From 01b5b060ccc995436c520111106ee5504e4e2f3b Mon Sep 17 00:00:00 2001
From: shaoting-huang <shaoting.huang@zilliz.com>
Date: Wed, 18 Dec 2024 16:38:45 +0800
Subject: [PATCH] rbac revoke check with meta

Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
---
 internal/rootcoord/root_coord.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/internal/rootcoord/root_coord.go b/internal/rootcoord/root_coord.go
index f03a2bd91e4c3..d4ac677b6e038 100644
--- a/internal/rootcoord/root_coord.go
+++ b/internal/rootcoord/root_coord.go
@@ -32,6 +32,7 @@ import (
 	clientv3 "go.etcd.io/etcd/client/v3"
 	"go.uber.org/atomic"
 	"go.uber.org/zap"
+	"google.golang.org/protobuf/proto"
 
 	"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
 	"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
@@ -2775,6 +2776,25 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
 		if err != nil {
 			return nil, err
 		}
+		// if there is same grant in the other privilege groups, the grant should not be removed from the cache
+		if in.Type == milvuspb.OperatePrivilegeType_Revoke {
+			metaGrants, err := c.meta.SelectGrant(ctx, util.DefaultTenant, &milvuspb.GrantEntity{
+				Role:   in.Entity.Role,
+				DbName: in.Entity.DbName,
+			})
+			if err != nil {
+				return nil, err
+			}
+			metaExpandGrants, err := c.expandPrivilegeGroups(ctx, metaGrants, groups)
+			if err != nil {
+				return nil, err
+			}
+			expandGrants = lo.Filter(expandGrants, func(g1 *milvuspb.GrantEntity, _ int) bool {
+				return !lo.ContainsBy(metaExpandGrants, func(g2 *milvuspb.GrantEntity) bool {
+					return proto.Equal(g1, g2)
+				})
+			})
+		}
 		if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
 			OpType: opType,
 			OpKey:  funcutil.PolicyForPrivileges(expandGrants),
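Review bot: The new revoke branch is only correct if `c.meta.SelectGrant` already reflects the revoke being performed; if the revoked entity is still present in meta at this point (the meta write happens above the hunk, so its ordering is not visible here), it is also present in `metaExpandGrants`, the `lo.Filter` drops every expanded grant, and the proxy policy cache keeps serving the revoked privilege until the next full reload. Please state that precondition next to the comment on the first added line, e.g. `// precondition: the revoked entity has already been removed from c.meta, otherwise the filter empties expandGrants and the cache never drops it`. Also note that `proto.Equal(g1, g2)` compares every field of GrantEntity, so if the stored grants carry a Grantor (or other field) that differs from the expanded request, a privilege still held through another group would be removed from the cache anyway; if only role/object/privilege identity matters here, comparing those fields explicitly would make the intent clear. Minor: `metaGrants, err :=` declares a new `err` inside the `if` block, shadowing the outer one; `go vet -shadow` will flag it. OperatePrivilege starts and ends outside the hunk.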