feat: added MILVU client to configure access rights

francescotimperi · francescotimperi · commit 768a09940557 · 2024-12-07T11:16:55.000+01:00
diff --git a/TaskfileTest.yml b/TaskfileTest.yml
@@ -120,62 +120,62 @@ tasks:
     echo "*** $APIHOST ***"
     AUTH=$(kubectl -n nuvolaris get wsk/controller -o jsonpath='{.spec.openwhisk.namespaces.nuvolaris}')
     echo $AUTH
-    echo wsk property set --apihost $APIHOST --auth $AUTH
-    wsk property set --apihost $APIHOST --auth $AUTH
-    while ! wsk action list
+    echo ops -wsk property set --apihost $APIHOST --auth $AUTH
+    ops -wsk property set --apihost $APIHOST --auth $AUTH
+    while ! ops action list
     do echo $(( N++)) "waiting for the load balancer to be ready..." ; sleep 10
     done
   
   hello:
-    - wsk -i action update hello tests/hello.js --web=true
-    - wsk -i action invoke hello -r | grep "hello"
+    - ops -wsk -i action update hello tests/hello.js --web=true
+    - ops -wsk -i action invoke hello -r | grep "hello"
     - |
-      URL=$(wsk -i action get hello --url | tail +2)
+      URL=$(ops -wsk -i action get hello --url | tail +2)
       curl -skL $URL | grep hello
 
   redis:
     cmds:
-      - wsk -i package update redis -p redis_url "{{.REDIS_NUV_URL}}" -p redis_prefix "{{.REDIS_NUV_PREFIX}}" -p password "{{.REDIS_PASSWORD}}"
-      - wsk -i action update redis/ping tests/ping.js   
-      - wsk -i action invoke redis/ping -r | grep "PONG"      
-      - wsk -i action update redis/redis tests/redis.js
-      - wsk -i action invoke redis/redis -r | grep "world"
+      - ops -wsk -i package update redis -p redis_url "{{.REDIS_NUV_URL}}" -p redis_prefix "{{.REDIS_NUV_PREFIX}}" -p password "{{.REDIS_PASSWORD}}"
+      - ops -wsk -i action update redis/ping tests/ping.js   
+      - ops -wsk -i action invoke redis/ping -r | grep "PONG"      
+      - ops -wsk -i action update redis/redis tests/redis.js
+      - ops -wsk -i action invoke redis/redis -r | grep "world"
     vars:
         REDIS_NUV_PREFIX:
           sh:  kubectl -n nuvolaris get cm/config -o jsonpath='{.metadata.annotations.redis_prefix}'
         REDIS_NUV_URL:
           sh:  kubectl -n nuvolaris get cm/config -o jsonpath='{.metadata.annotations.redis_url}'
 
   echo:
-    - wsk -i action update echo tests/echo.js -a provide-api-key true
-    - wsk -i action invoke echo -r | grep "__OW_API_KEY"
-    - wsk -i action invoke echo -r | grep "__OW_API_HOST"
+    - ops -wsk -i action update echo tests/echo.js -a provide-api-key true
+    - ops -wsk -i action invoke echo -r | grep "__OW_API_KEY"
+    - ops -wsk -i action invoke echo -r | grep "__OW_API_HOST"
 
   api:
-    - wsk -i action update api tests/api.js -a provide-api-key true
-    - wsk -i action invoke api -r | grep '"api"'
+    - ops -wsk -i action update api tests/api.js -a provide-api-key true
+    - ops -wsk -i action invoke api -r | grep '"api"'
 
   mongo:
     - | 
        MONGODB_URL=$(kubectl -n nuvolaris get cm/config -o jsonpath='{.metadata.annotations.mongodb_url}') 
        wsk -i package update mongo -p dburi "$MONGODB_URL"
-    - wsk -i action update mongo/mongo tests/mongo.js
-    - wsk -i action invoke mongo/mongo -r | grep "hello"
+    - ops -wsk -i action update mongo/mongo tests/mongo.js
+    - ops -wsk -i action invoke mongo/mongo -r | grep "hello"
 
   minio:
-    - wsk -i package update minio -p minio_host {{.MINIO_HOST}} -p minio_port {{.MINIO_PORT}} -p minio_user {{.MINIO_USER}} -p minio_pwd {{.MINIO_PWD}}
-    - wsk -i action update minio/minio tests/minio.js
-    - wsk -i action invoke minio/minio -r
+    - ops -wsk -i package update minio -p minio_host {{.MINIO_HOST}} -p minio_port {{.MINIO_PORT}} -p minio_user {{.MINIO_USER}} -p minio_pwd {{.MINIO_PWD}}
+    - ops -wsk -i action update minio/minio tests/minio.js
+    - ops -wsk -i action invoke minio/minio -r
     
   mongo2:
-    - wsk -i project deploy --manifest tests/mongo.yaml
+    - ops -wsk -i project deploy --manifest tests/mongo.yaml
 
   postgres:
     - |
       PG_URL=$(kubectl -n nuvolaris get cm/config -o jsonpath='{.metadata.annotations.postgres_url}')
-      wsk -i package update postgres -p dburi "$PG_URL"
-    - wsk -i action update postgres/postgres tests/postgres.js
-    - wsk -i action invoke postgres/postgres -r | grep "Nuvolaris Postgres is up and running!"
+      ops -wsk -i package update postgres -p dburi "$PG_URL"
+    - ops -wsk -i action update postgres/postgres tests/postgres.js
+    - ops -wsk -i action invoke postgres/postgres -r | grep "Nuvolaris Postgres is up and running!"
 
   minio2:
     silent: true
@@ -188,10 +188,10 @@ tasks:
       MINIO_PORT=$(kubectl -n nuvolaris get cm/config -o jsonpath='{.metadata.annotations.s3_port}')
       MINIO_BUCKET_DATA=$(kubectl -n nuvolaris get cm/config -o jsonpath='{.metadata.annotations.s3_bucket_data}')
       MINIO_BUCKET_WEB=$(kubectl -n nuvolaris get cm/config -o jsonpath='{.metadata.annotations.s3_bucket_static}')
-      wsk -i action update minio/minio-nuv tests/minio-nuv.js \
+      ops -wsk -i action update minio/minio-nuv tests/minio-nuv.js \
       -p minio_access "$MINIO_ACCESS_KEY" \
       -p minio_secret "$MINIO_SECRET_KEY" \
       -p minio_host "$MINIO_HOST" \
       -p minio_port "$MINIO_PORT" \
       -p minio_data "$MINIO_BUCKET_DATA" 
-    - wsk -i action invoke minio/minio-nuv -r        
+    - ops -wsk -i action invoke minio/minio-nuv -r        
diff --git a/deploy/nginx-static/nginx-static-sts.yaml b/deploy/nginx-static/nginx-static-sts.yaml
@@ -36,7 +36,7 @@ spec:
       initContainers:
       - name: check-minio
         image: busybox:1.36.0
-        command: ['sh', '-c', "until nslookup minio.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for minio; sleep 2; done"]     
+        command: ['sh', '-c', "until nslookup nuvolaris-minio.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for minio; sleep 2; done"]     
       containers:
       - name: nuvolaris-static
         image: nginxinc/nginx-unprivileged:1.24
diff --git a/deploy/nuvolaris-permissions/whisk-crd.yaml b/deploy/nuvolaris-permissions/whisk-crd.yaml
@@ -738,15 +738,28 @@ spec:
                       description: MILVUS related user passwords
                       type: object
                       properties:
+                        root:
+                          description: milvus root password
+                          type: string
                         etcd:
                           description: ETCD milvus user password
                           type: string
                         s3:
                           description: MINIO/S3 milvus user password
                           type: string                          
                       required:
-                      - etcd
-                      - s3                      
+                      - root
+                      - s3
+                    nuvolaris:
+                      description: MILVUS default user setup
+                      type: object
+                      properties:
+                        password:
+                          description: nuvolaris MILVUS password
+                          type: string
+                        collection:
+                          description: nuvolaris MILVUS collection (default to nuvolaris)
+                          type: string                        
             status:
               x-kubernetes-preserve-unknown-fields: true
               # type: object
diff --git a/nuvolaris/milvus_admin_client.py b/nuvolaris/milvus_admin_client.py
@@ -0,0 +1,129 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+import logging
+import nuvolaris.config as cfg
+from pymilvus import MilvusClient
+
+class MilvusAdminClient:
+    """
+    Simple Milvus Client used to perform Mivlus administration Tasks
+    """
+    def __init__(self, db_name="default"):
+        self.admin_username   = cfg.get("milvus.admin.user", "MILVUS_ROOT_USER", "root")
+        self.milvus_api_host  = cfg.get("milvus.host", "MILVUS_API_HOST", "nuvolaris-milvus")            
+        self.milvus_api_port  = cfg.get("milvus.host", "MILVUS_API_PORT", "19530")
+        self.admin_password   = cfg.get("milvus.password.root", "MILVUS_ROOT_PASSWORD", "An0therPa55")
+
+        self.milvus_api_url   = f"http://{self.milvus_api_host}:{self.milvus_api_port}"
+        self.client = MilvusClient(
+            uri=self.milvus_api_url,
+            token=f"{self.admin_username}:{self.admin_password}",
+            db_name=db_name
+        )
+
+        print(f"{self.admin_username}:{self.admin_password}")
+
+    def close_connection(self):
+        try:
+            self.client.close()
+            logging.info("MILVUS client connection closed")
+        except Exception as ex:
+            logging.warning("cannot close MILVUS client connection", ex)
+
+    def add_user(self, username, password):
+        """
+        adds a new MILVUS user to the predefined
+        param: username
+        param: password
+        return: True if user has been successfully created
+        """
+        try:
+            self.client.create_user(username, password)
+            created_user = self.client.describe_user(username)
+            return 'user_name' in created_user
+        except Exception as ex:
+            logging.error(f"Could not create milvus user {username}", ex)
+            return False
+        
+    def add_role(self, role):
+        """
+        adds a new MILVUS role 
+        param: role        
+        return: True if role has been successfully created
+        """
+        try:
+            self.client.create_role(role)
+            created_role = self.client.describe_role(role)
+            return 'role_name' in created_role
+        except Exception as ex:
+            logging.error(f"Could not create milvus role {role}", ex)
+            return False 
+
+    def add_default_privileges_to_role(self, role):
+        """
+        adds default privileges to a role
+        param: role        
+        return: True if role has been successfully created
+        """
+        try:
+            self.client.grant_privilege(
+                role_name=role,
+                object_type='Global',  # value here can be Global, Collection or User, object type also depends on the API defined in privilegeName
+                object_name='*',  # value here can be * or a specific user name if object type is 'User'
+                privilege='CreateCollection'
+            )
+
+            self.client.grant_privilege(
+                role_name=role,
+                object_type='Collection',  # value here can be Global, Collection or User, object type also depends on the API defined in privilegeName
+                object_name='*',  # value here can be * or a specific user name if object type is 'User'
+                privilege='*'
+            )
+
+            return True
+        except Exception as ex:
+            logging.error(f"Could not create milvus role {role}", ex)
+            return False 
+    
+    def assign_role(self, username, role):
+        """
+        assign a tole to a user
+        param: username
+        param: role        
+        return: True if role has been successfully created
+        """
+        try:
+            self.client.grant_role(user_name=username,role_name=role)
+            user_detail = self.client.describe_user(username)
+            return role in user_detail['roles']
+        except Exception as ex:
+            logging.error(f"Could not assign MILVUS role {role}", ex)
+            return False 
+
+    def setup_user(self, username, password):
+        """
+        Creates a user into MILVUS and assign permission on collection
+        param: username
+        param: role        
+        return: True if role has been successfully created
+        """
+        role = f"{username}_role"
+        self.add_user(username,password)
+        self.add_role(role)
+        self.add_default_privileges_to_role(role)
+        self.assign_role(username, role)
diff --git a/nuvolaris/templates/milvus-cfg-base.yaml b/nuvolaris/templates/milvus-cfg-base.yaml
@@ -132,4 +132,9 @@ data:
     #    serverKeyPath: /etc/milvus/certs/tls.key
     #   common:
     #     security:
-    #       tlsMode: 1
+    #       tlsMode: 1
+    # Enable User Authentication
+    common:
+      security:
+        authorizationEnabled: true
+        defaultRootPassword: {{milvus_root_password}}
diff --git a/nuvolaris/util.py b/nuvolaris/util.py
@@ -726,7 +726,10 @@ def get_milvus_config_data():
         'replicas': cfg.get('milvus.replicas') or 1,
         'storageClass': cfg.get('nuvolaris.storageclass'),
         "etcd_replicas":get_etcd_replica(),
-        "etcd_container": "nuvolaris-etcd", 
+        "etcd_container": "nuvolaris-etcd",
+        'milvus_root_password': cfg.get('milvus.password.root') or "An0therPa55",
+        'nuvolaris_password': cfg.get('milvus.nuvolaris.password') or "Nuv0therPa55",
+        'nuvolaris_collection': cfg.get('milvus.nuvolaris.collection') or "nuvolaris"
         }
     
     data["etcd_range"]=range(data["etcd_replicas"])
diff --git a/tests/k3s/whisk.yaml b/tests/k3s/whisk.yaml
@@ -191,6 +191,7 @@ spec:
       journal: 20
       ledgers: 25
     replicas: 1
-    password:      
+    password:
+      root: x£VqD7G6712o        
       etcd: 97Vk2{qe8o>S
       s3: 8_d$8zCrl7£m      
diff --git a/tests/kind/milvus_admin_test.ipy b/tests/kind/milvus_admin_test.ipy
@@ -0,0 +1,52 @@
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+import os
+import nuvolaris.testutil as tu
+import nuvolaris.config as cfg
+from nuvolaris.milvus_admin_client import MilvusAdminClient
+from pymilvus import MilvusClient
+
+# for this test minioClient should see this env variable
+os.environ['MILVUS_ROOT_USER']='root'
+os.environ['MILVUS_API_HOST']='localhost'
+os.environ['MILVUS_API_PORT']='19530'
+os.environ['MILVUS_ROOT_PASSWORD']='x£VqD7G6712o'
+
+#client = MilvusAdminClient()
+#client.setup_user("franz","Afrodite1972#123")
+#client.setup_user("ciccillo","Afrodite1973#123")
+#client.close_connection()
+
+milvus = MilvusClient(uri="http://localhost:19530",token="root:x£VqD7G6712o")
+print(milvus.grant_privilege(role_name="ciccillo_role",object_type='Global',  object_name='*', privilege='CreateCollection'))
+#print(milvus.grant_privilege(role_name="franz_role",object_type='Global',  object_name='*', privilege='CreateCollection'))
+#print(milvus.grant_role(user_name="franz",role_name="franz_role"))
+#print(milvus.describe_role(role_name="franz_role"))
+#print(milvus.describe_user("franz"))
+milvus.close()
+
+fttclient = MilvusClient(uri="http://localhost:19530",token="franz:Afrodite1972#123")
+#print(fttclient.create_collection(collection_name="franz_collection", dimension=100))
+fttclient.close()
+
+cclient = MilvusClient(uri="http://localhost:19530",token="ciccillo:Afrodite1973#123")
+print(cclient.create_collection(collection_name="cc_collection",dimension=100))
+print(cclient.list_collections())
+
diff --git a/tests/kind/milvus_standalone_test.ipy b/tests/kind/milvus_standalone_test.ipy
@@ -36,9 +36,6 @@ assert(cfg.detect_storage()["nuvolaris.storageclass"])
 # for this test minioClient should see this env variable
 os.environ['MINIO_API_HOST']='localhost'
 
-# for this test minioClient should see this env variable
-os.environ['MINIO_API_HOST']='localhost'
-
 assert(etcd.create())
 assert(minio.create())
 assert(milvus.create())
diff --git a/tests/kind/whisk.yaml b/tests/kind/whisk.yaml
@@ -33,9 +33,9 @@ spec:
     # start mongodb
     mongodb: false
     # start redis
-    redis: true      
+    redis: false      
     # start cron based action parser
-    cron: true 
+    cron: false 
     # tls enabled or not
     tls: false
     # minio enabled or not
@@ -47,7 +47,7 @@ spec:
     # etcd enabled or not
     etcd: true
     # milvus enabled or not
-    etcd: true                      
+    milvus: true                      
   openwhisk:
     namespaces:
       whisk-system: 789c46b1-71f6-4ed5-8c54-816aa4f8c502:abczO3xZCLrMN6v2BKK1dXYFpXlPkccOFqm12CdAsMgRU4VrNZ9lyGVCGuMDGIwP
@@ -170,6 +170,7 @@ spec:
       journal: 20
       ledgers: 25
     replicas: 1
-    password:      
+    password:
+      root: x£VqD7G6712o        
       etcd: 97Vk2{qe8o>S
-      s3: 8_d$8zCrl7£m                                           
+      s3: 8_d$8zCrl7£m                                            
