enhance: Enable ReadOnly/ReadWrite/Admin Privilege Group to simplify RBAC grant progress (#35472) (#35543)

issue: #35471 pr: #35472 #35515 --------- --------- Signed-off-by: Wei Liu <wei.liu@zilliz.com>
2024-12-02 11:59:00 +08:00 · 2024-08-19 16:24:54 +08:00 · 2024-08-19 16:24:54 +08:00 · 14ec3dc357
commit 14ec3dc357
parent 4a5e6bc6f6
9 changed files with 309 additions and 9 deletions
--- a/go.mod
+++ b/go.mod
@ -26,7 +26,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 	github.com/klauspost/compress v1.17.7
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
-	github.com/milvus-io/milvus-proto/go-api/v2 v2.4.9-0.20240816062459-7b3eea802adb
+	github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a
 	github.com/minio/minio-go/v7 v7.0.61
 	github.com/pingcap/log v1.1.1-0.20221015072633-39906604fb81
 	github.com/prometheus/client_golang v1.14.0
--- a/go.sum
+++ b/go.sum
@ -606,8 +606,8 @@ github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119 h1:9VXijWu
 github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119/go.mod h1:DvXTE/K/RtHehxU8/GtDs4vFtfw64jJ3PaCnFri8CRg=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b h1:TfeY0NxYxZzUfIfYe5qYDBzt4ZYRqzUjTR6CvUzjat8=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b/go.mod h1:iwW+9cWfIzzDseEBCCeDSN5SD16Tidvy8cwQ7ZY8Qj4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.9-0.20240816062459-7b3eea802adb h1:DA2PyjTVCA7c23x0UBqzL2+lBrLVH6zP2VPR8yDagr4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.9-0.20240816062459-7b3eea802adb/go.mod h1:1OIl0v5PQeNxIJhCvY+K55CBUOYDZevw9g9380u1Wek=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a h1:0B/8Fo66D8Aa23Il0yrQvg1KKz92tE/BJ5BvkUxxAAk=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a/go.mod h1:1OIl0v5PQeNxIJhCvY+K55CBUOYDZevw9g9380u1Wek=
 github.com/milvus-io/milvus-storage/go v0.0.0-20231227072638-ebd0b8e56d70 h1:Z+sp64fmAOxAG7mU0dfVOXvAXlwRB0c8a96rIM5HevI=
 github.com/milvus-io/milvus-storage/go v0.0.0-20231227072638-ebd0b8e56d70/go.mod h1:GPETMcTZq1gLY1WA6Na5kiNAKnq8SEMMiVKUZrM3sho=
 github.com/milvus-io/pulsar-client-go v0.6.10 h1:eqpJjU+/QX0iIhEo3nhOqMNXL+TyInAs1IAHZCrCM/A=
--- a/internal/proxy/privilege_interceptor.go
+++ b/internal/proxy/privilege_interceptor.go
@ -9,6 +9,7 @@ import (

 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
+	"github.com/samber/lo"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@ -20,6 +21,7 @@ import (
 	"github.com/milvus-io/milvus/pkg/util"
 	"github.com/milvus-io/milvus/pkg/util/contextutil"
 	"github.com/milvus-io/milvus/pkg/util/funcutil"
+	"github.com/milvus-io/milvus/pkg/util/paramtable"
 )

 type PrivilegeFunc func(ctx context.Context, req interface{}) (context.Context, error)
@ -39,17 +41,42 @@ p = sub, obj, act
 e = some(where (p.eft == allow))

 [matchers]
-m = r.sub == p.sub && globMatch(r.obj, p.obj) && globMatch(r.act, p.act) || r.sub == "admin" || (r.sub == p.sub && dbMatch(r.obj, p.obj) && p.act == "PrivilegeAll")
+m = r.sub == p.sub && globMatch(r.obj, p.obj) && globMatch(r.act, p.act) || r.sub == "admin" || (r.sub == p.sub && dbMatch(r.obj, p.obj) && privilegeGroupContains(r.act, p.act))
 `
 )

 var templateModel = getPolicyModel(ModelStr)

 var (
-	enforcer *casbin.SyncedEnforcer
-	initOnce sync.Once
+	enforcer                *casbin.SyncedEnforcer
+	initOnce                sync.Once
+	initPrivilegeGroupsOnce sync.Once
 )

+var roPrivileges, rwPrivileges, adminPrivileges map[string]struct{}
+
+func initPrivilegeGroups() {
+	initPrivilegeGroupsOnce.Do(func() {
+		roGroup := paramtable.Get().CommonCfg.ReadOnlyPrivileges.GetAsStrings()
+		if len(roGroup) == 0 {
+			roGroup = util.ReadOnlyPrivilegeGroup
+		}
+		roPrivileges = lo.SliceToMap(roGroup, func(item string) (string, struct{}) { return item, struct{}{} })
+
+		rwGroup := paramtable.Get().CommonCfg.ReadWritePrivileges.GetAsStrings()
+		if len(rwGroup) == 0 {
+			rwGroup = util.ReadWritePrivilegeGroup
+		}
+		rwPrivileges = lo.SliceToMap(rwGroup, func(item string) (string, struct{}) { return item, struct{}{} })
+
+		adminGroup := paramtable.Get().CommonCfg.AdminPrivileges.GetAsStrings()
+		if len(adminGroup) == 0 {
+			adminGroup = util.AdminPrivilegeGroup
+		}
+		adminPrivileges = lo.SliceToMap(adminGroup, func(item string) (string, struct{}) { return item, struct{}{} })
+	})
+}
+
 func getEnforcer() *casbin.SyncedEnforcer {
 	initOnce.Do(func() {
 		e, err := casbin.NewSyncedEnforcer()
@ -60,6 +87,7 @@ func getEnforcer() *casbin.SyncedEnforcer {
 		adapter := NewMetaCacheCasbinAdapter(func() Cache { return globalMetaCache })
 		e.InitWithModelAndAdapter(casbinModel, adapter)
 		e.AddFunction("dbMatch", DBMatchFunc)
+		e.AddFunction("privilegeGroupContains", PrivilegeGroupContains)
 		enforcer = e
 	})
 	return enforcer
@ -75,6 +103,7 @@ func getPolicyModel(modelString string) model.Model {

 // UnaryServerInterceptor returns a new unary server interceptors that performs per-request privilege access.
 func UnaryServerInterceptor(privilegeFunc PrivilegeFunc) grpc.UnaryServerInterceptor {
+	initPrivilegeGroups()
 	return func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 		newCtx, err := privilegeFunc(ctx, req)
 		if err != nil {
@ -218,3 +247,24 @@ func DBMatchFunc(args ...interface{}) (interface{}, error) {

 	return db1 == db2, nil
 }
+
+func PrivilegeGroupContains(args ...interface{}) (interface{}, error) {
+	requestPrivilege := args[0].(string)
+	policyPrivilege := args[1].(string)
+
+	switch policyPrivilege {
+	case commonpb.ObjectPrivilege_PrivilegeAll.String():
+		return true, nil
+	case commonpb.ObjectPrivilege_PrivilegeGroupReadOnly.String():
+		_, ok := roPrivileges[requestPrivilege]
+		return ok, nil
+	case commonpb.ObjectPrivilege_PrivilegeGroupReadWrite.String():
+		_, ok := rwPrivileges[requestPrivilege]
+		return ok, nil
+	case commonpb.ObjectPrivilege_PrivilegeGroupAdmin.String():
+		_, ok := adminPrivileges[requestPrivilege]
+		return ok, nil
+	default:
+		return false, nil
+	}
+}
--- a/internal/proxy/privilege_interceptor_test.go
+++ b/internal/proxy/privilege_interceptor_test.go
@ -231,3 +231,118 @@ func TestResourceGroupPrivilege(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestPrivilegeGroup(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("Read Only", func(t *testing.T) {
+		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")
+
+		var err error
+		ctx = GetContext(context.Background(), "fooo:123456")
+		client := &MockRootCoordClientInterface{}
+		queryCoord := &mocks.MockQueryCoordClient{}
+		mgr := newShardClientMgr()
+
+		client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
+			return &internalpb.ListPolicyResponse{
+				Status: merr.Success(),
+				PolicyInfos: []string{
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeGroupReadOnly.String(), "default"),
+				},
+				UserRoles: []string{
+					funcutil.EncodeUserRoleCache("fooo", "role1"),
+				},
+			}, nil
+		}
+		InitMetaCache(ctx, client, queryCoord, mgr)
+		defer CleanPrivilegeCache()
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.QueryRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.SearchRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.InsertRequest{})
+		assert.Error(t, err)
+	})
+
+	t.Run("Read Write", func(t *testing.T) {
+		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")
+
+		var err error
+		ctx = GetContext(context.Background(), "fooo:123456")
+		client := &MockRootCoordClientInterface{}
+		queryCoord := &mocks.MockQueryCoordClient{}
+		mgr := newShardClientMgr()
+
+		client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
+			return &internalpb.ListPolicyResponse{
+				Status: merr.Success(),
+				PolicyInfos: []string{
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeGroupReadWrite.String(), "default"),
+				},
+				UserRoles: []string{
+					funcutil.EncodeUserRoleCache("fooo", "role1"),
+				},
+			}, nil
+		}
+		InitMetaCache(ctx, client, queryCoord, mgr)
+		defer CleanPrivilegeCache()
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.QueryRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.SearchRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.InsertRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DeleteRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{})
+		assert.Error(t, err)
+	})
+
+	t.Run("Admin", func(t *testing.T) {
+		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")
+
+		var err error
+		ctx = GetContext(context.Background(), "fooo:123456")
+		client := &MockRootCoordClientInterface{}
+		queryCoord := &mocks.MockQueryCoordClient{}
+		mgr := newShardClientMgr()
+
+		client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
+			return &internalpb.ListPolicyResponse{
+				Status: merr.Success(),
+				PolicyInfos: []string{
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeGroupAdmin.String(), "default"),
+				},
+				UserRoles: []string{
+					funcutil.EncodeUserRoleCache("fooo", "role1"),
+				},
+			}, nil
+		}
+		InitMetaCache(ctx, client, queryCoord, mgr)
+		defer CleanPrivilegeCache()
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.QueryRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.SearchRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.InsertRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DeleteRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{})
+		assert.NoError(t, err)
+	})
+}
--- a/pkg/go.mod
+++ b/pkg/go.mod
@ -13,7 +13,7 @@ require (
 	github.com/golang/protobuf v1.5.4
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 	github.com/klauspost/compress v1.17.7
-	github.com/milvus-io/milvus-proto/go-api/v2 v2.4.9-0.20240816062459-7b3eea802adb
+	github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a
 	github.com/nats-io/nats-server/v2 v2.10.12
 	github.com/nats-io/nats.go v1.34.1
 	github.com/panjf2000/ants/v2 v2.7.2
--- a/pkg/go.sum
+++ b/pkg/go.sum
@ -503,8 +503,8 @@ github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119 h1:9VXijWu
 github.com/milvus-io/cgosymbolizer v0.0.0-20240722103217-b7dee0e50119/go.mod h1:DvXTE/K/RtHehxU8/GtDs4vFtfw64jJ3PaCnFri8CRg=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b h1:TfeY0NxYxZzUfIfYe5qYDBzt4ZYRqzUjTR6CvUzjat8=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b/go.mod h1:iwW+9cWfIzzDseEBCCeDSN5SD16Tidvy8cwQ7ZY8Qj4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.9-0.20240816062459-7b3eea802adb h1:DA2PyjTVCA7c23x0UBqzL2+lBrLVH6zP2VPR8yDagr4=
-github.com/milvus-io/milvus-proto/go-api/v2 v2.4.9-0.20240816062459-7b3eea802adb/go.mod h1:1OIl0v5PQeNxIJhCvY+K55CBUOYDZevw9g9380u1Wek=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a h1:0B/8Fo66D8Aa23Il0yrQvg1KKz92tE/BJ5BvkUxxAAk=
+github.com/milvus-io/milvus-proto/go-api/v2 v2.4.10-0.20240819025435-512e3b98866a/go.mod h1:1OIl0v5PQeNxIJhCvY+K55CBUOYDZevw9g9380u1Wek=
 github.com/milvus-io/pulsar-client-go v0.6.10 h1:eqpJjU+/QX0iIhEo3nhOqMNXL+TyInAs1IAHZCrCM/A=
 github.com/milvus-io/pulsar-client-go v0.6.10/go.mod h1:lQqCkgwDF8YFYjKA+zOheTk1tev2B+bKj5j7+nm8M1w=
 github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
--- a/pkg/util/constant.go
+++ b/pkg/util/constant.go
@ -162,6 +162,113 @@ var (
 			commonpb.ObjectPrivilege_PrivilegeGetFlushState.String(),
 		},
 	}
+
+	ReadOnlyPrivilegeGroup = []string{
+		commonpb.ObjectPrivilege_PrivilegeQuery.String(),
+		commonpb.ObjectPrivilege_PrivilegeSearch.String(),
+		commonpb.ObjectPrivilege_PrivilegeIndexDetail.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetFlushState.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetLoadState.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetLoadingProgress.String(),
+		commonpb.ObjectPrivilege_PrivilegeHasPartition.String(),
+		commonpb.ObjectPrivilege_PrivilegeShowPartitions.String(),
+		commonpb.ObjectPrivilege_PrivilegeShowCollections.String(),
+		commonpb.ObjectPrivilege_PrivilegeListAliases.String(),
+		commonpb.ObjectPrivilege_PrivilegeListDatabases.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeDatabase.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeAlias.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetStatistics.String(),
+	}
+	ReadWritePrivilegeGroup = []string{
+		commonpb.ObjectPrivilege_PrivilegeQuery.String(),
+		commonpb.ObjectPrivilege_PrivilegeSearch.String(),
+		commonpb.ObjectPrivilege_PrivilegeIndexDetail.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetFlushState.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetLoadState.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetLoadingProgress.String(),
+		commonpb.ObjectPrivilege_PrivilegeHasPartition.String(),
+		commonpb.ObjectPrivilege_PrivilegeShowPartitions.String(),
+		commonpb.ObjectPrivilege_PrivilegeShowCollections.String(),
+		commonpb.ObjectPrivilege_PrivilegeListAliases.String(),
+		commonpb.ObjectPrivilege_PrivilegeListDatabases.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeDatabase.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeAlias.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetStatistics.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateIndex.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropIndex.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreatePartition.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropPartition.String(),
+		commonpb.ObjectPrivilege_PrivilegeLoad.String(),
+		commonpb.ObjectPrivilege_PrivilegeRelease.String(),
+		commonpb.ObjectPrivilege_PrivilegeInsert.String(),
+		commonpb.ObjectPrivilege_PrivilegeDelete.String(),
+		commonpb.ObjectPrivilege_PrivilegeUpsert.String(),
+		commonpb.ObjectPrivilege_PrivilegeImport.String(),
+		commonpb.ObjectPrivilege_PrivilegeFlush.String(),
+		commonpb.ObjectPrivilege_PrivilegeCompaction.String(),
+		commonpb.ObjectPrivilege_PrivilegeLoadBalance.String(),
+		commonpb.ObjectPrivilege_PrivilegeRenameCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateAlias.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropAlias.String(),
+	}
+	AdminPrivilegeGroup = []string{
+		commonpb.ObjectPrivilege_PrivilegeQuery.String(),
+		commonpb.ObjectPrivilege_PrivilegeSearch.String(),
+		commonpb.ObjectPrivilege_PrivilegeIndexDetail.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetFlushState.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetLoadState.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetLoadingProgress.String(),
+		commonpb.ObjectPrivilege_PrivilegeHasPartition.String(),
+		commonpb.ObjectPrivilege_PrivilegeShowPartitions.String(),
+		commonpb.ObjectPrivilege_PrivilegeShowCollections.String(),
+		commonpb.ObjectPrivilege_PrivilegeListAliases.String(),
+		commonpb.ObjectPrivilege_PrivilegeListDatabases.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeDatabase.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeAlias.String(),
+		commonpb.ObjectPrivilege_PrivilegeGetStatistics.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateIndex.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropIndex.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreatePartition.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropPartition.String(),
+		commonpb.ObjectPrivilege_PrivilegeLoad.String(),
+		commonpb.ObjectPrivilege_PrivilegeRelease.String(),
+		commonpb.ObjectPrivilege_PrivilegeInsert.String(),
+		commonpb.ObjectPrivilege_PrivilegeDelete.String(),
+		commonpb.ObjectPrivilege_PrivilegeUpsert.String(),
+		commonpb.ObjectPrivilege_PrivilegeImport.String(),
+		commonpb.ObjectPrivilege_PrivilegeFlush.String(),
+		commonpb.ObjectPrivilege_PrivilegeCompaction.String(),
+		commonpb.ObjectPrivilege_PrivilegeLoadBalance.String(),
+		commonpb.ObjectPrivilege_PrivilegeRenameCollection.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateAlias.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropAlias.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateOwnership.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropOwnership.String(),
+		commonpb.ObjectPrivilege_PrivilegeSelectOwnership.String(),
+		commonpb.ObjectPrivilege_PrivilegeManageOwnership.String(),
+		commonpb.ObjectPrivilege_PrivilegeSelectUser.String(),
+		commonpb.ObjectPrivilege_PrivilegeUpdateUser.String(),
+		commonpb.ObjectPrivilege_PrivilegeBackupRBAC.String(),
+		commonpb.ObjectPrivilege_PrivilegeRestoreRBAC.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateResourceGroup.String(),
+		commonpb.ObjectPrivilege_PrivilegeUpdateResourceGroups.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String(),
+		commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String(),
+		commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String(),
+		commonpb.ObjectPrivilege_PrivilegeTransferReplica.String(),
+		commonpb.ObjectPrivilege_PrivilegeTransferNode.String(),
+		commonpb.ObjectPrivilege_PrivilegeCreateDatabase.String(),
+		commonpb.ObjectPrivilege_PrivilegeDropDatabase.String(),
+		commonpb.ObjectPrivilege_PrivilegeAlterDatabase.String(),
+		commonpb.ObjectPrivilege_PrivilegeFlush.String(),
+	}
 )

 // StringSet convert array to map for conveniently check if the array contains an element
--- a/pkg/util/paramtable/component_param.go
+++ b/pkg/util/paramtable/component_param.go
@ -259,6 +259,9 @@ type commonConfig struct {
 	OverloadedMemoryThresholdPercentage ParamItem `refreshable:"false"`
 	MaximumGOGCConfig                   ParamItem `refreshable:"false"`
 	MinimumGOGCConfig                   ParamItem `refreshable:"false"`
+	ReadOnlyPrivileges                  ParamItem `refreshable:"false"`
+	ReadWritePrivileges                 ParamItem `refreshable:"false"`
+	AdminPrivileges                     ParamItem `refreshable:"false"`
 }

 func (p *commonConfig) init(base *BaseTable) {
@ -883,6 +886,27 @@ This helps Milvus-CDC synchronize incremental data`,
 		DefaultValue: "30",
 	}
 	p.MinimumGOGCConfig.Init(base.mgr)
+
+	p.ReadOnlyPrivileges = ParamItem{
+		Key:     "common.security.readonly.privileges",
+		Version: "2.4.7",
+		Doc:     `use to override the default value of read-only privileges,  example: "PrivilegeQuery,PrivilegeSearch"`,
+	}
+	p.ReadOnlyPrivileges.Init(base.mgr)
+
+	p.ReadWritePrivileges = ParamItem{
+		Key:     "common.security.readwrite.privileges",
+		Version: "2.4.7",
+		Doc:     `use to override the default value of read-write privileges,  example: "PrivilegeCreateCollection,PrivilegeDropCollection"`,
+	}
+	p.ReadWritePrivileges.Init(base.mgr)
+
+	p.AdminPrivileges = ParamItem{
+		Key:     "common.security.admin.privileges",
+		Version: "2.4.7",
+		Doc:     `use to override the default value of admin privileges,  example: "PrivilegeCreateOwnership,PrivilegeDropOwnership"`,
+	}
+	p.AdminPrivileges.Init(base.mgr)
 }

 type gpuConfig struct {
--- a/pkg/util/paramtable/component_param_test.go
+++ b/pkg/util/paramtable/component_param_test.go
@ -125,6 +125,10 @@ func TestComponentParam(t *testing.T) {
 		assert.Equal(t, 100, Params.MaximumGOGCConfig.GetAsInt())
 		params.Save("common.gchelper.minimumGoGC", "80")
 		assert.Equal(t, 80, Params.MinimumGOGCConfig.GetAsInt())
+
+		assert.Equal(t, 0, len(Params.ReadOnlyPrivileges.GetAsStrings()))
+		assert.Equal(t, 0, len(Params.ReadWritePrivileges.GetAsStrings()))
+		assert.Equal(t, 0, len(Params.AdminPrivileges.GetAsStrings()))
 	})

 	t.Run("test rootCoordConfig", func(t *testing.T) {