From 16daf9177f4b7e8be5d1c8a10a8ed1c04cbe56b7 Mon Sep 17 00:00:00 2001
From: wei liu
Date: Fri, 13 Sep 2024 10:31:07 +0800
Subject: [PATCH] fix: fix ReadWrite privilege group deny all global API (#36145)
issue: #35471
pr: #36144
Signed-off-by: Wei Liu
---
 internal/proxy/privilege_interceptor.go | 2 +-
 internal/proxy/privilege_interceptor_test.go | 36 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/internal/proxy/privilege_interceptor.go b/internal/proxy/privilege_interceptor.go
index a25aa392f0..fc78fc3538 100644
--- a/internal/proxy/privilege_interceptor.go
+++ b/internal/proxy/privilege_interceptor.go
@@ -252,7 +252,7 @@ func collMatch(requestObj, policyObj string) bool {
 	_, coll1 := funcutil.SplitObjectName(requestObj[strings.Index(requestObj, "-")+1:])
 	_, coll2 := funcutil.SplitObjectName(policyObj[strings.Index(policyObj, "-")+1:])
-	return coll2 == util.AnyWord || coll1 == coll2
+	return coll1 == util.AnyWord || coll2 == util.AnyWord || coll1 == coll2
 }
 func PrivilegeGroupContains(args ...interface{}) (interface{}, error) {
diff --git a/internal/proxy/privilege_interceptor_test.go b/internal/proxy/privilege_interceptor_test.go
index 785fc53191..92621d010e 100644
--- a/internal/proxy/privilege_interceptor_test.go
+++ b/internal/proxy/privilege_interceptor_test.go
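Review bot: The new `coll1 == util.AnyWord` clause makes collMatch succeed against any policy object whenever the request's collection component is the wildcard, so a grant scoped to a single collection now also satisfies every request that reaches the check with `*` as its collection; nothing in this hunk shows how callers guarantee that only collection-less global APIs produce that value in requestObj, and the accompanying test hunk never exercises a request naming a collection outside the grant. A comment above the return would make the intended two-way wildcard explicit, e.g. `// Wildcards match in both directions: a policy on "*" covers every collection, and a request whose object carries util.AnyWord (presumably only global APIs without a collection) is satisfied by any collection-scoped grant.` A unit test pinning collMatch to false for two distinct concrete collection names would guard the deny side against further widening. collMatch's signature appears only in the hunk header, so the function starts outside the hunk.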
@@ -417,6 +417,42 @@ func TestPrivilegeGroup(t *testing.T) {
 		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{})
 		assert.Error(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateAliasRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DropAliasRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DescribeAliasRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateDatabaseRequest{})
+		assert.Error(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DropDatabaseRequest{})
+		assert.Error(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.ListDatabasesRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateCollectionRequest{})
+		assert.Error(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DropCollectionRequest{})
+		assert.Error(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DescribeCollectionRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.ShowCollectionsRequest{})
+		assert.NoError(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.RenameCollectionRequest{
+			OldName: "coll1",
+			NewName: "newName",
+		})
+		assert.NoError(t, err)
 	})
 	t.Run("grant ReadWrite to all collection", func(t *testing.T) {
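Review bot: Every request added here is built with empty fields, so the deny side of the widened collMatch is left uncovered: no case sends a request that names a concrete collection outside the grant and expects it to fail. The grant configured at the top of this t.Run sits above the hunk, so I cannot tell which collection it covers, but one assertion such as `_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DescribeCollectionRequest{CollectionName: "<collection not in the grant>"})` followed by `assert.Error(t, err)` would pin that behaviour next to the positive cases. The enclosing TestPrivilegeGroup and this t.Run closure both start outside the hunk.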