enhance: [2.4] pick default root password and log level pr (#34777)

default root password
- issue: #33058
- pr: #34752

set log level
- issue: #34756
- pr: #34757

---------

Signed-off-by: SimFG <[email protected]>

cmd/roles/roles.go

@@ -30,6 +30,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
 
 	"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
 	"github.com/milvus-io/milvus/cmd/components"
@@ -249,6 +250,18 @@ func (mr *MilvusRoles) setupLogger() {
 	}
 
 	logutil.SetupLogger(&logConfig)
+	params.Watch(params.LogCfg.Level.Key, config.NewHandler("log.level", func(event *config.Event) {
+		if !event.HasUpdated || event.EventType == config.DeleteType {
+			return
+		}
+		logLevel, err := zapcore.ParseLevel(event.Value)
+		if err != nil {
+			log.Warn("failed to parse log level", zap.Error(err))
+			return
+		}
+		log.SetLevel(logLevel)
+		log.Info("log level changed", zap.String("level", event.Value))
+	}))
 }
 
 // Register serves prometheus http service
@@ -352,6 +365,7 @@ func (mr *MilvusRoles) Run() {
 
 	expr.Init()
 	expr.Register("param", paramtable.Get())
+	mr.setupLogger()
 	http.ServeHTTP()
 	setupPrometheusHTTPServer(Registry)
 
@@ -423,7 +437,6 @@ func (mr *MilvusRoles) Run() {
 		return nil
 	})
 
-	mr.setupLogger()
 	tracer.Init()
 	paramtable.Get().WatchKeyPrefix("trace", config.NewHandler("tracing handler", func(e *config.Event) {
 		params := paramtable.Get()

configs/milvus.yaml

@@ -639,6 +639,7 @@ common:
     # like the old password verification when updating the credential
     superUsers: 
     tlsMode: 0
+    defaultRootPassword: Milvus
   session:
     ttl: 30 # ttl value when session granting a lease to register service
     retryTimes: 30 # retry times when session sending etcd requests

internal/distributed/proxy/httpserver/handler_v1_test.go

@@ -82,6 +82,11 @@ var DefaultFalseResp = milvuspb.BoolResponse{
 	Value:  false,
 }
 
+func getDefaultRootPassword() string {
+	paramtable.Init()
+	return paramtable.Get().CommonCfg.DefaultRootPassword.GetValue()
+}
+
 func versional(path string) string {
 	return URIPrefixV1 + path
 }
@@ -128,7 +133,7 @@ func genAuthMiddleWare(needAuth bool) gin.HandlerFunc {
 			username, password, ok := ParseUsernamePassword(c)
 			if !ok {
 				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{HTTPReturnCode: merr.Code(merr.ErrNeedAuthenticate), HTTPReturnMessage: merr.ErrNeedAuthenticate.Error()})
-			} else if username == util.UserRoot && password != util.DefaultRootPassword {
+			} else if username == util.UserRoot && password != getDefaultRootPassword() {
 				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{HTTPReturnCode: merr.Code(merr.ErrNeedAuthenticate), HTTPReturnMessage: merr.ErrNeedAuthenticate.Error()})
 			} else {
 				c.Set(ContextUsername, username)
@@ -183,7 +188,7 @@ func TestVectorAuthenticate(t *testing.T) {
 
 	t.Run("root's password correct", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsPath), nil)
-		req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+		req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 		w := httptest.NewRecorder()
 		testEngine.ServeHTTP(w, req)
 		assert.Equal(t, http.StatusOK, w.Code)
@@ -237,7 +242,7 @@ func TestVectorListCollection(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			testEngine := initHTTPServer(tt.mp, true)
 			req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsPath), nil)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -301,7 +306,7 @@ func TestVectorCollectionsDescribe(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			testEngine := initHTTPServer(tt.mp, true)
 			req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsDescribePath)+"?collectionName="+DefaultCollectionName, nil)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -315,7 +320,7 @@ func TestVectorCollectionsDescribe(t *testing.T) {
 	t.Run("need collectionName", func(t *testing.T) {
 		testEngine := initHTTPServer(mocks.NewMockProxy(t), true)
 		req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsDescribePath)+"?"+DefaultCollectionName, nil)
-		req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+		req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 		w := httptest.NewRecorder()
 		testEngine.ServeHTTP(w, req)
 		assert.Equal(t, http.StatusOK, w.Code)
@@ -384,7 +389,7 @@ func TestVectorCreateCollection(t *testing.T) {
 			jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `", "dimension": 2}`)
 			bodyReader := bytes.NewReader(jsonBody)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorCollectionsCreatePath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -441,7 +446,7 @@ func TestVectorDropCollection(t *testing.T) {
 			jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `"}`)
 			bodyReader := bytes.NewReader(jsonBody)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorCollectionsDropPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -517,7 +522,7 @@ func TestQuery(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			testEngine := initHTTPServer(tt.mp, true)
 			for _, req := range reqs {
-				req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+				req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 				w := httptest.NewRecorder()
 				testEngine.ServeHTTP(w, req)
 				assert.Equal(t, tt.exceptCode, w.Code)
@@ -602,7 +607,7 @@ func TestDelete(t *testing.T) {
 			jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `" , "id": [1,2,3]}`)
 			bodyReader := bytes.NewReader(jsonBody)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorDeletePath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -634,7 +639,7 @@ func TestDeleteForFilter(t *testing.T) {
 			testEngine := initHTTPServer(mp, true)
 			bodyReader := bytes.NewReader(jsonBody)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorDeletePath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -726,7 +731,7 @@ func TestInsert(t *testing.T) {
 			testEngine := initHTTPServer(tt.mp, true)
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -747,7 +752,7 @@ func TestInsert(t *testing.T) {
 		testEngine := initHTTPServer(mp, true)
 		bodyReader := bytes.NewReader([]byte(`{"collectionName": "` + DefaultCollectionName + `", "data": {}}`))
 		req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-		req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+		req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 		w := httptest.NewRecorder()
 		testEngine.ServeHTTP(w, req)
 		assert.Equal(t, http.StatusOK, w.Code)
@@ -788,7 +793,7 @@ func TestInsertForDataType(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -813,7 +818,7 @@ func TestInsertForDataType(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -856,7 +861,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -887,7 +892,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -918,7 +923,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			req.Header.Set(HTTPHeaderAllowInt64, "true")
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
@@ -950,7 +955,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			req.Header.Set(HTTPHeaderAllowInt64, "true")
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
@@ -983,7 +988,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -1014,7 +1019,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -1045,7 +1050,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			req.Header.Set(HTTPHeaderAllowInt64, "false")
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
@@ -1077,7 +1082,7 @@ func TestReturnInt64(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			req.Header.Set(HTTPHeaderAllowInt64, "false")
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
@@ -1167,7 +1172,7 @@ func TestUpsert(t *testing.T) {
 			testEngine := initHTTPServer(tt.mp, true)
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -1188,7 +1193,7 @@ func TestUpsert(t *testing.T) {
 		testEngine := initHTTPServer(mp, true)
 		bodyReader := bytes.NewReader([]byte(`{"collectionName": "` + DefaultCollectionName + `", "data": {}}`))
 		req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader)
-		req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+		req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 		w := httptest.NewRecorder()
 		testEngine.ServeHTTP(w, req)
 		assert.Equal(t, http.StatusOK, w.Code)
@@ -1271,7 +1276,7 @@ func TestSearch(t *testing.T) {
 			})
 			bodyReader := bytes.NewReader(data)
 			req := httptest.NewRequest(http.MethodPost, versional(VectorSearchPath), bodyReader)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			testEngine.ServeHTTP(w, req)
 			assert.Equal(t, tt.exceptCode, w.Code)
@@ -1319,7 +1324,7 @@ func TestSearch(t *testing.T) {
 		})
 		bodyReader := bytes.NewReader(data)
 		req := httptest.NewRequest(http.MethodPost, versional(VectorSearchPath), bodyReader)
-		req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+		req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 		w := httptest.NewRecorder()
 		testEngine.ServeHTTP(w, req)
 		assert.Equal(t, tt.exceptCode, w.Code)
@@ -1481,7 +1486,7 @@ func TestHttpRequestFormat(t *testing.T) {
 				testEngine := initHTTPServer(mocks.NewMockProxy(t), true)
 				bodyReader := bytes.NewReader(requestJsons[i])
 				req := httptest.NewRequest(http.MethodPost, path, bodyReader)
-				req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+				req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 				w := httptest.NewRecorder()
 				testEngine.ServeHTTP(w, req)
 				assert.Equal(t, http.StatusOK, w.Code)

internal/distributed/proxy/httpserver/handler_v2_test.go

@@ -274,7 +274,7 @@ func TestGrpcWrapper(t *testing.T) {
 	for _, testcase := range getTestCasesNeedAuth {
 		t.Run("get"+testcase.path, func(t *testing.T) {
 			req := httptest.NewRequest(http.MethodGet, testcase.path, nil)
-			req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword)
+			req.SetBasicAuth(util.UserRoot, getDefaultRootPassword())
 			w := httptest.NewRecorder()
 			ginHandler.ServeHTTP(w, req)
 			assert.Equal(t, http.StatusOK, w.Code)
@@ -311,7 +311,7 @@ func TestGrpcWrapper(t *testing.T) {
 
 		paramtable.Get().Save(proxy.Params.CommonCfg.AuthorizationEnabled.Key, "true")
 		req = httptest.NewRequest(http.MethodGet, needAuthPrefix+path, nil)
-		req.SetBasicAuth("test", util.DefaultRootPassword)
+		req.SetBasicAuth("test", getDefaultRootPassword())
 		w = httptest.NewRecorder()
 		ginHandler.ServeHTTP(w, req)
 		assert.Equal(t, http.StatusForbidden, w.Code)

internal/rootcoord/root_coord.go

@@ -528,7 +528,7 @@ func (c *Core) initCredentials() error {
 	credInfo, _ := c.meta.GetCredential(util.UserRoot)
 	if credInfo == nil {
 		log.Debug("RootCoord init user root")
-		encryptedRootPassword, _ := crypto.PasswordEncrypt(util.DefaultRootPassword)
+		encryptedRootPassword, _ := crypto.PasswordEncrypt(Params.CommonCfg.DefaultRootPassword.GetValue())
 		err := c.meta.AddCredential(&internalpb.CredentialInfo{Username: util.UserRoot, EncryptedPassword: encryptedRootPassword})
 		return err
 	}

pkg/util/constant.go

@@ -48,7 +48,6 @@ const (
 	MemberCredID        = "@@milvus-member@@"
 	CredentialSeperator = ":"
 	UserRoot            = "root"
-	DefaultRootPassword = "Milvus"
 	PasswordHolder      = "___"
 	DefaultTenant       = ""
 	RoleAdmin           = "admin"

pkg/util/paramtable/component_param.go

@@ -218,6 +218,7 @@ type commonConfig struct {
 
 	AuthorizationEnabled ParamItem `refreshable:"false"`
 	SuperUsers           ParamItem `refreshable:"true"`
+	DefaultRootPassword  ParamItem `refreshable:"false"`
 
 	ClusterName ParamItem `refreshable:"false"`
 
@@ -596,6 +597,15 @@ like the old password verification when updating the credential`,
 	}
 	p.SuperUsers.Init(base.mgr)
 
+	p.DefaultRootPassword = ParamItem{
+		Key:          "common.security.defaultRootPassword",
+		Version:      "2.4.7",
+		Doc:          "default password for root user",
+		DefaultValue: "Milvus",
+		Export:       true,
+	}
+	p.DefaultRootPassword.Init(base.mgr)
+
 	p.ClusterName = ParamItem{
 		Key:          "common.cluster.name",
 		Version:      "2.0.0",

pkg/util/paramtable/component_param_test.go

@@ -98,6 +98,10 @@ func TestComponentParam(t *testing.T) {
 		params.Save("common.security.superUsers", "super1,super2,super3")
 		assert.Equal(t, []string{"super1", "super2", "super3"}, Params.SuperUsers.GetAsStrings())
 
+		assert.Equal(t, "Milvus", Params.DefaultRootPassword.GetValue())
+		params.Save("common.security.defaultRootPassword", "defaultMilvus")
+		assert.Equal(t, "defaultMilvus", Params.DefaultRootPassword.GetValue())
+
 		params.Save("common.security.superUsers", "")
 		assert.Equal(t, []string{""}, Params.SuperUsers.GetAsStrings())