From c0e03b6ca42d69edcaa20911279d60d5d1e6cb08 Mon Sep 17 00:00:00 2001
From: sthuang <167743503+shaoting-huang@users.noreply.github.com>
Date: Wed, 12 Mar 2025 14:16:05 +0800
Subject: [PATCH] fix: rbac star privilege return empty when listing policy (#40553)

related: https://github.com/milvus-io/milvus/issues/40547
Signed-off-by: shaoting-huang
---
 internal/metastore/kv/rootcoord/kv_catalog.go | 9 ++++++++-
 internal/metastore/kv/rootcoord/kv_catalog_test.go | 11 +++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/internal/metastore/kv/rootcoord/kv_catalog.go b/internal/metastore/kv/rootcoord/kv_catalog.go
index 5fa3f4e2ca..8728e5ee53 100644
--- a/internal/metastore/kv/rootcoord/kv_catalog.go
+++ b/internal/metastore/kv/rootcoord/kv_catalog.go
@@ -1396,13 +1396,20 @@ func (kc *Catalog) ListPolicy(ctx context.Context, tenant string) ([]*milvuspb.G
 continue
 }
 dbName, objectName := funcutil.SplitObjectName(grantInfos[2])
+
+ var privilegeName string
+ if granteeIDInfos[0] == util.AnyWord {
+ privilegeName = util.AnyWord
+ } else {
+ privilegeName = util.PrivilegeNameForAPI(granteeIDInfos[0])
+ }
 grants = append(grants, &milvuspb.GrantEntity{
 Role: &milvuspb.RoleEntity{Name: grantInfos[0]},
 Object: &milvuspb.ObjectEntity{Name: grantInfos[1]},
 ObjectName: objectName,
 DbName: dbName,
 Grantor: &milvuspb.GrantorEntity{
- Privilege: &milvuspb.PrivilegeEntity{Name: util.PrivilegeNameForAPI(granteeIDInfos[0])},
+ Privilege: &milvuspb.PrivilegeEntity{Name: privilegeName},
 },
 })
 }
diff --git a/internal/metastore/kv/rootcoord/kv_catalog_test.go b/internal/metastore/kv/rootcoord/kv_catalog_test.go
index af93892210..8ffe8b4dcf 100644
--- a/internal/metastore/kv/rootcoord/kv_catalog_test.go
+++ b/internal/metastore/kv/rootcoord/kv_catalog_test.go
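Review bot: In the kv_catalog.go hunk, the new branch in ListPolicy special-cases only `util.AnyWord`; any other stored key for which `util.PrivilegeNameForAPI` yields an empty string would still be appended as a grant with an empty privilege name, which appears to be the failure the commit title describes for the star privilege. This listing presumably feeds policy enforcement and audit views, where an entry without a privilege name is ambiguous, so consider guarding the result before the append, e.g. `if privilegeName == "" { continue }`, together with a warning log that names the key. A one-line comment above the branch, such as `// wildcard grants are stored as util.AnyWord and have no API-name form; return them unchanged`, would record why the conversion is bypassed. The body of ListPolicy starts and ends outside this hunk, so whether an earlier check already filters such keys cannot be seen here.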
@@ -2586,13 +2586,17 @@ func TestRBAC_Grant(t *testing.T) {
 )

 grant := func(role, obj, objName, privilege, dbName string) *milvuspb.GrantEntity {
+ privilegeName := util.PrivilegeNameForAPI(privilege)
+ if privilege == util.AnyWord {
+ privilegeName = util.AnyWord
+ }
 return &milvuspb.GrantEntity{
 Role: &milvuspb.RoleEntity{Name: role},
 Object: &milvuspb.ObjectEntity{Name: obj},
 ObjectName: objName,
 DbName: dbName,
 Grantor: &milvuspb.GrantorEntity{
- Privilege: &milvuspb.PrivilegeEntity{Name: util.PrivilegeNameForAPI(privilege)},
+ Privilege: &milvuspb.PrivilegeEntity{Name: privilegeName},
 },
 }
 }
@@ -2606,6 +2610,7 @@ func TestRBAC_Grant(t *testing.T) {
 fmt.Sprintf("%s/%s", key, "PrivilegeLoad"),
 fmt.Sprintf("%s/%s", key, "PrivilegeRelease"),
 fmt.Sprintf("%s/%s", key, "random/a/b/c"),
+ fmt.Sprintf("%s/%s", key, util.AnyWord),
 }
 }
 return nil
@@ -2668,12 +2673,14 @@ func TestRBAC_Grant(t *testing.T) {
 policy, err := c.ListPolicy(ctx, tenant)
 if test.isValid {
 assert.NoError(t, err)
- assert.Equal(t, 4, len(policy))
+ assert.Equal(t, 6, len(policy))
 ps := []*milvuspb.GrantEntity{
 grant("role1", "obj1", "obj_name1", "PrivilegeLoad", "default"),
 grant("role1", "obj1", "obj_name1", "PrivilegeRelease", "default"),
+ grant("role1", "obj1", "obj_name1", util.AnyWord, "default"),
 grant("role2", "obj2", "obj_name2", "PrivilegeLoad", "default"),
 grant("role2", "obj2", "obj_name2", "PrivilegeRelease", "default"),
+ grant("role2", "obj2", "obj_name2", util.AnyWord, "default"),
 }
 assert.ElementsMatch(t, ps, policy)
 } else {
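Review bot: The `grant` helper in the first kv_catalog_test.go hunk repeats the `util.AnyWord` branch from ListPolicy, so the expected entities in the last hunk are derived by the same rule as the code under test and would follow a mistake in that rule. Letting the helper take the expected API-facing name directly, or building the two wildcard rows with an explicit `Privilege: &milvuspb.PrivilegeEntity{Name: util.AnyWord}`, keeps the expectation independent of the implementation. In the last hunk `assert.Equal(t, 6, len(policy))` could be `assert.Len(t, policy, 6)`, which prints the slice on failure. TestRBAC_Grant starts and ends outside these hunks.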