fix: [2.5] fix restore rbac empty meta crash (#39143)

shaoting-huang · web-flow · commit 3059fae40dd2 · 2025-01-13T12:04:58.000+08:00
cp from master: #39141 related: #38985 Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
diff --git a/internal/metastore/kv/rootcoord/kv_catalog.go b/internal/metastore/kv/rootcoord/kv_catalog.go
@@ -1489,7 +1489,7 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
 			log.Ctx(ctx).Warn("failed to restore rbac, try to rollback", zap.Error(err))
 			// roll back role
 			for _, role := range needRollbackRole {
-				err = kc.DropRole(ctx, tenant, role.Name)
+				err = kc.DropRole(ctx, tenant, role.GetName())
 				if err != nil {
 					log.Ctx(ctx).Warn("failed to rollback roles after restore failed", zap.Error(err))
 				}
@@ -1505,15 +1505,15 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
 
 			for _, user := range needRollbackUser {
 				// roll back user
-				err = kc.DropCredential(ctx, user.User)
+				err = kc.DropCredential(ctx, user.GetUser())
 				if err != nil {
 					log.Ctx(ctx).Warn("failed to rollback users after restore failed", zap.Error(err))
 				}
 			}
 
 			// roll back privilege group
 			for _, group := range needRollbackPrivilegeGroups {
-				err = kc.DropPrivilegeGroup(ctx, group.GroupName)
+				err = kc.DropPrivilegeGroup(ctx, group.GetGroupName())
 				if err != nil {
 					log.Ctx(ctx).Warn("failed to rollback privilege groups after restore failed", zap.Error(err))
 				}
@@ -1527,7 +1527,7 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
 		return err
 	}
 	existRoleMap := lo.SliceToMap(existRoles, func(entity *milvuspb.RoleResult) (string, struct{}) { return entity.GetRole().GetName(), struct{}{} })
-	for _, role := range meta.Roles {
+	for _, role := range meta.GetRoles() {
 		if _, ok := existRoleMap[role.GetName()]; ok {
 			log.Ctx(ctx).Warn("failed to restore, role already exists", zap.String("role", role.GetName()))
 			err = errors.Newf("role [%s] already exists", role.GetName())
@@ -1545,11 +1545,11 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
 	if err != nil {
 		return err
 	}
-	existPrivGroupMap := lo.SliceToMap(existPrivGroups, func(entity *milvuspb.PrivilegeGroupInfo) (string, struct{}) { return entity.GroupName, struct{}{} })
-	for _, group := range meta.PrivilegeGroups {
-		if _, ok := existPrivGroupMap[group.GroupName]; ok {
-			log.Ctx(ctx).Warn("failed to restore, privilege group already exists", zap.String("group", group.GroupName))
-			err = errors.Newf("privilege group [%s] already exists", group.GroupName)
+	existPrivGroupMap := lo.SliceToMap(existPrivGroups, func(entity *milvuspb.PrivilegeGroupInfo) (string, struct{}) { return entity.GetGroupName(), struct{}{} })
+	for _, group := range meta.GetPrivilegeGroups() {
+		if _, ok := existPrivGroupMap[group.GetGroupName()]; ok {
+			log.Ctx(ctx).Warn("failed to restore, privilege group already exists", zap.String("group", group.GetGroupName()))
+			err = errors.Newf("privilege group [%s] already exists", group.GetGroupName())
 			return err
 		}
 		err = kc.SavePrivilegeGroup(ctx, group)
@@ -1564,9 +1564,9 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
 	if err != nil {
 		return err
 	}
-	existPrivGroupMap = lo.SliceToMap(existPrivGroups, func(entity *milvuspb.PrivilegeGroupInfo) (string, struct{}) { return entity.GroupName, struct{}{} })
-	for _, grant := range meta.Grants {
-		privName := grant.Grantor.Privilege.Name
+	existPrivGroupMap = lo.SliceToMap(existPrivGroups, func(entity *milvuspb.PrivilegeGroupInfo) (string, struct{}) { return entity.GetGroupName(), struct{}{} })
+	for _, grant := range meta.GetGrants() {
+		privName := grant.GetGrantor().GetPrivilege().GetName()
 		if util.IsPrivilegeNameDefined(privName) {
 			grant.Grantor.Privilege.Name = util.PrivilegeNameForMetastore(privName)
 		} else if _, ok := existPrivGroupMap[privName]; ok {
@@ -1589,16 +1589,16 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
 		return err
 	}
 	existUserMap := lo.SliceToMap(existUser, func(entity *milvuspb.UserResult) (string, struct{}) { return entity.GetUser().GetName(), struct{}{} })
-	for _, user := range meta.Users {
+	for _, user := range meta.GetUsers() {
 		if _, ok := existUserMap[user.GetUser()]; ok {
 			log.Ctx(ctx).Info("failed to restore, user already exists", zap.String("user", user.GetUser()))
 			err = errors.Newf("user [%s] already exists", user.GetUser())
 			return err
 		}
 		// restore user
 		err = kc.CreateCredential(ctx, &model.Credential{
-			Username:          user.User,
-			EncryptedPassword: user.Password,
+			Username:          user.GetUser(),
+			EncryptedPassword: user.GetPassword(),
 		})
 		if err != nil {
 			return err
@@ -1607,9 +1607,9 @@ func (kc *Catalog) RestoreRBAC(ctx context.Context, tenant string, meta *milvusp
 
 		// restore user role mapping
 		entity := &milvuspb.UserEntity{
-			Name: user.User,
+			Name: user.GetUser(),
 		}
-		for _, role := range user.Roles {
+		for _, role := range user.GetRoles() {
 			err = kc.AlterUserRole(ctx, tenant, entity, role, milvuspb.OperateUserRoleType_AddUserToRole)
 			if err != nil {
 				return err
diff --git a/internal/proxy/impl.go b/internal/proxy/impl.go
@@ -5656,6 +5656,9 @@ func (node *Proxy) RestoreRBAC(ctx context.Context, req *milvuspb.RestoreRBACMet
 	if err := merr.CheckHealthy(node.GetStateCode()); err != nil {
 		return merr.Status(err), nil
 	}
+	if req.RBACMeta == nil {
+		return merr.Success(), nil
+	}
 
 	result, err := node.rootCoord.RestoreRBAC(ctx, req)
 	if err != nil {
diff --git a/tests/integration/rbac/rbac_backup_test.go b/tests/integration/rbac/rbac_backup_test.go
@@ -154,8 +154,12 @@ func (s *RBACBackupTestSuite) TestBackup() {
 	s.Equal(groupName, backupRBACResp.GetRBACMeta().PrivilegeGroups[0].GroupName)
 	s.Equal(2, len(backupRBACResp.GetRBACMeta().PrivilegeGroups[0].Privileges))
 
+	restoreRBACResp, err := s.Cluster.Proxy.RestoreRBAC(ctx, &milvuspb.RestoreRBACMetaRequest{})
+	s.NoError(err)
+	s.True(merr.Ok(restoreRBACResp))
+
 	// test restore, expect to failed due to role/user already exist
-	restoreRBACResp, err := s.Cluster.Proxy.RestoreRBAC(ctx, &milvuspb.RestoreRBACMetaRequest{
+	restoreRBACResp, err = s.Cluster.Proxy.RestoreRBAC(ctx, &milvuspb.RestoreRBACMetaRequest{
 		RBACMeta: backupRBACResp.GetRBACMeta(),
 	})
 	s.NoError(err)

Original file line number	Diff line number	Diff line change
`@@ -5656,6 +5656,9 @@ func (node Proxy) RestoreRBAC(ctx context.Context, req milvuspb.RestoreRBACMet`
`5656`	`5656`	`if err := merr.CheckHealthy(node.GetStateCode()); err != nil {`
`5657`	`5657`	`return merr.Status(err), nil`
`5658`	`5658`	`}`
	`5659`	`+ if req.RBACMeta == nil {`
	`5660`	`+ return merr.Success(), nil`
	`5661`	`+ }`
`5659`	`5662`
`5660`	`5663`	`result, err := node.rootCoord.RestoreRBAC(ctx, req)`
`5661`	`5664`	`if err != nil {`