From 6890d788d8cd6becaa99ead2dec01212deb7809a Mon Sep 17 00:00:00 2001
From: shaoting-huang
Date: Thu, 12 Dec 2024 11:33:29 +0800
Subject: [PATCH] add privilege group privilege into built-in privilege group
Signed-off-by: shaoting-huang
---
 configs/milvus.yaml | 6 +++---
 pkg/util/constant.go | 14 ++++++++++----
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/configs/milvus.yaml b/configs/milvus.yaml
index 70e2285c1d385..69f4c4a4d9099 100644
--- a/configs/milvus.yaml
+++ b/configs/milvus.yaml
@@ -831,11 +831,11 @@ common:
 enabled: false # Whether to override build-in privilege groups
 cluster:
 readonly:
- privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups # Cluster level readonly privileges
+ privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups # Cluster level readonly privileges
 readwrite:
- privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
+ privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
 admin:
- privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection # Cluster level admin privileges
+ privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection,CreatePrivilegeGroup,DropPrivilegeGroup,OperatePrivilegeGroup # Cluster level admin privileges
 database:
 readonly:
 privileges: ShowCollections,DescribeDatabase # Database level readonly privileges
diff --git a/pkg/util/constant.go b/pkg/util/constant.go
index c762009d51fd9..51d12c673d8fc 100644
--- a/pkg/util/constant.go
+++ b/pkg/util/constant.go
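Review bot: The `admin` list now also grants CreatePrivilegeGroup, DropPrivilegeGroup and OperatePrivilegeGroup, which by their names let a cluster admin change what a privilege group grants to every role bound to it, yet the trailing comment still reads only `# Cluster level admin privileges` and the commit message does not mention it. Suggest extending that comment to `# Cluster level admin privileges (includes managing privilege groups, which changes the grants of roles bound to them)` so operators reviewing the defaults see the escalation path. Note also that, per the `enabled: false # Whether to override build-in privilege groups` line, deployments that already override these lists presumably keep their own values and will not pick up the new entries; whether that is intended is worth stating in the description.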
@@ -363,6 +363,7 @@ var (
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectUser.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListPrivilegeGroups.String()),
 }
 
 ClusterReadWritePrivilegeGroup = append(ClusterReadOnlyPrivilegeGroup,
@@ -384,6 +385,9 @@ var (
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeRenameCollection.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreatePrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeOperatePrivilegeGroup.String()),
 )
 )
 
@@ -407,11 +411,13 @@ func StringList(stringMap map[string]struct{}) []string {
 // MetaStore2API convert meta-store's privilege name to api's
 // example: PrivilegeAll -> All
 func MetaStore2API(name string) string {
- prefix := PrivilegeWord
- if strings.Contains(name, PrivilegeGroupWord) {
- prefix = PrivilegeGroupWord
+ if strings.HasPrefix(name, PrivilegeGroupWord) {
+ return name[len(PrivilegeGroupWord):]
 }
- return name[strings.Index(name, prefix)+len(prefix):]
+ if strings.HasPrefix(name, PrivilegeWord) {
+ return name[len(PrivilegeWord):]
+ }
+ return name
 }
 
 func PrivilegeNameForAPI(name string) string {
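Review bot: The default contents of the built-in cluster groups are now maintained in two places — these slice literals and the `privileges:` lists in configs/milvus.yaml — and nothing in the commit checks that they agree, so the next addition can silently drift (the same applies to the second hunk, which adds the three privilege-group entries to the admin list). A small test that compares each `Cluster*PrivilegeGroup` variable with the corresponding yaml default would catch that, and a comment such as `// keep in sync with common.security.defaultRBAC in configs/milvus.yaml` (adjust the key path to the actual one) on the first literal would point the next editor there. The `var (` block enclosing these literals starts and ends outside both hunks.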
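Review bot: The doc comment on MetaStore2API no longer describes the function: the new body returns `name` unchanged when neither prefix matches, and it relies on testing PrivilegeGroupWord before PrivilegeWord, which only matters if the latter is a prefix of the former (the names suggest so; the constants are outside the hunk). Suggest replacing the two comment lines with `// MetaStore2API converts a meta-store privilege name to its API form by stripping a leading PrivilegeGroupWord or PrivilegeWord, e.g. PrivilegeAll -> All; a name with neither prefix is returned unchanged. PrivilegeGroupWord is tested first because it is assumed to start with PrivilegeWord.` The case this rewrite fixes — a name such as PrivilegeListPrivilegeGroups, where the old Contains/Index logic would strip through the embedded group word — deserves a regression test alongside a bare-name input, since the fallthrough now makes the function idempotent on already-converted names. As a point of style, `strings.TrimPrefix` expresses the strip without the manual slice, e.g. `return strings.TrimPrefix(name, PrivilegeGroupWord)`.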