Fix superusers' password verification problem (#23733)

Signed-off-by: N SimFG <bang.fu@zilliz.com>

Fix superusers' password verification problem (#23733)
Signed-off-by: N SimFG <bang.fu@zilliz.com>
5cd21893 · SimFG · GitHub · fc3466d9 · 5cd21893 · 5cd21893
5 changed file
--- a/configs/milvus.yaml
+++ b/configs/milvus.yaml
@@ -401,7 +401,7 @@ common:
    authorizationEnabled: false
    # The superusers will ignore some system check processes,
    # like the old password verification when updating the credential
-    superUsers: root
+    # superUsers: root
    tlsMode: 0
  session:
    ttl: 20 # ttl value when session granting a lease to register service

--- a/internal/proxy/impl.go
+++ b/internal/proxy/impl.go
@@ -4000,7 +4000,16 @@ func (node *Proxy) UpdateCredential(ctx context.Context, req *milvuspb.UpdateCre
 		}, nil
 	}

-	if !passwordVerify(ctx, req.Username, rawOldPassword, globalMetaCache) {
+	skipPasswordVerify := false
+	if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" {
+		for _, s := range Params.CommonCfg.SuperUsers.GetAsStrings() {
+			if s == currentUser {
+				skipPasswordVerify = true
+			}
+		}
+	}
+
+	if !skipPasswordVerify && !passwordVerify(ctx, req.Username, rawOldPassword, globalMetaCache) {
 		return &commonpb.Status{
 			ErrorCode: commonpb.ErrorCode_UpdateCredentialFailure,
 			Reason:    "old password is not correct:" + req.Username,

--- a/internal/proxy/proxy_test.go
+++ b/internal/proxy/proxy_test.go
@@ -2271,6 +2271,8 @@ func TestProxy(t *testing.T) {
 		assert.NotEqual(t, commonpb.ErrorCode_Success, updateResp.ErrorCode)

 		// super user
+		paramtable.Get().Save(Params.CommonCfg.SuperUsers.Key, "root")
+		defer paramtable.Get().Reset(Params.CommonCfg.SuperUsers.Key)
 		updateCredentialReq.OldPassword = crypto.Base64Encode("wrong_password")
 		updateCredentialReq.NewPassword = crypto.Base64Encode(newPassword)
 		updateResp, err = proxy.UpdateCredential(rootCtx, updateCredentialReq)

--- a/internal/proxy/util.go
+++ b/internal/proxy/util.go
@@ -746,15 +746,6 @@ func passwordVerify(ctx context.Context, username, rawPwd string, globalMetaCach
 		return false
 	}

-	if currentUser, _ := GetCurUserFromContext(ctx); currentUser != "" {
-		log.Debug("simfg password", zap.Strings("super users", Params.CommonCfg.SuperUsers.GetAsStrings()))
-		for _, s := range Params.CommonCfg.SuperUsers.GetAsStrings() {
-			if s == currentUser {
-				return true
-			}
-		}
-	}
-
 	// hit cache
 	sha256Pwd := crypto.SHA256(rawPwd, credInfo.Username)
 	if credInfo.Sha256Password != "" {

--- a/pkg/util/paramtable/component_param.go
+++ b/pkg/util/paramtable/component_param.go
@@ -587,7 +587,8 @@ Check https://milvus.io/docs/limitations.md for more details.`,
 		Version: "2.2.1",
 		Doc: `The superusers will ignore some system check processes,
 like the old password verification when updating the credential`,
-		Export: true,
+		DefaultValue: "",
+		Export:       true,
 	}
 	p.SuperUsers.Init(base.mgr)