diff --git a/configs/milvus.yaml b/configs/milvus.yaml index c8d17138f5..b4bdca79be 100644 --- a/configs/milvus.yaml +++ b/configs/milvus.yaml @@ -401,7 +401,7 @@ common: authorizationEnabled: false # The superusers will ignore some system check processes, # like the old password verification when updating the credential - superUsers: root + # superUsers: root tlsMode: 0 session: ttl: 20 # ttl value when session granting a lease to register service diff --git a/internal/proxy/impl.go b/internal/proxy/impl.go index f7a6e41594..579e19eafe 100644 --- a/internal/proxy/impl.go +++ b/internal/proxy/impl.go @@ -4000,7 +4000,16 @@ func (node *Proxy) UpdateCredential(ctx context.Context, req *milvuspb.UpdateCre }, nil } - if !passwordVerify(ctx, req.Username, rawOldPassword, globalMetaCache) { + skipPasswordVerify := false + if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" { + for _, s := range Params.CommonCfg.SuperUsers.GetAsStrings() { + if s == currentUser { + skipPasswordVerify = true + } + } + } + + if !skipPasswordVerify && !passwordVerify(ctx, req.Username, rawOldPassword, globalMetaCache) { return &commonpb.Status{ ErrorCode: commonpb.ErrorCode_UpdateCredentialFailure, Reason: "old password is not correct:" + req.Username, diff --git a/internal/proxy/proxy_test.go b/internal/proxy/proxy_test.go index aed18e5f7b..b09dbb0cd0 100644 --- a/internal/proxy/proxy_test.go +++ b/internal/proxy/proxy_test.go @@ -2271,6 +2271,8 @@ func TestProxy(t *testing.T) { assert.NotEqual(t, commonpb.ErrorCode_Success, updateResp.ErrorCode) // super user + paramtable.Get().Save(Params.CommonCfg.SuperUsers.Key, "root") + defer paramtable.Get().Reset(Params.CommonCfg.SuperUsers.Key) updateCredentialReq.OldPassword = crypto.Base64Encode("wrong_password") updateCredentialReq.NewPassword = crypto.Base64Encode(newPassword) updateResp, err = proxy.UpdateCredential(rootCtx, updateCredentialReq) diff --git a/internal/proxy/util.go b/internal/proxy/util.go index f5da04a7c9..f31870ae38 100644 --- a/internal/proxy/util.go +++ b/internal/proxy/util.go @@ -746,15 +746,6 @@ func passwordVerify(ctx context.Context, username, rawPwd string, globalMetaCach return false } - if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" { - log.Debug("simfg password", zap.Strings("super users", Params.CommonCfg.SuperUsers.GetAsStrings())) - for _, s := range Params.CommonCfg.SuperUsers.GetAsStrings() { - if s == currentUser { - return true - } - } - } - // hit cache sha256Pwd := crypto.SHA256(rawPwd, credInfo.Username) if credInfo.Sha256Password != "" { diff --git a/pkg/util/paramtable/component_param.go b/pkg/util/paramtable/component_param.go index fea962fb59..9ac9abd371 100644 --- a/pkg/util/paramtable/component_param.go +++ b/pkg/util/paramtable/component_param.go @@ -587,7 +587,8 @@ Check https://milvus.io/docs/limitations.md for more details.`, Version: "2.2.1", Doc: `The superusers will ignore some system check processes, like the old password verification when updating the credential`, - Export: true, + DefaultValue: "", + Export: true, } p.SuperUsers.Init(base.mgr)