package proxy
import (
"context"
"sync"
"testing"
"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
"github.com/milvus-io/milvus-proto/go-api/v2/milvuspb"
"github.com/milvus-io/milvus/internal/proto/internalpb"
"github.com/milvus-io/milvus/internal/types"
"github.com/milvus-io/milvus/pkg/util/funcutil"
"github.com/milvus-io/milvus/pkg/util/paramtable"
"github.com/stretchr/testify/assert"
)
// TestUnaryServerInterceptor checks that wrapping PrivilegeInterceptor with
// UnaryServerInterceptor produces a non-nil interceptor.
//
// NOTE(review): only construction is covered here; the test does not invoke
// the returned interceptor, so it does not show that a denial from
// PrivilegeInterceptor is propagated to the caller.
func TestUnaryServerInterceptor(t *testing.T) {
	assert.NotNil(t, UnaryServerInterceptor(PrivilegeInterceptor))
}
// TestPrivilegeInterceptor exercises PrivilegeInterceptor with the
// authorization switch off and on. In the enabled case it installs a mocked
// policy list (role1: Load, Flush, GetLoadState and GetLoadingProgress on
// collection "col1"; role2: PrivilegeAll on Global "*") with user-role
// bindings alice -> role1 and fooo -> role2, then checks which callers are
// accepted or rejected for each request type.
//
// NOTE(review): both subtests write AuthorizationEnabled into the shared
// paramtable and nothing in this function restores it, so tests that run
// later in the package see the last value written ("true").
func TestPrivilegeInterceptor(t *testing.T) {
	const (
		dbName  = "db_test"
		colName = "col1"
	)

	// newLoadReq returns a fresh LoadCollection request for db_test/col1,
	// the request most checks below are made with.
	newLoadReq := func() *milvuspb.LoadCollectionRequest {
		return &milvuspb.LoadCollectionRequest{
			DbName:         dbName,
			CollectionName: colName,
		}
	}

	// anonCtx carries no user information.
	anonCtx := context.Background()

	t.Run("Authorization Disabled", func(t *testing.T) {
		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "false")

		// With the switch off, a request on a bare context is accepted.
		_, err := PrivilegeInterceptor(anonCtx, newLoadReq())
		assert.NoError(t, err)
	})

	t.Run("Authorization Enabled", func(t *testing.T) {
		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")

		// An empty HasCollection request passes even on a bare context.
		// NOTE(review): presumably no privilege is registered for this
		// request type; confirm against PrivilegeInterceptor.
		_, err := PrivilegeInterceptor(anonCtx, &milvuspb.HasCollectionRequest{})
		assert.NoError(t, err)

		// LoadCollection on a bare context must be rejected.
		_, err = PrivilegeInterceptor(anonCtx, newLoadReq())
		assert.Error(t, err)

		aliceCtx := GetContext(context.Background(), "alice:123456")
		rootCoord := &MockRootCoordClientInterface{}
		queryCoord := &types.MockQueryCoord{}
		shardMgr := newShardClientMgr()

		rootCoord.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
			collection := commonpb.ObjectType_Collection.String()
			resp := &internalpb.ListPolicyResponse{
				Status: &commonpb.Status{
					ErrorCode: commonpb.ErrorCode_Success,
				},
				PolicyInfos: []string{
					funcutil.PolicyForPrivilege("role1", collection, "col1", commonpb.ObjectPrivilege_PrivilegeLoad.String()),
					funcutil.PolicyForPrivilege("role1", collection, "col1", commonpb.ObjectPrivilege_PrivilegeFlush.String()),
					funcutil.PolicyForPrivilege("role1", collection, "col1", commonpb.ObjectPrivilege_PrivilegeGetLoadState.String()),
					funcutil.PolicyForPrivilege("role1", collection, "col1", commonpb.ObjectPrivilege_PrivilegeGetLoadingProgress.String()),
					funcutil.PolicyForPrivilege("role2", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeAll.String()),
				},
				UserRoles: []string{
					funcutil.EncodeUserRoleCache("alice", "role1"),
					funcutil.EncodeUserRoleCache("fooo", "role2"),
				},
			}
			return resp, nil
		}

		// Before InitMetaCache has been called with the mock: user "foo" is
		// rejected while "root" is accepted.
		// NOTE(review): the root result suggests a superuser bypass that does
		// not consult the policy list; confirm in PrivilegeInterceptor.
		_, err = PrivilegeInterceptor(GetContext(context.Background(), "foo:123456"), newLoadReq())
		assert.Error(t, err)

		_, err = PrivilegeInterceptor(GetContext(context.Background(), "root:123456"), newLoadReq())
		assert.NoError(t, err)

		err = InitMetaCache(aliceCtx, rootCoord, queryCoord, shardMgr)
		assert.NoError(t, err)

		// alice is bound to role1, so every request type covered by a role1
		// policy on col1 must be accepted.
		_, err = PrivilegeInterceptor(aliceCtx, &milvuspb.HasCollectionRequest{
			DbName:         dbName,
			CollectionName: colName,
		})
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(aliceCtx, newLoadReq())
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(aliceCtx, &milvuspb.GetLoadingProgressRequest{
			CollectionName: colName,
		})
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(aliceCtx, &milvuspb.GetLoadStateRequest{
			CollectionName: colName,
		})
		assert.NoError(t, err)

		// "foo" has no entry in UserRoles and must be denied.
		fooCtx := GetContext(context.Background(), "foo:123456")
		_, err = PrivilegeInterceptor(fooCtx, newLoadReq())
		assert.Error(t, err)

		// role1 has no Insert or Upsert policy, so alice is denied both.
		_, err = PrivilegeInterceptor(aliceCtx, &milvuspb.InsertRequest{
			DbName:         dbName,
			CollectionName: colName,
		})
		assert.Error(t, err)

		_, err = PrivilegeInterceptor(aliceCtx, &milvuspb.UpsertRequest{
			DbName:         dbName,
			CollectionName: colName,
		})
		assert.Error(t, err)

		_, err = PrivilegeInterceptor(fooCtx, &milvuspb.GetLoadingProgressRequest{
			CollectionName: colName,
		})
		assert.Error(t, err)

		_, err = PrivilegeInterceptor(fooCtx, &milvuspb.GetLoadStateRequest{
			CollectionName: colName,
		})
		assert.Error(t, err)

		_, err = PrivilegeInterceptor(aliceCtx, &milvuspb.FlushRequest{
			DbName:          dbName,
			CollectionNames: []string{"col1"},
		})
		assert.NoError(t, err)

		// "fooo" is bound to role2, which holds PrivilegeAll on Global "*".
		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), newLoadReq())
		assert.NoError(t, err)

		// Run the check from several goroutines at once. Only the absence of
		// a panic is asserted; the authorization result is discarded.
		const workers = 20
		var wg sync.WaitGroup
		for i := 0; i < workers; i++ {
			wg.Add(1)
			go func() {
				defer wg.Done()
				assert.NotPanics(t, func() {
					PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), newLoadReq())
				})
			}()
		}
		wg.Wait()

		// getPolicyModel is expected to panic for the argument "foo".
		// NOTE(review): the reason is not visible in this file; confirm
		// against getPolicyModel.
		assert.Panics(t, func() {
			getPolicyModel("foo")
		})
	})
}
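// TestResourceGroupPrivilege checks the resource-group RPCs with
// authorization enabled: a ListResourceGroups request on a bare
// context.Background() must be rejected, and once the mocked policy list
// grants role1 every resource-group privilege on Global "*" and binds user
// "fooo" to role1, each resource-group request made as "fooo" must be
// accepted.
//
// NOTE(review): AuthorizationEnabled is written to the shared paramtable and
// not restored in this function.
func TestResourceGroupPrivilege(t *testing.T) {
	ctx := context.Background()

	t.Run("Resource Group Privilege", func(t *testing.T) {
		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")

		// No user information on the context: the request must be denied.
		_, err := PrivilegeInterceptor(ctx, &milvuspb.ListResourceGroupsRequest{})
		assert.Error(t, err)

		ctx = GetContext(context.Background(), "fooo:123456")
		client := &MockRootCoordClientInterface{}
		queryCoord := &types.MockQueryCoord{}
		mgr := newShardClientMgr()

		client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
			return &internalpb.ListPolicyResponse{
				Status: &commonpb.Status{
					ErrorCode: commonpb.ErrorCode_Success,
				},
				PolicyInfos: []string{
					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeCreateResourceGroup.String()),
					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeTransferNode.String()),
					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeTransferReplica.String()),
				},
				UserRoles: []string{
					funcutil.EncodeUserRoleCache("fooo", "role1"),
				},
			}, nil
		}

		// The result of InitMetaCache was previously discarded. Check it, as
		// TestPrivilegeInterceptor does: if the mocked policies failed to
		// load, the allow assertions below would not be testing this policy
		// set.
		err = InitMetaCache(ctx, client, queryCoord, mgr)
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{
			ResourceGroup: "rg",
		})
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DropResourceGroupRequest{
			ResourceGroup: "rg",
		})
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DescribeResourceGroupRequest{
			ResourceGroup: "rg",
		})
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.ListResourceGroupsRequest{})
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferNodeRequest{})
		assert.NoError(t, err)

		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferReplicaRequest{})
		assert.NoError(t, err)
	})
}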