Files
wehub-resource-sync 498b235461
Build and test / Build and test AMD64 Ubuntu 22.04 (push) Failing after 0s
Publish Builder / amazonlinux2023 (push) Failing after 1s
Build and test / UT for Go (push) Has been skipped
Publish KRTE Images / KRTE (push) Failing after 1s
Build and test / Integration Test (push) Has been skipped
Build and test / Upload Code Coverage (push) Has been skipped
Publish Builder / rockylinux9 (push) Failing after 1s
Publish Builder / ubuntu22.04 (push) Failing after 0s
Publish Builder / ubuntu24.04 (push) Failing after 0s
Publish Gpu Builder / publish-gpu-builder (push) Failing after 1s
Publish Test Images / PyTest (push) Failing after 0s
Build and test / UT for Cpp (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:31:17 +08:00

240 lines
8.8 KiB
Go

package proxy
import (
"context"
"fmt"
"reflect"
"sync"
"golang.org/x/time/rate"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"github.com/milvus-io/milvus-proto/go-api/v3/commonpb"
"github.com/milvus-io/milvus-proto/go-api/v3/hook"
"github.com/milvus-io/milvus-proto/go-api/v3/milvuspb"
"github.com/milvus-io/milvus/internal/proxy/privilege"
"github.com/milvus-io/milvus/internal/util/hookutil"
"github.com/milvus-io/milvus/pkg/v3/mlog"
"github.com/milvus-io/milvus/pkg/v3/util"
"github.com/milvus-io/milvus/pkg/v3/util/contextutil"
"github.com/milvus-io/milvus/pkg/v3/util/funcutil"
"github.com/milvus-io/milvus/pkg/v3/util/merr"
)
type PrivilegeFunc func(ctx context.Context, req interface{}) (context.Context, error)
const RBACRoleContextKey = hook.HookContextKeyType("rbac-role")
var (
initOnce sync.Once
initPrivilegeGroupsOnce sync.Once
)
var roPrivileges, rwPrivileges, adminPrivileges map[string]struct{}
func SetRBACRolesToContext(ctx context.Context, roles []string) context.Context {
rolesCopy := append([]string(nil), roles...)
return context.WithValue(ctx, RBACRoleContextKey, rolesCopy)
}
// UnaryServerInterceptor returns a new unary server interceptors that performs per-request privilege access.
func UnaryServerInterceptor(privilegeFunc PrivilegeFunc) grpc.UnaryServerInterceptor {
privilege.InitPrivilegeGroups()
return func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
newCtx, err := privilegeFunc(ctx, req)
if err != nil {
hookutil.GetExtension().ReportAction(newCtx, req, &milvuspb.BoolResponse{
Status: merr.Status(err),
}, err, info.FullMethod, hookutil.ActionAuthorize)
return nil, err
}
return handler(newCtx, req)
}
}
func PrivilegeInterceptor(ctx context.Context, req interface{}) (context.Context, error) {
if !Params.CommonCfg.AuthorizationEnabled.GetAsBool() {
return ctx, nil
}
mlog.RatedDebug(ctx, rate.Limit(60), "PrivilegeInterceptor", mlog.String("type", reflect.TypeOf(req).String()))
privilegeExt, err := funcutil.GetPrivilegeExtObj(req)
if err != nil {
mlog.RatedInfo(ctx, rate.Limit(60), "GetPrivilegeExtObj err", mlog.Err(err))
return ctx, nil
}
username, password, err := contextutil.GetAuthInfoFromContext(ctx)
if err != nil {
mlog.Warn(ctx, "GetCurUserFromContext fail", mlog.Err(err))
return ctx, err
}
if !Params.CommonCfg.RootShouldBindRole.GetAsBool() && username == util.UserRoot {
return ctx, nil
}
roleNames, err := GetRole(username)
if err != nil {
mlog.Warn(ctx, "GetRole fail", mlog.String("username", username), mlog.Err(err))
return ctx, err
}
roleNames = append(roleNames, util.RolePublic)
ctx = SetRBACRolesToContext(ctx, roleNames)
objectType := privilegeExt.ObjectType.String()
objectNameIndex := privilegeExt.ObjectNameIndex
objectName := funcutil.GetObjectName(req, objectNameIndex)
objectPrivilege := privilegeExt.ObjectPrivilege.String()
// Authorize against the db the request actually operates on, resolved by
// privilege level (mirrors the grant-side validation; see
// milvus-io/milvus#50678):
// - Cluster-level privileges (CreateDatabase/ResourceGroup/...) are not
// scoped to a database, so authorize them globally (AnyWord),
// independent of the connection namespace.
// - Database-/Collection-level privileges are scoped to the db the request
// targets: the request-body DbName takes precedence, falling back to the
// connection-context db.
dbName := GetCurDBNameFromRequestOrContext(ctx, req)
if util.GetPrivilegeLevel(util.MetaStore2API(objectPrivilege)) == milvuspb.PrivilegeLevel_Cluster.String() {
dbName = util.AnyWord
}
// RenameCollection is a database-admin privilege: a same-db rename is
// authorized against the target db (database level, handled above), while a
// cross-db rename additionally requires a cluster-scoped (global) grant.
if r, ok := req.(*milvuspb.RenameCollectionRequest); ok && r.GetDbName() != r.GetNewDBName() {
dbName = util.AnyWord
}
// Resolve alias to actual collection name for RBAC checks
if Params.ProxyCfg.ResolveAliasForPrivilege.GetAsBool() && objectType == commonpb.ObjectType_Collection.String() && objectNameIndex != 0 {
if objectName != util.AnyWord && objectName != "" {
if actualCollectionName, resolveErr := resolveCollectionAlias(ctx, dbName, objectName); resolveErr != nil {
mlog.RatedWarn(ctx, rate.Limit(60), "failed to resolve collection alias for RBAC, using original name",
mlog.String("objectName", objectName), mlog.FieldDbName(dbName), mlog.Err(resolveErr))
} else {
objectName = actualCollectionName
}
}
}
if isCurUserObject(objectType, username, objectName) {
return ctx, nil
}
if isSelectMyRoleGrants(req, roleNames) {
return ctx, nil
}
objectNameIndexs := privilegeExt.ObjectNameIndexs
objectNames := funcutil.GetObjectNames(req, objectNameIndexs)
// Resolve aliases for operations that refer to multiple resources
if Params.ProxyCfg.ResolveAliasForPrivilege.GetAsBool() && objectType == commonpb.ObjectType_Collection.String() && objectNameIndexs != 0 && len(objectNames) > 0 {
resolvedNames := make([]string, 0, len(objectNames))
for _, name := range objectNames {
if name == util.AnyWord || name == "" {
resolvedNames = append(resolvedNames, name)
continue
}
if actualName, resolveErr := resolveCollectionAlias(ctx, dbName, name); resolveErr != nil {
mlog.RatedWarn(ctx, rate.Limit(60), "failed to resolve collection alias for RBAC, using original name",
mlog.String("objectName", name), mlog.FieldDbName(dbName), mlog.Err(resolveErr))
resolvedNames = append(resolvedNames, name)
} else {
resolvedNames = append(resolvedNames, actualName)
}
}
objectNames = resolvedNames
}
log := mlog.With(mlog.String("username", username), mlog.Strings("role_names", roleNames),
mlog.String("object_type", objectType), mlog.String("object_privilege", objectPrivilege),
mlog.FieldDbName(dbName),
mlog.Int32("object_index", objectNameIndex), mlog.String("object_name", objectName),
mlog.Int32("object_indexs", objectNameIndexs), mlog.Strings("object_names", objectNames))
e := privilege.GetEnforcer()
for _, roleName := range roleNames {
permitFunc := func(objectName string) (bool, error) {
object := funcutil.PolicyForResource(dbName, objectType, objectName)
isPermit, cached, version := privilege.GetResultCache(roleName, object, objectPrivilege)
if cached {
return isPermit, nil
}
isPermit, err := e.Enforce(roleName, object, objectPrivilege)
if err != nil {
return false, err
}
privilege.SetResultCache(roleName, object, objectPrivilege, isPermit, version)
return isPermit, nil
}
if objectNameIndex != 0 {
// handle the api which refers one resource
permitObject, err := permitFunc(objectName)
if err != nil {
log.Warn(ctx, "fail to execute permit func", mlog.String("name", objectName), mlog.Err(err))
return ctx, err
}
if permitObject {
return ctx, nil
}
}
if objectNameIndexs != 0 {
// handle the api which refers many resources
permitObjects := true
for _, name := range objectNames {
p, err := permitFunc(name)
if err != nil {
log.Warn(ctx, "fail to execute permit func", mlog.String("name", name), mlog.Err(err))
return ctx, err
}
if !p {
permitObjects = false
break
}
}
if permitObjects && len(objectNames) != 0 {
return ctx, nil
}
}
}
log.Info(ctx, "permission deny", mlog.Strings("roles", roleNames))
if password == util.PasswordHolder {
username = "apikey user"
}
return ctx, status.Error(codes.PermissionDenied,
fmt.Sprintf("%s: permission deny to %s in the `%s` database", objectPrivilege, username, dbName))
}
// isCurUserObject Determine whether it is an Object of type User that operates on its own user information,
// like updating password or viewing your own role information.
// make users operate their own user information when the related privileges are not granted.
func isCurUserObject(objectType string, curUser string, object string) bool {
if objectType != commonpb.ObjectType_User.String() {
return false
}
return curUser == object
}
func isSelectMyRoleGrants(req interface{}, roleNames []string) bool {
selectGrantReq, ok := req.(*milvuspb.SelectGrantRequest)
if !ok {
return false
}
filterGrantEntity := selectGrantReq.GetEntity()
roleName := filterGrantEntity.GetRole().GetName()
return funcutil.SliceContain(roleNames, roleName)
}
// resolveCollectionAlias resolves an alias to its actual collection name
func resolveCollectionAlias(ctx context.Context, dbName, nameOrAlias string) (string, error) {
cache := globalMetaCache
if cache == nil {
return nameOrAlias, merr.WrapErrServiceInternal("meta cache not initialized")
}
return cache.ResolveCollectionAlias(ctx, dbName, nameOrAlias)
}