enhance: add privilege group privilege into built-in privilege group (#38393)

shaoting-huang · web-flow · commit c2855a5c745b · 2024-12-12T17:20:42.000+08:00
related issue: #37031 Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
diff --git a/configs/milvus.yaml b/configs/milvus.yaml
@@ -831,11 +831,11 @@ common:
         enabled: false # Whether to override build-in privilege groups
       cluster:
         readonly:
-          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups # Cluster level readonly privileges
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups # Cluster level readonly privileges
         readwrite:
-          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
         admin:
-          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection # Cluster level admin privileges
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,ListPrivilegeGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser,RenameCollection,CreatePrivilegeGroup,DropPrivilegeGroup,OperatePrivilegeGroup # Cluster level admin privileges
       database:
         readonly:
           privileges: ShowCollections,DescribeDatabase # Database level readonly privileges
diff --git a/pkg/util/constant.go b/pkg/util/constant.go
@@ -363,6 +363,7 @@ var (
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectUser.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListPrivilegeGroups.String()),
 	}
 
 	ClusterReadWritePrivilegeGroup = append(ClusterReadOnlyPrivilegeGroup,
@@ -384,6 +385,9 @@ var (
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
 		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeRenameCollection.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreatePrivilegeGroup.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPrivilegeGroup.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeOperatePrivilegeGroup.String()),
 	)
 )
 
@@ -407,11 +411,13 @@ func StringList(stringMap map[string]struct{}) []string {
 // MetaStore2API convert meta-store's privilege name to api's
 // example: PrivilegeAll -> All
 func MetaStore2API(name string) string {
-	prefix := PrivilegeWord
-	if strings.Contains(name, PrivilegeGroupWord) {
-		prefix = PrivilegeGroupWord
+	if strings.HasPrefix(name, PrivilegeGroupWord) {
+		return name[len(PrivilegeGroupWord):]
 	}
-	return name[strings.Index(name, prefix)+len(prefix):]
+	if strings.HasPrefix(name, PrivilegeWord) {
+		return name[len(PrivilegeWord):]
+	}
+	return name
 }
 
 func PrivilegeNameForAPI(name string) string {
