enhance: support to config root user's password
Signed-off-by: SimFG <[email protected]>
SimFG committed Jul 17, 2024
1 parent ca758c3 commit e694806
Showing 7 changed files with 50 additions and 31 deletions.
1 change: 1 addition & 0 deletions configs/milvus.yaml
@@ -636,6 +636,7 @@ common:
# like the old password verification when updating the credential
superUsers:
tlsMode: 0
defaultRootPassword: Milvus
session:
ttl: 30 # ttl value when session granting a lease to register service
retryTimes: 30 # retry times when session sending etcd requests
59 changes: 32 additions & 27 deletions internal/distributed/proxy/httpserver/handler_v1_test.go
@@ -82,6 +82,11 @@ var DefaultFalseResp = milvuspb.BoolResponse{
Value: false,
}

func getDefaultRootPassword() string {
paramtable.Init()
return paramtable.Get().CommonCfg.DefaultRootPassword.GetValue()
}

func versional(path string) string {
return URIPrefixV1 + path
}
@@ -128,7 +133,7 @@ func genAuthMiddleWare(needAuth bool) gin.HandlerFunc {
username, password, ok := ParseUsernamePassword(c)
if !ok {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{HTTPReturnCode: merr.Code(merr.ErrNeedAuthenticate), HTTPReturnMessage: merr.ErrNeedAuthenticate.Error()})
} else if username == util.UserRoot && password != util.DefaultRootPassword {
} else if username == util.UserRoot && password != getDefaultRootPassword() {
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{HTTPReturnCode: merr.Code(merr.ErrNeedAuthenticate), HTTPReturnMessage: merr.ErrNeedAuthenticate.Error()})
} else {
c.Set(ContextUsername, username)
@@ -183,7 +188,7 @@ func TestVectorAuthenticate(t *testing.T) {

t.Run("root's password correct", func(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsPath), nil)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -237,7 +242,7 @@ func TestVectorListCollection(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
testEngine := initHTTPServer(tt.mp, true)
req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsPath), nil)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -301,7 +306,7 @@ func TestVectorCollectionsDescribe(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
testEngine := initHTTPServer(tt.mp, true)
req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsDescribePath)+"?collectionName="+DefaultCollectionName, nil)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -315,7 +320,7 @@ func TestVectorCollectionsDescribe(t *testing.T) {
t.Run("need collectionName", func(t *testing.T) {
testEngine := initHTTPServer(mocks.NewMockProxy(t), true)
req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsDescribePath)+"?"+DefaultCollectionName, nil)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -384,7 +389,7 @@ func TestVectorCreateCollection(t *testing.T) {
jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `", "dimension": 2}`)
bodyReader := bytes.NewReader(jsonBody)
req := httptest.NewRequest(http.MethodPost, versional(VectorCollectionsCreatePath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -441,7 +446,7 @@ func TestVectorDropCollection(t *testing.T) {
jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `"}`)
bodyReader := bytes.NewReader(jsonBody)
req := httptest.NewRequest(http.MethodPost, versional(VectorCollectionsDropPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -517,7 +522,7 @@ func TestQuery(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
testEngine := initHTTPServer(tt.mp, true)
for _, req := range reqs {
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -602,7 +607,7 @@ func TestDelete(t *testing.T) {
jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `" , "id": [1,2,3]}`)
bodyReader := bytes.NewReader(jsonBody)
req := httptest.NewRequest(http.MethodPost, versional(VectorDeletePath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -634,7 +639,7 @@ func TestDeleteForFilter(t *testing.T) {
testEngine := initHTTPServer(mp, true)
bodyReader := bytes.NewReader(jsonBody)
req := httptest.NewRequest(http.MethodPost, versional(VectorDeletePath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -726,7 +731,7 @@ func TestInsert(t *testing.T) {
testEngine := initHTTPServer(tt.mp, true)
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -747,7 +752,7 @@ func TestInsert(t *testing.T) {
testEngine := initHTTPServer(mp, true)
bodyReader := bytes.NewReader([]byte(`{"collectionName": "` + DefaultCollectionName + `", "data": {}}`))
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -788,7 +793,7 @@ func TestInsertForDataType(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -813,7 +818,7 @@ func TestInsertForDataType(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -856,7 +861,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -887,7 +892,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -918,7 +923,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
req.Header.Set(HTTPHeaderAllowInt64, "true")
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
@@ -950,7 +955,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
req.Header.Set(HTTPHeaderAllowInt64, "true")
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
@@ -983,7 +988,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -1014,7 +1019,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -1045,7 +1050,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
req.Header.Set(HTTPHeaderAllowInt64, "false")
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
@@ -1077,7 +1082,7 @@ func TestReturnInt64(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
req.Header.Set(HTTPHeaderAllowInt64, "false")
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
@@ -1167,7 +1172,7 @@ func TestUpsert(t *testing.T) {
testEngine := initHTTPServer(tt.mp, true)
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -1188,7 +1193,7 @@ func TestUpsert(t *testing.T) {
testEngine := initHTTPServer(mp, true)
bodyReader := bytes.NewReader([]byte(`{"collectionName": "` + DefaultCollectionName + `", "data": {}}`))
req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -1271,7 +1276,7 @@ func TestSearch(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorSearchPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -1319,7 +1324,7 @@ func TestSearch(t *testing.T) {
})
bodyReader := bytes.NewReader(data)
req := httptest.NewRequest(http.MethodPost, versional(VectorSearchPath), bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, tt.exceptCode, w.Code)
@@ -1481,7 +1486,7 @@ func TestHttpRequestFormat(t *testing.T) {
testEngine := initHTTPServer(mocks.NewMockProxy(t), true)
bodyReader := bytes.NewReader(requestJsons[i])
req := httptest.NewRequest(http.MethodPost, path, bodyReader)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
testEngine.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
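Review bot: The new helper `getDefaultRootPassword()` in the first hunk runs `paramtable.Init()` on every call, and `genAuthMiddleWare` now calls it on each request, so table initialisation sits on the test request path instead of in setup. Whether `Init` is idempotent and leaves values previously written with `paramtable.Get().Save(...)` untouched is not visible on this page; if it is not, a test that overrides `common.security.defaultRootPassword` could see the value reset between building the request and the middleware's comparison. Consider initialising once in test setup and documenting the helper, for example `// getDefaultRootPassword returns the root password currently configured in paramtable; tests use it instead of a literal so they follow the config.`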
4 changes: 2 additions & 2 deletions internal/distributed/proxy/httpserver/handler_v2_test.go
@@ -274,7 +274,7 @@ func TestGrpcWrapper(t *testing.T) {
for _, testcase := range getTestCasesNeedAuth {
t.Run("get"+testcase.path, func(t *testing.T) {
req := httptest.NewRequest(http.MethodGet, testcase.path, nil)
req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
w := httptest.NewRecorder()
ginHandler.ServeHTTP(w, req)
assert.Equal(t, http.StatusOK, w.Code)
@@ -311,7 +311,7 @@ func TestGrpcWrapper(t *testing.T) {

paramtable.Get().Save(proxy.Params.CommonCfg.AuthorizationEnabled.Key, "true")
req = httptest.NewRequest(http.MethodGet, needAuthPrefix+path, nil)
req.SetBasicAuth("test", util.DefaultRootPassword)
req.SetBasicAuth("test", getDefaultRootPassword())
w = httptest.NewRecorder()
ginHandler.ServeHTTP(w, req)
assert.Equal(t, http.StatusForbidden, w.Code)
2 changes: 1 addition & 1 deletion internal/rootcoord/root_coord.go
@@ -528,7 +528,7 @@ func (c *Core) initCredentials() error {
credInfo, _ := c.meta.GetCredential(util.UserRoot)
if credInfo == nil {
log.Debug("RootCoord init user root")
encryptedRootPassword, _ := crypto.PasswordEncrypt(util.DefaultRootPassword)
encryptedRootPassword, _ := crypto.PasswordEncrypt(Params.CommonCfg.DefaultRootPassword.GetValue())
err := c.meta.AddCredential(&internalpb.CredentialInfo{Username: util.UserRoot, EncryptedPassword: encryptedRootPassword})
return err
}
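Review bot: The error from `crypto.PasswordEncrypt` is still discarded on the changed line, which matters more now that its input is operator-supplied configuration rather than a compile-time constant. If encryption fails for the configured value, `AddCredential` is still called with whatever `encryptedRootPassword` holds (presumably an empty string), and the root account is created with an unusable or unexpected hash and no log line. Suggest `encryptedRootPassword, err := crypto.PasswordEncrypt(Params.CommonCfg.DefaultRootPassword.GetValue())` followed by `if err != nil { return err }`, with the next line's `err :=` changed to `err =`; rejecting an empty configured value at the same point is worth considering. The `GetCredential` error on the first line of the hunk is dropped as well, so a failed metadata read looks the same as "root does not exist" and leads into this creation path. `initCredentials` continues outside the hunk.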
1 change: 0 additions & 1 deletion pkg/util/constant.go
@@ -48,7 +48,6 @@ const (
MemberCredID = "@@milvus-member@@"
CredentialSeperator = ":"
UserRoot = "root"
DefaultRootPassword = "Milvus"
PasswordHolder = "___"
DefaultTenant = ""
RoleAdmin = "admin"
10 changes: 10 additions & 0 deletions pkg/util/paramtable/component_param.go
@@ -229,6 +229,7 @@ type commonConfig struct {

AuthorizationEnabled ParamItem `refreshable:"false"`
SuperUsers ParamItem `refreshable:"true"`
DefaultRootPassword ParamItem `refreshable:"false"`

ClusterName ParamItem `refreshable:"false"`

@@ -615,6 +616,15 @@ like the old password verification when updating the credential`,
}
p.SuperUsers.Init(base.mgr)

p.DefaultRootPassword = ParamItem{
Key: "common.security.defaultRootPassword",
Version: "2.4.7",
Doc: "default password for root user",
DefaultValue: "Milvus",
Export: true,
}
p.DefaultRootPassword.Init(base.mgr)

p.ClusterName = ParamItem{
Key: "common.cluster.name",
Version: "2.0.0",
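Review bot: The `Doc` string on the new `DefaultRootPassword` item ("default password for root user") leaves out what an operator needs to know to use the setting safely. Going by the `root_coord.go` hunk in this commit, the value is read only when no root credential exists yet, so editing it on an already-initialised deployment does not rotate the password; and `DefaultValue` is still the previously hard-coded `Milvus`, so a deployment that enables authorization without overriding it keeps a well-known root password. Suggest `Doc: "password given to the root user when its credential is first created; changing it later does not update an existing root account. Override the default before enabling authorization",` and the same text as a comment on the `defaultRootPassword` line in `configs/milvus.yaml`, which currently has none. With `Export: true` the value presumably ends up in plain text in the exported config, which the doc could state too.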
4 changes: 4 additions & 0 deletions pkg/util/paramtable/component_param_test.go
@@ -103,6 +103,10 @@ func TestComponentParam(t *testing.T) {
params.Save("common.security.superUsers", "super1,super2,super3")
assert.Equal(t, []string{"super1", "super2", "super3"}, Params.SuperUsers.GetAsStrings())

assert.Equal(t, "Milvus", Params.SuperUsers.GetAsStrings())
params.Save("common.security.defaultRootPassword", "defaultMilvus")
assert.Equal(t, "defaultMilvus", Params.SuperUsers.GetAsStrings())

params.Save("common.security.superUsers", "")
assert.Equal(t, []string{""}, Params.SuperUsers.GetAsStrings())
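Review bot: Both added assertions read the wrong parameter: they call `Params.SuperUsers.GetAsStrings()`, which yields a `[]string` (the assertion just above compares it with `[]string{"super1", "super2", "super3"}`), and compare that with a plain string, so they cannot pass and the new `DefaultRootPassword` item is never exercised. They should read `assert.Equal(t, "Milvus", Params.DefaultRootPassword.GetValue())` and, after the `Save`, `assert.Equal(t, "defaultMilvus", Params.DefaultRootPassword.GetValue())`. `TestComponentParam` starts and ends outside the hunk.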

