[Bug]: RBAC: Issue with granting DatabaseAdmin privilege to a role

[s-sajid-ali]

Is there an existing issue for this?

• I have searched the existing issues

Environment

- Milvus version: 2.5.4
- Deployment mode(standalone or cluster): cluster
- MQ type(rocksmq, pulsar or kafka): kafka
- SDK version(e.g. pymilvus v2.0.0rc2):2.5.4
- OS(Ubuntu or CentOS): macos for client, offical docker images for milvus cluster
- CPU/Memory: aarch64 client, x86_64 server
- GPU: N/A
- Others: Milvus cluster is running on on-prem OpenShift

Current Behavior

Assigning DatabaseAdmin to a user fails silently. Here are the relevant logs from the milvus-proxy pod for the failure:

[2025/02/21 19:37:23.969 +00:00] [INFO] [proxy/impl.go:5464] [OperatePrivilegeV2] [traceID=d8257eb439c8ae3fca9d95449ac82ddd] [req="role:{name:\"sajid_test_database_admin\"} grantor:{privilege:{name:\"DatabaseAdmin\"}} db_name:\"sajid_test_database\" collection_name:\"*\""]
[2025/02/21 19:37:23.991 +00:00] [WARN] [proxy/util.go:2055] ["unknown request"] [request="role:{name:\"sajid_test_database_admin\"} grantor:{user:{name:\"root\"} privilege:{name:\"DatabaseAdmin\"}} db_name:\"sajid_test_database\" collection_name:\"*\""]

Expected Behavior

>>> role = Role('sajid_test_database_admin')
>>> role.list_grants()
GrantInfo groups:
>>> client.grant_privilege_v2('sajid_test_database_admin', "DatabaseAdmin", '*', db_name="sajid_test_database")
>>> role.list_grants()
GrantInfo groups:
>>> client.grant_privilege_v2(role_name='sajid_test_database_admin', privilege="DatabaseAdmin", collection_name='*', db_name="sajid_test_database")
>>> 

Expect to see DatabaseAdmin granted to the role sajid_test_database_admin.

Steps To Reproduce

Milvus Log

Re-posting relevant log:

[2025/02/21 19:37:23.969 +00:00] [INFO] [proxy/impl.go:5464] [OperatePrivilegeV2] [traceID=d8257eb439c8ae3fca9d95449ac82ddd] [req="role:{name:\"sajid_test_database_admin\"} grantor:{privilege:{name:\"DatabaseAdmin\"}} db_name:\"sajid_test_database\" collection_name:\"*\""]
[2025/02/21 19:37:23.991 +00:00] [WARN] [proxy/util.go:2055] ["unknown request"] [request="role:{name:\"sajid_test_database_admin\"} grantor:{user:{name:\"root\"} privilege:{name:\"DatabaseAdmin\"}} db_name:\"sajid_test_database\" collection_name:\"*\""]

Anything else?

Potentially related to #39365, but the error message is different. Would like to also request better error messages instead of silent failures.

[dosubot]

Hello, @s-sajid-ali! I'm here to help you with any bugs, questions, or contributions you have. Let's tackle this issue together!

The "unknown request" warning in the Milvus proxy logs when attempting to grant the DatabaseAdmin role suggests that the request might not be recognized or properly formatted by the system. Here are some steps and considerations to address this issue:

1. Check Request Format: Ensure that the request to grant the privilege is correctly formatted. The logs indicate a potential mismatch in the expected request structure. Verify that all required fields are correctly specified.

2. Validate Role and Privilege Entities: Make sure that the RoleEntity and PrivilegeEntity are correctly defined and exist in the system. The role sajid_test_database_admin and the privilege DatabaseAdmin should be properly set up before attempting to grant them.

3. Review Proxy Configuration: Check the Milvus proxy configuration to ensure that it is set up to handle role and privilege operations correctly. This includes verifying that the authorization settings are enabled and correctly configured.

4. Inspect Related Logs: Look for any additional logs around the time of the request that might provide more context or detail about the failure. This can help identify if there are any other underlying issues.

5. Test with Different Parameters: Try granting a different privilege or using a different role to see if the issue persists. This can help determine if the problem is specific to the DatabaseAdmin privilege or the sajid_test_database_admin role.

6. Update Error Messaging: As you mentioned, improving error messaging can help with debugging. Consider submitting a request for enhanced error messages to provide more detailed feedback when operations fail.

The OperatePrivilegeV2 method in the Milvus proxy involves several checks and validations, including parameter validation and privilege operation execution. If any of these steps fail, it could result in the "unknown request" warning ^[1][2].

If the issue persists, further investigation into the specific configuration and setup of your Milvus deployment may be necessary.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[s-sajid-ali]

@dosu: Is DatabaseAdmin not available as a role by default per https://milvus.io/docs/privilege_group.md#Built-in-privilege-groups ?

[dosubot]

The DatabaseAdmin privilege is not set by default in Milvus. According to the documentation on built-in privilege groups, privileges like DatabaseAdmin need to be assigned manually. The privilege groups do not cascade automatically to all databases and collections, so you'll need to explicitly grant the DatabaseAdmin role to the desired user or role for each specific database or collection.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[yanliang567]

@s-sajid-ali I think you need one more step to grand the role to the user, please check the doc here: https://milvus.io/docs/rbac.md

/assign @s-sajid-ali
/unassign