[Bug]: [GoSDk] Failed to revoke revoke privilege that granted by the grant_v2

[ThreadDao]

Is there an existing issue for this?

• I have searched the existing issues

Environment

- Milvus version: master-20250228-762a644d-amd64
- Deployment mode(standalone or cluster): standalone
- MQ type(rocksmq, pulsar or kafka):    
- SDK version(e.g. pymilvus v2.0.0rc2): pymilvus
- OS(Ubuntu or CentOS): 
- CPU/Memory: 
- GPU: 
- Others:

Current Behavior

1. Create a role and grant some privileges by `grant_v2'

- GrantItem: <object:Global>, <object_name:*>, <db_name:default>, <role_name:role_OqQtuS>, <grantor_name:root>, <privilege:CollectionAdmin>

2. try to drop role and it reminds me revoke privilege fitst. ok, But revoke privilege by v1 revoke is not permitted ?

role.drop()
fail to drop the role that it has privileges. Use REVOKE API to revoke privileges

role.revoke("Global", "*", "CollectionAdmin", "default")
can not operate the built-in privilege group [CollectionAdmin])

By the way, used revoke_v2() to revoke privilege granted by v1 grant() successfully

Expected Behavior

No response

Steps To Reproduce

Milvus Log

pod:
zong-debug-milvus-standalone-764bc69867-lvb7w

Anything else?

No response

[dosubot]

The issue you're encountering seems to be related to the compatibility between the grant_v2 and revoke methods in the Milvus Go SDK. Specifically, it appears that privileges granted using grant_v2 cannot be revoked using the revoke method, which is likely due to differences in how these methods handle privilege groups or specific privilege attributes.

Here are some key points to consider:

1. Error Message: The error message you received indicates that the revoke method cannot operate on the built-in privilege group CollectionAdmin. This suggests that there might be a limitation or a specific requirement when using revoke to handle privileges granted by grant_v2.

2. RevokeV2 Method: Since you mentioned that using revoke_v2() successfully revokes privileges granted by grant(), it might be necessary to use revoke_v2() consistently for privileges granted with grant_v2. This could be due to differences in how these methods manage privilege hierarchies or metadata.

3. Compatibility: It seems there might be a compatibility issue between the grant_v2 and revoke methods. If revoke_v2() works for both grant() and grant_v2, it might be advisable to use revoke_v2() for revoking privileges in your current setup.

To resolve this, you should use the revoke_v2() method to revoke privileges that were granted using grant_v2. This approach should align with the behavior you've observed and avoid the error related to built-in privilege groups.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[xiaofan-luan]

Is there an existing issue for this?

• I have searched the existing issues

Environment

• Milvus version: master-20250228-762a644d-amd64
• Deployment mode(standalone or cluster): standalone
• MQ type(rocksmq, pulsar or kafka):
• SDK version(e.g. pymilvus v2.0.0rc2): pymilvus
• OS(Ubuntu or CentOS):
• CPU/Memory:
• GPU:
• Others:

Current Behavior

1. Create a role and grant some privileges by `grant_v2'

- GrantItem: <object:Global>, <object_name:*>, <db_name:default>, <role_name:role_OqQtuS>, <grantor_name:root>, <privilege:CollectionAdmin>

2. try to drop role and it reminds me revoke privilege fitst. ok, But revoke privilege by v1 revoke is not permitted ?

role.drop()
fail to drop the role that it has privileges. Use REVOKE API to revoke privileges

role.revoke("Global", "*", "CollectionAdmin", "default")
can not operate the built-in privilege group [CollectionAdmin])

By the way, used revoke_v2() to revoke privilege granted by v1 grant() successfully

Expected Behavior

No response

Steps To Reproduce

Milvus Log

pod: zong-debug-milvus-standalone-764bc69867-lvb7w

Anything else?

No response

I don't think you can grant with V2 and revoke with V1?

V2 has backward compatibility but you can't revoke with v1

[shaoting-huang]

There is no privilege group idea in v1. Therefore, you can only use V2 to revoke privileges granted with V1. But can not use V1 to revoke privileges granted with V2.

[ThreadDao]

@shaoting-huang @xiaofan-luan I see. But the error message is not very instructive. Maybe you can suggest using the revoke_v2 api?