From de8858931ac906e0e79ab2d19c03aa5d9914fed0 Mon Sep 17 00:00:00 2001
From: sthuang <167743503+shaoting-huang@users.noreply.github.com>
Date: Wed, 18 Dec 2024 18:46:45 +0800
Subject: [PATCH] fix: rbac revoke check if there is same privilege in other privilege groups granted (#38558)
related: https://github.com/milvus-io/milvus/issues/38557
Signed-off-by: shaoting-huang
---
 internal/rootcoord/root_coord.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/internal/rootcoord/root_coord.go b/internal/rootcoord/root_coord.go
index f03a2bd91e4c3..d4ac677b6e038 100644
--- a/internal/rootcoord/root_coord.go
+++ b/internal/rootcoord/root_coord.go
@@ -32,6 +32,7 @@ import (
 clientv3 "go.etcd.io/etcd/client/v3"
 "go.uber.org/atomic"
 "go.uber.org/zap"
+ "google.golang.org/protobuf/proto"
 "github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
 "github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
@@ -2775,6 +2776,25 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
 if err != nil {
 return nil, err
 }
+ // if there is same grant in the other privilege groups, the grant should not be removed from the cache
+ if in.Type == milvuspb.OperatePrivilegeType_Revoke {
+ metaGrants, err := c.meta.SelectGrant(ctx, util.DefaultTenant, &milvuspb.GrantEntity{
+ Role: in.Entity.Role,
+ DbName: in.Entity.DbName,
+ })
+ if err != nil {
+ return nil, err
+ }
+ metaExpandGrants, err := c.expandPrivilegeGroups(ctx, metaGrants, groups)
+ if err != nil {
+ return nil, err
+ }
+ expandGrants = lo.Filter(expandGrants, func(g1 *milvuspb.GrantEntity, _ int) bool {
+ return !lo.ContainsBy(metaExpandGrants, func(g2 *milvuspb.GrantEntity) bool {
+ return proto.Equal(g1, g2)
+ })
+ })
+ }
 if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
 OpType: opType,
 OpKey: funcutil.PolicyForPrivileges(expandGrants),
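Review bot: In the second hunk, the `lo.Filter` over `expandGrants` matches with `proto.Equal(g1, g2)`, which compares every field of `GrantEntity`, while the cache entry is keyed by whatever `funcutil.PolicyForPrivileges` encodes; if the entity carries a field that is not part of the policy (the grantor, for instance), a privilege still held through another group would be dropped from the proxy cache, so matching on the policy fields only would be safer. The branch also assumes `c.meta.SelectGrant` already reflects the revoke: if it can run before the meta change is committed, the revoked grant matches itself and stays cached, leaving access in place after a revoke. That ordering is not visible here because OperatePrivilege starts and ends outside the hunk, so I would state it in the comment, e.g. `// meta has already dropped the revoked grant; keep only policies no remaining grant or group still provides`. The commit touches one file, so a test for revoking one of two overlapping privilege groups appears to be missing.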