milvus-io / milvus

A cloud-native vector database, storage for next generation AI applications
https://milvus.io
Apache License 2.0

[Bug]: No specific Privilege to let the user update its own password. #31501

Closed mcandio closed 3 months ago

mcandio commented 7 months ago

Is there an existing issue for this?

Environment

- Milvus version: v2.4.0-rc.1
- Deployment mode(standalone or cluster): Standalone
- MQ type(rocksmq, pulsar or kafka): rocksmq
- SDK version(e.g. pymilvus v2.0.0rc2): same as Milvus version
- OS(Ubuntu or CentOS): CentOS 
- CPU/Memory: 
- GPU: 
- Others: Auth enabled by setting:

```yaml
extraConfigFiles:
  user.yaml: |+
    common:
      security:
        authorizationEnabled: true
```

Current Behavior

We are trying to configure user privileges to standardise roles, we want to set a dev_role where the user is able to:

RenameCollection ShowCollections UpdateUser

As I understand from the documentation here, UpdateUser should be enough to let the user update its credentials, but it is failing, from the Attu UI (v2.3.8) it is not possible to see users or roles.

The only way we were able to let the user update its own password is to add to the role: CreateOwnership, DropOwnership or ManageOwnership.

In any case, by adding the previous privileges, we allow the user to see other users or to update out-of-the-scope stuff.

Expected Behavior

A privilege should grant the user the ability to update its own password, and not to manage role-to-user bindings, alter other users' passwords or manage roles.

Steps To Reproduce

1- Install milvus and attu as standalone using latest versions.
2- from Root user create testuser and assign password.
3- from Root user create role with following privileges:
RenameCollection
ShowCollections
SelectUser
UpdateUser
4- Switch to newly created user
5- check the users section, nothing is there to manage
6- switch back to Root user
7- update the newly created role and add one of the following (or all, the behaviour is the same): CreateOwnership, DropOwnership or ManageOwnership.
8- switch back to newly created user.
9- check the user tab, see that users are now showing and actions enabled.
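The steps above are a manual procedure through Attu. The block below is an added example (not the reporter's code and not part of Milvus or pymilvus) that does two things: it scripts steps 2, 3 and 7 with the pymilvus client so the role is created in a reproducible way, and it audits the grants Milvus reports back against the four privileges the reporter wanted `dev_role` to hold, flagging the Ownership privileges that were added only as a password-change workaround. The audit function runs offline on constructed `(object_type, object_name, privilege)` tuples; the reproduction helper needs a live Milvus and assumes the pymilvus 2.x calls `connections.connect`, `utility.create_user`, `Role.create`, `Role.grant`, `Role.add_user` and `Role.list_grants`, and the object-type names `"Global"`, `"User"` and `"*"`, all of which are assumptions taken from the client API rather than from this issue.

```python
"""Least-privilege audit for a Milvus RBAC role (added example, not project code)."""
from typing import Iterable, List, Tuple

# A grant as (object_type, object_name, privilege). The tuple shape and the
# object-type names "Global"/"User"/"*" are assumptions about the pymilvus API.
Grant = Tuple[str, str, str]

# The privileges the issue lists for dev_role (steps 3 of the reproduction).
DEV_ROLE_BASELINE = {
    ("Global", "*", "RenameCollection"),
    ("Global", "*", "ShowCollections"),
    ("User", "*", "SelectUser"),
    ("User", "*", "UpdateUser"),
}

# Privileges the issue shows were added as a workaround (step 7, plus the
# SelectOwnership suggested in the thread). They reach beyond the caller's
# own account, which is the over-grant the reporter objects to.
OVERBROAD_PRIVILEGES = {
    "CreateOwnership",
    "DropOwnership",
    "ManageOwnership",
    "SelectOwnership",
}


def audit_role_grants(grants: Iterable[Grant], baseline=DEV_ROLE_BASELINE) -> List[str]:
    """Return one finding per grant that is not in the agreed baseline.

    Ownership-type grants get an explicit reason so a reviewer can see that the
    role can now read or manage other users, not just its own password.
    """
    findings: List[str] = []
    for object_type, object_name, privilege in grants:
        if (object_type, object_name, privilege) in baseline:
            continue  # exactly what dev_role is supposed to have
        where = f"{privilege} on {object_type}/{object_name}"
        if privilege in OVERBROAD_PRIVILEGES:
            findings.append(f"{where}: manages users/roles beyond the caller's own account")
        else:
            findings.append(f"{where}: not in baseline")
    return findings


def reproduce_with_pymilvus(uri: str, root_password: str, workaround: bool = False) -> List[str]:
    """Recreate steps 2, 3 and (optionally) 7 against a live Milvus, then audit.

    Requires a running server with authorizationEnabled: true; the pymilvus
    calls used here are assumed from the 2.x client API. Not run offline.
    """
    from pymilvus import Role, connections, utility  # lazy import: the audit above works without it

    connections.connect(alias="root", uri=uri, user="root", password=root_password)
    # Step 2: root creates the test user (constructed credentials).
    utility.create_user("testuser", "Testpass1!", using="root")
    # Step 3: root creates dev_role with the baseline privileges only.
    role = Role("dev_role", using="root")
    role.create()
    for object_type, object_name, privilege in sorted(DEV_ROLE_BASELINE):
        role.grant(object_type, object_name, privilege)
    # Step 7: the workaround that makes the Attu user tab work, but over-grants.
    if workaround:
        role.grant("Global", "*", "ManageOwnership")
    role.add_user("testuser")
    # Read back what Milvus actually recorded and audit that, not our intent.
    recorded = [(g.object, g.object_name, g.privilege) for g in role.list_grants().groups]
    return audit_role_grants(recorded)


if __name__ == "__main__":
    # Offline demonstration with a constructed grant list matching step 7.
    sample = sorted(DEV_ROLE_BASELINE) + [("Global", "*", "ManageOwnership")]
    for finding in audit_role_grants(sample):
        print(finding)
```

Running the audit after step 3 produces no findings; running it after step 7 reports the Ownership grant, which is the signal a reviewer would want when a role that exists only to let developers rotate their own credentials quietly acquires the ability to manage everyone else's.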

Milvus Log

No response

Anything else?

No response

yanliang567 commented 7 months ago

/assign @SimFG /unassign

SimFG commented 7 months ago

@mcandio you need to give the dev_role to the SelectOwnership privilege

xiaofan-luan commented 7 months ago

> @mcandio you need to give the dev_role to the SelectOwnership privilege

we can update root password if we have admin access right?

SimFG commented 7 months ago

@xiaofan-luan yes, we can

mcandio commented 6 months ago

@SimFG The outcome is the same either by setting SelectOwnership or the ones specified on my first comment.

xiaofan-luan commented 6 months ago

@SimFG Users should be able to update their own password. Does this violate any rule of our RBAC? I think this is very straightforward to most of the users. Very similar to database management, I need to have access to list the databases I have access control

SimFG commented 6 months ago

@mcandio when you fail to operate, is there any error message? When an error occurs, there should be a message indicating that the API does not have permission.

SimFG commented 6 months ago

@xiaofan-luan The error occurs here mainly because some other APIs may be used in the attu page.

stale[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Rotten issues close after 30d of inactivity. Reopen the issue with /reopen.