From 0e226502e4159307e84a52c313366807b5c35d52 Mon Sep 17 00:00:00 2001 From: SimFG Date: Thu, 18 Jul 2024 13:45:43 +0800 Subject: [PATCH] enhance: [2.4] pick default root password and log level pr (#34777) default root password - issue: #33058 - pr: #34752 set log level - issue: #34756 - pr: #34757 --------- Signed-off-by: SimFG --- cmd/roles/roles.go | 15 ++++- configs/milvus.yaml | 1 + .../proxy/httpserver/handler_v1_test.go | 59 ++++++++++--------- .../proxy/httpserver/handler_v2_test.go | 4 +- internal/rootcoord/root_coord.go | 2 +- pkg/util/constant.go | 1 - pkg/util/paramtable/component_param.go | 10 ++++ pkg/util/paramtable/component_param_test.go | 4 ++ 8 files changed, 64 insertions(+), 32 deletions(-) diff --git a/cmd/roles/roles.go b/cmd/roles/roles.go index c0877ffc98ece..c32d604c95580 100644 --- a/cmd/roles/roles.go +++ b/cmd/roles/roles.go @@ -30,6 +30,7 @@ import ( "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promhttp" "go.uber.org/zap" + "go.uber.org/zap/zapcore" "github.com/milvus-io/milvus-proto/go-api/v2/commonpb" "github.com/milvus-io/milvus/cmd/components" @@ -249,6 +250,18 @@ func (mr *MilvusRoles) setupLogger() { } logutil.SetupLogger(&logConfig) + params.Watch(params.LogCfg.Level.Key, config.NewHandler("log.level", func(event *config.Event) { + if !event.HasUpdated || event.EventType == config.DeleteType { + return + } + logLevel, err := zapcore.ParseLevel(event.Value) + if err != nil { + log.Warn("failed to parse log level", zap.Error(err)) + return + } + log.SetLevel(logLevel) + log.Info("log level changed", zap.String("level", event.Value)) + })) } // Register serves prometheus http service @@ -352,6 +365,7 @@ func (mr *MilvusRoles) Run() { expr.Init() expr.Register("param", paramtable.Get()) + mr.setupLogger() http.ServeHTTP() setupPrometheusHTTPServer(Registry) @@ -423,7 +437,6 @@ func (mr *MilvusRoles) Run() { return nil }) - mr.setupLogger() tracer.Init() paramtable.Get().WatchKeyPrefix("trace", config.NewHandler("tracing handler", func(e *config.Event) { params := paramtable.Get() diff --git a/configs/milvus.yaml b/configs/milvus.yaml index 3a1cb34675aa1..a6f5420b82646 100644 --- a/configs/milvus.yaml +++ b/configs/milvus.yaml @@ -639,6 +639,7 @@ common: # like the old password verification when updating the credential superUsers: tlsMode: 0 + defaultRootPassword: Milvus session: ttl: 30 # ttl value when session granting a lease to register service retryTimes: 30 # retry times when session sending etcd requests diff --git a/internal/distributed/proxy/httpserver/handler_v1_test.go b/internal/distributed/proxy/httpserver/handler_v1_test.go index f56ec20c70910..bd485108e33b0 100644 --- a/internal/distributed/proxy/httpserver/handler_v1_test.go +++ b/internal/distributed/proxy/httpserver/handler_v1_test.go @@ -82,6 +82,11 @@ var DefaultFalseResp = milvuspb.BoolResponse{ Value: false, } +func getDefaultRootPassword() string { + paramtable.Init() + return paramtable.Get().CommonCfg.DefaultRootPassword.GetValue() +} + func versional(path string) string { return URIPrefixV1 + path } @@ -128,7 +133,7 @@ func genAuthMiddleWare(needAuth bool) gin.HandlerFunc { username, password, ok := ParseUsernamePassword(c) if !ok { c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{HTTPReturnCode: merr.Code(merr.ErrNeedAuthenticate), HTTPReturnMessage: merr.ErrNeedAuthenticate.Error()}) - } else if username == util.UserRoot && password != util.DefaultRootPassword { + } else if username == util.UserRoot && password != getDefaultRootPassword() { c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{HTTPReturnCode: merr.Code(merr.ErrNeedAuthenticate), HTTPReturnMessage: merr.ErrNeedAuthenticate.Error()}) } else { c.Set(ContextUsername, username) @@ -183,7 +188,7 @@ func TestVectorAuthenticate(t *testing.T) { t.Run("root's password correct", func(t *testing.T) { req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsPath), nil) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -237,7 +242,7 @@ func TestVectorListCollection(t *testing.T) { t.Run(tt.name, func(t *testing.T) { testEngine := initHTTPServer(tt.mp, true) req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsPath), nil) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -301,7 +306,7 @@ func TestVectorCollectionsDescribe(t *testing.T) { t.Run(tt.name, func(t *testing.T) { testEngine := initHTTPServer(tt.mp, true) req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsDescribePath)+"?collectionName="+DefaultCollectionName, nil) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -315,7 +320,7 @@ func TestVectorCollectionsDescribe(t *testing.T) { t.Run("need collectionName", func(t *testing.T) { testEngine := initHTTPServer(mocks.NewMockProxy(t), true) req := httptest.NewRequest(http.MethodGet, versional(VectorCollectionsDescribePath)+"?"+DefaultCollectionName, nil) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -384,7 +389,7 @@ func TestVectorCreateCollection(t *testing.T) { jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `", "dimension": 2}`) bodyReader := bytes.NewReader(jsonBody) req := httptest.NewRequest(http.MethodPost, versional(VectorCollectionsCreatePath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -441,7 +446,7 @@ func TestVectorDropCollection(t *testing.T) { jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `"}`) bodyReader := bytes.NewReader(jsonBody) req := httptest.NewRequest(http.MethodPost, versional(VectorCollectionsDropPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -517,7 +522,7 @@ func TestQuery(t *testing.T) { t.Run(tt.name, func(t *testing.T) { testEngine := initHTTPServer(tt.mp, true) for _, req := range reqs { - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -602,7 +607,7 @@ func TestDelete(t *testing.T) { jsonBody := []byte(`{"collectionName": "` + DefaultCollectionName + `" , "id": [1,2,3]}`) bodyReader := bytes.NewReader(jsonBody) req := httptest.NewRequest(http.MethodPost, versional(VectorDeletePath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -634,7 +639,7 @@ func TestDeleteForFilter(t *testing.T) { testEngine := initHTTPServer(mp, true) bodyReader := bytes.NewReader(jsonBody) req := httptest.NewRequest(http.MethodPost, versional(VectorDeletePath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -726,7 +731,7 @@ func TestInsert(t *testing.T) { testEngine := initHTTPServer(tt.mp, true) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -747,7 +752,7 @@ func TestInsert(t *testing.T) { testEngine := initHTTPServer(mp, true) bodyReader := bytes.NewReader([]byte(`{"collectionName": "` + DefaultCollectionName + `", "data": {}}`)) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -788,7 +793,7 @@ func TestInsertForDataType(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -813,7 +818,7 @@ func TestInsertForDataType(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -856,7 +861,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -887,7 +892,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -918,7 +923,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) req.Header.Set(HTTPHeaderAllowInt64, "true") w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) @@ -950,7 +955,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) req.Header.Set(HTTPHeaderAllowInt64, "true") w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) @@ -983,7 +988,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -1014,7 +1019,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -1045,7 +1050,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorInsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) req.Header.Set(HTTPHeaderAllowInt64, "false") w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) @@ -1077,7 +1082,7 @@ func TestReturnInt64(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) req.Header.Set(HTTPHeaderAllowInt64, "false") w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) @@ -1167,7 +1172,7 @@ func TestUpsert(t *testing.T) { testEngine := initHTTPServer(tt.mp, true) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -1188,7 +1193,7 @@ func TestUpsert(t *testing.T) { testEngine := initHTTPServer(mp, true) bodyReader := bytes.NewReader([]byte(`{"collectionName": "` + DefaultCollectionName + `", "data": {}}`)) req := httptest.NewRequest(http.MethodPost, versional(VectorUpsertPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -1271,7 +1276,7 @@ func TestSearch(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorSearchPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -1319,7 +1324,7 @@ func TestSearch(t *testing.T) { }) bodyReader := bytes.NewReader(data) req := httptest.NewRequest(http.MethodPost, versional(VectorSearchPath), bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, tt.exceptCode, w.Code) @@ -1481,7 +1486,7 @@ func TestHttpRequestFormat(t *testing.T) { testEngine := initHTTPServer(mocks.NewMockProxy(t), true) bodyReader := bytes.NewReader(requestJsons[i]) req := httptest.NewRequest(http.MethodPost, path, bodyReader) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() testEngine.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) diff --git a/internal/distributed/proxy/httpserver/handler_v2_test.go b/internal/distributed/proxy/httpserver/handler_v2_test.go index b89c0ee6d0f9e..710c66424fcdd 100644 --- a/internal/distributed/proxy/httpserver/handler_v2_test.go +++ b/internal/distributed/proxy/httpserver/handler_v2_test.go @@ -274,7 +274,7 @@ func TestGrpcWrapper(t *testing.T) { for _, testcase := range getTestCasesNeedAuth { t.Run("get"+testcase.path, func(t *testing.T) { req := httptest.NewRequest(http.MethodGet, testcase.path, nil) - req.SetBasicAuth(util.UserRoot, util.DefaultRootPassword) + req.SetBasicAuth(util.UserRoot, getDefaultRootPassword()) w := httptest.NewRecorder() ginHandler.ServeHTTP(w, req) assert.Equal(t, http.StatusOK, w.Code) @@ -311,7 +311,7 @@ func TestGrpcWrapper(t *testing.T) { paramtable.Get().Save(proxy.Params.CommonCfg.AuthorizationEnabled.Key, "true") req = httptest.NewRequest(http.MethodGet, needAuthPrefix+path, nil) - req.SetBasicAuth("test", util.DefaultRootPassword) + req.SetBasicAuth("test", getDefaultRootPassword()) w = httptest.NewRecorder() ginHandler.ServeHTTP(w, req) assert.Equal(t, http.StatusForbidden, w.Code) diff --git a/internal/rootcoord/root_coord.go b/internal/rootcoord/root_coord.go index d88eb8e666524..8198a2a3d5cb6 100644 --- a/internal/rootcoord/root_coord.go +++ b/internal/rootcoord/root_coord.go @@ -528,7 +528,7 @@ func (c *Core) initCredentials() error { credInfo, _ := c.meta.GetCredential(util.UserRoot) if credInfo == nil { log.Debug("RootCoord init user root") - encryptedRootPassword, _ := crypto.PasswordEncrypt(util.DefaultRootPassword) + encryptedRootPassword, _ := crypto.PasswordEncrypt(Params.CommonCfg.DefaultRootPassword.GetValue()) err := c.meta.AddCredential(&internalpb.CredentialInfo{Username: util.UserRoot, EncryptedPassword: encryptedRootPassword}) return err } diff --git a/pkg/util/constant.go b/pkg/util/constant.go index 75c58435615c1..4c73ebedac19d 100644 --- a/pkg/util/constant.go +++ b/pkg/util/constant.go @@ -48,7 +48,6 @@ const ( MemberCredID = "@@milvus-member@@" CredentialSeperator = ":" UserRoot = "root" - DefaultRootPassword = "Milvus" PasswordHolder = "___" DefaultTenant = "" RoleAdmin = "admin" diff --git a/pkg/util/paramtable/component_param.go b/pkg/util/paramtable/component_param.go index cc61433a212b5..dfb407861dfc9 100644 --- a/pkg/util/paramtable/component_param.go +++ b/pkg/util/paramtable/component_param.go @@ -218,6 +218,7 @@ type commonConfig struct { AuthorizationEnabled ParamItem `refreshable:"false"` SuperUsers ParamItem `refreshable:"true"` + DefaultRootPassword ParamItem `refreshable:"false"` ClusterName ParamItem `refreshable:"false"` @@ -596,6 +597,15 @@ like the old password verification when updating the credential`, } p.SuperUsers.Init(base.mgr) + p.DefaultRootPassword = ParamItem{ + Key: "common.security.defaultRootPassword", + Version: "2.4.7", + Doc: "default password for root user", + DefaultValue: "Milvus", + Export: true, + } + p.DefaultRootPassword.Init(base.mgr) + p.ClusterName = ParamItem{ Key: "common.cluster.name", Version: "2.0.0", diff --git a/pkg/util/paramtable/component_param_test.go b/pkg/util/paramtable/component_param_test.go index 52c22a9940f18..f495332ba771f 100644 --- a/pkg/util/paramtable/component_param_test.go +++ b/pkg/util/paramtable/component_param_test.go @@ -98,6 +98,10 @@ func TestComponentParam(t *testing.T) { params.Save("common.security.superUsers", "super1,super2,super3") assert.Equal(t, []string{"super1", "super2", "super3"}, Params.SuperUsers.GetAsStrings()) + assert.Equal(t, "Milvus", Params.DefaultRootPassword.GetValue()) + params.Save("common.security.defaultRootPassword", "defaultMilvus") + assert.Equal(t, "defaultMilvus", Params.DefaultRootPassword.GetValue()) + params.Save("common.security.superUsers", "") assert.Equal(t, []string{""}, Params.SuperUsers.GetAsStrings())