support rg api rbac (#22097)

Signed-off-by: Wei Liu <wei.liu@zilliz.com>

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/klauspost/compress v1.14.4
 	github.com/lingdor/stackerror v0.0.0-20191119040541-976d8885ed76
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
-	github.com/milvus-io/milvus-proto/go-api v0.0.0-20230129073344-87a125853a0b
+	github.com/milvus-io/milvus-proto/go-api v0.0.0-20230209081028-aabbca7f95ae
 	github.com/minio/minio-go/v7 v7.0.17
 	github.com/panjf2000/ants/v2 v2.4.8
 	github.com/pkg/errors v0.9.1

go.sum

@@ -491,8 +491,8 @@ github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyex
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b h1:TfeY0NxYxZzUfIfYe5qYDBzt4ZYRqzUjTR6CvUzjat8=
 github.com/milvus-io/gorocksdb v0.0.0-20220624081344-8c5f4212846b/go.mod h1:iwW+9cWfIzzDseEBCCeDSN5SD16Tidvy8cwQ7ZY8Qj4=
-github.com/milvus-io/milvus-proto/go-api v0.0.0-20230129073344-87a125853a0b h1:HoJ3J70COnaR3WQTA4gN70DkiaMRPkyLI6yXrPqpFiU=
+github.com/milvus-io/milvus-proto/go-api v0.0.0-20230209081028-aabbca7f95ae h1:4PPf72uc+pUFIT22yUHKrMMVyiJu8Q5l8FrQ4IkvAAY=
-github.com/milvus-io/milvus-proto/go-api v0.0.0-20230129073344-87a125853a0b/go.mod h1:148qnlmZ0Fdm1Fq+Mj/OW2uDoEP25g3mjh0vMGtkgmk=
+github.com/milvus-io/milvus-proto/go-api v0.0.0-20230209081028-aabbca7f95ae/go.mod h1:148qnlmZ0Fdm1Fq+Mj/OW2uDoEP25g3mjh0vMGtkgmk=
 github.com/milvus-io/pulsar-client-go v0.6.10 h1:eqpJjU+/QX0iIhEo3nhOqMNXL+TyInAs1IAHZCrCM/A=
 github.com/milvus-io/pulsar-client-go v0.6.10/go.mod h1:lQqCkgwDF8YFYjKA+zOheTk1tev2B+bKj5j7+nm8M1w=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 h1:AMFGa4R4MiIpspGNG7Z948v4n35fFGB3RR3G/ry4FWs=

internal/core/src/pb/common.pb.cc

@@ -428,7 +428,7 @@ const char descriptor_table_protodef_common_2eproto[] PROTOBUF_SECTION_VARIABLE(
   "ImportStarted\020\002\022\023\n\017ImportPersisted\020\005\022\021\n\r"
   "ImportFlushed\020\010\022\023\n\017ImportCompleted\020\006\022\032\n\026"
   "ImportFailedAndCleaned\020\007*2\n\nObjectType\022\016"
-  "\n\nCollection\020\000\022\n\n\006Global\020\001\022\010\n\004User\020\002*\233\005\n"
+  "\n\nCollection\020\000\022\n\n\006Global\020\001\022\010\n\004User\020\002*\333\006\n"
   "\017ObjectPrivilege\022\020\n\014PrivilegeAll\020\000\022\035\n\031Pr"
   "ivilegeCreateCollection\020\001\022\033\n\027PrivilegeDr"
   "opCollection\020\002\022\037\n\033PrivilegeDescribeColle"
@@ -445,24 +445,29 @@ const char descriptor_table_protodef_common_2eproto[] PROTOBUF_SECTION_VARIABLE(
   "UpdateUser\020\024\022\032\n\026PrivilegeDropOwnership\020\025"
   "\022\034\n\030PrivilegeSelectOwnership\020\026\022\034\n\030Privil"
   "egeManageOwnership\020\027\022\027\n\023PrivilegeSelectU"
-  "ser\020\030\022\023\n\017PrivilegeUpsert\020\031*S\n\tStateCode\022"
+  "ser\020\030\022\023\n\017PrivilegeUpsert\020\031\022 \n\034PrivilegeC"
-  "\020\n\014Initializing\020\000\022\013\n\007Healthy\020\001\022\014\n\010Abnorm"
+  "reateResourceGroup\020\032\022\036\n\032PrivilegeDropRes"
-  "al\020\002\022\013\n\007StandBy\020\003\022\014\n\010Stopping\020\004*c\n\tLoadS"
+  "ourceGroup\020\033\022\"\n\036PrivilegeDescribeResourc"
-  "tate\022\025\n\021LoadStateNotExist\020\000\022\024\n\020LoadState"
+  "eGroup\020\034\022\037\n\033PrivilegeListResourceGroups\020"
-  "NotLoad\020\001\022\024\n\020LoadStateLoading\020\002\022\023\n\017LoadS"
+  "\035\022\031\n\025PrivilegeTransferNode\020\036\022\034\n\030Privileg"
-  "tateLoaded\020\003:^\n\021privilege_ext_obj\022\037.goog"
+  "eTransferReplica\020\037*S\n\tStateCode\022\020\n\014Initi"
-  "le.protobuf.MessageOptions\030\351\007 \001(\0132!.milv"
+  "alizing\020\000\022\013\n\007Healthy\020\001\022\014\n\010Abnormal\020\002\022\013\n\007"
-  "us.proto.common.PrivilegeExtBf\n\016io.milvu"
+  "StandBy\020\003\022\014\n\010Stopping\020\004*c\n\tLoadState\022\025\n\021"
-  "s.grpcB\013CommonProtoP\001Z1github.com/milvus"
+  "LoadStateNotExist\020\000\022\024\n\020LoadStateNotLoad\020"
-  "-io/milvus-proto/go-api/commonpb\240\001\001\252\002\016IO"
+  "\001\022\024\n\020LoadStateLoading\020\002\022\023\n\017LoadStateLoad"
-  ".Milvus.Grpcb\006proto3"
+  "ed\020\003:^\n\021privilege_ext_obj\022\037.google.proto"
+  "buf.MessageOptions\030\351\007 \001(\0132!.milvus.proto"
+  ".common.PrivilegeExtBf\n\016io.milvus.grpcB\013"
+  "CommonProtoP\001Z1github.com/milvus-io/milv"
+  "us-proto/go-api/commonpb\240\001\001\252\002\016IO.Milvus."
+  "Grpcb\006proto3"
   ;
 static const ::_pbi::DescriptorTable* const descriptor_table_common_2eproto_deps[1] = {
   &::descriptor_table_google_2fprotobuf_2fdescriptor_2eproto,
 };
 static ::_pbi::once_flag descriptor_table_common_2eproto_once;
 const ::_pbi::DescriptorTable descriptor_table_common_2eproto = {
-    false, false, 5860, descriptor_table_protodef_common_2eproto,
+    false, false, 6052, descriptor_table_protodef_common_2eproto,
     "common.proto",
     &descriptor_table_common_2eproto_once, descriptor_table_common_2eproto_deps, 1, 11,
     schemas, file_default_instances, TableStruct_common_2eproto::offsets,
@@ -813,6 +818,12 @@ bool ObjectPrivilege_IsValid(int value) {
     case 23:
     case 24:
     case 25:
+    case 26:
+    case 27:
+    case 28:
+    case 29:
+    case 30:
+    case 31:
       return true;
     default:
       return false;

internal/core/src/pb/common.pb.h

@@ -542,12 +542,18 @@ enum ObjectPrivilege : int {
   PrivilegeManageOwnership = 23,
   PrivilegeSelectUser = 24,
   PrivilegeUpsert = 25,
+  PrivilegeCreateResourceGroup = 26,
+  PrivilegeDropResourceGroup = 27,
+  PrivilegeDescribeResourceGroup = 28,
+  PrivilegeListResourceGroups = 29,
+  PrivilegeTransferNode = 30,
+  PrivilegeTransferReplica = 31,
   ObjectPrivilege_INT_MIN_SENTINEL_DO_NOT_USE_ = std::numeric_limits<int32_t>::min(),
   ObjectPrivilege_INT_MAX_SENTINEL_DO_NOT_USE_ = std::numeric_limits<int32_t>::max()
 };
 bool ObjectPrivilege_IsValid(int value);
 constexpr ObjectPrivilege ObjectPrivilege_MIN = PrivilegeAll;
-constexpr ObjectPrivilege ObjectPrivilege_MAX = PrivilegeUpsert;
+constexpr ObjectPrivilege ObjectPrivilege_MAX = PrivilegeTransferReplica;
 constexpr int ObjectPrivilege_ARRAYSIZE = ObjectPrivilege_MAX + 1;
 
 const ::PROTOBUF_NAMESPACE_ID::EnumDescriptor* ObjectPrivilege_descriptor();

internal/proxy/privilege_interceptor_test.go

@@ -133,3 +133,64 @@ func TestPrivilegeInterceptor(t *testing.T) {
 	})
 
 }
+
+func TestResourceGroupPrivilege(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("Resource Group Privilege", func(t *testing.T) {
+		paramtable.Get().Save(Params.CommonCfg.AuthorizationEnabled.Key, "true")
+
+		_, err := PrivilegeInterceptor(ctx, &milvuspb.ListResourceGroupsRequest{})
+		assert.NotNil(t, err)
+
+		ctx = GetContext(context.Background(), "fooo:123456")
+		client := &MockRootCoordClientInterface{}
+		queryCoord := &MockQueryCoordClientInterface{}
+		mgr := newShardClientMgr()
+
+		client.listPolicy = func(ctx context.Context, in *internalpb.ListPolicyRequest) (*internalpb.ListPolicyResponse, error) {
+			return &internalpb.ListPolicyResponse{
+				Status: &commonpb.Status{
+					ErrorCode: commonpb.ErrorCode_Success,
+				},
+				PolicyInfos: []string{
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeCreateResourceGroup.String()),
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeTransferNode.String()),
+					funcutil.PolicyForPrivilege("role1", commonpb.ObjectType_Global.String(), "*", commonpb.ObjectPrivilege_PrivilegeTransferReplica.String()),
+				},
+				UserRoles: []string{
+					funcutil.EncodeUserRoleCache("fooo", "role1"),
+				},
+			}, nil
+		}
+		InitMetaCache(ctx, client, queryCoord, mgr)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.CreateResourceGroupRequest{
+			ResourceGroup: "rg",
+		})
+		assert.Nil(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DropResourceGroupRequest{
+			ResourceGroup: "rg",
+		})
+		assert.Nil(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.DescribeResourceGroupRequest{
+			ResourceGroup: "rg",
+		})
+		assert.Nil(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.ListResourceGroupsRequest{})
+		assert.Nil(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferNodeRequest{})
+		assert.Nil(t, err)
+
+		_, err = PrivilegeInterceptor(GetContext(context.Background(), "fooo:123456"), &milvuspb.TransferReplicaRequest{})
+		assert.Nil(t, err)
+	})
+
+}

internal/util/constant.go

@@ -93,6 +93,13 @@ var (
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropOwnership.String()),
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectOwnership.String()),
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeManageOwnership.String()),
+
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateResourceGroup.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferReplica.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferNode.String()),
 		},
 		commonpb.ObjectType_User.String(): {
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),