RBAC grant v2

Signed-off-by: shaoting-huang <[email protected]>

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 	github.com/klauspost/compress v1.17.9
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
-	github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20241114133823-d3506c6f465c
+	github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20241117094023-0b114b4abcbc
 	github.com/minio/minio-go/v7 v7.0.73
 	github.com/pingcap/log v1.1.1-0.20221015072633-39906604fb81
 	github.com/prometheus/client_golang v1.14.0

go.sum

@@ -628,8 +628,8 @@ github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119 h1:9VXijWu
 github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119/go.mod h1:DvXTE/K/RtHehxU8/GtDs4vFtfw64jJ3PaCnFri8CRg=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b h1:TfeY0NxYxZzUfIfYe5qYDBzt4ZYRqzUjTR6CvUzjat8=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b/go.mod h1:iwW+9cWfIzzDseEBCCeDSN5SD16Tidvy8cwQ7ZY8Qj4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20241114133823-d3506c6f465c h1:Ay5w6sTE1QxCydCqqW5N44EcJrMqaqbL5zcp2vclkOw=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20241114133823-d3506c6f465c/go.mod h1:/6UT4zZl6awVeXLeE7UGDWZvXj3IWkRsh3mqsn0DiAs=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20241117094023-0b114b4abcbc h1:0D01wW+mjwYghHFVloFiiHOntkq/+JihBn3OyzM6qGM=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.3.4-0.20241117094023-0b114b4abcbc/go.mod h1:/6UT4zZl6awVeXLeE7UGDWZvXj3IWkRsh3mqsn0DiAs=
 github.com/milvus-io/pulsar-client-go v0.12.1 h1:O2JZp1tsYiO7C0MQ4hrUY/aJXnn2Gry6hpm7UodghmE=
 github.com/milvus-io/pulsar-client-go v0.12.1/go.mod h1:dkutuH4oS2pXiGm+Ti7fQZ4MRjrMPZ8IJeEGAWMeckk=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=

internal/distributed/proxy/httpserver/constant.go

@@ -43,6 +43,8 @@ const (
 	RevokeRoleAction                = "revoke_role"
 	GrantPrivilegeAction            = "grant_privilege"
 	RevokePrivilegeAction           = "revoke_privilege"
+	GrantActionV2                   = "grant_v2"
+	RevokeActionV2                  = "revoke_v2"
 	AlterAction                     = "alter"
 	GetProgressAction               = "get_progress" // deprecated, keep it for compatibility, use `/v2/vectordb/jobs/import/describe` instead
 	AddPrivilegesToGroupAction      = "add_privileges_to_group"

internal/distributed/proxy/httpserver/handler_v2.go

@@ -131,6 +131,8 @@ func (h *HandlersV2) RegisterRoutesToV2(router gin.IRouter) {
 	router.POST(RoleCategory+DropAction, timeoutMiddleware(wrapperPost(func() any { return &RoleReq{} }, wrapperTraceLog(h.dropRole))))
 	router.POST(RoleCategory+GrantPrivilegeAction, timeoutMiddleware(wrapperPost(func() any { return &GrantReq{} }, wrapperTraceLog(h.addPrivilegeToRole))))
 	router.POST(RoleCategory+RevokePrivilegeAction, timeoutMiddleware(wrapperPost(func() any { return &GrantReq{} }, wrapperTraceLog(h.removePrivilegeFromRole))))
+	router.POST(RoleCategory+GrantActionV2, timeoutMiddleware(wrapperPost(func() any { return &GrantV2Req{} }, wrapperTraceLog(h.grantV2))))
+	router.POST(RoleCategory+RevokeActionV2, timeoutMiddleware(wrapperPost(func() any { return &GrantV2Req{} }, wrapperTraceLog(h.revokeV2))))
 
 	// privilege group
 	router.POST(PrivilegeGroupCategory+CreateAction, timeoutMiddleware(wrapperPost(func() any { return &PrivilegeGroupReq{} }, wrapperTraceLog(h.createPrivilegeGroup))))
@@ -1791,6 +1793,37 @@ func (h *HandlersV2) operatePrivilegeToRole(ctx context.Context, c *gin.Context,
 	return resp, err
 }
 
+func (h *HandlersV2) operatePrivilegeToRoleV2(ctx context.Context, c *gin.Context, httpReq *GrantV2Req, operateType milvuspb.OperatePrivilegeType) (interface{}, error) {
+	req := &milvuspb.OperatePrivilegeRequest{
+		Entity: &milvuspb.GrantEntity{
+			Role:       &milvuspb.RoleEntity{Name: httpReq.RoleName},
+			Object:     &milvuspb.ObjectEntity{Name: commonpb.ObjectType_Global.String()},
+			ObjectName: httpReq.CollectionName,
+			DbName:     httpReq.DbName,
+			Grantor: &milvuspb.GrantorEntity{
+				Privilege: &milvuspb.PrivilegeEntity{Name: httpReq.Privilege},
+			},
+		},
+		Type:    operateType,
+		Version: "v2",
+	}
+	resp, err := wrapperProxy(ctx, c, req, h.checkAuth, false, "/milvus.proto.milvus.MilvusService/OperatePrivilege", func(reqCtx context.Context, req any) (interface{}, error) {
+		return h.proxy.OperatePrivilege(reqCtx, req.(*milvuspb.OperatePrivilegeRequest))
+	})
+	if err == nil {
+		HTTPReturn(c, http.StatusOK, wrapperReturnDefault())
+	}
+	return resp, err
+}
+
+func (h *HandlersV2) grantV2(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
+	return h.operatePrivilegeToRoleV2(ctx, c, anyReq.(*GrantV2Req), milvuspb.OperatePrivilegeType_Grant)
+}
+
+func (h *HandlersV2) revokeV2(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
+	return h.operatePrivilegeToRoleV2(ctx, c, anyReq.(*GrantV2Req), milvuspb.OperatePrivilegeType_Revoke)
+}
+
 func (h *HandlersV2) addPrivilegeToRole(ctx context.Context, c *gin.Context, anyReq any, dbName string) (interface{}, error) {
 	return h.operatePrivilegeToRole(ctx, c, anyReq.(*GrantReq), milvuspb.OperatePrivilegeType_Grant, dbName)
 }

internal/distributed/proxy/httpserver/request_v2.go

@@ -278,6 +278,13 @@ type PrivilegeGroupReq struct {
 	Privileges         []string `json:"privileges"`
 }
 
+type GrantV2Req struct {
+	RoleName       string `json:"roleName" binding:"required"`
+	DbName         string `json:"dbName"`
+	CollectionName string `json:"collectionName"`
+	Privilege      string `json:"privilege" binding:"required"`
+}
+
 type GrantReq struct {
 	RoleName   string `json:"roleName" binding:"required"`
 	ObjectType string `json:"objectType" binding:"required"`

internal/proxy/privilege_interceptor.go

@@ -162,8 +162,8 @@ func PrivilegeInterceptor(ctx context.Context, req interface{}) (context.Context
 
 	e := getEnforcer()
 	for _, roleName := range roleNames {
-		permitFunc := func(resName string) (bool, error) {
-			object := funcutil.PolicyForResource(dbName, objectType, resName)
+		permitFunc := func(objectName string) (bool, error) {
+			object := funcutil.PolicyForResource(dbName, objectType, objectName)
 			isPermit, cached, version := GetPrivilegeCache(roleName, object, objectPrivilege)
 			if cached {
 				return isPermit, nil

internal/proxy/privilege_interceptor_test.go

@@ -563,3 +563,45 @@ func TestPrivilegeGroup(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestBuiltinPrivilegeGroup(t *testing.T) {
+	t.Run("ClusterAdmin", func(t *testing.T) {
+		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")
+		initPrivilegeGroups()
+
+		var err error
+		ctx := GetContext(context.Background(), "fooo:123456")
+		client := &MockRootCoordClientInterface{}
+		queryCoord := &mocks.MockQueryCoordClient{}
+		mgr := newShardClientMgr()
+
+		policies := []string{}
+		for _, priv := range util.BuiltinPrivilegeGroups["ClusterReadOnly"] {
+			objectType := util.GetObjectType(priv)
+			policies = append(policies, funcutil.PolicyForPrivilege("role1", objectType, "*", util.PrivilegeNameForMetastore(priv), "default"))
+		}
+		client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
+			return &internalpb.ListPolicyResponse{
+				Status:      merr.Success(),
+				PolicyInfos: policies,
+				UserRoles: []string{
+					funcutil.EncodeUserRoleCache("fooo", "role1"),
+				},
+			}, nil
+		}
+		InitMetaCache(ctx, client, queryCoord, mgr)
+		defer CleanPrivilegeCache()
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.SelectUserRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DescribeResourceGroupRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.ListResourceGroupsRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{})
+		assert.Error(t, err)
+	})
+}

internal/rootcoord/meta_table.go

@@ -100,7 +100,7 @@ type IMetaTable interface {
 	BackupRBAC(ctx context.Context, tenant string) (*milvuspb.RBACMeta, error)
 	RestoreRBAC(ctx context.Context, tenant string, meta *milvuspb.RBACMeta) error
 	IsCustomPrivilegeGroup(groupName string) (bool, error)
-	CreatePrivilegeGroup(groupName string) error
+	CreatePrivilegeGroup(groupName string, options ...bool) error
 	DropPrivilegeGroup(groupName string) error
 	ListPrivilegeGroups() ([]*milvuspb.PrivilegeGroupInfo, error)
 	OperatePrivilegeGroup(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error
@@ -1477,22 +1477,28 @@ func (mt *MetaTable) IsCustomPrivilegeGroup(groupName string) (bool, error) {
 	return false, nil
 }
 
-func (mt *MetaTable) CreatePrivilegeGroup(groupName string) error {
+func (mt *MetaTable) CreatePrivilegeGroup(groupName string, options ...bool) error {
 	if funcutil.IsEmptyString(groupName) {
 		return fmt.Errorf("the privilege group name is empty")
 	}
+	skipValidation := false
+	if len(options) > 0 {
+		skipValidation = options[0]
+	}
 	mt.permissionLock.Lock()
 	defer mt.permissionLock.Unlock()
 
-	definedByUsers, err := mt.IsCustomPrivilegeGroup(groupName)
-	if err != nil {
-		return err
-	}
-	if definedByUsers {
-		return merr.WrapErrParameterInvalidMsg("privilege group name [%s] is defined by users", groupName)
-	}
-	if util.IsPrivilegeNameDefined(groupName) {
-		return merr.WrapErrParameterInvalidMsg("privilege group name [%s] is defined by built in privileges or privilege groups in system", groupName)
+	if !skipValidation {
+		definedByUsers, err := mt.IsCustomPrivilegeGroup(groupName)
+		if err != nil {
+			return err
+		}
+		if definedByUsers {
+			return merr.WrapErrParameterInvalidMsg("privilege group name [%s] is defined by users", groupName)
+		}
+		if util.IsPrivilegeNameDefined(groupName) {
+			return merr.WrapErrParameterInvalidMsg("privilege group name [%s] is defined by built in privileges or privilege groups in system", groupName)
+		}
 	}
 	data := &milvuspb.PrivilegeGroupInfo{
 		GroupName:  groupName,

internal/rootcoord/mock_test.go

@@ -97,7 +97,7 @@ type mockMetaTable struct {
 	ListPolicyFunc                   func(tenant string) ([]string, error)
 	ListUserRoleFunc                 func(tenant string) ([]string, error)
 	DescribeDatabaseFunc             func(ctx context.Context, dbName string) (*model.Database, error)
-	CreatePrivilegeGroupFunc         func(groupName string) error
+	CreatePrivilegeGroupFunc         func(groupName string, options ...bool) error
 	DropPrivilegeGroupFunc           func(groupName string) error
 	ListPrivilegeGroupsFunc          func() ([]*milvuspb.PrivilegeGroupInfo, error)
 	OperatePrivilegeGroupFunc        func(groupName string, privileges []*milvuspb.PrivilegeEntity, operateType milvuspb.OperatePrivilegeGroupType) error
@@ -256,8 +256,8 @@ func (m mockMetaTable) ListUserRole(tenant string) ([]string, error) {
 	return m.ListUserRoleFunc(tenant)
 }
 
-func (m mockMetaTable) CreatePrivilegeGroup(groupName string) error {
-	return m.CreatePrivilegeGroupFunc(groupName)
+func (m mockMetaTable) CreatePrivilegeGroup(groupName string, options ...bool) error {
+	return m.CreatePrivilegeGroupFunc(groupName, options...)
 }
 
 func (m mockMetaTable) DropPrivilegeGroup(groupName string) error {
@@ -552,7 +552,7 @@ func withInvalidMeta() Opt {
 	meta.DescribeDatabaseFunc = func(ctx context.Context, dbName string) (*model.Database, error) {
 		return nil, errors.New("error mock DescribeDatabase")
 	}
-	meta.CreatePrivilegeGroupFunc = func(groupName string) error {
+	meta.CreatePrivilegeGroupFunc = func(groupName string, options ...bool) error {
 		return errors.New("error mock CreatePrivilegeGroup")
 	}
 	meta.DropPrivilegeGroupFunc = func(groupName string) error {