
[Bug]: [privilege_group] The "PrivilegeCompaction" is forbidden when login with the user added in the role granted with the privilege "Compaction" #38003

Closed
binbinlv opened this issue Nov 25, 2024 · 13 comments
Labels: kind/bug (Issues or changes related a bug), triage/accepted (Indicates an issue or PR is ready to be actively worked on.)

Comments

@binbinlv (Contributor) commented Nov 25, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Environment

- Milvus version: master-20241125-0b9edb62-amd64
- Deployment mode(standalone or cluster): both
- MQ type(rocksmq, pulsar or kafka):    all
- SDK version(e.g. pymilvus v2.0.0rc2): 2.5.0rc126
- OS(Ubuntu or CentOS): 
- CPU/Memory: 
- GPU: 
- Others:

Current Behavior

The "PrivilegeRenameCollection" is forbidden when login with the user added in the role granted with the built-in privilege group "CollectionReadWrite"

Expected Behavior

The "PrivilegeRenameCollection" is not forbidden when login with the user added in the role granted with the built-in privilege group "CollectionReadWrite"

Steps To Reproduce

1. connect with "root" user
2. create a role
3. grant the role with "CollectionReadWrite" privilege group
4. create a user "user1"
5. add this user to the role
6. create the collection "collection_1"
7. disconnect milvus
8. connect with "user1" user
9. rename collection "collection_1"

Reproduced script:

from pymilvus import connections, utility, Collection, MilvusClient, Role

# connect as root (host elided in the original report)
connections.connect(host="***", user="root", password="Milvus")
client = MilvusClient(uri="http://***:19530", user="root", password="Milvus")
client.create_collection("binbin_new", dimension=128)

# create the role and the user, and add the user to the role
role = Role("binbin")
role.create()
utility.list_roles(True)
utility.create_user(user="user1", password="Milvus")
role.add_user("user1")
utility.list_roles(True)
role.list_grants()

# grant the built-in privilege group on the collection (grant v2 interface)
role.grant_v2(privilege="CollectionReadWrite", db_name="default", collection_name="binbin_new")
role.list_grants()

# reconnect as user1 and attempt the rename that is expected to be allowed
connections.disconnect('default')
connections.connect(host="", user="user1", password="Milvus")
c = Collection("binbin_new")
utility.rename_collection("binbin_new", "binbin_new_1")

Milvus Log

No response

Anything else?

No response

@binbinlv binbinlv added kind/bug Issues or changes related a bug needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 25, 2024
@binbinlv (Contributor Author)

For the built-in privilege group "CollectionReadWrite":

1. "PrivilegeCompaction" and "PrivilegeRenameCollection" are forbidden, which they should not be
2. "PrivilegeUpdateUser" is not forbidden, which should be forbidden

@binbinlv (Contributor Author)

/assign @shaoting-huang

@sre-ci-robot (Contributor)

@binbinlv: GitHub didn't allow me to assign the following users: shaoting-huang.

Note that only milvus-io members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @shaoting-huang

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yanliang567 (Contributor)

/unassign

@yanliang567 yanliang567 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 26, 2024
@yanliang567 yanliang567 added this to the 2.5.0 milestone Nov 26, 2024
@shaoting-huang (Contributor)

/assign

@binbinlv (Contributor Author) commented Nov 26, 2024

Using the latest dev image: shaoting-huang-rbacv2fix-99f4f88-20241126
rename collection is ok now:

>>> utility.rename_collection("binbin_new", "binbin_new_1")
>>>

but compact is still forbidden:

>>> c.compact()
grpc RpcError: [compact], <_MultiThreadedRendezvous: StatusCode.PERMISSION_DENIED, PrivilegeCompaction: permission deny to user1 in the `default` database>, <Time:{'RPC start': '2024-11-26 19:08:19.705037', 'gRPC error': '2024-11-26 19:08:19.770591'}>
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/orm/collection.py", line 1515, in compact
    self.compaction_id = conn.compact(
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 155, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 137, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 176, in handler
    return func(self, *args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 90, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 86, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/client/grpc_handler.py", line 1600, in compact
    response = future.result()
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/grpc/_channel.py", line 881, in result
    raise self
grpc._channel._MultiThreadedRendezvous: <_MultiThreadedRendezvous of RPC that terminated with:
	status = StatusCode.PERMISSION_DENIED
	details = "PrivilegeCompaction: permission deny to user1 in the `default` database"
	debug_error_string = "UNKNOWN:Error received from peer  {created_time:"2024-11-26T19:08:19.77028+08:00", grpc_status:7, grpc_message:"PrivilegeCompaction: permission deny to user1 in the `default` database"}"
>

script:

from pymilvus import connections, utility, Collection, MilvusClient, Role

# connect as root (host elided in the original report)
connections.connect(host="", user="root", password="Milvus")
client = MilvusClient(uri="http://:19530", user="root", password="Milvus")
client.create_collection("binbin_new", dimension=128)
role = Role("binbin")
role.create()
utility.list_roles(True)
utility.create_user(user="user1", password="Milvus")
role.add_user("user1")
utility.list_roles(True)
role.list_grants()
# grant the built-in privilege group on the collection (grant v2 interface)
role.grant_v2(privilege="CollectionReadWrite", db_name="default", collection_name="binbin_new")

# reconnect as user1 and attempt the compaction
connections.disconnect('default')
connections.connect(host="10.101.182.121", user="user1", password="Milvus")
c = Collection("binbin_new")
c.compact()

@binbinlv (Contributor Author) commented Nov 26, 2024

Using grant v1 interface, compact is forbidden too when the collection is granted "Compaction" privilege:

connections.connect(host="", user="root", password="Milvus")
role.grant("Collection", "col1", "Compaction")
connections.connect(host="", user="user1", password="Milvus1")
>>> c = Collection("col1")
>>> c.compact()
grpc RpcError: [compact], <_MultiThreadedRendezvous: StatusCode.PERMISSION_DENIED, PrivilegeCompaction: permission deny to user1 in the `default` database>, <Time:{'RPC start': '2024-11-26 21:20:53.161300', 'gRPC error': '2024-11-26 21:20:53.226722'}>
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/orm/collection.py", line 1515, in compact
    self.compaction_id = conn.compact(
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 155, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 137, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 176, in handler
    return func(self, *args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 90, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 86, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/client/grpc_handler.py", line 1600, in compact
    response = future.result()
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/grpc/_channel.py", line 881, in result
    raise self
grpc._channel._MultiThreadedRendezvous: <_MultiThreadedRendezvous of RPC that terminated with:
	status = StatusCode.PERMISSION_DENIED
	details = "PrivilegeCompaction: permission deny to user1 in the `default` database"
	debug_error_string = "UNKNOWN:Error received from peer  {created_time:"2024-11-26T21:20:53.226424+08:00", grpc_status:7, grpc_message:"PrivilegeCompaction: permission deny to user1 in the `default` database"}"

@shaoting-huang (Contributor)

This is a legacy issue, not specific to grant v2. Milvus writes the collection name into meta, but the Proxy checks with the collection id. Grant v1 is not working either.

>>> connections.disconnect('default')
>>> connections.connect(host="localhost", user="root", password="Milvus")
>>> role.grant("Collection", "binbin_new", "Compaction")
>>> connections.disconnect('default')
>>> connections.connect(host="localhost", user="user1", password="Milvus")
>>> c = Collection("binbin_new")
>>> 
>>> c.compact()
grpc RpcError: [compact], <_MultiThreadedRendezvous: StatusCode.PERMISSION_DENIED, PrivilegeCompaction: permission deny to user1 in the `default` database>, <Time:{'RPC start': '2024-11-27 20:49:22.277471', 'gRPC error': '2024-11-27 20:49:22.286226'}>
["permission deny"] [username=user1] [role_names="[binbin,public]"] [object_type=Collection] [object_privilege=PrivilegeCompaction] [db_name=default] [object_index=1] [object_name=454219819725881553] [object_indexs=0] [object_names="[]"] [roles="[binbin,public]"]

@binbinlv binbinlv changed the title [Bug]: [privilege_group] The "PrivilegeRenameCollection" is forbidden when login with the user added in the role granted with the built-in privilege group "CollectionReadWrite" [Bug]: [privilege_group] The "PrivilegeCompaction" is forbidden when login with the user added in the role granted with the privilege "Compact" Nov 28, 2024
@binbinlv binbinlv changed the title [Bug]: [privilege_group] The "PrivilegeCompaction" is forbidden when login with the user added in the role granted with the privilege "Compact" [Bug]: [privilege_group] The "PrivilegeCompaction" is forbidden when login with the user added in the role granted with the privilege "Compaction" Nov 28, 2024
@shaoting-huang (Contributor)

/unassign

@shaoting-huang (Contributor)

/assign @weiliu1031

@binbinlv (Contributor Author) commented Dec 2, 2024

working on verification.

@binbinlv (Contributor Author) commented Dec 3, 2024

Verified and fixed:
milvus: master-20241203-e09f4318-amd64
pymilvus: 2.6.0rc8

results:

1. CollectionReadWrite
>>> role.grant_v2("CollectionReadWrite", "default", "binbin_new")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:binbin_new>, <db_name:default>, <role_name:binbin>, <grantor_name:root>, <privilege:CollectionReadWrite>
>>>
>>>
>>> connections.connect(host="", user="user1", password="Milvus")
>>> c = Collection("binbin_new")
>>> c.compact()
>>>
>>>
2. CollectionAdmin
>>> role.grant_v2("CollectionAdmin", "default", "binbin_new")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:binbin_new>, <db_name:default>, <role_name:binbin>, <grantor_name:root>, <privilege:CollectionAdmin>
>>>
>>>
>>> connections.connect(host="", user="user1", password="Milvus")
>>>
>>>
>>> c = Collection("binbin_new")
>>> c.compact()
>>>
>>>
>>>
3. CollectionReadOnly
>>> role.grant_v2("CollectionReadOnly", "default", "binbin_new")
>>>
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:binbin_new>, <db_name:default>, <role_name:binbin>, <grantor_name:root>, <privilege:CollectionReadOnly>
>>>
>>>
>>> connections.connect(host="", user="user1", password="Milvus")
>>>
>>>
>>> c = Collection("binbin_new")
>>> c.compact()
2024-12-03 14:28:09,644 [ERROR][handler]: grpc RpcError: [compact], <_MultiThreadedRendezvous: StatusCode.PERMISSION_DENIED, PrivilegeCompaction: permission deny to user1 in the `default` database>, <Time:{'RPC start': '2024-12-03 14:28:09.593375', 'gRPC error': '2024-12-03 14:28:09.644924'}> (decorators.py:151)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/orm/collection.py", line 1515, in compact
    self.compaction_id = conn.compact(
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 155, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 137, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 176, in handler
    return func(self, *args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 90, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 86, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/client/grpc_handler.py", line 1600, in compact
    response = future.result()
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/grpc/_channel.py", line 881, in result
    raise self
grpc._channel._MultiThreadedRendezvous: <_MultiThreadedRendezvous of RPC that terminated with:
	status = StatusCode.PERMISSION_DENIED
	details = "PrivilegeCompaction: permission deny to user1 in the `default` database"
	debug_error_string = "UNKNOWN:Error received from peer  {grpc_message:"PrivilegeCompaction: permission deny to user1 in the `default` database", grpc_status:7, created_time:"2024-12-03T14:28:09.644464+08:00"}"
>
>>>
>>>
4. Compaction directly:
>>> role.grant("Collection", "binbin_new", "Compaction")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Collection>, <object_name:binbin_new>, <db_name:default>, <role_name:binbin>, <grantor_name:root>, <privilege:Compaction>
>>>
>>>
>>> connections.connect(host="", user="user1", password="Milvus")
>>> c = Collection("binbin_new")
>>> c.compact()
>>>
>>>

@binbinlv (Contributor Author) commented Dec 3, 2024

And did upgrade tests:

1. 2.5.0-beta: "compaction" is permission denied.
2. upgrade 2.5.0-beta to master-20241203-9e008685-amd64: the user granted the "compaction" privilege could compact successfully.

So close this issue.

@binbinlv binbinlv closed this as completed Dec 3, 2024

5 participants