rbac revoke check with meta
Signed-off-by: shaoting-huang <[email protected]>
shaoting-huang committed Dec 18, 2024
1 parent b469999 commit 2a9f982
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions internal/rootcoord/root_coord.go
Expand Up @@ -31,6 +31,7 @@ import (
clientv3 "go.etcd.io/etcd/client/v3"
"go.uber.org/atomic"
"go.uber.org/zap"
"google.golang.org/protobuf/proto"

"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
Expand Down Expand Up @@ -2741,6 +2742,33 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
if err != nil {
return nil, err
}
// if there is same grant in the other privilege groups, the grant should not be removed from the cache
if in.Type == milvuspb.OperatePrivilegeType_Revoke {
metaGrants, err := c.meta.SelectGrant(ctx, util.DefaultTenant, &milvuspb.GrantEntity{
Role: in.Entity.Role,
DbName: in.Entity.DbName,
})
if err != nil {
return nil, err
}
metaExpandGrants, err := c.expandPrivilegeGroups(ctx, metaGrants, groups)
if err != nil {
return nil, err
}
expandGrants = lo.Filter(expandGrants, func(g1 *milvuspb.GrantEntity, _ int) bool {
return !lo.ContainsBy(metaExpandGrants, func(g2 *milvuspb.GrantEntity) bool {
m1, err := proto.Marshal(g1)
if err != nil {
return false
}
m2, err := proto.Marshal(g2)
if err != nil {
return false
}
return string(m1) == string(m2)
})
})
}
if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
OpType: opType,
OpKey: funcutil.PolicyForPrivileges(expandGrants),
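Review bot: The equality test inside the `lo.ContainsBy` callback compares `proto.Marshal` output as strings, which is not a reliable equality check: protobuf serialization is not guaranteed to be canonical, and a marshal error is silently turned into "no match". In both cases the grant stays in `expandGrants`, so the proxy policy cache would drop a privilege the role still holds through another group, with nothing logged. `return proto.Equal(g1, g2)` makes the same comparison without the byte encoding, the swallowed error, or re-marshalling `g1` for every `g2`. Because the match covers the whole `GrantEntity`, it is worth confirming that `expandPrivilegeGroups` fills fields such as the grantor identically on both sides; if it does not, compare only the fields `funcutil.PolicyForPrivileges` builds its key from. OperatePrivilege starts and ends outside this hunk, so whether `SelectGrant` runs after the revoke has been persisted to meta cannot be confirmed from here; a test that revokes a privilege still held through a second group, and one where it is not, would pin both directions.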