Files
wehub-resource-sync 498b235461
Build and test / Build and test AMD64 Ubuntu 22.04 (push) Failing after 0s
Publish Builder / amazonlinux2023 (push) Failing after 1s
Build and test / UT for Go (push) Has been skipped
Publish KRTE Images / KRTE (push) Failing after 1s
Build and test / Integration Test (push) Has been skipped
Build and test / Upload Code Coverage (push) Has been skipped
Publish Builder / rockylinux9 (push) Failing after 1s
Publish Builder / ubuntu22.04 (push) Failing after 0s
Publish Builder / ubuntu24.04 (push) Failing after 0s
Publish Gpu Builder / publish-gpu-builder (push) Failing after 1s
Publish Test Images / PyTest (push) Failing after 0s
Build and test / UT for Cpp (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:31:17 +08:00

228 lines
7.9 KiB
Go

/*
* Licensed to the LF AI & Data foundation under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package rootcoord
import (
"context"
"github.com/samber/lo"
"google.golang.org/protobuf/proto"
"github.com/milvus-io/milvus-proto/go-api/v3/milvuspb"
"github.com/milvus-io/milvus/pkg/v3/common"
"github.com/milvus-io/milvus/pkg/v3/mlog"
"github.com/milvus-io/milvus/pkg/v3/proto/proxypb"
"github.com/milvus-io/milvus/pkg/v3/util"
"github.com/milvus-io/milvus/pkg/v3/util/funcutil"
"github.com/milvus-io/milvus/pkg/v3/util/merr"
"github.com/milvus-io/milvus/pkg/v3/util/typeutil"
)
func executeOperatePrivilegeTaskSteps(ctx context.Context, core *Core, entity *milvuspb.GrantEntity, operateType milvuspb.OperatePrivilegeType) error {
privName := entity.Grantor.Privilege.Name
if err := func() error {
// set up privilege name for metastore
dbPrivName, err := core.getMetastorePrivilegeName(ctx, privName)
if err != nil {
return err
}
entity.Grantor.Privilege.Name = dbPrivName
err = core.meta.OperatePrivilege(ctx, util.DefaultTenant, entity, operateType)
if err != nil && !common.IsIgnorableError(err) {
mlog.Warn(ctx, "fail to operate the privilege", mlog.Any("in", entity), mlog.Err(err))
return err
}
return nil
}(); err != nil {
return merr.Wrap(err, "failed to operate the privilege")
}
if err := func() error {
// set back to expand privilege group
entity.Grantor.Privilege.Name = privName
var opType int32
switch operateType {
case milvuspb.OperatePrivilegeType_Grant:
opType = int32(typeutil.CacheGrantPrivilege)
case milvuspb.OperatePrivilegeType_Revoke:
opType = int32(typeutil.CacheRevokePrivilege)
default:
mlog.Warn(ctx, "invalid operate type for the OperatePrivilege api", mlog.Any("operate_type", operateType))
return merr.WrapErrParameterInvalidMsg("invalid operate type for the OperatePrivilege api")
}
grants := []*milvuspb.GrantEntity{entity}
allGroups, err := core.getDefaultAndCustomPrivilegeGroups(ctx)
if err != nil {
return err
}
groups := lo.SliceToMap(allGroups, func(group *milvuspb.PrivilegeGroupInfo) (string, []*milvuspb.PrivilegeEntity) {
return group.GroupName, group.Privileges
})
expandGrants, err := core.expandPrivilegeGroups(ctx, grants, groups)
if err != nil {
return err
}
// if there is same grant in the other privilege groups, the grant should not be removed from the cache
if operateType == milvuspb.OperatePrivilegeType_Revoke {
metaGrants, err := core.meta.SelectGrant(ctx, util.DefaultTenant, &milvuspb.GrantEntity{
Role: entity.Role,
DbName: entity.DbName,
})
if err != nil {
return err
}
metaExpandGrants, err := core.expandPrivilegeGroups(ctx, metaGrants, groups)
if err != nil {
return err
}
expandGrants = lo.Filter(expandGrants, func(g1 *milvuspb.GrantEntity, _ int) bool {
return !lo.ContainsBy(metaExpandGrants, func(g2 *milvuspb.GrantEntity) bool {
return proto.Equal(g1, g2)
})
})
}
if len(expandGrants) > 0 {
if err := core.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
OpType: opType,
OpKey: funcutil.PolicyForPrivileges(expandGrants),
}); err != nil {
mlog.Warn(ctx, "fail to refresh policy info cache", mlog.Any("in", entity), mlog.Err(err))
return err
}
}
return nil
}(); err != nil {
return merr.Wrap(err, "failed to refresh policy info cache")
}
return nil
}
func executeOperatePrivilegeGroupTaskSteps(ctx context.Context, core *Core, in *milvuspb.PrivilegeGroupInfo, operateType milvuspb.OperatePrivilegeGroupType) error {
if err := func() error {
groups, err := core.meta.ListPrivilegeGroups(ctx)
if err != nil && !common.IsIgnorableError(err) {
mlog.Warn(ctx, "fail to list privilege groups", mlog.Err(err))
return err
}
currGroups := lo.SliceToMap(groups, func(group *milvuspb.PrivilegeGroupInfo) (string, []*milvuspb.PrivilegeEntity) {
return group.GroupName, group.Privileges
})
// get roles granted to the group
roles, err := core.meta.GetPrivilegeGroupRoles(ctx, in.GroupName)
if err != nil {
return err
}
newGroups := make(map[string][]*milvuspb.PrivilegeEntity)
for k, v := range currGroups {
if k != in.GroupName {
newGroups[k] = v
continue
}
switch operateType {
case milvuspb.OperatePrivilegeGroupType_AddPrivilegesToGroup:
newPrivs := lo.Union(v, in.Privileges)
newGroups[k] = lo.UniqBy(newPrivs, func(p *milvuspb.PrivilegeEntity) string {
return p.Name
})
case milvuspb.OperatePrivilegeGroupType_RemovePrivilegesFromGroup:
newPrivs, _ := lo.Difference(v, in.Privileges)
newGroups[k] = newPrivs
default:
return merr.WrapErrParameterInvalidMsg("invalid operate type")
}
}
var rolesToRevoke []*milvuspb.GrantEntity
var rolesToGrant []*milvuspb.GrantEntity
compareGrants := func(a, b *milvuspb.GrantEntity) bool {
return a.Role.Name == b.Role.Name &&
a.Object.Name == b.Object.Name &&
a.ObjectName == b.ObjectName &&
a.Grantor.User.Name == b.Grantor.User.Name &&
a.Grantor.Privilege.Name == b.Grantor.Privilege.Name &&
a.DbName == b.DbName
}
for _, role := range roles {
grants, err := core.meta.SelectGrant(ctx, util.DefaultTenant, &milvuspb.GrantEntity{
Role: role,
DbName: util.AnyWord,
})
if err != nil {
return err
}
currGrants, err := core.expandPrivilegeGroups(ctx, grants, currGroups)
if err != nil {
return err
}
newGrants, err := core.expandPrivilegeGroups(ctx, grants, newGroups)
if err != nil {
return err
}
toRevoke := lo.Filter(currGrants, func(item *milvuspb.GrantEntity, _ int) bool {
return !lo.ContainsBy(newGrants, func(newItem *milvuspb.GrantEntity) bool {
return compareGrants(item, newItem)
})
})
toGrant := lo.Filter(newGrants, func(item *milvuspb.GrantEntity, _ int) bool {
return !lo.ContainsBy(currGrants, func(currItem *milvuspb.GrantEntity) bool {
return compareGrants(item, currItem)
})
})
rolesToRevoke = append(rolesToRevoke, toRevoke...)
rolesToGrant = append(rolesToGrant, toGrant...)
}
if len(rolesToRevoke) > 0 {
opType := int32(typeutil.CacheRevokePrivilege)
if err := core.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
OpType: opType,
OpKey: funcutil.PolicyForPrivileges(rolesToRevoke),
}); err != nil {
mlog.Warn(ctx, "fail to refresh policy info cache for revoke privileges in operate privilege group", mlog.Any("in", in), mlog.Err(err))
return err
}
}
if len(rolesToGrant) > 0 {
opType := int32(typeutil.CacheGrantPrivilege)
if err := core.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
OpType: opType,
OpKey: funcutil.PolicyForPrivileges(rolesToGrant),
}); err != nil {
mlog.Warn(ctx, "fail to refresh policy info cache for grants privilege in operate privilege group", mlog.Any("in", in), mlog.Err(err))
return err
}
}
return nil
}(); err != nil {
return merr.Wrap(err, "failed to refresh policy info cache")
}
if err := core.meta.OperatePrivilegeGroup(ctx, in.GroupName, in.Privileges, operateType); err != nil && !common.IsIgnorableError(err) {
mlog.Warn(ctx, "fail to operate privilege group", mlog.Err(err))
return merr.Wrap(err, "failed to operate privilege group")
}
return nil
}