroupsRequest, ...grpc.CallOption) (*milvuspb.ListPrivilegeGroupsResponse, error)) *MockRootCoordClient_ListPrivilegeGroups_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// OperatePrivilege provides a mock function with given fields: ctx, in, opts
func (_m *MockRootCoordClient) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivilegeRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
_va := make([]interface{}, len(opts))
@@ -2594,6 +2804,76 @@ func (_c *MockRootCoordClient_OperatePrivilege_Call) RunAndReturn(run func(conte
return _c
}
+// OperatePrivilegeGroup provides a mock function with given fields: ctx, in, opts
+func (_m *MockRootCoordClient) OperatePrivilegeGroup(ctx context.Context, in *milvuspb.OperatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ _va := make([]interface{}, len(opts))
+ for _i := range opts {
+ _va[_i] = opts[_i]
+ }
+ var _ca []interface{}
+ _ca = append(_ca, ctx, in)
+ _ca = append(_ca, _va...)
+ ret := _m.Called(_ca...)
+
+ var r0 *commonpb.Status
+ var r1 error
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest, ...grpc.CallOption) (*commonpb.Status, error)); ok {
+ return rf(ctx, in, opts...)
+ }
+ if rf, ok := ret.Get(0).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest, ...grpc.CallOption) *commonpb.Status); ok {
+ r0 = rf(ctx, in, opts...)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).(*commonpb.Status)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(context.Context, *milvuspb.OperatePrivilegeGroupRequest, ...grpc.CallOption) error); ok {
+ r1 = rf(ctx, in, opts...)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// MockRootCoordClient_OperatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OperatePrivilegeGroup'
+type MockRootCoordClient_OperatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// OperatePrivilegeGroup is a helper method to define mock.On call
+// - ctx context.Context
+// - in *milvuspb.OperatePrivilegeGroupRequest
+// - opts ...grpc.CallOption
+func (_e *MockRootCoordClient_Expecter) OperatePrivilegeGroup(ctx interface{}, in interface{}, opts ...interface{}) *MockRootCoordClient_OperatePrivilegeGroup_Call {
+ return &MockRootCoordClient_OperatePrivilegeGroup_Call{Call: _e.mock.On("OperatePrivilegeGroup",
+ append([]interface{}{ctx, in}, opts...)...)}
+}
+
+func (_c *MockRootCoordClient_OperatePrivilegeGroup_Call) Run(run func(ctx context.Context, in *milvuspb.OperatePrivilegeGroupRequest, opts ...grpc.CallOption)) *MockRootCoordClient_OperatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ variadicArgs := make([]grpc.CallOption, len(args)-2)
+ for i, a := range args[2:] {
+ if a != nil {
+ variadicArgs[i] = a.(grpc.CallOption)
+ }
+ }
+ run(args[0].(context.Context), args[1].(*milvuspb.OperatePrivilegeGroupRequest), variadicArgs...)
+ })
+ return _c
+}
+
+func (_c *MockRootCoordClient_OperatePrivilegeGroup_Call) Return(_a0 *commonpb.Status, _a1 error) *MockRootCoordClient_OperatePrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *MockRootCoordClient_OperatePrivilegeGroup_Call) RunAndReturn(run func(context.Context, *milvuspb.OperatePrivilegeGroupRequest, ...grpc.CallOption) (*commonpb.Status, error)) *MockRootCoordClient_OperatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// OperateUserRole provides a mock function with given fields: ctx, in, opts
func (_m *MockRootCoordClient) OperateUserRole(ctx context.Context, in *milvuspb.OperateUserRoleRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
_va := make([]interface{}, len(opts))
diff --git a/internal/proto/internal.proto b/internal/proto/internal.proto
index 86bc546523841..7db4bd9a7c265 100644
--- a/internal/proto/internal.proto
+++ b/internal/proto/internal.proto
@@ -4,6 +4,7 @@ option go_package = "github.com/milvus-io/milvus/internal/proto/internalpb";
import "common.proto";
import "schema.proto";
+import "milvus.proto";
message GetTimeTickChannelRequest {
}
@@ -255,6 +256,7 @@ message ListPolicyResponse {
common.Status status = 1;
repeated string policy_infos = 2;
repeated string user_roles = 3;
+ repeated milvus.PrivilegeGroupInfo privilege_groups = 4;
}
message ShowConfigurationsRequest {
diff --git a/internal/proto/root_coord.proto b/internal/proto/root_coord.proto
index a1408f6e29656..bc1aadc6d6525 100644
--- a/internal/proto/root_coord.proto
+++ b/internal/proto/root_coord.proto
@@ -134,6 +134,10 @@ service RootCoord {
rpc ListPolicy(internal.ListPolicyRequest) returns (internal.ListPolicyResponse) {}
rpc BackupRBAC(milvus.BackupRBACMetaRequest) returns (milvus.BackupRBACMetaResponse){}
rpc RestoreRBAC(milvus.RestoreRBACMetaRequest) returns (common.Status){}
+ rpc CreatePrivilegeGroup(milvus.CreatePrivilegeGroupRequest) returns (common.Status) {}
+ rpc DropPrivilegeGroup(milvus.DropPrivilegeGroupRequest) returns (common.Status) {}
+ rpc ListPrivilegeGroups(milvus.ListPrivilegeGroupsRequest) returns (milvus.ListPrivilegeGroupsResponse) {}
+ rpc OperatePrivilegeGroup(milvus.OperatePrivilegeGroupRequest) returns (common.Status) {}
rpc CheckHealth(milvus.CheckHealthRequest) returns (milvus.CheckHealthResponse) {}
diff --git a/internal/proxy/impl.go b/internal/proxy/impl.go
index b186ffe91c52c..008a7ce98d83c 100644
--- a/internal/proxy/impl.go
+++ b/internal/proxy/impl.go
@@ -6388,3 +6388,124 @@ func DeregisterSubLabel(subLabel string) {
rateCol.DeregisterSubLabel(internalpb.RateType_DQLQuery.String(), subLabel)
rateCol.DeregisterSubLabel(internalpb.RateType_DQLSearch.String(), subLabel)
}
+
+func (node *Proxy) CreatePrivilegeGroup(ctx context.Context, req *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ ctx, sp := otel.Tracer(typeutil.ProxyRole).Start(ctx, "Proxy-CreatePrivilegeGroup")
+ defer sp.End()
+
+ log := log.Ctx(ctx)
+
+ log.Info("CreatePrivilegeGroup", zap.Any("req", req))
+ if err := merr.CheckHealthy(node.GetStateCode()); err != nil {
+ return merr.Status(err), nil
+ }
+ if req.GroupName == "" {
+ return merr.Status(fmt.Errorf("the group name in the drop privilege group request is nil")), nil
+ }
+ if req.Base == nil {
+ req.Base = &commonpb.MsgBase{}
+ }
+ req.Base.MsgType = commonpb.MsgType_CreatePrivilegeGroup
+
+ result, err := node.rootCoord.CreatePrivilegeGroup(ctx, req)
+ if err != nil {
+ log.Warn("fail to create privilege group", zap.Error(err))
+ return merr.Status(err), nil
+ }
+ if merr.Ok(result) {
+ SendReplicateMessagePack(ctx, node.replicateMsgStream, req)
+ }
+ return result, nil
+}
+
+func (node *Proxy) DropPrivilegeGroup(ctx context.Context, req *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+ ctx, sp := otel.Tracer(typeutil.ProxyRole).Start(ctx, "Proxy-DropPrivilegeGroup")
+ defer sp.End()
+
+ log := log.Ctx(ctx)
+
+ log.Info("DropPrivilegeGroup", zap.Any("req", req))
+ if err := merr.CheckHealthy(node.GetStateCode()); err != nil {
+ return merr.Status(err), nil
+ }
+ if req.GroupName == "" {
+ return merr.Status(fmt.Errorf("the group name in the drop privilege group request is nil")), nil
+ }
+ if req.Base == nil {
+ req.Base = &commonpb.MsgBase{}
+ }
+ req.Base.MsgType = commonpb.MsgType_DropPrivilegeGroup
+
+ result, err := node.rootCoord.DropPrivilegeGroup(ctx, req)
+ if err != nil {
+ log.Warn("fail to drop privilege group", zap.Error(err))
+ return merr.Status(err), nil
+ }
+ if merr.Ok(result) {
+ SendReplicateMessagePack(ctx, node.replicateMsgStream, req)
+ }
+ return result, nil
+}
+
+func (node *Proxy) ListPrivilegeGroups(ctx context.Context, req *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ ctx, sp := otel.Tracer(typeutil.ProxyRole).Start(ctx, "Proxy-ListPrivilegeGroups")
+ defer sp.End()
+
+ log := log.Ctx(ctx).With(
+ zap.String("role", typeutil.ProxyRole))
+
+ log.Debug("ListPrivilegeGroups")
+ if err := merr.CheckHealthy(node.GetStateCode()); err != nil {
+ return &milvuspb.ListPrivilegeGroupsResponse{Status: merr.Status(err)}, nil
+ }
+ if req.Base == nil {
+ req.Base = &commonpb.MsgBase{}
+ }
+ req.Base.MsgType = commonpb.MsgType_ListPrivilegeGroups
+ rootCoordReq := &milvuspb.ListPrivilegeGroupsRequest{
+ Base: commonpbutil.NewMsgBase(
+ commonpbutil.WithMsgType(commonpb.MsgType_ListPrivilegeGroups),
+ ),
+ }
+ resp, err := node.rootCoord.ListPrivilegeGroups(ctx, rootCoordReq)
+ if err != nil {
+ return &milvuspb.ListPrivilegeGroupsResponse{
+ Status: merr.Status(err),
+ }, nil
+ }
+ return resp, nil
+}
+
+func (node *Proxy) OperatePrivilegeGroup(ctx context.Context, req *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ ctx, sp := otel.Tracer(typeutil.ProxyRole).Start(ctx, "Proxy-OperatePrivilegeGroup")
+ defer sp.End()
+
+ log := log.Ctx(ctx)
+
+ log.Info("OperatePrivilegeGroup", zap.Any("req", req))
+ if err := merr.CheckHealthy(node.GetStateCode()); err != nil {
+ return merr.Status(err), nil
+ }
+ if req.GroupName == "" {
+ return merr.Status(fmt.Errorf("the group name in the drop privilege group request is nil")), nil
+ }
+ for _, priv := range req.GetPrivileges() {
+ if err := ValidatePrivilege(priv.Name); err != nil {
+ return merr.Status(err), nil
+ }
+ }
+ if req.Base == nil {
+ req.Base = &commonpb.MsgBase{}
+ }
+ req.Base.MsgType = commonpb.MsgType_OperatePrivilegeGroup
+
+ result, err := node.rootCoord.OperatePrivilegeGroup(ctx, req)
+ if err != nil {
+ log.Warn("fail to operate privilege group", zap.Error(err))
+ return merr.Status(err), nil
+ }
+ if merr.Ok(result) {
+ SendReplicateMessagePack(ctx, node.replicateMsgStream, req)
+ }
+ return result, nil
+}
diff --git a/internal/proxy/meta_cache.go b/internal/proxy/meta_cache.go
index 870b6ce12df02..16b16c3ce10c0 100644
--- a/internal/proxy/meta_cache.go
+++ b/internal/proxy/meta_cache.go
@@ -1120,9 +1120,15 @@ func (m *MetaCache) RefreshPolicyInfo(op typeutil.CacheOp) (err error) {
switch op.OpType {
case typeutil.CacheGrantPrivilege:
- m.privilegeInfos[op.OpKey] = struct{}{}
+ keys := funcutil.PrivilegesForPolicy(op.OpKey)
+ for _, key := range keys {
+ m.privilegeInfos[key] = struct{}{}
+ }
case typeutil.CacheRevokePrivilege:
- delete(m.privilegeInfos, op.OpKey)
+ keys := funcutil.PrivilegesForPolicy(op.OpKey)
+ for _, key := range keys {
+ delete(m.privilegeInfos, key)
+ }
case typeutil.CacheAddUserToRole:
user, role, err := funcutil.DecodeUserRoleCache(op.OpKey)
if err != nil {
diff --git a/internal/proxy/rootcoord_mock_test.go b/internal/proxy/rootcoord_mock_test.go
index a7c8f96e24cad..1fb988cbf554c 100644
--- a/internal/proxy/rootcoord_mock_test.go
+++ b/internal/proxy/rootcoord_mock_test.go
@@ -1130,6 +1130,22 @@ func (coord *RootCoordMock) RestoreRBAC(ctx context.Context, in *milvuspb.Restor
return &commonpb.Status{}, nil
}
+func (coord *RootCoordMock) CreatePrivilegeGroup(ctx context.Context, req *milvuspb.CreatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ return &commonpb.Status{}, nil
+}
+
+func (coord *RootCoordMock) DropPrivilegeGroup(ctx context.Context, req *milvuspb.DropPrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ return &commonpb.Status{}, nil
+}
+
+func (coord *RootCoordMock) ListPrivilegeGroups(ctx context.Context, req *milvuspb.ListPrivilegeGroupsRequest, opts ...grpc.CallOption) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ return &milvuspb.ListPrivilegeGroupsResponse{}, nil
+}
+
+func (coord *RootCoordMock) OperatePrivilegeGroup(ctx context.Context, req *milvuspb.OperatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ return &commonpb.Status{}, nil
+}
+
type DescribeCollectionFunc func(ctx context.Context, request *milvuspb.DescribeCollectionRequest, opts ...grpc.CallOption) (*milvuspb.DescribeCollectionResponse, error)
type ShowPartitionsFunc func(ctx context.Context, request *milvuspb.ShowPartitionsRequest, opts ...grpc.CallOption) (*milvuspb.ShowPartitionsResponse, error)
diff --git a/internal/proxy/util.go b/internal/proxy/util.go
index dc048daeb3fb5..dae3c88c56fe4 100644
--- a/internal/proxy/util.go
+++ b/internal/proxy/util.go
@@ -906,14 +906,6 @@ func ValidateObjectType(entity string) error {
return validateName(entity, "ObjectType")
}
-func ValidatePrincipalName(entity string) error {
- return validateName(entity, "PrincipalName")
-}
-
-func ValidatePrincipalType(entity string) error {
- return validateName(entity, "PrincipalType")
-}
-
func ValidatePrivilege(entity string) error {
if util.IsAnyWord(entity) {
return nil
diff --git a/internal/proxy/util_test.go b/internal/proxy/util_test.go
index f95a9299252c5..0aed56b3a4b09 100644
--- a/internal/proxy/util_test.go
+++ b/internal/proxy/util_test.go
@@ -804,8 +804,6 @@ func TestValidateName(t *testing.T) {
assert.Nil(t, ValidateRoleName(name))
assert.Nil(t, ValidateObjectName(name))
assert.Nil(t, ValidateObjectType(name))
- assert.Nil(t, ValidatePrincipalName(name))
- assert.Nil(t, ValidatePrincipalType(name))
assert.Nil(t, ValidatePrivilege(name))
}
@@ -828,8 +826,6 @@ func TestValidateName(t *testing.T) {
assert.NotNil(t, validateName(name, nameType))
assert.NotNil(t, ValidateRoleName(name))
assert.NotNil(t, ValidateObjectType(name))
- assert.NotNil(t, ValidatePrincipalName(name))
- assert.NotNil(t, ValidatePrincipalType(name))
assert.NotNil(t, ValidatePrivilege(name))
}
assert.NotNil(t, ValidateObjectName(" "))
diff --git a/internal/rootcoord/meta_table.go b/internal/rootcoord/meta_table.go
index f86eb82297c66..31364f431b055 100644
--- a/internal/rootcoord/meta_table.go
+++ b/internal/rootcoord/meta_table.go
@@ -22,6 +22,7 @@ import (
"sync"
"github.com/cockroachdb/errors"
+ "github.com/samber/lo"
"go.uber.org/zap"
"golang.org/x/exp/maps"
@@ -96,6 +97,12 @@ type IMetaTable interface {
ListUserRole(tenant string) ([]string, error)
BackupRBAC(ctx context.Context, tenant string) (*milvuspb.RBACMeta, error)
RestoreRBAC(ctx context.Context, tenant string, meta *milvuspb.RBACMeta) error
+ IsCustomPrivilegeGroup(groupName string) (bool, error)
+ CreatePrivilegeGroup(groupName string) error
+ DropPrivilegeGroup(groupName string) error
+ ListPrivilegeGroups() ([]*milvuspb.PrivilegeGroupInfo, error)
+ OperatePrivilegeGroup(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error
+ GetPrivilegeGroupRoles(groupName string) ([]*milvuspb.RoleEntity, error)
}
type MetaTable struct {
@@ -1425,3 +1432,187 @@ func (mt *MetaTable) RestoreRBAC(ctx context.Context, tenant string, meta *milvu
return mt.catalog.RestoreRBAC(mt.ctx, tenant, meta)
}
+
+// check if the privielge group name is defined by users
+func (mt *MetaTable) IsCustomPrivilegeGroup(groupName string) (bool, error) {
+ privGroups, err := mt.catalog.ListPrivilegeGroups(mt.ctx)
+ if err != nil {
+ return false, err
+ }
+ for _, group := range privGroups {
+ if group.GroupName == groupName {
+ return true, nil
+ }
+ }
+ return false, nil
+}
+
+func (mt *MetaTable) CreatePrivilegeGroup(groupName string) error {
+ if funcutil.IsEmptyString(groupName) {
+ return fmt.Errorf("the privilege group name is empty")
+ }
+ mt.permissionLock.Lock()
+ defer mt.permissionLock.Unlock()
+
+ definedByUsers, err := mt.IsCustomPrivilegeGroup(groupName)
+ if err != nil {
+ return err
+ }
+ if definedByUsers {
+ return merr.WrapErrParameterInvalidMsg("privilege group name [%s] is defined by users", groupName)
+ }
+ if util.IsPrivilegeNameDefined(groupName) {
+ return merr.WrapErrParameterInvalidMsg("privilege group name [%s] is defined by built in privileges or privilege groups in system", groupName)
+ }
+ data := &milvuspb.PrivilegeGroupInfo{
+ GroupName: groupName,
+ Privileges: make([]*milvuspb.PrivilegeEntity, 0),
+ }
+ return mt.catalog.SavePrivilegeGroup(mt.ctx, data)
+}
+
+func (mt *MetaTable) DropPrivilegeGroup(groupName string) error {
+ if funcutil.IsEmptyString(groupName) {
+ return fmt.Errorf("the privilege group name is empty")
+ }
+ mt.permissionLock.Lock()
+ defer mt.permissionLock.Unlock()
+
+ definedByUsers, err := mt.IsCustomPrivilegeGroup(groupName)
+ if err != nil {
+ return err
+ }
+ if !definedByUsers {
+ return nil
+ }
+ // check if the group is used by any role
+ roles, err := mt.catalog.ListRole(mt.ctx, util.DefaultTenant, nil, false)
+ if err != nil {
+ return err
+ }
+ roleEntity := lo.Map(roles, func(entity *milvuspb.RoleResult, _ int) *milvuspb.RoleEntity {
+ return entity.GetRole()
+ })
+ for _, role := range roleEntity {
+ grants, err := mt.catalog.ListGrant(mt.ctx, util.DefaultTenant, &milvuspb.GrantEntity{
+ Role: role,
+ DbName: util.AnyWord,
+ })
+ if err != nil {
+ return err
+ }
+ for _, grant := range grants {
+ if grant.Grantor.Privilege.Name == groupName {
+ return errors.Newf("privilege group [%s] is used by role [%s], Use REVOKE API to revoke it first", groupName, role.GetName())
+ }
+ }
+ }
+ return mt.catalog.DropPrivilegeGroup(mt.ctx, groupName)
+}
+
+func (mt *MetaTable) ListPrivilegeGroups() ([]*milvuspb.PrivilegeGroupInfo, error) {
+ mt.permissionLock.Lock()
+ defer mt.permissionLock.Unlock()
+
+ return mt.catalog.ListPrivilegeGroups(mt.ctx)
+}
+
+func (mt *MetaTable) OperatePrivilegeGroup(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error {
+ if funcutil.IsEmptyString(groupName) {
+ return fmt.Errorf("the privilege group name is empty")
+ }
+ mt.permissionLock.Lock()
+ defer mt.permissionLock.Unlock()
+
+ // validate input params
+ definedByUsers, err := mt.IsCustomPrivilegeGroup(groupName)
+ if err != nil {
+ return err
+ }
+ if !definedByUsers {
+ return merr.WrapErrParameterInvalidMsg("there is no privilege group name [%s] to operate", groupName)
+ }
+ groups, err := mt.catalog.ListPrivilegeGroups(mt.ctx)
+ if err != nil {
+ return err
+ }
+ for _, p := range privileges {
+ if util.IsPrivilegeNameDefined(p.Name) {
+ continue
+ }
+ for _, group := range groups {
+ // add privileges for custom privilege group
+ if group.GroupName == p.Name {
+ privileges = append(privileges, group.Privileges...)
+ } else {
+ return merr.WrapErrParameterInvalidMsg("there is no privilege name or privielge group name [%s] defined in system to operate", p.Name)
+ }
+ }
+ }
+
+ // merge with current privileges
+ group, err := mt.catalog.GetPrivilegeGroup(mt.ctx, groupName)
+ if err != nil {
+ log.Warn("fail to get privilege group", zap.String("privilege_group", groupName), zap.Error(err))
+ return err
+ }
+ privSet := lo.SliceToMap(group.Privileges, func(p *milvuspb.PrivilegeEntity) (string, struct{}) {
+ return p.Name, struct{}{}
+ })
+ switch operateType {
+ case milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup:
+ for _, p := range privileges {
+ privSet[p.Name] = struct{}{}
+ }
+ case milvuspb.OperatePrivilegeGroupType_RemovePrivilegesFromGroup:
+ for _, p := range privileges {
+ delete(privSet, p.Name)
+ }
+ default:
+ log.Warn("unsupported operate type", zap.Any("operate_type", operateType))
+ return fmt.Errorf("unsupported operate type: %v", operateType)
+ }
+
+ mergedPrivs := lo.Map(lo.Keys(privSet), func(priv string, _ int) *milvuspb.PrivilegeEntity {
+ return &milvuspb.PrivilegeEntity{Name: priv}
+ })
+ data := &milvuspb.PrivilegeGroupInfo{
+ GroupName: groupName,
+ Privileges: mergedPrivs,
+ }
+ return mt.catalog.SavePrivilegeGroup(mt.ctx, data)
+}
+
+func (mt *MetaTable) GetPrivilegeGroupRoles(groupName string) ([]*milvuspb.RoleEntity, error) {
+ if funcutil.IsEmptyString(groupName) {
+ return nil, fmt.Errorf("the privilege group name is empty")
+ }
+ mt.permissionLock.RLock()
+ defer mt.permissionLock.RUnlock()
+
+ // get all roles
+ roles, err := mt.catalog.ListRole(mt.ctx, util.DefaultTenant, nil, false)
+ if err != nil {
+ return nil, err
+ }
+ roleEntity := lo.Map(roles, func(entity *milvuspb.RoleResult, _ int) *milvuspb.RoleEntity {
+ return entity.GetRole()
+ })
+
+ rolesMap := make(map[*milvuspb.RoleEntity]struct{})
+ for _, role := range roleEntity {
+ grants, err := mt.catalog.ListGrant(mt.ctx, util.DefaultTenant, &milvuspb.GrantEntity{
+ Role: role,
+ DbName: util.AnyWord,
+ })
+ if err != nil {
+ return nil, err
+ }
+ for _, grant := range grants {
+ if grant.Grantor.Privilege.Name == groupName {
+ rolesMap[role] = struct{}{}
+ }
+ }
+ }
+ return lo.Keys(rolesMap), nil
+}
diff --git a/internal/rootcoord/meta_table_test.go b/internal/rootcoord/meta_table_test.go
index 7bd666f7ca3c4..4192b655c03be 100644
--- a/internal/rootcoord/meta_table_test.go
+++ b/internal/rootcoord/meta_table_test.go
@@ -2071,3 +2071,44 @@ func TestMetaTable_RestoreRBAC(t *testing.T) {
err = mt.RestoreRBAC(context.TODO(), util.DefaultTenant, &milvuspb.RBACMeta{})
assert.Error(t, err)
}
+
+func TestMetaTable_PrivilegeGroup(t *testing.T) {
+ catalog := mocks.NewRootCoordCatalog(t)
+ catalog.EXPECT().ListPrivilegeGroups(mock.Anything).Return([]*milvuspb.PrivilegeGroupInfo{
+ {
+ GroupName: "pg1",
+ Privileges: []*milvuspb.PrivilegeEntity{{Name: "CreateCollection"}, {Name: "DescribeCollection"}},
+ },
+ }, nil)
+ catalog.EXPECT().ListRole(mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil, nil)
+ catalog.EXPECT().SavePrivilegeGroup(mock.Anything, mock.Anything).Return(nil)
+ catalog.EXPECT().DropPrivilegeGroup(mock.Anything, mock.Anything).Return(nil)
+ mt := &MetaTable{
+ dbName2Meta: map[string]*model.Database{
+ "not_commit": model.NewDatabase(1, "not_commit", pb.DatabaseState_DatabaseCreated, nil),
+ },
+ names: newNameDb(),
+ aliases: newNameDb(),
+ catalog: catalog,
+ }
+ err := mt.CreatePrivilegeGroup("pg1")
+ assert.Error(t, err)
+ err = mt.CreatePrivilegeGroup("")
+ assert.Error(t, err)
+ err = mt.CreatePrivilegeGroup("Insert")
+ assert.Error(t, err)
+ err = mt.CreatePrivilegeGroup("pg2")
+ assert.NoError(t, err)
+ err = mt.DropPrivilegeGroup("")
+ assert.Error(t, err)
+ err = mt.DropPrivilegeGroup("pg1")
+ assert.NoError(t, err)
+ err = mt.OperatePrivilegeGroup("", []*milvuspb.PrivilegeEntity{}, milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup)
+ assert.Error(t, err)
+ err = mt.OperatePrivilegeGroup("pg3", []*milvuspb.PrivilegeEntity{}, milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup)
+ assert.Error(t, err)
+ _, err = mt.GetPrivilegeGroupRoles("")
+ assert.Error(t, err)
+ _, err = mt.ListPrivilegeGroups()
+ assert.NoError(t, err)
+}
diff --git a/internal/rootcoord/mock_test.go b/internal/rootcoord/mock_test.go
index e0eb4db1d8711..a9cf579fe5e85 100644
--- a/internal/rootcoord/mock_test.go
+++ b/internal/rootcoord/mock_test.go
@@ -96,6 +96,11 @@ type mockMetaTable struct {
ListPolicyFunc func(tenant string) ([]string, error)
ListUserRoleFunc func(tenant string) ([]string, error)
DescribeDatabaseFunc func(ctx context.Context, dbName string) (*model.Database, error)
+ CreatePrivilegeGroupFunc func(groupName string) error
+ DropPrivilegeGroupFunc func(groupName string) error
+ ListPrivilegeGroupsFunc func() ([]*milvuspb.PrivilegeGroupInfo, error)
+ OperatePrivilegeGroupFunc func(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error
+ GetPrivilegeGroupRolesFunc func(groupName string) ([]*milvuspb.RoleEntity, error)
}
func (m mockMetaTable) GetDatabaseByName(ctx context.Context, dbName string, ts Timestamp) (*model.Database, error) {
@@ -250,6 +255,26 @@ func (m mockMetaTable) ListUserRole(tenant string) ([]string, error) {
return m.ListUserRoleFunc(tenant)
}
+func (m mockMetaTable) CreatePrivilegeGroup(groupName string) error {
+ return m.CreatePrivilegeGroupFunc(groupName)
+}
+
+func (m mockMetaTable) DropPrivilegeGroup(groupName string) error {
+ return m.DropPrivilegeGroupFunc(groupName)
+}
+
+func (m mockMetaTable) ListPrivilegeGroups() ([]*milvuspb.PrivilegeGroupInfo, error) {
+ return m.ListPrivilegeGroupsFunc()
+}
+
+func (m mockMetaTable) OperatePrivilegeGroup(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error {
+ return m.OperatePrivilegeGroupFunc(groupName, privileges, operateType)
+}
+
+func (m mockMetaTable) GetPrivilegeGroupRoles(groupName string) ([]*milvuspb.RoleEntity, error) {
+ return m.GetPrivilegeGroupRolesFunc(groupName)
+}
+
func newMockMetaTable() *mockMetaTable {
return &mockMetaTable{}
}
@@ -524,6 +549,21 @@ func withInvalidMeta() Opt {
meta.DescribeDatabaseFunc = func(ctx context.Context, dbName string) (*model.Database, error) {
return nil, errors.New("error mock DescribeDatabase")
}
+ meta.CreatePrivilegeGroupFunc = func(groupName string) error {
+ return errors.New("error mock CreatePrivilegeGroup")
+ }
+ meta.DropPrivilegeGroupFunc = func(groupName string) error {
+ return errors.New("error mock DropPrivilegeGroup")
+ }
+ meta.ListPrivilegeGroupsFunc = func() ([]*milvuspb.PrivilegeGroupInfo, error) {
+ return nil, errors.New("error mock ListPrivilegeGroups")
+ }
+ meta.OperatePrivilegeGroupFunc = func(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error {
+ return errors.New("error mock OperatePrivilegeGroup")
+ }
+ meta.GetPrivilegeGroupRolesFunc = func(groupName string) ([]*milvuspb.RoleEntity, error) {
+ return nil, errors.New("error mock GetPrivilegeGroupRoles")
+ }
return withMeta(meta)
}
diff --git a/internal/rootcoord/mocks/meta_table.go b/internal/rootcoord/mocks/meta_table.go
index 9dc0aee9c9e08..28f679f055991 100644
--- a/internal/rootcoord/mocks/meta_table.go
+++ b/internal/rootcoord/mocks/meta_table.go
@@ -570,6 +570,52 @@ func (_c *IMetaTable_CreateDatabase_Call) RunAndReturn(run func(context.Context,
return _c
}
+// CreatePrivilegeGroup provides a mock function with given fields: groupName
+func (_m *IMetaTable) CreatePrivilegeGroup(groupName string) error {
+ ret := _m.Called(groupName)
+
+ if len(ret) == 0 {
+ panic("no return value specified for CreatePrivilegeGroup")
+ }
+
+ var r0 error
+ if rf, ok := ret.Get(0).(func(string) error); ok {
+ r0 = rf(groupName)
+ } else {
+ r0 = ret.Error(0)
+ }
+
+ return r0
+}
+
+// IMetaTable_CreatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'CreatePrivilegeGroup'
+type IMetaTable_CreatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// CreatePrivilegeGroup is a helper method to define mock.On call
+// - groupName string
+func (_e *IMetaTable_Expecter) CreatePrivilegeGroup(groupName interface{}) *IMetaTable_CreatePrivilegeGroup_Call {
+ return &IMetaTable_CreatePrivilegeGroup_Call{Call: _e.mock.On("CreatePrivilegeGroup", groupName)}
+}
+
+func (_c *IMetaTable_CreatePrivilegeGroup_Call) Run(run func(groupName string)) *IMetaTable_CreatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(string))
+ })
+ return _c
+}
+
+func (_c *IMetaTable_CreatePrivilegeGroup_Call) Return(_a0 error) *IMetaTable_CreatePrivilegeGroup_Call {
+ _c.Call.Return(_a0)
+ return _c
+}
+
+func (_c *IMetaTable_CreatePrivilegeGroup_Call) RunAndReturn(run func(string) error) *IMetaTable_CreatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// CreateRole provides a mock function with given fields: tenant, entity
func (_m *IMetaTable) CreateRole(tenant string, entity *milvuspb.RoleEntity) error {
ret := _m.Called(tenant, entity)
@@ -842,6 +888,52 @@ func (_c *IMetaTable_DropGrant_Call) RunAndReturn(run func(string, *milvuspb.Rol
return _c
}
+// DropPrivilegeGroup provides a mock function with given fields: groupName
+func (_m *IMetaTable) DropPrivilegeGroup(groupName string) error {
+ ret := _m.Called(groupName)
+
+ if len(ret) == 0 {
+ panic("no return value specified for DropPrivilegeGroup")
+ }
+
+ var r0 error
+ if rf, ok := ret.Get(0).(func(string) error); ok {
+ r0 = rf(groupName)
+ } else {
+ r0 = ret.Error(0)
+ }
+
+ return r0
+}
+
+// IMetaTable_DropPrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DropPrivilegeGroup'
+type IMetaTable_DropPrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// DropPrivilegeGroup is a helper method to define mock.On call
+// - groupName string
+func (_e *IMetaTable_Expecter) DropPrivilegeGroup(groupName interface{}) *IMetaTable_DropPrivilegeGroup_Call {
+ return &IMetaTable_DropPrivilegeGroup_Call{Call: _e.mock.On("DropPrivilegeGroup", groupName)}
+}
+
+func (_c *IMetaTable_DropPrivilegeGroup_Call) Run(run func(groupName string)) *IMetaTable_DropPrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(string))
+ })
+ return _c
+}
+
+func (_c *IMetaTable_DropPrivilegeGroup_Call) Return(_a0 error) *IMetaTable_DropPrivilegeGroup_Call {
+ _c.Call.Return(_a0)
+ return _c
+}
+
+func (_c *IMetaTable_DropPrivilegeGroup_Call) RunAndReturn(run func(string) error) *IMetaTable_DropPrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// DropRole provides a mock function with given fields: tenant, roleName
func (_m *IMetaTable) DropRole(tenant string, roleName string) error {
ret := _m.Called(tenant, roleName)
@@ -1265,6 +1357,64 @@ func (_c *IMetaTable_GetDatabaseByName_Call) RunAndReturn(run func(context.Conte
return _c
}
+// GetPrivilegeGroupRoles provides a mock function with given fields: groupName
+func (_m *IMetaTable) GetPrivilegeGroupRoles(groupName string) ([]*milvuspb.RoleEntity, error) {
+ ret := _m.Called(groupName)
+
+ if len(ret) == 0 {
+ panic("no return value specified for GetPrivilegeGroupRoles")
+ }
+
+ var r0 []*milvuspb.RoleEntity
+ var r1 error
+ if rf, ok := ret.Get(0).(func(string) ([]*milvuspb.RoleEntity, error)); ok {
+ return rf(groupName)
+ }
+ if rf, ok := ret.Get(0).(func(string) []*milvuspb.RoleEntity); ok {
+ r0 = rf(groupName)
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).([]*milvuspb.RoleEntity)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func(string) error); ok {
+ r1 = rf(groupName)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// IMetaTable_GetPrivilegeGroupRoles_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetPrivilegeGroupRoles'
+type IMetaTable_GetPrivilegeGroupRoles_Call struct {
+ *mock.Call
+}
+
+// GetPrivilegeGroupRoles is a helper method to define mock.On call
+// - groupName string
+func (_e *IMetaTable_Expecter) GetPrivilegeGroupRoles(groupName interface{}) *IMetaTable_GetPrivilegeGroupRoles_Call {
+ return &IMetaTable_GetPrivilegeGroupRoles_Call{Call: _e.mock.On("GetPrivilegeGroupRoles", groupName)}
+}
+
+func (_c *IMetaTable_GetPrivilegeGroupRoles_Call) Run(run func(groupName string)) *IMetaTable_GetPrivilegeGroupRoles_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(string))
+ })
+ return _c
+}
+
+func (_c *IMetaTable_GetPrivilegeGroupRoles_Call) Return(_a0 []*milvuspb.RoleEntity, _a1 error) *IMetaTable_GetPrivilegeGroupRoles_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *IMetaTable_GetPrivilegeGroupRoles_Call) RunAndReturn(run func(string) ([]*milvuspb.RoleEntity, error)) *IMetaTable_GetPrivilegeGroupRoles_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// IsAlias provides a mock function with given fields: db, name
func (_m *IMetaTable) IsAlias(db string, name string) bool {
ret := _m.Called(db, name)
@@ -1308,6 +1458,62 @@ func (_c *IMetaTable_IsAlias_Call) RunAndReturn(run func(string, string) bool) *
return _c
}
+// IsCustomPrivilegeGroup provides a mock function with given fields: groupName
+func (_m *IMetaTable) IsCustomPrivilegeGroup(groupName string) (bool, error) {
+ ret := _m.Called(groupName)
+
+ if len(ret) == 0 {
+ panic("no return value specified for IsCustomPrivilegeGroup")
+ }
+
+ var r0 bool
+ var r1 error
+ if rf, ok := ret.Get(0).(func(string) (bool, error)); ok {
+ return rf(groupName)
+ }
+ if rf, ok := ret.Get(0).(func(string) bool); ok {
+ r0 = rf(groupName)
+ } else {
+ r0 = ret.Get(0).(bool)
+ }
+
+ if rf, ok := ret.Get(1).(func(string) error); ok {
+ r1 = rf(groupName)
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// IMetaTable_IsCustomPrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsCustomPrivilegeGroup'
+type IMetaTable_IsCustomPrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// IsCustomPrivilegeGroup is a helper method to define mock.On call
+// - groupName string
+func (_e *IMetaTable_Expecter) IsCustomPrivilegeGroup(groupName interface{}) *IMetaTable_IsCustomPrivilegeGroup_Call {
+ return &IMetaTable_IsCustomPrivilegeGroup_Call{Call: _e.mock.On("IsCustomPrivilegeGroup", groupName)}
+}
+
+func (_c *IMetaTable_IsCustomPrivilegeGroup_Call) Run(run func(groupName string)) *IMetaTable_IsCustomPrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(string))
+ })
+ return _c
+}
+
+func (_c *IMetaTable_IsCustomPrivilegeGroup_Call) Return(_a0 bool, _a1 error) *IMetaTable_IsCustomPrivilegeGroup_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *IMetaTable_IsCustomPrivilegeGroup_Call) RunAndReturn(run func(string) (bool, error)) *IMetaTable_IsCustomPrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// ListAliases provides a mock function with given fields: ctx, dbName, collectionName, ts
func (_m *IMetaTable) ListAliases(ctx context.Context, dbName string, collectionName string, ts uint64) ([]string, error) {
ret := _m.Called(ctx, dbName, collectionName, ts)
@@ -1715,6 +1921,63 @@ func (_c *IMetaTable_ListPolicy_Call) RunAndReturn(run func(string) ([]string, e
return _c
}
+// ListPrivilegeGroups provides a mock function with given fields:
+func (_m *IMetaTable) ListPrivilegeGroups() ([]*milvuspb.PrivilegeGroupInfo, error) {
+ ret := _m.Called()
+
+ if len(ret) == 0 {
+ panic("no return value specified for ListPrivilegeGroups")
+ }
+
+ var r0 []*milvuspb.PrivilegeGroupInfo
+ var r1 error
+ if rf, ok := ret.Get(0).(func() ([]*milvuspb.PrivilegeGroupInfo, error)); ok {
+ return rf()
+ }
+ if rf, ok := ret.Get(0).(func() []*milvuspb.PrivilegeGroupInfo); ok {
+ r0 = rf()
+ } else {
+ if ret.Get(0) != nil {
+ r0 = ret.Get(0).([]*milvuspb.PrivilegeGroupInfo)
+ }
+ }
+
+ if rf, ok := ret.Get(1).(func() error); ok {
+ r1 = rf()
+ } else {
+ r1 = ret.Error(1)
+ }
+
+ return r0, r1
+}
+
+// IMetaTable_ListPrivilegeGroups_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ListPrivilegeGroups'
+type IMetaTable_ListPrivilegeGroups_Call struct {
+ *mock.Call
+}
+
+// ListPrivilegeGroups is a helper method to define mock.On call
+func (_e *IMetaTable_Expecter) ListPrivilegeGroups() *IMetaTable_ListPrivilegeGroups_Call {
+ return &IMetaTable_ListPrivilegeGroups_Call{Call: _e.mock.On("ListPrivilegeGroups")}
+}
+
+func (_c *IMetaTable_ListPrivilegeGroups_Call) Run(run func()) *IMetaTable_ListPrivilegeGroups_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run()
+ })
+ return _c
+}
+
+func (_c *IMetaTable_ListPrivilegeGroups_Call) Return(_a0 []*milvuspb.PrivilegeGroupInfo, _a1 error) *IMetaTable_ListPrivilegeGroups_Call {
+ _c.Call.Return(_a0, _a1)
+ return _c
+}
+
+func (_c *IMetaTable_ListPrivilegeGroups_Call) RunAndReturn(run func() ([]*milvuspb.PrivilegeGroupInfo, error)) *IMetaTable_ListPrivilegeGroups_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// ListUserRole provides a mock function with given fields: tenant
func (_m *IMetaTable) ListUserRole(tenant string) ([]string, error) {
ret := _m.Called(tenant)
@@ -1813,6 +2076,54 @@ func (_c *IMetaTable_OperatePrivilege_Call) RunAndReturn(run func(string, *milvu
return _c
}
+// OperatePrivilegeGroup provides a mock function with given fields: groupName, privileges, operateType
+func (_m *IMetaTable) OperatePrivilegeGroup(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error {
+ ret := _m.Called(groupName, privileges, operateType)
+
+ if len(ret) == 0 {
+ panic("no return value specified for OperatePrivilegeGroup")
+ }
+
+ var r0 error
+ if rf, ok := ret.Get(0).(func(string, []*milvuspb.PrivilegeEntity, milvuspb.OperatePrivilegeGroupType) error); ok {
+ r0 = rf(groupName, privileges, operateType)
+ } else {
+ r0 = ret.Error(0)
+ }
+
+ return r0
+}
+
+// IMetaTable_OperatePrivilegeGroup_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OperatePrivilegeGroup'
+type IMetaTable_OperatePrivilegeGroup_Call struct {
+ *mock.Call
+}
+
+// OperatePrivilegeGroup is a helper method to define mock.On call
+// - groupName string
+// - privileges []*milvuspb.PrivilegeEntity
+// - operateType milvuspb.OperatePrivilegeGroupType
+func (_e *IMetaTable_Expecter) OperatePrivilegeGroup(groupName interface{}, privileges interface{}, operateType interface{}) *IMetaTable_OperatePrivilegeGroup_Call {
+ return &IMetaTable_OperatePrivilegeGroup_Call{Call: _e.mock.On("OperatePrivilegeGroup", groupName, privileges, operateType)}
+}
+
+func (_c *IMetaTable_OperatePrivilegeGroup_Call) Run(run func(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType)) *IMetaTable_OperatePrivilegeGroup_Call {
+ _c.Call.Run(func(args mock.Arguments) {
+ run(args[0].(string), args[1].([]*milvuspb.PrivilegeEntity), args[2].(milvuspb.OperatePrivilegeGroupType))
+ })
+ return _c
+}
+
+func (_c *IMetaTable_OperatePrivilegeGroup_Call) Return(_a0 error) *IMetaTable_OperatePrivilegeGroup_Call {
+ _c.Call.Return(_a0)
+ return _c
+}
+
+func (_c *IMetaTable_OperatePrivilegeGroup_Call) RunAndReturn(run func(string, []*milvuspb.PrivilegeEntity, milvuspb.OperatePrivilegeGroupType) error) *IMetaTable_OperatePrivilegeGroup_Call {
+ _c.Call.Return(run)
+ return _c
+}
+
// OperateUserRole provides a mock function with given fields: tenant, userEntity, roleEntity, operateType
func (_m *IMetaTable) OperateUserRole(tenant string, userEntity *milvuspb.UserEntity, roleEntity *milvuspb.RoleEntity, operateType milvuspb.OperateUserRoleType) error {
ret := _m.Called(tenant, userEntity, roleEntity, operateType)
diff --git a/internal/rootcoord/root_coord.go b/internal/rootcoord/root_coord.go
index 374cece06e9e0..27f66f13f56d6 100644
--- a/internal/rootcoord/root_coord.go
+++ b/internal/rootcoord/root_coord.go
@@ -612,7 +612,11 @@ func (c *Core) initBuiltinRoles() error {
for _, privilege := range privilegesJSON[util.RoleConfigPrivileges] {
privilegeName := privilege[util.RoleConfigPrivilege]
if !util.IsAnyWord(privilege[util.RoleConfigPrivilege]) {
- privilegeName = util.PrivilegeNameForMetastore(privilege[util.RoleConfigPrivilege])
+ dbPrivName, err := c.getMetastorePrivilegeName(privilege[util.RoleConfigPrivilege])
+ if err != nil {
+ return errors.Wrapf(err, "failed to get metastore privilege name for: %s", privilege[util.RoleConfigPrivilege])
+ }
+ privilegeName = dbPrivName
}
err := c.meta.OperatePrivilege(util.DefaultTenant, &milvuspb.GrantEntity{
Role: &milvuspb.RoleEntity{Name: role},
@@ -2491,11 +2495,8 @@ func (c *Core) isValidGrantor(entity *milvuspb.GrantorEntity, object string) err
if entity == nil {
return errors.New("the grantor entity is nil")
}
- if entity.User == nil {
- return errors.New("the user entity in the grantor entity is nil")
- }
- if entity.User.Name == "" {
- return errors.New("the name in the user entity of the grantor entity is empty")
+ if entity.User == nil || entity.User.Name == "" {
+ return errors.New("the user entity in the grantor entity is nil or empty")
}
if _, err := c.meta.SelectUser(util.DefaultTenant, &milvuspb.UserEntity{Name: entity.User.Name}, false); err != nil {
log.Warn("fail to select the user", zap.String("username", entity.User.Name), zap.Error(err))
@@ -2507,17 +2508,25 @@ func (c *Core) isValidGrantor(entity *milvuspb.GrantorEntity, object string) err
if util.IsAnyWord(entity.Privilege.Name) {
return nil
}
- if privilegeName := util.PrivilegeNameForMetastore(entity.Privilege.Name); privilegeName == "" {
- return fmt.Errorf("not found the privilege name[%s]", entity.Privilege.Name)
+ // check object privileges for built-in privileges
+ if util.IsPrivilegeNameDefined(entity.Privilege.Name) {
+ privileges, ok := util.ObjectPrivileges[object]
+ if !ok {
+ return fmt.Errorf("not found the object type[name: %s], supported the object types: %v", object, lo.Keys(commonpb.ObjectType_value))
+ }
+ for _, privilege := range privileges {
+ if privilege == entity.Privilege.Name {
+ return nil
+ }
+ }
}
- privileges, ok := util.ObjectPrivileges[object]
- if !ok {
- return fmt.Errorf("not found the object type[name: %s], supported the object types: %v", object, lo.Keys(commonpb.ObjectType_value))
+ // check if it is a custom privilege group
+ customPrivGroup, err := c.meta.IsCustomPrivilegeGroup(entity.Privilege.Name)
+ if err != nil {
+ return err
}
- for _, privilege := range privileges {
- if privilege == entity.Privilege.Name {
- return nil
- }
+ if customPrivGroup {
+ return nil
}
return fmt.Errorf("not found the privilege name[%s] in object[%s]", entity.Privilege.Name, object)
}
@@ -2562,11 +2571,18 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
return merr.StatusWithErrorCode(err, commonpb.ErrorCode_OperatePrivilegeFailure), nil
}
- ctxLog.Debug("before PrivilegeNameForMetastore", zap.String("privilege", in.Entity.Grantor.Privilege.Name))
- if !util.IsAnyWord(in.Entity.Grantor.Privilege.Name) {
- in.Entity.Grantor.Privilege.Name = util.PrivilegeNameForMetastore(in.Entity.Grantor.Privilege.Name)
+ // set up privilege name for metastore
+ privName := in.Entity.Grantor.Privilege.Name
+ ctxLog.Debug("before PrivilegeNameForMetastore", zap.String("privilege", privName))
+ if !util.IsAnyWord(privName) {
+ dbPrivName, err := c.getMetastorePrivilegeName(privName)
+ if err != nil {
+ return merr.StatusWithErrorCode(err, commonpb.ErrorCode_OperatePrivilegeFailure), nil
+ }
+ in.Entity.Grantor.Privilege.Name = dbPrivName
}
- ctxLog.Debug("after PrivilegeNameForMetastore", zap.String("privilege", in.Entity.Grantor.Privilege.Name))
+ ctxLog.Debug("after PrivilegeNameForMetastore", zap.String("privilege", privName))
+
if in.Entity.Object.Name == commonpb.ObjectType_Global.String() {
in.Entity.ObjectName = util.AnyWord
}
@@ -2614,6 +2630,22 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
return merr.Success(), nil
}
+func (c *Core) getMetastorePrivilegeName(privName string) (string, error) {
+ // if it is built-in privilege, return the privilege name directly
+ if util.IsPrivilegeNameDefined(privName) {
+ return util.PrivilegeNameForMetastore(privName), nil
+ }
+ // return the privilege group name if it is a custom privilege group
+ customGroup, err := c.meta.IsCustomPrivilegeGroup(privName)
+ if err != nil {
+ return "", err
+ }
+ if customGroup {
+ return util.PrivilegeGroupNameForMetastore(privName), nil
+ }
+ return "", errors.New("not found the privilege name")
+}
+
// SelectGrant select grant
// - check the node health
// - check if the principal entity is valid
@@ -2706,14 +2738,23 @@ func (c *Core) ListPolicy(ctx context.Context, in *internalpb.ListPolicyRequest)
Status: merr.StatusWithErrorCode(errors.New(errMsg), commonpb.ErrorCode_ListPolicyFailure),
}, nil
}
+ privGroups, err := c.meta.ListPrivilegeGroups()
+ if err != nil {
+ errMsg := "fail to list privilege groups"
+ ctxLog.Warn(errMsg, zap.Error(err))
+ return &internalpb.ListPolicyResponse{
+ Status: merr.StatusWithErrorCode(errors.New(errMsg), commonpb.ErrorCode_ListPolicyFailure),
+ }, nil
+ }
ctxLog.Debug(method + " success")
metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.SuccessLabel).Inc()
metrics.RootCoordDDLReqLatency.WithLabelValues(method).Observe(float64(tr.ElapseSpan().Milliseconds()))
return &internalpb.ListPolicyResponse{
- Status: merr.Success(),
- PolicyInfos: policies,
- UserRoles: userRoles,
+ Status: merr.Success(),
+ PolicyInfos: policies,
+ UserRoles: userRoles,
+ PrivilegeGroups: privGroups,
}, nil
}
@@ -2914,3 +2955,236 @@ func (c *Core) CheckHealth(ctx context.Context, in *milvuspb.CheckHealthRequest)
return &milvuspb.CheckHealthResponse{Status: merr.Success(), IsHealthy: true, Reasons: []string{}}, nil
}
+
+func (c *Core) CreatePrivilegeGroup(ctx context.Context, in *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ method := "CreatePrivilegeGroup"
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.TotalLabel).Inc()
+ tr := timerecord.NewTimeRecorder(method)
+ ctxLog := log.Ctx(ctx).With(zap.String("role", typeutil.RootCoordRole), zap.Any("in", in))
+ ctxLog.Debug(method)
+
+ if err := merr.CheckHealthy(c.GetStateCode()); err != nil {
+ return merr.Status(err), nil
+ }
+
+ if err := c.meta.CreatePrivilegeGroup(in.GroupName); err != nil {
+ ctxLog.Warn("fail to create privilege group", zap.Error(err))
+ return merr.Status(err), nil
+ }
+
+ ctxLog.Debug(method + " success")
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.SuccessLabel).Inc()
+ metrics.RootCoordDDLReqLatency.WithLabelValues(method).Observe(float64(tr.ElapseSpan().Milliseconds()))
+ metrics.RootCoordNumOfPrivilegeGroups.Inc()
+ return merr.Success(), nil
+}
+
+func (c *Core) DropPrivilegeGroup(ctx context.Context, in *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+ method := "DropPrivilegeGroup"
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.TotalLabel).Inc()
+ tr := timerecord.NewTimeRecorder(method)
+ ctxLog := log.Ctx(ctx).With(zap.String("role", typeutil.RootCoordRole), zap.Any("in", in))
+ ctxLog.Debug(method)
+
+ if err := merr.CheckHealthy(c.GetStateCode()); err != nil {
+ return merr.Status(err), nil
+ }
+
+ if err := c.meta.DropPrivilegeGroup(in.GroupName); err != nil {
+ ctxLog.Warn("fail to drop privilege group", zap.Error(err))
+ return merr.Status(err), nil
+ }
+
+ ctxLog.Debug(method + " success")
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.SuccessLabel).Inc()
+ metrics.RootCoordDDLReqLatency.WithLabelValues(method).Observe(float64(tr.ElapseSpan().Milliseconds()))
+ metrics.RootCoordNumOfPrivilegeGroups.Desc()
+ return merr.Success(), nil
+}
+
+func (c *Core) ListPrivilegeGroups(ctx context.Context, in *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ method := "ListPrivilegeGroups"
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.TotalLabel).Inc()
+ tr := timerecord.NewTimeRecorder(method)
+ ctxLog := log.Ctx(ctx).With(zap.String("role", typeutil.RootCoordRole), zap.Any("in", in))
+ ctxLog.Debug(method)
+
+ if err := merr.CheckHealthy(c.GetStateCode()); err != nil {
+ return &milvuspb.ListPrivilegeGroupsResponse{
+ Status: merr.Status(err),
+ }, nil
+ }
+
+ privGroups, err := c.meta.ListPrivilegeGroups()
+ if err != nil {
+ ctxLog.Warn("fail to list privilege group", zap.Error(err))
+ return &milvuspb.ListPrivilegeGroupsResponse{
+ Status: merr.StatusWithErrorCode(err, commonpb.ErrorCode_ListPrivilegeGroupsFailure),
+ }, nil
+ }
+
+ ctxLog.Debug(method + " success")
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.SuccessLabel).Inc()
+ metrics.RootCoordDDLReqLatency.WithLabelValues(method).Observe(float64(tr.ElapseSpan().Milliseconds()))
+ return &milvuspb.ListPrivilegeGroupsResponse{
+ Status: merr.Success(),
+ PrivilegeGroups: privGroups,
+ }, nil
+}
+
+func (c *Core) OperatePrivilegeGroup(ctx context.Context, in *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+ method := "OperatePrivilegeGroup-" + in.Type.String()
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.TotalLabel).Inc()
+ tr := timerecord.NewTimeRecorder(method)
+ ctxLog := log.Ctx(ctx).With(zap.String("role", typeutil.RootCoordRole), zap.Any("in", in))
+ ctxLog.Debug(method)
+
+ if err := merr.CheckHealthy(c.GetStateCode()); err != nil {
+ return merr.Status(err), nil
+ }
+
+ redoTask := newBaseRedoTask(c.stepExecutor)
+ redoTask.AddSyncStep(NewSimpleStep("operate privilege group", func(ctx context.Context) ([]nestedStep, error) {
+ groups, err := c.meta.ListPrivilegeGroups()
+ if err != nil && !common.IsIgnorableError(err) {
+ log.Warn("fail to list privilege groups", zap.Error(err))
+ return nil, err
+ }
+ currGroups := lo.SliceToMap(groups, func(group *milvuspb.PrivilegeGroupInfo) (string, []*milvuspb.PrivilegeEntity) {
+ return group.GroupName, group.Privileges
+ })
+
+ // get roles granted to the group
+ roles, err := c.meta.GetPrivilegeGroupRoles(in.GroupName)
+ if err != nil {
+ return nil, err
+ }
+
+ newGroups := make(map[string][]*milvuspb.PrivilegeEntity)
+ for k, v := range currGroups {
+ if k != in.GroupName {
+ newGroups[k] = v
+ continue
+ }
+ switch in.Type {
+ case milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup:
+ newPrivs := lo.Union(v, in.Privileges)
+ newGroups[k] = lo.UniqBy(newPrivs, func(p *milvuspb.PrivilegeEntity) string {
+ return p.Name
+ })
+ case milvuspb.OperatePrivilegeGroupType_RemovePrivilegesFromGroup:
+ newPrivs, _ := lo.Difference(v, in.Privileges)
+ newGroups[k] = newPrivs
+ default:
+ return nil, errors.New("invalid operate type")
+ }
+ }
+
+ rolesToRevoke := []*milvuspb.GrantEntity{}
+ rolesToGrant := []*milvuspb.GrantEntity{}
+ compareGrants := func(a, b *milvuspb.GrantEntity) bool {
+ return a.Role.GetName() == b.Role.GetName() &&
+ a.Object.GetName() == b.Object.GetName() &&
+ a.ObjectName == b.ObjectName &&
+ a.Grantor.GetUser().GetName() == b.Grantor.GetUser().GetName() &&
+ a.Grantor.GetPrivilege().GetName() == b.Grantor.GetPrivilege().GetName() &&
+ a.DbName == b.DbName
+ }
+ for _, role := range roles {
+ grants, err := c.meta.SelectGrant(util.DefaultTenant, &milvuspb.GrantEntity{
+ Role: role,
+ DbName: util.AnyWord,
+ })
+ if err != nil {
+ return nil, err
+ }
+ currGrants := c.expandPrivilegeGroups(grants, currGroups)
+ newGrants := c.expandPrivilegeGroups(grants, newGroups)
+
+ toRevoke := lo.Filter(currGrants, func(item *milvuspb.GrantEntity, _ int) bool {
+ return !lo.ContainsBy(newGrants, func(newItem *milvuspb.GrantEntity) bool {
+ return compareGrants(item, newItem)
+ })
+ })
+
+ toGrant := lo.Filter(newGrants, func(item *milvuspb.GrantEntity, _ int) bool {
+ return !lo.ContainsBy(currGrants, func(currItem *milvuspb.GrantEntity) bool {
+ return compareGrants(item, currItem)
+ })
+ })
+
+ rolesToRevoke = append(rolesToRevoke, toRevoke...)
+ rolesToGrant = append(rolesToGrant, toGrant...)
+ }
+
+ if len(rolesToRevoke) > 0 {
+ opType := int32(typeutil.CacheRevokePrivilege)
+ if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
+ OpType: opType,
+ OpKey: funcutil.PolicyForPrivileges(rolesToRevoke),
+ }); err != nil {
+ log.Warn("fail to refresh policy info cache for revoke privileges in operate privilege group", zap.Any("in", in), zap.Error(err))
+ return nil, err
+ }
+ }
+
+ if len(rolesToGrant) > 0 {
+ opType := int32(typeutil.CacheGrantPrivilege)
+ if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
+ OpType: opType,
+ OpKey: funcutil.PolicyForPrivileges(rolesToGrant),
+ }); err != nil {
+ log.Warn("fail to refresh policy info cache for grants privilege in operate privilege group", zap.Any("in", in), zap.Error(err))
+ return nil, err
+ }
+ }
+ return nil, nil
+ }))
+
+ redoTask.AddSyncStep(NewSimpleStep("operate privilege group meta data", func(ctx context.Context) ([]nestedStep, error) {
+ err := c.meta.OperatePrivilegeGroup(in.GroupName, in.Privileges, in.Type)
+ if err != nil && !common.IsIgnorableError(err) {
+ log.Warn("fail to operate privilege group", zap.Error(err))
+ }
+ return nil, err
+ }))
+
+ err := redoTask.Execute(ctx)
+ if err != nil {
+ errMsg := "fail to execute task when operate privilege group"
+ ctxLog.Warn(errMsg, zap.Error(err))
+ status := merr.StatusWithErrorCode(errors.New(errMsg), commonpb.ErrorCode_OperatePrivilegeGroupFailure)
+ return status, nil
+ }
+
+ ctxLog.Debug(method + " success")
+ metrics.RootCoordDDLReqCounter.WithLabelValues(method, metrics.SuccessLabel).Inc()
+ metrics.RootCoordDDLReqLatency.WithLabelValues(method).Observe(float64(tr.ElapseSpan().Milliseconds()))
+ return merr.Success(), nil
+}
+
+func (c *Core) expandPrivilegeGroups(grants []*milvuspb.GrantEntity, groups map[string][]*milvuspb.PrivilegeEntity) []*milvuspb.GrantEntity {
+ newGrants := []*milvuspb.GrantEntity{}
+ for _, grant := range grants {
+ if groups[grant.Grantor.Privilege.Name] == nil {
+ newGrants = append(newGrants, grant)
+ } else {
+ for _, priv := range groups[grant.Grantor.Privilege.Name] {
+ newGrants = append(newGrants, &milvuspb.GrantEntity{
+ Role: grant.Role,
+ Object: grant.Object,
+ ObjectName: grant.ObjectName,
+ Grantor: &milvuspb.GrantorEntity{
+ User: grant.Grantor.User,
+ Privilege: priv,
+ },
+ DbName: grant.DbName,
+ })
+ }
+ }
+ }
+ // uniq by role + object + object name + grantor user + privilege name + db name
+ return lo.UniqBy(newGrants, func(g *milvuspb.GrantEntity) string {
+ return fmt.Sprintf("%s-%s-%s-%s-%s-%s", g.Role, g.Object, g.ObjectName, g.Grantor.User, g.Grantor.Privilege.Name, g.DbName)
+ })
+}
diff --git a/internal/rootcoord/root_coord_test.go b/internal/rootcoord/root_coord_test.go
index 689bfee948a5a..bdf93e15a9a41 100644
--- a/internal/rootcoord/root_coord_test.go
+++ b/internal/rootcoord/root_coord_test.go
@@ -1748,6 +1748,9 @@ func TestRootCoord_RBACError(t *testing.T) {
mockMeta.SelectRoleFunc = func(tenant string, entity *milvuspb.RoleEntity, includeUserInfo bool) ([]*milvuspb.RoleResult, error) {
return nil, nil
}
+ mockMeta.ListPrivilegeGroupsFunc = func() ([]*milvuspb.PrivilegeGroupInfo, error) {
+ return nil, nil
+ }
{
resp, err := c.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{Entity: &milvuspb.GrantEntity{
Role: &milvuspb.RoleEntity{Name: "foo"},
@@ -1784,6 +1787,39 @@ func TestRootCoord_RBACError(t *testing.T) {
}
})
+ t.Run("operate privilege group failed", func(t *testing.T) {
+ mockMeta := c.meta.(*mockMetaTable)
+ mockMeta.ListPrivilegeGroupsFunc = func() ([]*milvuspb.PrivilegeGroupInfo, error) {
+ return nil, errors.New("mock error")
+ }
+ mockMeta.CreatePrivilegeGroupFunc = func(groupName string) error {
+ return errors.New("mock error")
+ }
+ mockMeta.GetPrivilegeGroupRolesFunc = func(groupName string) ([]*milvuspb.RoleEntity, error) {
+ return nil, errors.New("mock error")
+ }
+ {
+ resp, err := c.OperatePrivilegeGroup(ctx, &milvuspb.OperatePrivilegeGroupRequest{})
+ assert.NoError(t, err)
+ assert.NotEqual(t, commonpb.ErrorCode_Success, resp.GetErrorCode())
+ }
+ {
+ resp, err := c.ListPrivilegeGroups(ctx, &milvuspb.ListPrivilegeGroupsRequest{})
+ assert.NoError(t, err)
+ assert.NotEqual(t, commonpb.ErrorCode_Success, resp.GetStatus().GetErrorCode())
+ }
+ {
+ resp, err := c.OperatePrivilegeGroup(ctx, &milvuspb.OperatePrivilegeGroupRequest{})
+ assert.NoError(t, err)
+ assert.NotEqual(t, commonpb.ErrorCode_Success, resp.GetErrorCode())
+ }
+ {
+ resp, err := c.CreatePrivilegeGroup(ctx, &milvuspb.CreatePrivilegeGroupRequest{})
+ assert.NoError(t, err)
+ assert.NotEqual(t, commonpb.ErrorCode_Success, resp.GetErrorCode())
+ }
+ })
+
t.Run("select grant failed", func(t *testing.T) {
{
resp, err := c.SelectGrant(ctx, &milvuspb.SelectGrantRequest{})
@@ -1879,6 +1915,9 @@ func TestRootCoord_BuiltinRoles(t *testing.T) {
mockMeta.OperatePrivilegeFunc = func(tenant string, entity *milvuspb.GrantEntity, operateType milvuspb.OperatePrivilegeType) error {
return nil
}
+ mockMeta.ListPrivilegeGroupsFunc = func() ([]*milvuspb.PrivilegeGroupInfo, error) {
+ return nil, nil
+ }
err := c.initBuiltinRoles()
assert.Equal(t, nil, err)
assert.True(t, util.IsBuiltinRole(roleDbAdmin))
diff --git a/internal/util/mock/grpc_rootcoord_client.go b/internal/util/mock/grpc_rootcoord_client.go
index bc80d954ae250..0c5d431af4bd8 100644
--- a/internal/util/mock/grpc_rootcoord_client.go
+++ b/internal/util/mock/grpc_rootcoord_client.go
@@ -270,6 +270,22 @@ func (m *GrpcRootCoordClient) RestoreRBAC(ctx context.Context, in *milvuspb.Rest
return &commonpb.Status{}, m.Err
}
+func (m *GrpcRootCoordClient) CreatePrivilegeGroup(ctx context.Context, in *milvuspb.CreatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ return &commonpb.Status{}, m.Err
+}
+
+func (m *GrpcRootCoordClient) DropPrivilegeGroup(ctx context.Context, in *milvuspb.DropPrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ return &commonpb.Status{}, m.Err
+}
+
+func (m *GrpcRootCoordClient) ListPrivilegeGroups(ctx context.Context, in *milvuspb.ListPrivilegeGroupsRequest, opts ...grpc.CallOption) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+ return &milvuspb.ListPrivilegeGroupsResponse{}, m.Err
+}
+
+func (m *GrpcRootCoordClient) OperatePrivilegeGroup(ctx context.Context, in *milvuspb.OperatePrivilegeGroupRequest, opts ...grpc.CallOption) (*commonpb.Status, error) {
+ return &commonpb.Status{}, m.Err
+}
+
func (m *GrpcRootCoordClient) Close() error {
return nil
}
diff --git a/pkg/go.mod b/pkg/go.mod
index b3fa9deb7ac49..17192fed58738 100644
--- a/pkg/go.mod
+++ b/pkg/go.mod
@@ -12,7 +12,7 @@ require (
github.com/expr-lang/expr v1.15.7
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
github.com/klauspost/compress v1.17.7
- github.com/milvus-io/milvus-proto/go-api/v2 v2.4.15
+ github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241110064419-549e4694a7e7
github.com/nats-io/nats-server/v2 v2.10.12
github.com/nats-io/nats.go v1.34.1
github.com/panjf2000/ants/v2 v2.7.2
diff --git a/pkg/go.sum b/pkg/go.sum
index c41940317fa8b..3daf8119ee54c 100644
--- a/pkg/go.sum
+++ b/pkg/go.sum
@@ -503,8 +503,8 @@ github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119 h1:9VXijWu
github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119/go.mod h1:DvXTE/K/RtHehxU8/GtDs4vFtfw64jJ3PaCnFri8CRg=
github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b h1:TfeY0NxYxZzUfIfYe5qYDBzt4ZYRqzUjTR6CvUzjat8=
github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b/go.mod h1:iwW+9cWfIzzDseEBCCeDSN5SD16Tidvy8cwQ7ZY8Qj4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.15 h1:1y+hkeGh7zaD5ZasWjfKNZYWdH8VlLKcjoeyFiSh/I8=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.15/go.mod h1:/6UT4zZl6awVeXLeE7UGDWZvXj3IWkRsh3mqsn0DiAs=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241110064419-549e4694a7e7 h1:gq5xxDS2EIYVk3ujO+sQgDWrhTTpsmV+r6Gm7dfFrt8=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.16-0.20241110064419-549e4694a7e7/go.mod h1:/6UT4zZl6awVeXLeE7UGDWZvXj3IWkRsh3mqsn0DiAs=
github.com/milvus-io/pulsar-client-go v0.6.10 h1:eqpJjU+/QX0iIhEo3nhOqMNXL+TyInAs1IAHZCrCM/A=
github.com/milvus-io/pulsar-client-go v0.6.10/go.mod h1:lQqCkgwDF8YFYjKA+zOheTk1tev2B+bKj5j7+nm8M1w=
github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
diff --git a/pkg/metrics/rootcoord_metrics.go b/pkg/metrics/rootcoord_metrics.go
index 582207c61b0e9..90ed0b6b7abe5 100644
--- a/pkg/metrics/rootcoord_metrics.go
+++ b/pkg/metrics/rootcoord_metrics.go
@@ -146,6 +146,15 @@ var (
Help: "The number of roles",
})
+ // RootCoordNumOfPrivilegeGroups counts the number of credentials.
+ RootCoordNumOfPrivilegeGroups = prometheus.NewGauge(
+ prometheus.GaugeOpts{
+ Namespace: milvusNamespace,
+ Subsystem: typeutil.RootCoordRole,
+ Name: "num_of_privilege_groups",
+ Help: "The number of privilege groups",
+ })
+
// RootCoordTtDelay records the max time tick delay of flow graphs in DataNodes and QueryNodes.
RootCoordTtDelay = prometheus.NewGaugeVec(
prometheus.GaugeOpts{
diff --git a/pkg/util/constant.go b/pkg/util/constant.go
index e51206875a2d4..d68ac7fce276a 100644
--- a/pkg/util/constant.go
+++ b/pkg/util/constant.go
@@ -21,6 +21,7 @@ import (
"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
"github.com/milvus-io/milvus/pkg/common"
+ "github.com/milvus-io/milvus/pkg/util/typeutil"
)
// Meta Prefix consts
@@ -114,6 +115,10 @@ var (
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGetFlushState.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupReadOnly.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupReadWrite.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreatePrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListPrivilegeGroups.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeOperatePrivilegeGroup.String()),
},
commonpb.ObjectType_Global.String(): {
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeAll.String()),
@@ -151,6 +156,10 @@ var (
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeAlias.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListAliases.String()),
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupAdmin.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreatePrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListPrivilegeGroups.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeOperatePrivilegeGroup.String()),
},
commonpb.ObjectType_User.String(): {
MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
@@ -306,6 +315,9 @@ func MetaStore2API(name string) string {
func PrivilegeNameForAPI(name string) string {
_, ok := commonpb.ObjectPrivilege_value[name]
if !ok {
+ if strings.HasPrefix(name, PrivilegeGroupWord) {
+ return typeutil.After(name, PrivilegeGroupWord)
+ }
return ""
}
return MetaStore2API(name)
@@ -327,6 +339,15 @@ func PrivilegeNameForMetastore(name string) string {
return dbPrivilege
}
+// check if the name is defined by built in privileges or privilege groups in system
+func IsPrivilegeNameDefined(name string) bool {
+ return PrivilegeNameForMetastore(name) != ""
+}
+
+func PrivilegeGroupNameForMetastore(name string) string {
+ return PrivilegeGroupWord + name
+}
+
func IsAnyWord(word string) bool {
return word == AnyWord
}
diff --git a/pkg/util/funcutil/policy.go b/pkg/util/funcutil/policy.go
index 384d3a436f1b8..bdf2650a51dab 100644
--- a/pkg/util/funcutil/policy.go
+++ b/pkg/util/funcutil/policy.go
@@ -5,6 +5,7 @@ import (
"strings"
"github.com/cockroachdb/errors"
+ "github.com/samber/lo"
"go.uber.org/zap"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/reflect/protoreflect"
@@ -114,6 +115,16 @@ func PolicyForPrivilege(roleName string, objectType string, objectName string, p
return fmt.Sprintf(`{"PType":"p","V0":"%s","V1":"%s","V2":"%s"}`, roleName, PolicyForResource(dbName, objectType, objectName), privilege)
}
+func PolicyForPrivileges(grants []*milvuspb.GrantEntity) string {
+ return strings.Join(lo.Map(grants, func(r *milvuspb.GrantEntity, _ int) string {
+ return PolicyForPrivilege(r.Role.Name, r.Object.Name, r.ObjectName, r.Grantor.Privilege.Name, r.DbName)
+ }), "|")
+}
+
+func PrivilegesForPolicy(policy string) []string {
+ return strings.Split(policy, "|")
+}
+
func PolicyForResource(dbName string, objectType string, objectName string) string {
return fmt.Sprintf("%s-%s", objectType, CombineObjectName(dbName, objectName))
}
diff --git a/tests/integration/rbac/privilege_group_test.go b/tests/integration/rbac/privilege_group_test.go
index da89b603a472e..bea3af0514737 100644
--- a/tests/integration/rbac/privilege_group_test.go
+++ b/tests/integration/rbac/privilege_group_test.go
@@ -17,6 +17,7 @@ package rbac
import (
"context"
+ "fmt"
"testing"
"github.com/stretchr/testify/suite"
@@ -41,94 +42,229 @@ func (s *PrivilegeGroupTestSuite) SetupSuite() {
paramtable.Get().Save(paramtable.Get().CommonCfg.AuthorizationEnabled.Key, "true")
}
-func (s *PrivilegeGroupTestSuite) TestPrivilegeGroup() {
+func (s *PrivilegeGroupTestSuite) TestBuiltinPrivilegeGroup() {
ctx := GetContext(context.Background(), "root:123456")
- // test empty rbac content
+
+ // Test empty RBAC content
resp, err := s.Cluster.Proxy.BackupRBAC(ctx, &milvuspb.BackupRBACMetaRequest{})
s.NoError(err)
s.True(merr.Ok(resp.GetStatus()))
s.Equal("", resp.GetRBACMeta().String())
- // generate some rbac content
+ // Generate some RBAC content
roleName := "test_role"
- resp1, err := s.Cluster.Proxy.CreateRole(ctx, &milvuspb.CreateRoleRequest{
- Entity: &milvuspb.RoleEntity{
- Name: roleName,
- },
+ createRoleResp, err := s.Cluster.Proxy.CreateRole(ctx, &milvuspb.CreateRoleRequest{
+ Entity: &milvuspb.RoleEntity{Name: roleName},
})
s.NoError(err)
- s.True(merr.Ok(resp1))
- resp2, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
- Type: milvuspb.OperatePrivilegeType_Grant,
- Entity: &milvuspb.GrantEntity{
- Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Collection.String()},
- ObjectName: util.AnyWord,
- DbName: util.AnyWord,
- Grantor: &milvuspb.GrantorEntity{
- User: &milvuspb.UserEntity{Name: util.UserRoot},
- Privilege: &milvuspb.PrivilegeEntity{Name: "ReadOnly"},
- },
- },
+ s.True(merr.Ok(createRoleResp))
+
+ s.operatePrivilege(ctx, roleName, "ReadOnly", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Grant)
+ s.operatePrivilege(ctx, roleName, "ReadWrite", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Grant)
+ s.operatePrivilege(ctx, roleName, "Admin", commonpb.ObjectType_Global.String(), milvuspb.OperatePrivilegeType_Grant)
+
+ s.validateGrants(ctx, roleName, commonpb.ObjectType_Global.String(), 1)
+ s.validateGrants(ctx, roleName, commonpb.ObjectType_Collection.String(), 2)
+}
+
+/*
+create group1: query, search
+grant insert to role -> role: insert
+grant group1 to role -> role: insert, group1(query, search)
+create group2: query, delete
+grant group2 to role -> role: insert, group1(query, search), group2(query, delete)
+add query, load to group1 -> group1: query, search, load -> role: insert, group1(query, search, load), group2(query, delete)
+remove query from group1 -> group1: search, load -> role: insert, group1(search, load), group2(query, delete), role still have query privilege because of group2 granted.
+*/
+func (s *PrivilegeGroupTestSuite) TestCustomPrivilegeGroup() {
+ ctx := GetContext(context.Background(), "root:123456")
+
+ // Helper function to operate on privilege groups
+ operatePrivilegeGroup := func(groupName string, operateType milvuspb.OperatePrivilegeGroupType, privileges []*milvuspb.PrivilegeEntity) {
+ resp, err := s.Cluster.Proxy.OperatePrivilegeGroup(ctx, &milvuspb.OperatePrivilegeGroupRequest{
+ GroupName: groupName,
+ Type: operateType,
+ Privileges: privileges,
+ })
+ s.NoError(err)
+ s.True(merr.Ok(resp))
+ }
+
+ // Helper function to list privilege groups and return the target group and its privileges
+ validatePrivilegeGroup := func(groupName string, privileges int) []*milvuspb.PrivilegeEntity {
+ resp, err := s.Cluster.Proxy.ListPrivilegeGroups(ctx, &milvuspb.ListPrivilegeGroupsRequest{})
+ s.NoError(err)
+ for _, privGroup := range resp.PrivilegeGroups {
+ if privGroup.GroupName == groupName {
+ s.Equal(privileges, len(privGroup.Privileges))
+ return privGroup.Privileges
+ }
+ }
+ return nil
+ }
+
+ // create group1: query, search
+ createResp, err := s.Cluster.Proxy.CreatePrivilegeGroup(ctx, &milvuspb.CreatePrivilegeGroupRequest{
+ GroupName: "group1",
})
s.NoError(err)
- s.True(merr.Ok(resp2))
+ s.True(merr.Ok(createResp))
+ validatePrivilegeGroup("group1", 0)
+ operatePrivilegeGroup("group1", milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup, []*milvuspb.PrivilegeEntity{
+ {Name: "Query"},
+ {Name: "Search"},
+ })
+ validatePrivilegeGroup("group1", 2)
- resp3, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
- Type: milvuspb.OperatePrivilegeType_Grant,
- Entity: &milvuspb.GrantEntity{
- Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Collection.String()},
- ObjectName: util.AnyWord,
- DbName: util.AnyWord,
- Grantor: &milvuspb.GrantorEntity{
- User: &milvuspb.UserEntity{Name: util.UserRoot},
- Privilege: &milvuspb.PrivilegeEntity{Name: "ReadWrite"},
- },
- },
+ // grant insert to role -> role: insert
+ role := "role1"
+ createRoleResp, err := s.Cluster.Proxy.CreateRole(ctx, &milvuspb.CreateRoleRequest{
+ Entity: &milvuspb.RoleEntity{Name: role},
})
s.NoError(err)
- s.True(merr.Ok(resp3))
+ s.True(merr.Ok(createRoleResp))
+ s.operatePrivilege(ctx, role, "Insert", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Grant)
+ s.validateGrants(ctx, role, commonpb.ObjectType_Collection.String(), 1)
- resp4, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
- Type: milvuspb.OperatePrivilegeType_Grant,
- Entity: &milvuspb.GrantEntity{
- Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Global.String()},
- ObjectName: util.AnyWord,
- DbName: util.AnyWord,
- Grantor: &milvuspb.GrantorEntity{
- User: &milvuspb.UserEntity{Name: util.UserRoot},
- Privilege: &milvuspb.PrivilegeEntity{Name: "Admin"},
- },
- },
+ // grant group1 to role -> role: insert, group1(query, search)
+ s.operatePrivilege(ctx, role, "group1", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Grant)
+ s.validateGrants(ctx, role, commonpb.ObjectType_Collection.String(), 2)
+
+ // create group2: query, delete
+ createResp2, err := s.Cluster.Proxy.CreatePrivilegeGroup(ctx, &milvuspb.CreatePrivilegeGroupRequest{
+ GroupName: "group2",
})
s.NoError(err)
- s.True(merr.Ok(resp4))
+ s.True(merr.Ok(createResp2))
+ validatePrivilegeGroup("group2", 0)
+ operatePrivilegeGroup("group2", milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup, []*milvuspb.PrivilegeEntity{
+ {Name: "Query"},
+ {Name: "Delete"},
+ })
+ validatePrivilegeGroup("group2", 2)
+
+ // grant group2 to role -> role: insert, group1(query, search), group2(query, delete)
+ s.operatePrivilege(ctx, role, "group2", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Grant)
+ s.validateGrants(ctx, role, commonpb.ObjectType_Collection.String(), 3)
- resp5, err := s.Cluster.Proxy.SelectGrant(ctx, &milvuspb.SelectGrantRequest{
+ // add query, load to group1 -> group1: query, search, load -> role: insert, group1(query, search, load), group2(query, delete)
+ operatePrivilegeGroup("group1", milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup, []*milvuspb.PrivilegeEntity{
+ {Name: "Query"},
+ {Name: "Load"},
+ })
+ validatePrivilegeGroup("group1", 3)
+ s.validateGrants(ctx, role, commonpb.ObjectType_Collection.String(), 3)
+
+ // remove query from group1 -> group1: search, load -> role: insert, group1(search, load), group2(query, delete), role still have query privilege because of group2 granted.
+ operatePrivilegeGroup("group1", milvuspb.OperatePrivilegeGroupType_RemovePrivilegesFromGroup, []*milvuspb.PrivilegeEntity{
+ {Name: "Query"},
+ })
+ validatePrivilegeGroup("group1", 2)
+ s.validateGrants(ctx, role, commonpb.ObjectType_Collection.String(), 3)
+
+ // Drop the group during any role usage will cause error
+ dropResp, _ := s.Cluster.Proxy.DropPrivilegeGroup(ctx, &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: "group1",
+ })
+ s.Error(merr.Error(dropResp))
+
+ // Revoke privilege group and privileges
+ s.operatePrivilege(ctx, role, "group1", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Revoke)
+ s.operatePrivilege(ctx, role, "group2", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Revoke)
+ s.operatePrivilege(ctx, role, "Insert", commonpb.ObjectType_Collection.String(), milvuspb.OperatePrivilegeType_Revoke)
+
+ // Drop the privilege group after revoking the privilege will succeed
+ dropResp, err = s.Cluster.Proxy.DropPrivilegeGroup(ctx, &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: "group1",
+ })
+ s.NoError(err)
+ s.True(merr.Ok(dropResp))
+
+ dropResp, err = s.Cluster.Proxy.DropPrivilegeGroup(ctx, &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: "group2",
+ })
+ s.NoError(err)
+ s.True(merr.Ok(dropResp))
+
+ // Validate the group was dropped
+ resp, err := s.Cluster.Proxy.ListPrivilegeGroups(ctx, &milvuspb.ListPrivilegeGroupsRequest{})
+ s.NoError(err)
+ s.Equal(0, len(resp.PrivilegeGroups))
+
+ // Drop the role
+ dropRoleResp, err := s.Cluster.Proxy.DropRole(ctx, &milvuspb.DropRoleRequest{
+ RoleName: role,
+ })
+ s.NoError(err)
+ s.True(merr.Ok(dropRoleResp))
+}
+
+func (s *PrivilegeGroupTestSuite) TestInvalidPrivilegeGroup() {
+ ctx := GetContext(context.Background(), "root:123456")
+
+ createResp, err := s.Cluster.Proxy.CreatePrivilegeGroup(ctx, &milvuspb.CreatePrivilegeGroupRequest{
+ GroupName: "",
+ })
+ s.NoError(err)
+ s.False(merr.Ok(createResp))
+
+ dropResp, err := s.Cluster.Proxy.DropPrivilegeGroup(ctx, &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: "group1",
+ })
+ s.NoError(err)
+ s.True(merr.Ok(dropResp))
+
+ dropResp, err = s.Cluster.Proxy.DropPrivilegeGroup(ctx, &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: "",
+ })
+ s.NoError(err)
+ s.False(merr.Ok(dropResp))
+
+ operateResp, err := s.Cluster.Proxy.OperatePrivilegeGroup(ctx, &milvuspb.OperatePrivilegeGroupRequest{
+ GroupName: "",
+ })
+ s.NoError(err)
+ s.False(merr.Ok(operateResp))
+
+ operateResp, err = s.Cluster.Proxy.OperatePrivilegeGroup(ctx, &milvuspb.OperatePrivilegeGroupRequest{
+ GroupName: "group1",
+ Privileges: []*milvuspb.PrivilegeEntity{{Name: "123"}},
+ })
+ s.NoError(err)
+ s.False(merr.Ok(operateResp))
+}
+
+func (s *PrivilegeGroupTestSuite) operatePrivilege(ctx context.Context, role, privilege, objectType string, operateType milvuspb.OperatePrivilegeType) {
+ resp, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
+ Type: operateType,
Entity: &milvuspb.GrantEntity{
- Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Global.String()},
+ Role: &milvuspb.RoleEntity{Name: role},
+ Object: &milvuspb.ObjectEntity{Name: objectType},
ObjectName: util.AnyWord,
DbName: util.AnyWord,
+ Grantor: &milvuspb.GrantorEntity{
+ User: &milvuspb.UserEntity{Name: util.UserRoot},
+ Privilege: &milvuspb.PrivilegeEntity{Name: privilege},
+ },
},
})
s.NoError(err)
- s.True(merr.Ok(resp5.GetStatus()))
- s.Len(resp5.GetEntities(), 1)
+ s.True(merr.Ok(resp))
+}
- resp6, err := s.Cluster.Proxy.SelectGrant(ctx, &milvuspb.SelectGrantRequest{
+func (s *PrivilegeGroupTestSuite) validateGrants(ctx context.Context, roleName, objectType string, expectedCount int) {
+ resp, err := s.Cluster.Proxy.SelectGrant(ctx, &milvuspb.SelectGrantRequest{
Entity: &milvuspb.GrantEntity{
Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Collection.String()},
+ Object: &milvuspb.ObjectEntity{Name: objectType},
ObjectName: util.AnyWord,
DbName: util.AnyWord,
},
})
+ fmt.Println("!!!validateGrants: ", resp)
s.NoError(err)
- s.True(merr.Ok(resp6.GetStatus()))
- s.Len(resp6.GetEntities(), 2)
+ s.True(merr.Ok(resp.GetStatus()))
+ s.Len(resp.GetEntities(), expectedCount)
}
func TestPrivilegeGroup(t *testing.T) {
diff --git a/tests/integration/rbac/rbac_backup_test.go b/tests/integration/rbac/rbac_backup_test.go
index de4e271e9163a..5bb1e2adb7260 100644
--- a/tests/integration/rbac/rbac_backup_test.go
+++ b/tests/integration/rbac/rbac_backup_test.go
@@ -20,6 +20,7 @@ import (
"strings"
"testing"
+ "github.com/samber/lo"
"github.com/stretchr/testify/suite"
"google.golang.org/grpc/metadata"
@@ -63,131 +64,161 @@ func GetContext(ctx context.Context, originValue string) context.Context {
func (s *RBACBackupTestSuite) TestBackup() {
ctx := GetContext(context.Background(), "root:123456")
+
+ createRole := func(name string) {
+ resp, err := s.Cluster.Proxy.CreateRole(ctx, &milvuspb.CreateRoleRequest{
+ Entity: &milvuspb.RoleEntity{Name: name},
+ })
+ s.NoError(err)
+ s.True(merr.Ok(resp))
+ }
+
+ operatePrivilege := func(role, privilege, objectName, dbName string, operateType milvuspb.OperatePrivilegeType) {
+ resp, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
+ Type: operateType,
+ Entity: &milvuspb.GrantEntity{
+ Role: &milvuspb.RoleEntity{Name: role},
+ Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Collection.String()},
+ ObjectName: objectName,
+ DbName: dbName,
+ Grantor: &milvuspb.GrantorEntity{User: &milvuspb.UserEntity{Name: util.UserRoot}, Privilege: &milvuspb.PrivilegeEntity{Name: privilege}},
+ },
+ })
+ s.NoError(err)
+ s.True(merr.Ok(resp))
+ }
+
// test empty rbac content
- resp, err := s.Cluster.Proxy.BackupRBAC(ctx, &milvuspb.BackupRBACMetaRequest{})
+ emptyBackupRBACResp, err := s.Cluster.Proxy.BackupRBAC(ctx, &milvuspb.BackupRBACMetaRequest{})
s.NoError(err)
- s.True(merr.Ok(resp.GetStatus()))
- s.Equal("", resp.GetRBACMeta().String())
+ s.True(merr.Ok(emptyBackupRBACResp.GetStatus()))
+ s.Equal("", emptyBackupRBACResp.GetRBACMeta().String())
// generate some rbac content
+ // create role test_role
roleName := "test_role"
- resp1, err := s.Cluster.Proxy.CreateRole(ctx, &milvuspb.CreateRoleRequest{
- Entity: &milvuspb.RoleEntity{
- Name: roleName,
- },
+ createRole(roleName)
+
+ // grant collection level search privilege to role test_role
+ operatePrivilege(roleName, "Search", util.AnyWord, util.AnyWord, milvuspb.OperatePrivilegeType_Grant)
+
+ // create privielge group test_group
+ groupName := "test_group"
+ createPrivGroupResp, err := s.Cluster.Proxy.CreatePrivilegeGroup(ctx, &milvuspb.CreatePrivilegeGroupRequest{
+ GroupName: groupName,
})
s.NoError(err)
- s.True(merr.Ok(resp1))
- resp2, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
- Type: milvuspb.OperatePrivilegeType_Grant,
- Entity: &milvuspb.GrantEntity{
- Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Collection.String()},
- ObjectName: util.AnyWord,
- DbName: util.AnyWord,
- Grantor: &milvuspb.GrantorEntity{
- User: &milvuspb.UserEntity{Name: util.UserRoot},
- Privilege: &milvuspb.PrivilegeEntity{Name: "Search"},
- },
- },
+ s.True(merr.Ok(createPrivGroupResp))
+
+ // add query and insert privilege to group test_group
+ addPrivsToGroupResp, err := s.Cluster.Proxy.OperatePrivilegeGroup(ctx, &milvuspb.OperatePrivilegeGroupRequest{
+ GroupName: groupName,
+ Privileges: []*milvuspb.PrivilegeEntity{{Name: "Query"}, {Name: "Insert"}},
+ Type: milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup,
})
s.NoError(err)
- s.True(merr.Ok(resp2))
- s.Equal("", resp2.GetReason())
+ s.True(merr.Ok(addPrivsToGroupResp))
+
+ // grant privilege group test_group to role test_role
+ operatePrivilege(roleName, groupName, util.AnyWord, util.AnyWord, milvuspb.OperatePrivilegeType_Grant)
+
userName := "test_user"
passwd := "test_passwd"
- resp3, err := s.Cluster.Proxy.CreateCredential(ctx, &milvuspb.CreateCredentialRequest{
+ createCredResp, err := s.Cluster.Proxy.CreateCredential(ctx, &milvuspb.CreateCredentialRequest{
Username: userName,
Password: crypto.Base64Encode(passwd),
})
s.NoError(err)
- s.True(merr.Ok(resp3))
- resp4, err := s.Cluster.Proxy.OperateUserRole(ctx, &milvuspb.OperateUserRoleRequest{
+ s.True(merr.Ok(createCredResp))
+ operateUserRoleResp, err := s.Cluster.Proxy.OperateUserRole(ctx, &milvuspb.OperateUserRoleRequest{
Username: userName,
RoleName: roleName,
})
s.NoError(err)
- s.True(merr.Ok(resp4))
+ s.True(merr.Ok(operateUserRoleResp))
- // test back up rbac
- resp5, err := s.Cluster.Proxy.BackupRBAC(ctx, &milvuspb.BackupRBACMetaRequest{})
+ // test back up rbac, grants should contain
+ backupRBACResp, err := s.Cluster.Proxy.BackupRBAC(ctx, &milvuspb.BackupRBACMetaRequest{})
s.NoError(err)
- s.True(merr.Ok(resp5.GetStatus()))
+ s.True(merr.Ok(backupRBACResp.GetStatus()))
+ s.Equal(2, len(backupRBACResp.GetRBACMeta().Grants))
+ grants := lo.SliceToMap(backupRBACResp.GetRBACMeta().Grants, func(g *milvuspb.GrantEntity) (string, *milvuspb.GrantEntity) {
+ return g.Grantor.Privilege.Name, g
+ })
+ s.True(grants["Search"] != nil)
+ s.True(grants[groupName] != nil)
+ s.Equal(groupName, backupRBACResp.GetRBACMeta().PrivilegeGroups[0].GroupName)
+ s.Equal(2, len(backupRBACResp.GetRBACMeta().PrivilegeGroups[0].Privileges))
// test restore, expect to failed due to role/user already exist
- resp6, err := s.Cluster.Proxy.RestoreRBAC(ctx, &milvuspb.RestoreRBACMetaRequest{
- RBACMeta: resp5.GetRBACMeta(),
+ restoreRBACResp, err := s.Cluster.Proxy.RestoreRBAC(ctx, &milvuspb.RestoreRBACMetaRequest{
+ RBACMeta: backupRBACResp.GetRBACMeta(),
})
s.NoError(err)
- s.False(merr.Ok(resp6))
-
- // drop exist role/user, successful to restore
- resp7, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
- Type: milvuspb.OperatePrivilegeType_Revoke,
- Entity: &milvuspb.GrantEntity{
- Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Collection.String()},
- ObjectName: util.AnyWord,
- DbName: util.AnyWord,
- Grantor: &milvuspb.GrantorEntity{
- User: &milvuspb.UserEntity{Name: util.UserRoot},
- Privilege: &milvuspb.PrivilegeEntity{Name: "Search"},
- },
- },
+ s.False(merr.Ok(restoreRBACResp))
+
+ // revoke privilege search from role test_role before dropping the role
+ operatePrivilege(roleName, "Search", util.AnyWord, util.AnyWord, milvuspb.OperatePrivilegeType_Revoke)
+
+ // revoke privilege group test_group from role test_role before dropping the role
+ operatePrivilege(roleName, groupName, util.AnyWord, util.AnyWord, milvuspb.OperatePrivilegeType_Revoke)
+
+ // drop privilege group test_group
+ dropPrivGroupResp, err := s.Cluster.Proxy.DropPrivilegeGroup(ctx, &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: groupName,
})
s.NoError(err)
- s.True(merr.Ok(resp7))
- resp8, err := s.Cluster.Proxy.DropRole(ctx, &milvuspb.DropRoleRequest{
+ s.True(merr.Ok(dropPrivGroupResp))
+
+ // drop role test_role
+ dropRoleResp, err := s.Cluster.Proxy.DropRole(ctx, &milvuspb.DropRoleRequest{
RoleName: roleName,
})
s.NoError(err)
- s.True(merr.Ok(resp8))
- resp9, err := s.Cluster.Proxy.DeleteCredential(ctx, &milvuspb.DeleteCredentialRequest{
+ s.True(merr.Ok(dropRoleResp))
+
+ // delete credential
+ delCredResp, err := s.Cluster.Proxy.DeleteCredential(ctx, &milvuspb.DeleteCredentialRequest{
Username: userName,
})
s.NoError(err)
- s.True(merr.Ok(resp9))
+ s.True(merr.Ok(delCredResp))
- resp10, err := s.Cluster.Proxy.RestoreRBAC(ctx, &milvuspb.RestoreRBACMetaRequest{
- RBACMeta: resp5.GetRBACMeta(),
+ // restore rbac
+ restoreRBACResp, err = s.Cluster.Proxy.RestoreRBAC(ctx, &milvuspb.RestoreRBACMetaRequest{
+ RBACMeta: backupRBACResp.GetRBACMeta(),
})
s.NoError(err)
- s.True(merr.Ok(resp10))
+ s.True(merr.Ok(restoreRBACResp))
// check the restored rbac, should be same as the original one
- resp11, err := s.Cluster.Proxy.BackupRBAC(ctx, &milvuspb.BackupRBACMetaRequest{})
+ backupRBACResp2, err := s.Cluster.Proxy.BackupRBAC(ctx, &milvuspb.BackupRBACMetaRequest{})
s.NoError(err)
- s.True(merr.Ok(resp11.GetStatus()))
- s.Equal(resp11.GetRBACMeta().String(), resp5.GetRBACMeta().String())
+ s.True(merr.Ok(backupRBACResp2.GetStatus()))
+ s.Equal(backupRBACResp2.GetRBACMeta().String(), backupRBACResp.GetRBACMeta().String())
// clean rbac meta
- resp12, err := s.Cluster.Proxy.OperatePrivilege(ctx, &milvuspb.OperatePrivilegeRequest{
- Type: milvuspb.OperatePrivilegeType_Revoke,
- Entity: &milvuspb.GrantEntity{
- Role: &milvuspb.RoleEntity{Name: roleName},
- Object: &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Collection.String()},
- ObjectName: util.AnyWord,
- DbName: util.AnyWord,
- Grantor: &milvuspb.GrantorEntity{
- User: &milvuspb.UserEntity{Name: util.UserRoot},
- Privilege: &milvuspb.PrivilegeEntity{Name: "Search"},
- },
- },
+ operatePrivilege(roleName, "Search", util.AnyWord, util.AnyWord, milvuspb.OperatePrivilegeType_Revoke)
+
+ operatePrivilege(roleName, groupName, util.AnyWord, util.AnyWord, milvuspb.OperatePrivilegeType_Revoke)
+
+ dropPrivGroupResp2, err := s.Cluster.Proxy.DropPrivilegeGroup(ctx, &milvuspb.DropPrivilegeGroupRequest{
+ GroupName: groupName,
})
s.NoError(err)
- s.True(merr.Ok(resp12))
+ s.True(merr.Ok(dropPrivGroupResp2))
- resp13, err := s.Cluster.Proxy.DropRole(ctx, &milvuspb.DropRoleRequest{
+ dropRoleResp2, err := s.Cluster.Proxy.DropRole(ctx, &milvuspb.DropRoleRequest{
RoleName: roleName,
})
s.NoError(err)
- s.True(merr.Ok(resp13))
+ s.True(merr.Ok(dropRoleResp2))
- resp14, err := s.Cluster.Proxy.DeleteCredential(ctx, &milvuspb.DeleteCredentialRequest{
+ delCredResp2, err := s.Cluster.Proxy.DeleteCredential(ctx, &milvuspb.DeleteCredentialRequest{
Username: userName,
})
s.NoError(err)
- s.True(merr.Ok(resp14))
+ s.True(merr.Ok(delCredResp2))
}
func TestRBACBackup(t *testing.T) {