[Bug]: CreatePrivilegeGroup permission denied after revoking the privilege but there is still ClusterAdmin granted #38557

Closed
1 task done
shaoting-huang opened this issue Dec 18, 2024 · 4 comments
Labels: kind/bug, triage/accepted

Comments

@shaoting-huang
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Environment

- Milvus version:master
- Deployment mode(standalone or cluster):
- MQ type(rocksmq, pulsar or kafka):    
- SDK version(e.g. pymilvus v2.0.0rc2):
- OS(Ubuntu or CentOS): 
- CPU/Memory: 
- GPU: 
- Others:

Current Behavior

  1. grant CreatePrivilegeGroup and ClusterAdmin to the role at the same time
  2. revoke CreatePrivilegeGroup from the role
  3. try to operate CreatePrivilegeGroup

Expected Behavior

should have permission since there is still ClusterAdmin granted.

Steps To Reproduce

>>> role.grant_v2("CreatePrivilegeGroup", "*", db_name="*")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:*>, <db_name:*>, <role_name:role>, <grantor_name:root>, <privilege:CreatePrivilegeGroup>
- GrantItem: <object:Global>, <object_name:*>, <db_name:*>, <role_name:role>, <grantor_name:root>, <privilege:ClusterAdmin>
>>> connections.disconnect('default')
>>> connections.connect(host="localhost", user="user1", password="Milvus")
>>> role.create_privilege_group("pg")
>>> connections.connect(host="localhost", user="root", password="Milvus")
>>> client = MilvusClient(uri="http://localhost:19530", user="root", password="Milvus")
>>> role.revoke_v2("CreatePrivilegeGroup", "*", db_name="*")
>>> connections.disconnect('default')
>>> connections.connect(host="localhost", user="user1", password="Milvus")
>>> role.create_privilege_group("pg2")

Milvus Log

grpc RpcError: [create_privilege_group], <_InactiveRpcError: StatusCode.PERMISSION_DENIED, PrivilegeCreatePrivilegeGroup: permission deny to user1 in the default database>, <Time:{'RPC start': '2024-12-18 16:29:35.182185', 'gRPC error': '2024-12-18 16:29:35.183008'}>

Anything else?

No response
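The semantics the report expects, as an added example: a constructed model, not Milvus code and not a statement of the actual root cause. It contrasts a role store that flattens privilege groups at grant time, which reproduces the reported denial, with one that resolves groups at check time. The class names and the group membership shown are assumptions.

```python
# Constructed model of role grants with privilege groups; not Milvus code.
# Assumption: the built-in group ClusterAdmin contains these privileges.
GROUPS = {"ClusterAdmin": {"CreatePrivilegeGroup", "DropPrivilegeGroup"}}


class FlattenedRole:
    """Expands groups into one flat set at grant time (provenance is lost)."""
    def __init__(self):
        self.effective = set()

    def grant(self, name):
        self.effective |= GROUPS.get(name, {name})

    def revoke(self, name):
        # Removes the privilege even if a still-granted group also implies it.
        self.effective -= GROUPS.get(name, {name})

    def allowed(self, privilege):
        return privilege in self.effective


class ResolvedRole:
    """Stores grants as issued and resolves group membership at check time."""
    def __init__(self):
        self.grants = set()

    def grant(self, name):
        self.grants.add(name)

    def revoke(self, name):
        self.grants.discard(name)

    def allowed(self, privilege):
        return any(privilege == g or privilege in GROUPS.get(g, ())
                   for g in self.grants)


def issue_scenario(role):
    """Replays the three steps from the report; returns (before, after)."""
    role.grant("CreatePrivilegeGroup")
    role.grant("ClusterAdmin")
    before = role.allowed("CreatePrivilegeGroup")
    role.revoke("CreatePrivilegeGroup")
    return before, role.allowed("CreatePrivilegeGroup")


if __name__ == "__main__":
    print("flattened:", issue_scenario(FlattenedRole()))
    print("resolved: ", issue_scenario(ResolvedRole()))
```

The same three-step sequence is a useful regression case for any RBAC layer that supports both individual privileges and groups: the check after the revoke must still pass, and must fail only once the group itself is revoked.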

@yanliang567
Contributor

/assign @shaoting-huang
/unassign

@yanliang567 yanliang567 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 18, 2024
@yanliang567 yanliang567 added this to the 2.4.18 milestone Dec 18, 2024
sre-ci-robot pushed a commit that referenced this issue Dec 18, 2024
sre-ci-robot pushed a commit that referenced this issue Dec 18, 2024
…ilege groups granted (#38559)

cherry-pick from master: #38558
related: #38557

Signed-off-by: shaoting-huang <[email protected]>
@binbinlv
Contributor

binbinlv commented Dec 18, 2024

Verified and fixed in 2.4 branch:
milvus: 2.4-20241218-d84e4f6e-amd64

results:

>>> role.revoke_v2("CreatePrivilegeGroup", "*", db_name="*")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:*>, <db_name:*>, <role_name:role1>, <grantor_name:root>, <privilege:ClusterAdmin>
>>>
>>>
>>> connections.disconnect('default')
>>> connections.connect(host="10.101.85.251", user="user1", password="Milvus")
>>>
>>> role.create_privilege_group("pg2")
>>>
>>>

@binbinlv
Contributor

Verifying in master branch.

@binbinlv
Contributor

Verified and fixed in master branch:
milvus: master-20241218-de885893-amd64

results:

>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:*>, <db_name:*>, <role_name:role_1>, <grantor_name:root>, <privilege:CreatePrivilegeGroup>
- GrantItem: <object:Global>, <object_name:*>, <db_name:*>, <role_name:role_1>, <grantor_name:root>, <privilege:ClusterAdmin>
>>>
>>>
>>> connections.disconnect('default')
>>> connections.connect(host="***", user="user1", password="Milvus")
>>>
>>>
>>> role.create_privilege_group("pg")
>>> connections.connect(host="***", user="root", password="Milvus")
>>> role.revoke_v2("CreatePrivilegeGroup", "*", db_name="*")
>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:*>, <db_name:*>, <role_name:role_1>, <grantor_name:root>, <privilege:ClusterAdmin>
>>>
>>>
>>> connections.disconnect('default')
>>> connections.connect(host="***", user="user1", password="Milvus")
>>>
>>>
>>> role.create_privilege_group("pg2")
>>> role.drop_privilege_group("pg2")
>>>
