From a08aeaf52cda594105a756c6a7184895a982992a Mon Sep 17 00:00:00 2001
From: shaoting-huang
Date: Tue, 21 Jan 2025 11:10:12 +0800
Subject: [PATCH] metastore privielge name check with privilege name all
Signed-off-by: shaoting-huang
---
 internal/rootcoord/rbac_task.go | 14 ++++++--------
 internal/rootcoord/root_coord.go | 19 ++++++++++---------
 2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/internal/rootcoord/rbac_task.go b/internal/rootcoord/rbac_task.go
index 9bb0c38fdb90c..6b8ea05a4ed87 100644
--- a/internal/rootcoord/rbac_task.go
+++ b/internal/rootcoord/rbac_task.go
@@ -148,16 +148,14 @@ func executeOperatePrivilegeTaskSteps(ctx context.Context, core *Core, in *milvu
 privName := in.Entity.Grantor.Privilege.Name
 redoTask := newBaseRedoTask(core.stepExecutor)
 redoTask.AddSyncStep(NewSimpleStep("operate privilege meta data", func(ctx context.Context) ([]nestedStep, error) {
- if !util.IsAnyWord(privName) {
- // set up privilege name for metastore
- dbPrivName, err := core.getMetastorePrivilegeName(ctx, privName)
- if err != nil {
- return nil, err
- }
- in.Entity.Grantor.Privilege.Name = dbPrivName
+ // set up privilege name for metastore
+ dbPrivName, err := core.getMetastorePrivilegeName(ctx, privName)
+ if err != nil {
+ return nil, err
 }
+ in.Entity.Grantor.Privilege.Name = dbPrivName
- err := core.meta.OperatePrivilege(ctx, util.DefaultTenant, in.Entity, in.Type)
+ err = core.meta.OperatePrivilege(ctx, util.DefaultTenant, in.Entity, in.Type)
 if err != nil && !common.IsIgnorableError(err) {
 log.Ctx(ctx).Warn("fail to operate the privilege", zap.Any("in", in), zap.Error(err))
 return nil, err
diff --git a/internal/rootcoord/root_coord.go b/internal/rootcoord/root_coord.go
index ec8fd93ac8628..b0c6627788112 100644
--- a/internal/rootcoord/root_coord.go
+++ b/internal/rootcoord/root_coord.go
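Review bot: The step now rewrites `in.Entity.Grantor.Privilege.Name` in place for every request, wildcard included, before the meta write, so the `zap.Any("in", in)` in the failure log below shows the metastore-form name rather than the one the client sent, and anything that reads the request after this step sees the rewritten value. Because `privName` is captured from the request before the closure, a re-run of the step derives the name from the original rather than from the already-rewritten field, which is what keeps the rewrite stable; that is worth stating next to the capture, e.g. `// privName keeps the client-supplied name; the entity is rewritten to the metastore form in place, so a re-run of this step starts from the original name.` A failure from getMetastorePrivilegeName is returned without the Warn that an OperatePrivilege failure gets, which looks deliberate but is worth confirming since it is the path an unknown name now takes. executeOperatePrivilegeTaskSteps starts and ends outside the hunk.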
@@ -660,15 +660,12 @@ func (c *Core) initBuiltinRoles() error {
 return errors.Wrapf(err, "failed to create a builtin role: %s", role)
 }
 for _, privilege := range privilegesJSON[util.RoleConfigPrivileges] {
- privilegeName := privilege[util.RoleConfigPrivilege]
- if !util.IsAnyWord(privilege[util.RoleConfigPrivilege]) {
- dbPrivName, err := c.getMetastorePrivilegeName(c.ctx, privilege[util.RoleConfigPrivilege])
- if err != nil {
- return errors.Wrapf(err, "failed to get metastore privilege name for: %s", privilege[util.RoleConfigPrivilege])
- }
- privilegeName = dbPrivName
+ privilegeName, err := c.getMetastorePrivilegeName(c.ctx, privilege[util.RoleConfigPrivilege])
+ if err != nil {
+ return errors.Wrapf(err, "failed to get metastore privilege name for: %s", privilege[util.RoleConfigPrivilege])
 }
- err := c.meta.OperatePrivilege(c.ctx, util.DefaultTenant, &milvuspb.GrantEntity{
+
+ err = c.meta.OperatePrivilege(c.ctx, util.DefaultTenant, &milvuspb.GrantEntity{
 Role: &milvuspb.RoleEntity{Name: role},
 Object: &milvuspb.ObjectEntity{Name: privilege[util.RoleConfigObjectType]},
 ObjectName: privilege[util.RoleConfigObjectName],
@@ -2702,6 +2699,10 @@ func (c *Core) validatePrivilegeGroupParams(ctx context.Context, entity string,
 }
 func (c *Core) getMetastorePrivilegeName(ctx context.Context, privName string) (string, error) {
+ // if it is '*', return directly
+ if util.IsAnyWord(privName) {
+ return privName, nil
+ }
 // if it is built-in privilege, return the privilege name directly
 if util.IsPrivilegeNameDefined(privName) {
 return util.PrivilegeNameForMetastore(privName), nil
@@ -2714,7 +2715,7 @@ func (c *Core) getMetastorePrivilegeName(ctx context.Context, privName string) (
 if customGroup {
 return util.PrivilegeGroupNameForMetastore(privName), nil
 }
- return "", errors.New("not found the privilege name")
+ return "", errors.Newf("not found the privilege name [%s] from metastore", privName)
 }
 // SelectGrant select grant
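Review bot: The privilege name is now reported twice in the chained error on the `errors.Wrapf` line of this hunk: the wrapper says `failed to get metastore privilege name for: %s` and the new `errors.Newf` in getMetastorePrivilegeName (third hunk of this file) already carries `[%s]`. Either drop the name from the wrapper and add the role, which neither message currently names, `return errors.Wrapf(err, "failed to get metastore privilege name for builtin role %s", role)`, or keep the wrapper as is and leave the inner error bare. Note that `privilegeName, err :=` declares a loop-scoped `err`, so the later `err = c.meta.OperatePrivilege(...)` assigns that one and not whichever `err` the `return errors.Wrapf(err, "failed to create a builtin role: %s", role)` above refers to; that is correct here but easy to misread, and a one-line comment would help. initBuiltinRoles starts and ends outside the hunk.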
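Review bot: getMetastorePrivilegeName now distinguishes three accepted input classes plus an error path, and both callers in this commit dropped their own `util.IsAnyWord` guard on the strength of the new early return, yet the function has no doc comment recording that contract; without one the guard is likely to be reintroduced, or the wildcard branch removed without the callers being re-guarded. Suggested text: `// getMetastorePrivilegeName maps a privilege name to the form stored in the metastore: the wildcard is passed through unchanged, a defined built-in privilege goes through util.PrivilegeNameForMetastore, a custom privilege group through util.PrivilegeGroupNameForMetastore, and any other name is an error.` Since the wildcard now bypasses the defined-name and group checks unconditionally, any caller that must not accept `*` has to reject it before calling. The middle of the function body lies between this hunk and the next.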
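Review bot: `privName` in the new `errors.Newf` message reaches this function straight from the request (`in.Entity.Grantor.Privilege.Name` in rbac_task.go), so it should be formatted with `%q` rather than `%s` in brackets: `return "", errors.Newf("not found the privilege name %q from metastore", privName)`. That keeps an empty name, surrounding whitespace or control characters visible in the log line instead of printing `[]` or something that reads as two fields. The closing brace of getMetastorePrivilegeName is inside the hunk; the rest of its body is above it.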