From 59c9299f4af910ca0b0cc80267ec1503241d54c4 Mon Sep 17 00:00:00 2001
From: sthuang <167743503+shaoting-huang@users.noreply.github.com>
Date: Thu, 12 Dec 2024 17:20:42 +0800
Subject: [PATCH] enhance: add privilege group privilege into built-in privilege group (#38393)

related issue: https://github.com/milvus-io/milvus/issues/37031

Signed-off-by: shaoting-huang
---
configs/milvus.yaml | 6 +++---
pkg/util/constant.go | 14 ++++++++++----
2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/configs/milvus.yaml b/configs/milvus.yaml
index 44eb6001dcf19..d265b4d269513 100644
--- a/configs/milvus.yaml
+++ b/configs/milvus.yaml
@@ -802,11 +802,11 @@ common:
 enabled: false # Whether to override build-in privilege groups
 cluster:
 readonly:
- privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups # Cluster level readonly privileges
+ privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups # Cluster level readonly privileges
 readwrite:
- privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
+ privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
 admin:
- privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection # Cluster level admin privileges
+ privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection,CreatePrivilegeGroup,DropPrivilegeGroup,OperatePrivilegeGroup # Cluster level admin privileges
 database:
 readonly:
 privileges: ShowCollections,DescribeDatabase # Database level readonly privileges
diff --git a/pkg/util/constant.go b/pkg/util/constant.go
index c762009d51fd9..51d12c673d8fc 100644
--- a/pkg/util/constant.go
+++ b/pkg/util/constant.go
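Review bot: The three `privileges:` defaults on the `+` lines of this hunk duplicate by hand the Go lists that the same commit extends in pkg/util/constant.go (ClusterReadOnlyPrivilegeGroup and the admin append), and nothing in the diff ties the two copies together, so the next privilege added on one side can silently leave the other side granting a different set to the same built-in group. A test that parses these defaults and compares each group to its Go counterpart, or generating this section from the constants, would catch that drift before it changes what a role is allowed to do. The `readonly` list now includes `ListPrivilegeGroups`, which looks consistent with the Go change, but I can only check the three lines shown here.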
@@ -363,6 +363,7 @@ var (
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectUser.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListPrivilegeGroups.String()),
 }
 
 ClusterReadWritePrivilegeGroup = append(ClusterReadOnlyPrivilegeGroup,
@@ -384,6 +385,9 @@ var (
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
 MetaStore2API(commonpb.ObjectPrivilege_PrivilegeRenameCollection.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreatePrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPrivilegeGroup.String()),
+ MetaStore2API(commonpb.ObjectPrivilege_PrivilegeOperatePrivilegeGroup.String()),
 )
 )
 
@@ -407,11 +411,13 @@ func StringList(stringMap map[string]struct{}) []string {
 // MetaStore2API convert meta-store's privilege name to api's
 // example: PrivilegeAll -> All
 func MetaStore2API(name string) string {
- prefix := PrivilegeWord
- if strings.Contains(name, PrivilegeGroupWord) {
- prefix = PrivilegeGroupWord
+ if strings.HasPrefix(name, PrivilegeGroupWord) {
+ return name[len(PrivilegeGroupWord):]
 }
- return name[strings.Index(name, prefix)+len(prefix):]
+ if strings.HasPrefix(name, PrivilegeWord) {
+ return name[len(PrivilegeWord):]
+ }
+ return name
 }
 
 func PrivilegeNameForAPI(name string) string {
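Review bot: In the third hunk (-407) the order of the two `HasPrefix` checks in MetaStore2API is load-bearing but undocumented: if PrivilegeGroupWord begins with PrivilegeWord (the constants are not in the diff, but the names suggest "PrivilegeGroup" and "Privilege"), swapping the checks would strip only "Privilege" from a group name and return "Group…", and the new trailing `return name` now passes unrecognized names through unchanged where the old slice expression would have produced a wrong suffix or panicked on a short string. Suggest extending the doc comment with `// Group names must be tested first because PrivilegeGroupWord itself starts with PrivilegeWord; a name carrying neither prefix is returned unchanged.` once that assumption is confirmed. The enum names added in the second hunk (-384), e.g. `PrivilegeCreatePrivilegeGroup`, are exactly the inputs the removed `strings.Contains` branch mis-parsed (with the values assumed above it would have sliced past the last "PrivilegeGroup" and returned ""), so a table test pinning `MetaStore2API("PrivilegeCreatePrivilegeGroup") == "CreatePrivilegeGroup"` alongside a group name and a prefix-less name would lock in the fix; the `var (` block holding the first two hunks opens and closes outside the diff.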