[Bug]: [privilege_group] The object name is * rather than the collection names returned by "list_grants()" when granting the role with the built-in privilege group at the collection level #37903

Closed
1 task done
binbinlv opened this issue Nov 21, 2024 · 6 comments
Labels
kind/bug Issues or changes related a bug triage/accepted Indicates an issue or PR is ready to be actively worked on.
@binbinlv
Contributor

binbinlv commented Nov 21, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Environment

- Milvus version: master-20241120-c73ca14a-amd64
- Deployment mode(standalone or cluster):both
- MQ type(rocksmq, pulsar or kafka):    all
- SDK version(e.g. pymilvus v2.0.0rc2): 2.5.0rc126
- OS(Ubuntu or CentOS): 
- CPU/Memory: 
- GPU: 
- Others:

Current Behavior

The object name is * rather than the collection names returned by "list_grants()" when granting the role with the built-in privilege group at the collection level

role.grant(object="Global", object_name="binbin", privilege="CollectionReadOnly")

>>> role.list_grants()
GrantInfo groups:
- GrantItem: <object:Global>, <object_name:*>, <db_name:default>, <role_name:binbin_new>, <grantor_name:root>, <privilege:CollectionReadOnly>

Expected Behavior

The object name is the collection names rather than "*" returned by "list_grants()" when granting the role with the built-in privilege group at the collection level

Steps To Reproduce

from pymilvus import Role
from pymilvus import connections
connections.connect()
role = Role("newRole")
role.create()
role.grant(object="Global", object_name="binbin", privilege="CollectionReadOnly")
role.list_grants()

Milvus Log

No response

Anything else?

No response

@binbinlv binbinlv added kind/bug Issues or changes related a bug needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 21, 2024
@binbinlv
Contributor Author

/assign @shaoting-huang

@sre-ci-robot
Contributor

@binbinlv: GitHub didn't allow me to assign the following users: shaoting-huang.

Note that only milvus-io members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @shaoting-huang

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@binbinlv binbinlv added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 21, 2024
@yanliang567 yanliang567 removed their assignment Nov 25, 2024
@yanliang567 yanliang567 modified the milestones: 2.4.17, 2.4.18 Nov 25, 2024
@shaoting-huang
Contributor

/assign

@shaoting-huang
Contributor

fix:

role.grant_v2("CollectionReadOnly", "db", "binbin")
role.list_grants("db")

GrantInfo groups:
- GrantItem: <object:Global>, <object_name:binbin>, <db_name:db>, <role_name:binbin_new>, <grantor_name:root>, <privilege:CollectionReadOnly>

@binbinlv
Contributor Author

binbinlv commented Nov 26, 2024

Now the V1 interface "grant" cannot operate on privilege groups; only grant_v2 can be used to operate on privilege groups.

>>> role.grant(object="Global", object_name="binbin_new", privilege="CollectionReadOnly")
RPC error: [grant_privilege], <MilvusException: (code=65535, message=can not operate the built-in privilege group [CollectionReadOnly])>, <Time:{'RPC start': '2024-11-26 17:50:13.047538', 'RPC error': '2024-11-26 17:50:13.071613'}>
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/orm/role.py", line 156, in grant
    return self._get_connection().grant_privilege(
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 141, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 137, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 176, in handler
    return func(self, *args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 116, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 86, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/client/grpc_handler.py", line 1851, in grant_privilege
    check_status(resp)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/client/utils.py", line 63, in check_status
    raise MilvusException(status.code, status.reason, status.error_code)
pymilvus.exceptions.MilvusException: <MilvusException: (code=65535, message=can not operate the built-in privilege group [CollectionReadOnly])>
>>> role.grant(object="Global", object_name="binbin_new", privilege="normal")
RPC error: [grant_privilege], <MilvusException: (code=65535, message=can not operate the custom privilege group [normal])>, <Time:{'RPC start': '2024-11-26 17:54:22.284387', 'RPC error': '2024-11-26 17:54:22.321407'}>
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/orm/role.py", line 156, in grant
    return self._get_connection().grant_privilege(
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 141, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 137, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 176, in handler
    return func(self, *args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 116, in handler
    raise e from e
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/decorators.py", line 86, in handler
    return func(*args, **kwargs)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/client/grpc_handler.py", line 1851, in grant_privilege
    check_status(resp)
  File "/Users/binbin/milvus_latest/lib/python3.8/site-packages/pymilvus/client/utils.py", line 63, in check_status
    raise MilvusException(status.code, status.reason, status.error_code)
pymilvus.exceptions.MilvusException: <MilvusException: (code=65535, message=can not operate the custom privilege group [normal])>

Verified and fixed in dev branch.
milvus: shaoting-huang-rbacv2fix-df5df8d-20241125
pymilvus: 2.5.0rc126

@binbinlv
Contributor Author

Closing it first; will reopen it if there are any errors on the master image when the fix PR is merged.
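Added example (not code from the issue or from the Milvus project): a small audit helper that parses the text printed by list_grants(), in the GrantItem format quoted in this thread, and reports grants whose recorded object_name does not match the collection that was requested. The function names and the "intended grant" dictionaries are assumptions made for illustration; the sample text is constructed from the two outputs quoted above.

```python
import re

# Matches the <key:value> fields of one GrantItem line as printed by list_grants().
FIELD = re.compile(r"<(\w+):([^>]*)>")

def parse_grant_items(text):
    """Return one dict per 'GrantItem:' line in list_grants() text output."""
    items = []
    for line in text.splitlines():
        if "GrantItem:" in line:
            items.append(dict(FIELD.findall(line)))
    return items

def find_scope_mismatches(intended, listed_text):
    """Compare intended grants with what the server reports.

    intended: list of dicts with role_name, privilege, db_name, object_name
    (a hypothetical record of what the operator asked for).
    Returns (intent, reason) tuples for grants recorded with a wildcard or a
    different object name, or not recorded at all.
    """
    listed = parse_grant_items(listed_text)
    findings = []
    for want in intended:
        same = [g for g in listed
                if g.get("role_name") == want["role_name"]
                and g.get("privilege") == want["privilege"]
                and g.get("db_name") == want["db_name"]]
        names = {g.get("object_name") for g in same}
        if want["object_name"] in names:
            continue  # recorded scope matches the requested collection
        if not same:
            findings.append((want, "missing"))
        elif "*" in names:
            findings.append((want, "wildcard"))
        else:
            findings.append((want, "different-object"))
    return findings

# Constructed sample input, based on the two list_grants() outputs in this issue.
BEFORE_FIX = """GrantInfo groups:
- GrantItem: <object:Global>, <object_name:*>, <db_name:default>, <role_name:binbin_new>, <grantor_name:root>, <privilege:CollectionReadOnly>
"""
AFTER_FIX = """GrantInfo groups:
- GrantItem: <object:Global>, <object_name:binbin>, <db_name:db>, <role_name:binbin_new>, <grantor_name:root>, <privilege:CollectionReadOnly>
"""
```

Run against a live deployment by passing `str(role.list_grants())` as `listed_text`, assuming the printed format matches the output shown in this issue.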

sre-ci-robot pushed a commit that referenced this issue Dec 2, 2024
related issue: #37031

fixed issues:
#37974: better error messages for grant v2 interface
#37903: fix meta built-in privilege group object name
#37843: better error messages for custom privilege group interface
#38002: fix built-in privilege group meta to pass proxy interceptor check
#38008: fix revoke v2 to support revoking v1 granted privileges

Signed-off-by: shaoting-huang <[email protected]>