[Bug]: The role could be dropped in the database if the role is granted with no privilege in this database but with privilege in another database #38325

Closed
1 task done
binbinlv opened this issue Dec 10, 2024 · 5 comments
Labels
kind/bug Issues or changes related to a bug triage/accepted Indicates an issue or PR is ready to be actively worked on.

binbinlv commented Dec 10, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Environment

- Milvus version: master-20241209-224c2c8e-amd64
- Deployment mode(standalone or cluster): both
- MQ type(rocksmq, pulsar or kafka):    all
- SDK version(e.g. pymilvus v2.0.0rc2):
- OS(Ubuntu or CentOS): 
- CPU/Memory: 
- GPU: 
- Others:

Current Behavior

The role could be dropped in the database if the role is granted no privilege in this database but has privileges in another database.

>>> db.using_database("db1")
>>> role = Role("binbin")
>>> role.create()
>>>
>>>
>>> role.grant("Collection", "collection1", "Insert")
>>> role.list_grants()
- GrantItem: <object:Collection>, <object_name:collection1>, <db_name:db1>, <role_name:binbin>, <grantor_name:root>, <privilege:Insert>

>>> db.using_database("default")
>>> role.name
'binbin'
>>> role.list_grants()
GrantInfo groups:
>>>
>>>
>>> role.drop()
>>>
>>>

Expected Behavior

The role could not be dropped in the database if the role is granted privileges in any database.

Steps To Reproduce

from pymilvus import CollectionSchema, FieldSchema
from pymilvus import Collection
from pymilvus import connections
from pymilvus import DataType
from pymilvus import Partition
from pymilvus import utility
from pymilvus import MilvusClient
from pymilvus import Role
from pymilvus import db

connections.connect(host="***", user="root", password="Milvus")
utility.create_user("user1", "Milvus")
client = MilvusClient(uri="http://***:19530", user="root", password="Milvus")
client.create_collection("collection1", dimension=128)
client.create_collection("collection2", dimension=128)
db.create_database("db1")
db.using_database("db1")
role = Role("binbin")
role.create()
role.grant("Collection", "collection1", "Insert")
role.list_grants()
db.using_database("default")
role.list_grants()
role.drop()

Milvus Log

https://grafana-4am.zilliz.cc/explore?orgId=1&panes=%7B%22Vco%22:%7B%22datasource%22:%22vhI6Vw67k%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22expr%22:%22%7Bcluster%3D%5C%22devops%5C%22,namespace%3D%5C%22chaos-testing%5C%22,pod%3D~%5C%22rbac-master-latest-bogwk.%2A%5C%22%7D%22,%22datasource%22:%7B%22type%22:%22loki%22,%22uid%22:%22vhI6Vw67k%22%7D%7D%5D,%22range%22:%7B%22from%22:%22now-1h%22,%22to%22:%22now%22%7D%7D%7D&schemaVersion=1

Anything else?

No response

@binbinlv binbinlv added kind/bug Issues or changes related to a bug needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 10, 2024
@binbinlv binbinlv added this to the 2.5.0 milestone Dec 10, 2024
@binbinlv binbinlv changed the title [Bug]: The role could be dropped in the database if the role is granted no privilege in this database but with privilege in another database [Bug]: The role could be dropped in the database if the role is granted with no privilege in this database but with privilege in another database Dec 10, 2024
@yanliang567

/assign @shaoting-huang
/unassign

@sre-ci-robot

@yanliang567: GitHub didn't allow me to assign the following users: shaoting-huang.

Note that only milvus-io members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @shaoting-huang
/unassign

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@yanliang567 yanliang567 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 10, 2024
@binbinlv

/assign @weiliu1031

sre-ci-robot pushed a commit that referenced this issue Dec 11, 2024
issue: #38325
the old impl only checks grants in the default db before dropping a role, which
may cause the role to be dropped while grants still exist.

Signed-off-by: Wei Liu <[email protected]>
weiliu1031 added a commit to weiliu1031/milvus that referenced this issue Dec 11, 2024
issue: milvus-io#38325
the old impl only checks grants in the default db before dropping a role, which
may cause the role to be dropped while grants still exist.

Signed-off-by: Wei Liu <[email protected]>
sre-ci-robot pushed a commit that referenced this issue Dec 11, 2024
issue: #38325
pr: #38342
the old impl only checks grants in the default db before dropping a role, which
may cause the role to be dropped while grants still exist.

Signed-off-by: Wei Liu <[email protected]>
@binbinlv

working on verification.

@binbinlv

binbinlv commented Dec 12, 2024

verified and fixed.

milvus:master-20241211-a118ca14-amd64
pymilvus: 2.6.0rc12

results:

>>> db.create_database("db1")
>>> db.using_database("db1")
>>> role = Role("binbin")
>>> role.create()
>>> role.grant("Collection", "collection1", "Insert")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Collection>, <object_name:collection1>, <db_name:db1>, <role_name:binbin>, <grantor_name:root>, <privilege:Insert>
>>> db.using_database("default")
>>> role.list_grants()
GrantInfo groups:
>>> role.drop()
2024-12-12 11:24:15,809 [ERROR][handler]: RPC error: [drop_role], <MilvusException: (code=65535, message=fail to drop the role that it has privileges. Use REVOKE API to revoke privileges)>, <Time:{'RPC start': '2024-12-12 11:24:15.741652', 'RPC error': '2024-12-12 11:24:15.809774'}> (decorators.py:140)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/orm/role.py", line 67, in drop
    return self._get_connection().drop_role(self._name)
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/decorators.py", line 141, in handler
    raise e from e
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/decorators.py", line 137, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/decorators.py", line 176, in handler
    return func(self, *args, **kwargs)
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/decorators.py", line 116, in handler
    raise e from e
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/decorators.py", line 86, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/client/grpc_handler.py", line 1825, in drop_role
    check_status(resp)
  File "/Users/binbin/milvus_rbac/lib/python3.8/site-packages/pymilvus/client/utils.py", line 63, in check_status
    raise MilvusException(status.code, status.reason, status.error_code)
pymilvus.exceptions.MilvusException: <MilvusException: (code=65535, message=fail to drop the role that it has privileges. Use REVOKE API to revoke privileges)>
>>> db.using_database("db1")
>>> role = Role("binbin")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Collection>, <object_name:collection1>, <db_name:db1>, <role_name:binbin>, <grantor_name:root>, <privilege:Insert>
>>> role.revoke_v2("Insert", "collection1", "db1")
>>> role.list_grants()
GrantInfo groups:
>>>
>>> db.using_database("default")
>>> role = Role("binbin")
>>> role.drop()
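
The check described in the commit messages above, modelled as an added example (not Milvus or pymilvus code, and not part of the issue thread): a constructed in-memory grant table with the default-database-only drop check beside one that consults every database. All class and function names here are hypothetical.

```python
DEFAULT_DB = "default"

class RoleHasGrants(Exception):
    """The role still holds privileges and must not be dropped."""

class RBACStore:
    """Constructed in-memory model; not Milvus's real storage layout."""
    def __init__(self):
        self.roles = set()
        self.grants = {}  # (role, db_name) -> {(object, object_name, privilege)}

    def grant(self, role, db_name, *item):
        self.grants.setdefault((role, db_name), set()).add(item)

    def revoke(self, role, db_name, *item):
        self.grants.get((role, db_name), set()).discard(item)

    def drop_role_default_db_only(self, role):
        # Pre-fix check as the commit message describes it: only the
        # default database is consulted before the role is removed.
        if self.grants.get((role, DEFAULT_DB)):
            raise RoleHasGrants(role)
        self.roles.discard(role)

    def drop_role_all_dbs(self, role):
        # Fixed check: a grant in any database blocks the drop.
        holding = sorted(db for (r, db), g in self.grants.items() if r == role and g)
        if holding:
            raise RoleHasGrants(f"{role} still has privileges in {holding}")
        self.roles.discard(role)

    def orphaned_grants(self):
        # Grants whose role no longer exists: what the pre-fix check leaves behind.
        return sorted(k for k, g in self.grants.items() if g and k[0] not in self.roles)

def replay_issue(drop_name, revoke_first=False):
    """Replay the issue's steps; return (drop_blocked, orphaned_grants)."""
    store = RBACStore()
    store.roles.add("binbin")
    item = ("Collection", "collection1", "Insert")
    store.grant("binbin", "db1", *item)
    if revoke_first:
        store.revoke("binbin", "db1", *item)
    try:
        getattr(store, drop_name)("binbin")
        return False, store.orphaned_grants()
    except RoleHasGrants:
        return True, store.orphaned_grants()
```

In this model the default-only check lets the drop through and leaves the `db1` grant pointing at a role that no longer exists; the all-databases check blocks the drop until the grant is revoked, matching the verification transcript.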
