milvus-io / milvus

A cloud-native vector database, storage for next generation AI applications
https://milvus.io
Apache License 2.0

[Bug]: RBAC - Does this actually work? #27278

Closed mdcooper-mc closed 1 year ago

mdcooper-mc commented 1 year ago

Is there an existing issue for this?

Environment

- Milvus version: latest
- Deployment mode(standalone or cluster): cluster
- MQ type(rocksmq, pulsar or kafka):    kafka
- SDK version(e.g. pymilvus v2.0.0rc2): ...
- OS(Ubuntu or CentOS): Linux
- CPU/Memory: ...
- GPU: ...
- Others: Come on...

Current Behavior

RBAC doesn't work...

Not sure what's going on here, but it looks like no password check is done unless there is a sourceId in the originating request. As a user of the API I have no idea this is needed, and I can always log in as root even though the password has been randomised.

Expected Behavior

RBAC should work when being used by a child.

Steps To Reproduce

Read the code...

Milvus Log

No response

Anything else?

This setup is utterly odd. With mTLS, you don't get the user from the cert; it just auths anyone with a trusted cert and logs them in as root.

yanliang567 commented 1 year ago

@mdcooper-mc Did you enable authentication before using RBAC? if not, please try it. refer to https://milvus.io/docs/authenticate.md

/assign @mdcooper-mc /unassign

mdcooper-mc commented 1 year ago

Yes, obviously auth is enabled. However, if you review the line of code in this issue you will see that there are a lot of hardcoded values, one of which expects you to have a header with @@…@@ in it. In all cases I have tested with python and Java the user is logged in with root even when the root password is randomised. The user creds are not checked, this is the case with TLS and mtls.

xiaofan-luan commented 1 year ago

> Yes, obviously auth is enabled. However, if you review the line of code in this issue you will see that there are a lot of hardcoded values, one of which expects you to have a header with @@…@@ in it. In all cases I have tested with python and Java the user is logged in with root even when the root password is randomised. The user creds are not checked, this is the case with TLS and mtls.

I don't really understand. all the authorization check happens at privilege_interceptor.go

xiaofan-luan commented 1 year ago

If you can show your code to reproduce, that would be super helpful.

yanliang567 commented 1 year ago

@mdcooper-mc please attach the code snippet for us to reproduce it. /assign @mdcooper-mc
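The reproduction the maintainers are asking for is the check a practitioner would run anyway: with authentication enabled, does a wrong root password get rejected? The script below is an added example, not code from the thread or from the Milvus project. It assumes a Milvus server with authentication enabled reachable at `MILVUS_HOST`/`MILVUS_PORT` (defaults `localhost`/`19530`), the real root password in `MILVUS_ROOT_PASSWORD`, and optional mTLS material in `MILVUS_CLIENT_PEM`, `MILVUS_CLIENT_KEY`, `MILVUS_CA_PEM` and `MILVUS_SERVER_NAME`; those environment-variable names, the aliases and the randomly generated wrong password are assumptions. The `auth_metadata` helper reproduces what pymilvus puts in the gRPC `authorization` metadata (base64 of `user:password`), so a capture of the client traffic can be inspected for whether credentials were sent at all.

```python
"""Check whether Milvus really rejects a wrong root password (added example).

Not code from the issue or from the Milvus project. Assumed environment:
a Milvus server with authentication enabled at MILVUS_HOST:MILVUS_PORT,
the real root password in MILVUS_ROOT_PASSWORD, optional mTLS files in
MILVUS_CLIENT_PEM / MILVUS_CLIENT_KEY / MILVUS_CA_PEM / MILVUS_SERVER_NAME.
"""
import base64
import os
import secrets
import sys
from typing import Dict, Tuple


def auth_metadata(user: str, password: str) -> Tuple[str, bytes]:
    """gRPC metadata pair pymilvus attaches to every RPC: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return ("authorization", token)


def decode_auth_metadata(value: bytes) -> Tuple[str, str]:
    """Inverse of auth_metadata; splits on the first ':' so passwords may contain ':'."""
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return user, password


def tls_kwargs() -> Dict[str, str]:
    """Optional mTLS settings for connections.connect(), taken from the assumed env vars."""
    client_pem = os.environ.get("MILVUS_CLIENT_PEM")
    if not client_pem:
        return {}
    return {
        "secure": True,
        "client_pem_path": client_pem,
        "client_key_path": os.environ["MILVUS_CLIENT_KEY"],
        "ca_pem_path": os.environ["MILVUS_CA_PEM"],
        "server_name": os.environ.get("MILVUS_SERVER_NAME", "localhost"),
    }


def try_login(host: str, port: str, user: str, password: str, alias: str) -> bool:
    """Return True if the server accepts an authenticated RPC with these credentials."""
    # Imported lazily so the helpers above stay usable without pymilvus installed.
    from pymilvus import MilvusException, connections, utility

    try:
        connections.connect(alias=alias, host=host, port=port,
                            user=user, password=password, **tls_kwargs())
        # Force a real RPC: connect alone may not exercise the credential check.
        utility.list_collections(using=alias)
        return True
    except MilvusException:
        return False
    finally:
        connections.disconnect(alias)


def main() -> int:
    host = os.environ.get("MILVUS_HOST", "localhost")
    port = os.environ.get("MILVUS_PORT", "19530")
    real_password = os.environ["MILVUS_ROOT_PASSWORD"]
    wrong_password = secrets.token_urlsafe(16)  # hypothetical, never the real one

    accepted_wrong = try_login(host, port, "root", wrong_password, "probe-wrong")
    accepted_real = try_login(host, port, "root", real_password, "probe-real")

    print(f"root with wrong password accepted: {accepted_wrong}")
    print(f"root with real password accepted:  {accepted_real}")
    if accepted_wrong:
        print("FAIL: server accepted root without the correct password")
        return 1
    if not accepted_real:
        print("FAIL: real root password rejected; is auth configured as expected?")
        return 1
    print("OK: credential check behaves as expected")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it once over plain gRPC and once with the mTLS variables set; if the first login ever reports `True`, attach that output and the server configuration to the issue, since that is exactly the evidence the maintainers need.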

mdcooper-mc commented 1 year ago

no time