[Bug]: Way to break RBAC v. 2 #39365

tmnhy opened this issue Jan 16, 2025 · 1 comment
Labels: kind/bug (Issues or changes related a bug), triage/accepted (Indicates an issue or PR is ready to be actively worked on.)

Comments


tmnhy commented Jan 16, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Environment

- Milvus version: 2.4.20
- Deployment mode(standalone or cluster): standalone
- MQ type(rocksmq, pulsar or kafka):    
- SDK version(e.g. pymilvus v2.0.0rc2):
- OS(Ubuntu or CentOS): official docker image milvusdb/milvus:v2.4.20
- CPU/Memory: 
- GPU: 
- Others:

Current Behavior

It is possible to call grant_privilege_v2 with incorrect parameters. This call breaks RBAC.

Instead of correct

client.grant_privilege_v2(
    db_name=DB_NAME,
    role_name=USER_ROLE_NAME,
    privilege="CollectionAdmin",
    collection_name=COLLECTION_NAME,
)

it can be misspelled like:

client.grant_privilege_v2(
    db_name=DB_NAME,
    role_name=USER_ROLE_NAME,
    object_type='CollectionAdmin',
    collection_name=COLLECTION_NAME,
    privilege='*'
)

And the bad thing is, there will be no exceptions in this case. And what's worse, it affects the whole of RBAC v2: setting privileges correctly stops working.

Expected Behavior

A call with invalid parameters should raise an exception:

client.grant_privilege_v2(
    db_name=DB_NAME,
    role_name=USER_ROLE_NAME,
    object_type='CollectionAdmin',
    collection_name=COLLECTION_NAME,
    privilege='*'
)

Steps To Reproduce

Milvus Log

[2025/01/16 13:16:57.964 +00:00] [INFO] [proxy/impl.go:5401] [OperatePrivilegeV2] [traceID=943694dfb20890e79d07431cda8b2436] [req="role:{name:\"user_role\"} grantor:{privilege:{name:\"DatabaseAdmin\"}} db_name:\"test\" collection_name:\"*\""]
[2025/01/16 13:16:57.964 +00:00] [WARN] [rootcoord/kv_catalog.go:1118] ["fail to load grant privilege entity"] [key=root-coord/credential/grantee-privileges/user_role/Global/test.*] [type=Grant] [error="key not found[key=by-dev/meta/root-coord/credential/grantee-privileges/user_role/Global/test.*]"]
[2025/01/16 13:16:57.965 +00:00] [WARN] [rootcoord/kv_catalog.go:1140] ["fail to load the grantee id"] [key=root-coord/credential/grantee-id/d2583cc2c3caa704/PrivilegeGroupDatabaseAdmin] [error="key not found[key=by-dev/meta/root-coord/credential/grantee-id/d2583cc2c3caa704/PrivilegeGroupDatabaseAdmin]"]
[2025/01/16 13:16:57.966 +00:00] [WARN] [proxy/util.go:1866] ["unknown request"] [request="role:{name:\"user_role\"} grantor:{user:{name:\"root\"} privilege:{name:\"DatabaseAdmin\"}} db_name:\"test\" collection_name:\"*\""]
[2025/01/16 13:16:57.968 +00:00] [INFO] [proxy/impl.go:5401] [OperatePrivilegeV2] [traceID=d75b0d97e7aef3926f1d6c8a7dd129f4] [req="role:{name:\"user_role\"} grantor:{privilege:{name:\"*\"}} db_name:\"test\" collection_name:\"user_collection\""]
[2025/01/16 13:16:57.969 +00:00] [WARN] [rootcoord/kv_catalog.go:1118] ["fail to load grant privilege entity"] [key=root-coord/credential/grantee-privileges/user_role/Global/test.user_collection] [type=Grant] [error="key not found[key=by-dev/meta/root-coord/credential/grantee-privileges/user_role/Global/test.user_collection]"]
[2025/01/16 13:16:57.969 +00:00] [WARN] [rootcoord/kv_catalog.go:1140] ["fail to load the grantee id"] [key=root-coord/credential/grantee-id/fbc2a21a870ffcda/*] [error="key not found[key=by-dev/meta/root-coord/credential/grantee-id/fbc2a21a870ffcda/*]"]
[2025/01/16 13:16:57.970 +00:00] [WARN] [rootcoord/step_executor.go:75] ["failed to execute step, wait for reschedule"] [error="not found the privilege name"] [errorVerbose="not found the privilege name\n(1) attached stack trace\n  -- stack trace:\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).getMetastorePrivilegeName\n  | \t/workspace/source/internal/rootcoord/root_coord.go:2790\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).expandPrivilegeGroups.func1\n  | \t/workspace/source/internal/rootcoord/root_coord.go:3332\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).expandPrivilegeGroups\n  | \t/workspace/source/internal/rootcoord/root_coord.go:3364\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).OperatePrivilege.func2\n  | \t/workspace/source/internal/rootcoord/root_coord.go:2696\n  | github.com/milvus-io/milvus/internal/rootcoord.(*simpleStep).Execute\n  | \t/workspace/source/internal/rootcoord/step.go:540\n  | github.com/milvus-io/milvus/internal/rootcoord.(*stepStack).Execute\n  | \t/workspace/source/internal/rootcoord/step_executor.go:59\n  | github.com/milvus-io/milvus/internal/rootcoord.(*bgStepExecutor).process.func1\n  | \t/workspace/source/internal/rootcoord/step_executor.go:201\n  | runtime.goexit\n  | \t/usr/local/go/src/runtime/asm_amd64.s:1650\nWraps: (2) not found the privilege name\nError types: (1) *withstack.withStack (2) *errutil.leafError"] [step="operate privilege cache"]
[2025/01/16 13:16:57.970 +00:00] [WARN] [proxy/util.go:1866] ["unknown request"] [request="role:{name:\"user_role\"} grantor:{user:{name:\"root\"} privilege:{name:\"*\"}} db_name:\"test\" collection_name:\"user_collection\""]
[2025/01/16 13:16:57.973 +00:00] [INFO] [proxy/impl.go:4976] [CreateCredential] [traceID=9c3163b4da92f8e132cd58b2db0b22d1] [username=user] [role=proxy]
[2025/01/16 13:16:57.977 +00:00] [INFO] [proxy/impl.go:5242] [OperateUserRole] [traceID=11faf0c45f772ba00765e004ca573a91] [req="username:\"user\" role_name:\"user_role\""]
[2025/01/16 13:16:57.978 +00:00] [WARN] [rootcoord/step_executor.go:75] ["failed to execute step, wait for reschedule"] [error="not found the privilege name"] [errorVerbose="not found the privilege name\n(1) attached stack trace\n  -- stack trace:\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).getMetastorePrivilegeName\n  | \t/workspace/source/internal/rootcoord/root_coord.go:2790\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).expandPrivilegeGroups.func1\n  | \t/workspace/source/internal/rootcoord/root_coord.go:3332\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).expandPrivilegeGroups\n  | \t/workspace/source/internal/rootcoord/root_coord.go:3364\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).OperatePrivilege.func2\n  | \t/workspace/source/internal/rootcoord/root_coord.go:2696\n  | github.com/milvus-io/milvus/internal/rootcoord.(*simpleStep).Execute\n  | \t/workspace/source/internal/rootcoord/step.go:540\n  | github.com/milvus-io/milvus/internal/rootcoord.(*stepStack).Execute\n  | \t/workspace/source/internal/rootcoord/step_executor.go:59\n  | github.com/milvus-io/milvus/internal/rootcoord.(*bgStepExecutor).process.func1\n  | \t/workspace/source/internal/rootcoord/step_executor.go:201\n  | runtime.goexit\n  | \t/usr/local/go/src/runtime/asm_amd64.s:1650\nWraps: (2) not found the privilege name\nError types: (1) *withstack.withStack (2) *errutil.leafError"] [step="operate privilege cache"]
[2025/01/16 13:16:58.177 +00:00] [WARN] [rootcoord/step_executor.go:75] ["failed to execute step, wait for reschedule"] [error="not found the privilege name"] [errorVerbose="not found the privilege name\n(1) attached stack trace\n  -- stack trace:\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).getMetastorePrivilegeName\n  | \t/workspace/source/internal/rootcoord/root_coord.go:2790\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).expandPrivilegeGroups.func1\n  | \t/workspace/source/internal/rootcoord/root_coord.go:3332\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).expandPrivilegeGroups\n  | \t/workspace/source/internal/rootcoord/root_coord.go:3364\n  | github.com/milvus-io/milvus/internal/rootcoord.(*Core).OperatePrivilege.func2\n  | \t/workspace/source/internal/rootcoord/root_coord.go:2696\n  | github.com/milvus-io/milvus/internal/rootcoord.(*simpleStep).Execute\n  | \t/workspace/source/internal/rootcoord/step.go:540\n  | github.com/milvus-io/milvus/internal/rootcoord.(*stepStack).Execute\n  | \t/workspace/source/internal/rootcoord/step_executor.go:59\n  | github.com/milvus-io/milvus/internal/rootcoord.(*bgStepExecutor).process.func1\n  | \t/workspace/source/internal/rootcoord/step_executor.go:201\n  | runtime.goexit\n  | \t/usr/local/go/src/runtime/asm_amd64.s:1650\nWraps: (2) not found the privilege name\nError types: (1) *withstack.withStack (2) *errutil.leafError"] [step="operate privilege cache"]

Anything else?

No response
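The report above shows two gaps a defender can close on their own side while the server-side fix is pending: the client sends a grant request whose `privilege` is not a privilege-group name (here `"*"`), and the only trace of the damage is the root coordinator repeatedly logging `not found the privilege name` from the `operate privilege cache` step. The following is an added example, not code from the issue or from the Milvus project. It does two things: a pre-flight check that rejects a `grant_privilege_v2` keyword set like the misspelled call in the report before anything is sent, and a scanner over the kind of log lines shown above that pairs `OperatePrivilegeV2` requests carrying an unknown privilege name with the step-executor failures. The allowlist `KNOWN_PRIVILEGE_GROUPS` and the parameter set `GRANT_V2_PARAMS` are assumptions built only from the names that appear in the report; in a real deployment the allowlist should be populated from the server's own list of privilege groups for the version you run. The sample log lines are condensed from the report (the `errorVerbose` stack traces are dropped).

```python
import re
from typing import Dict, List, Tuple

# ASSUMPTION: built from the privilege-group names that appear in the report.
# Populate this from your own server's privilege-group listing; it is not the
# project's table and will be incomplete for your version.
KNOWN_PRIVILEGE_GROUPS = {"CollectionAdmin", "DatabaseAdmin"}

# ASSUMPTION: the keyword parameters the correct call in the report uses.
GRANT_V2_PARAMS = {"db_name", "role_name", "privilege", "collection_name"}


def check_grant_v2_call(**kwargs: str) -> List[str]:
    """Pre-flight check for a grant_privilege_v2 keyword set.

    Returns a list of problems; an empty list means the call looks sane.
    Run it before calling the client so a typo (a v1-style `object_type`,
    a wildcard privilege) never reaches the RBAC metastore.
    """
    problems: List[str] = []
    for name in sorted(set(kwargs) - GRANT_V2_PARAMS):
        problems.append(f"unexpected parameter {name!r} (v1-style argument?)")
    for name in sorted(GRANT_V2_PARAMS - set(kwargs)):
        problems.append(f"missing parameter {name!r}")
    priv = kwargs.get("privilege")
    if priv is not None and priv not in KNOWN_PRIVILEGE_GROUPS:
        problems.append(f"privilege {priv!r} is not a known privilege group")
    return problems


# Matches the proxy's OperatePrivilegeV2 request line as printed in the report.
# The log escapes inner quotes as \" so the pattern matches a literal backslash
# followed by a quote around each value.
REQ_RE = re.compile(
    r'\[OperatePrivilegeV2\] \[traceID=(?P<trace>[0-9a-f]+)\] '
    r'\[req="role:\{name:\\"(?P<role>[^\\]+)\\"\} '
    r'grantor:\{privilege:\{name:\\"(?P<priv>[^\\]+)\\"\}\} '
    r'db_name:\\"(?P<db>[^\\]+)\\" collection_name:\\"(?P<coll>[^\\]+)\\""\]'
)

# The root-coordinator failure the report shows repeating on reschedule.
FAIL_MARK = ('["failed to execute step, wait for reschedule"] '
             '[error="not found the privilege name"]')


def scan_milvus_log(lines: List[str]) -> Tuple[List[Dict[str, str]], int]:
    """Return (suspicious grant requests, count of privilege-cache failures).

    A request is suspicious when its privilege name is not an allowlisted
    privilege group; each retry of the failing step is counted separately so
    a growing count signals the RBAC cache is stuck, as in the report.
    """
    suspicious: List[Dict[str, str]] = []
    failures = 0
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            if m.group("priv") not in KNOWN_PRIVILEGE_GROUPS:
                suspicious.append({
                    "traceID": m.group("trace"),
                    "role": m.group("role"),
                    "privilege": m.group("priv"),
                    "db": m.group("db"),
                    "collection": m.group("coll"),
                })
        elif FAIL_MARK in line:
            failures += 1
    return suspicious, failures


# Constructed sample, condensed from the log in the report (stack traces omitted).
SAMPLE_LOG = [
    r'[2025/01/16 13:16:57.964 +00:00] [INFO] [proxy/impl.go:5401] [OperatePrivilegeV2] [traceID=943694dfb20890e79d07431cda8b2436] [req="role:{name:\"user_role\"} grantor:{privilege:{name:\"DatabaseAdmin\"}} db_name:\"test\" collection_name:\"*\""]',
    r'[2025/01/16 13:16:57.968 +00:00] [INFO] [proxy/impl.go:5401] [OperatePrivilegeV2] [traceID=d75b0d97e7aef3926f1d6c8a7dd129f4] [req="role:{name:\"user_role\"} grantor:{privilege:{name:\"*\"}} db_name:\"test\" collection_name:\"user_collection\""]',
    r'[2025/01/16 13:16:57.970 +00:00] [WARN] [rootcoord/step_executor.go:75] ["failed to execute step, wait for reschedule"] [error="not found the privilege name"] [step="operate privilege cache"]',
    r'[2025/01/16 13:16:57.978 +00:00] [WARN] [rootcoord/step_executor.go:75] ["failed to execute step, wait for reschedule"] [error="not found the privilege name"] [step="operate privilege cache"]',
    r'[2025/01/16 13:16:58.177 +00:00] [WARN] [rootcoord/step_executor.go:75] ["failed to execute step, wait for reschedule"] [error="not found the privilege name"] [step="operate privilege cache"]',
]


if __name__ == "__main__":
    # The misspelled call from the report, checked before it is ever sent.
    print(check_grant_v2_call(db_name="test", role_name="user_role",
                              object_type="CollectionAdmin",
                              collection_name="user_collection", privilege="*"))
    print(scan_milvus_log(SAMPLE_LOG))
```

The two halves are independent: the pre-flight check is what an application wraps around its own grant calls, and the scanner is what an operator runs over root-coordinator logs to find which request introduced the bad grant (the `traceID` in the suspicious entry lines up with the request that the step executor then fails on). The wildcard `collection_name="*"` is deliberately not flagged, since only the privilege name is what the metastore cannot resolve in the report.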

@tmnhy tmnhy added kind/bug Issues or changes related a bug needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 16, 2025
@yanliang567 (Contributor) commented:

/assign @shaoting-huang
/unassign

@yanliang567 yanliang567 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 17, 2025