enhance: [2.4] RBAC privielge group and grant v2 api (#849)
cherry-pick from master:
#845,
#847
issue: milvus-io/milvus#37031

Signed-off-by: shaoting-huang <[email protected]>
shaoting-huang authored Nov 26, 2024
1 parent fc46c0c commit 564e928
Showing 7 changed files with 533 additions and 8 deletions.
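--- a/client/client.go
+++ b/client/client.go
@@ -86,6 +86,17 @@ type Client interface {
 BackupRBAC(ctx context.Context) (*entity.RBACMeta, error)
 RestoreRBAC(ctx context.Context, meta *entity.RBACMeta) error
 
+// CreatePrivilegeGroup creates a privilege group
+CreatePrivilegeGroup(ctx context.Context, groupName string) error
+// DropPrivilegeGroup drops the specified privilege group
+DropPrivilegeGroup(ctx context.Context, groupName string) error
+// ListPrivilegeGroups lists all privilege groups
+ListPrivilegeGroups(ctx context.Context) ([]*entity.PrivilegeGroup, error)
+// AddPrivilegeToGroup adds privileges to a privilege group
+AddPrivilegesToGroup(ctx context.Context, groupName string, privileges []string) error
+// RemovePrivilegesFromGroup removes privileges from a privilege group
+RemovePrivilegesFromGroup(ctx context.Context, groupName string, privileges []string) error
+
 // -- authentication --
 
 // CreateCredential create new user and password
@@ -215,6 +226,10 @@ type Client interface {
 Grant(ctx context.Context, role string, objectType entity.PriviledgeObjectType, object string, privilege string, options ...entity.OperatePrivilegeOption) error
 // Revoke removes privilege from role.
 Revoke(ctx context.Context, role string, objectType entity.PriviledgeObjectType, object string, privilege string, options ...entity.OperatePrivilegeOption) error
+// GrantV2 adds privilege for role.
+GrantV2(ctx context.Context, role string, privilege string, dbName string, colName string) error
+// RevokeV2 removes privilege from role.
+RevokeV2(ctx context.Context, role string, privilege string, dbName string, colName string) error
 
 // GetLoadingProgress get the collection or partitions loading progress
 GetLoadingProgress(ctx context.Context, collectionName string, partitionNames []string) (int64, error)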
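Review bot: The doc comment above AddPrivilegesToGroup starts with a different name (`// AddPrivilegeToGroup adds privileges to a privilege group`), which breaks Go's doc-comment convention and is flagged by linters such as revive; it should read `// AddPrivilegesToGroup adds privileges to a privilege group.` GrantV2 and RevokeV2 take dbName and colName, but their comments (`// GrantV2 adds privilege for role.`) say nothing about how those two values scope the grant or what an empty string means, which is exactly the detail a caller handing out privileges needs to avoid granting more than intended; the server-side interpretation is not visible in this diff, so the comment should at least say which values are accepted. The Client interface continues outside both hunks.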
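--- a/client/client_mock_test.go
+++ b/client/client_mock_test.go
@@ -256,6 +256,7 @@ const (
 MAlterCollection ServiceMethod = 109
 MGetLoadingProgress ServiceMethod = 110
 MGetLoadState ServiceMethod = 111
+MOperatePrivilegeV2 ServiceMethod = 112
 
 MCreatePartition ServiceMethod = 201
 MDropPartition ServiceMethod = 202
@@ -312,6 +313,11 @@ const (
 MReplicateMessage ServiceMethod = 1100
 MBackupRBAC ServiceMethod = 1101
 MRestoreRBAC ServiceMethod = 1102
+
+MCreatePrivilegeGroup ServiceMethod = 1200
+MDropPrivilegeGroup ServiceMethod = 1201
+MListPrivilegeGroups ServiceMethod = 1202
+MOperatePrivilegeGroup ServiceMethod = 1203
 )
 
 // injection function definition
@@ -495,6 +501,15 @@ func (m *MockServer) AlterCollection(ctx context.Context, req *milvuspb.AlterCol
 return SuccessStatus()
 }
 
+func (m *MockServer) OperatePrivilegeV2(ctx context.Context, req *milvuspb.OperatePrivilegeV2Request) (*commonpb.Status, error) {
+f := m.GetInjection(MOperatePrivilegeV2)
+if f != nil {
+r, err := f(ctx, req)
+return r.(*commonpb.Status), err
+}
+return SuccessStatus()
+}
+
 func (m *MockServer) CreatePartition(ctx context.Context, req *milvuspb.CreatePartitionRequest) (*commonpb.Status, error) {
 f := m.GetInjection(MCreatePartition)
 if f != nil {
@@ -1079,3 +1094,40 @@ func (m *MockServer) RestoreRBAC(ctx context.Context, req *milvuspb.RestoreRBACM
 }
 return SuccessStatus()
 }
+
+func (m *MockServer) CreatePrivilegeGroup(ctx context.Context, req *milvuspb.CreatePrivilegeGroupRequest) (*commonpb.Status, error) {
+f := m.GetInjection(MCreatePrivilegeGroup)
+if f != nil {
+r, err := f(ctx, req)
+return r.(*commonpb.Status), err
+}
+return SuccessStatus()
+}
+
+func (m *MockServer) DropPrivilegeGroup(ctx context.Context, req *milvuspb.DropPrivilegeGroupRequest) (*commonpb.Status, error) {
+f := m.GetInjection(MDropPrivilegeGroup)
+if f != nil {
+r, err := f(ctx, req)
+return r.(*commonpb.Status), err
+}
+return SuccessStatus()
+}
+
+func (m *MockServer) ListPrivilegeGroups(ctx context.Context, req *milvuspb.ListPrivilegeGroupsRequest) (*milvuspb.ListPrivilegeGroupsResponse, error) {
+f := m.GetInjection(MListPrivilegeGroups)
+if f != nil {
+r, err := f(ctx, req)
+return r.(*milvuspb.ListPrivilegeGroupsResponse), err
+}
+s, err := SuccessStatus()
+return &milvuspb.ListPrivilegeGroupsResponse{Status: s}, err
+}
+
+func (m *MockServer) OperatePrivilegeGroup(ctx context.Context, req *milvuspb.OperatePrivilegeGroupRequest) (*commonpb.Status, error) {
+f := m.GetInjection(MOperatePrivilegeGroup)
+if f != nil {
+r, err := f(ctx, req)
+return r.(*commonpb.Status), err
+}
+return SuccessStatus()
+}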
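--- a/client/rbac.go
+++ b/client/rbac.go
@@ -393,6 +393,62 @@ func (c *GrpcClient) Revoke(ctx context.Context, role string, objectType entity.
 return handleRespStatus(resp)
 }
 
+// GrantV2 adds object privilege for role without object type
+func (c *GrpcClient) GrantV2(ctx context.Context, role string, privilege string, dbName string, colName string) error {
+if c.Service == nil {
+return ErrClientNotReady
+}
+
+req := &milvuspb.OperatePrivilegeV2Request{
+Role: &milvuspb.RoleEntity{
+Name: role,
+},
+Grantor: &milvuspb.GrantorEntity{
+Privilege: &milvuspb.PrivilegeEntity{
+Name: privilege,
+},
+},
+Type: milvuspb.OperatePrivilegeType_Grant,
+DbName: dbName,
+CollectionName: colName,
+}
+
+resp, err := c.Service.OperatePrivilegeV2(ctx, req)
+if err != nil {
+return err
+}
+
+return handleRespStatus(resp)
+}
+
+// Revoke removes privilege from role without object type
+func (c *GrpcClient) RevokeV2(ctx context.Context, role string, privilege string, dbName string, colName string) error {
+if c.Service == nil {
+return ErrClientNotReady
+}
+
+req := &milvuspb.OperatePrivilegeV2Request{
+Role: &milvuspb.RoleEntity{
+Name: role,
+},
+Grantor: &milvuspb.GrantorEntity{
+Privilege: &milvuspb.PrivilegeEntity{
+Name: privilege,
+},
+},
+Type: milvuspb.OperatePrivilegeType_Revoke,
+DbName: dbName,
+CollectionName: colName,
+}
+
+resp, err := c.Service.OperatePrivilegeV2(ctx, req)
+if err != nil {
+return err
+}
+
+return handleRespStatus(resp)
+}
+
 func (c *GrpcClient) BackupRBAC(ctx context.Context) (*entity.RBACMeta, error) {
 if c.Service == nil {
 return nil, ErrClientNotReady
@@ -521,3 +577,127 @@ func (c *GrpcClient) RestoreRBAC(ctx context.Context, meta *entity.RBACMeta) err
 
 return handleRespStatus(resp)
 }
+
+func (c *GrpcClient) CreatePrivilegeGroup(ctx context.Context, groupName string) error {
+if c.Service == nil {
+return ErrClientNotReady
+}
+
+req := &milvuspb.CreatePrivilegeGroupRequest{
+GroupName: groupName,
+}
+
+resp, err := c.Service.CreatePrivilegeGroup(ctx, req)
+if err != nil {
+return err
+}
+
+return handleRespStatus(resp)
+}
+
+func (c *GrpcClient) DropPrivilegeGroup(ctx context.Context, groupName string) error {
+if c.Service == nil {
+return ErrClientNotReady
+}
+
+req := &milvuspb.DropPrivilegeGroupRequest{
+GroupName: groupName,
+}
+
+resp, err := c.Service.DropPrivilegeGroup(ctx, req)
+if err != nil {
+return err
+}
+
+return handleRespStatus(resp)
+}
+
+func (c *GrpcClient) ListPrivilegeGroups(ctx context.Context) ([]*entity.PrivilegeGroup, error) {
+PrivilegeGroupList := make([]*entity.PrivilegeGroup, 0)
+if c.Service == nil {
+return PrivilegeGroupList, ErrClientNotReady
+}
+
+req := &milvuspb.ListPrivilegeGroupsRequest{}
+
+resp, err := c.Service.ListPrivilegeGroups(ctx, req)
+if err != nil {
+return PrivilegeGroupList, err
+}
+
+if err = handleRespStatus(resp.GetStatus()); err != nil {
+return PrivilegeGroupList, err
+}
+
+results := resp.GetPrivilegeGroups()
+
+if len(results) == 0 {
+return PrivilegeGroupList, nil
+}
+
+for _, pg := range results {
+privs := make([]string, 0, len(pg.Privileges))
+for _, p := range pg.Privileges {
+privs = append(privs, p.GetName())
+}
+PrivilegeGroup := &entity.PrivilegeGroup{
+GroupName: pg.GroupName,
+Privileges: privs,
+}
+PrivilegeGroupList = append(PrivilegeGroupList, PrivilegeGroup)
+}
+
+return PrivilegeGroupList, nil
+}
+
+func (c *GrpcClient) AddPrivilegesToGroup(ctx context.Context, groupName string, privileges []string) error {
+if c.Service == nil {
+return ErrClientNotReady
+}
+
+privs := make([]*milvuspb.PrivilegeEntity, 0, len(privileges))
+for _, p := range privileges {
+privs = append(privs, &milvuspb.PrivilegeEntity{
+Name: p,
+})
+}
+
+req := &milvuspb.OperatePrivilegeGroupRequest{
+GroupName: groupName,
+Privileges: privs,
+Type: milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup,
+}
+
+resp, err := c.Service.OperatePrivilegeGroup(ctx, req)
+if err != nil {
+return err
+}
+
+return handleRespStatus(resp)
+}
+
+func (c *GrpcClient) RemovePrivilegesFromGroup(ctx context.Context, groupName string, privileges []string) error {
+if c.Service == nil {
+return ErrClientNotReady
+}
+
+privs := make([]*milvuspb.PrivilegeEntity, 0, len(privileges))
+for _, p := range privileges {
+privs = append(privs, &milvuspb.PrivilegeEntity{
+Name: p,
+})
+}
+
+req := &milvuspb.OperatePrivilegeGroupRequest{
+GroupName: groupName,
+Privileges: privs,
+Type: milvuspb.OperatePrivilegeGroupType_RemovePrivilegesFromGroup,
+}
+
+resp, err := c.Service.OperatePrivilegeGroup(ctx, req)
+if err != nil {
+return err
+}
+
+return handleRespStatus(resp)
+}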
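Review bot: GrantV2 and RevokeV2 forward role, privilege, dbName and colName to OperatePrivilegeV2 verbatim with no client-side check, so whether an empty dbName or colName is rejected or widens the grant to every database/collection is decided entirely by the server and is not stated anywhere in this file; because a wider-than-intended grant is a privilege-escalation risk, the doc comments should say which values are accepted and what "" means (I cannot tell the server's behaviour from this diff). The comment on RevokeV2 also names the v1 method and should read `// RevokeV2 removes privilege from role without object type.`, and the five privilege-group methods (CreatePrivilegeGroup through RemovePrivilegesFromGroup) are exported with no doc comment at all. Smaller style points: the two `OperatePrivilegeV2Request` builders and the two `[]*milvuspb.PrivilegeEntity` loops are copy-pasted and could share one unexported helper, and in ListPrivilegeGroups the locals `PrivilegeGroupList`/`PrivilegeGroup` should be lowerCamel (`groups`, `group`) while the `len(results) == 0` early return is redundant since the loop below already yields an empty slice.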
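--- a/entity/rbac.go
+++ b/entity/rbac.go
@@ -72,3 +72,8 @@ type RBACMeta struct {
 Roles []*Role
 RoleGrants []*RoleGrants
 }
+
+type PrivilegeGroup struct {
+GroupName string
+Privileges []string
+}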
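Review bot: PrivilegeGroup is an exported type added without a doc comment, and its Privileges field holds bare names rather than typed privilege entities, which is worth saying so callers don't look for an object type or level on it. Suggested comment above the type: `// PrivilegeGroup is a named privilege group together with the names of the privileges it contains.`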
3 changes: 2 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ require (
github.com/go-faker/faker/v4 v4.1.0
github.com/golang/protobuf v1.5.2
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a
github.com/milvus-io/milvus-proto/go-api/v2 v2.4.17-0.20241120092224-a1c2ac2fd2c1
github.com/stretchr/testify v1.8.1
github.com/tidwall/gjson v1.14.4
github.com/x448/float16 v0.8.4
Expand All @@ -22,6 +22,7 @@ require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/getsentry/sentry-go v0.12.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/kr/pretty v0.3.0 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
Expand Down
11 changes: 4 additions & 7 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -99,8 +99,9 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
Expand Down Expand Up @@ -157,8 +158,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
github.com/mediocregopher/radix/v3 v3.4.2/go.mod h1:8FL3F6UQRXHXIBSPUs5h0RybMF8i4n7wVopoX3x7Bv8=
github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a h1:0B/8Fo66D8Aa23Il0yrQvg1KKz92tE/BJ5BvkUxxAAk=
github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a/go.mod h1:1OIl0v5PQeNxIJhCvY+K55CBUOYDZevw9g9380u1Wek=
github.com/milvus-io/milvus-proto/go-api/v2 v2.4.17-0.20241120092224-a1c2ac2fd2c1 h1:WLm5qrm6vPAnuhrKcA0htuaDboG5YOvgzfZgMKEzsGc=
github.com/milvus-io/milvus-proto/go-api/v2 v2.4.17-0.20241120092224-a1c2ac2fd2c1/go.mod h1:/6UT4zZl6awVeXLeE7UGDWZvXj3IWkRsh3mqsn0DiAs=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
Expand Down Expand Up @@ -289,7 +290,6 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20211008194852-3b03d305991f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
Expand Down Expand Up @@ -332,9 +332,7 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
Expand Down Expand Up @@ -375,7 +373,6 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
Expand Down
