RBAC built in privilege groups

Signed-off-by: shaoting-huang <shaoting.huang@zilliz.com>
shaoting-huang · Nov 18, 2024 · 73a02ac · 73a02ac
1 parent a10f95d
commit 73a02ac
Show file tree

Hide file tree

Showing 8 changed files with 431 additions and 23 deletions.
diff --git a/configs/milvus.yaml b/configs/milvus.yaml
@@ -797,6 +797,30 @@ common:
     # like the old password verification when updating the credential
     superUsers: 
     defaultRootPassword: Milvus # default password for root user
+    rbac:
+      overrideBuiltInPrivilgeGroups:
+        enabled: false # Whether to override build-in privilege groups
+      cluster:
+        readonly:
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups # Cluster level readonly privileges
+        readwrite:
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups # Cluster level readwrite privileges
+        admin:
+          privileges: ListDatabases,SelectOwnership,SelectUser,DescribeResourceGroup,ListResourceGroups,FlushAll,TransferNode,TransferReplica,UpdateResourceGroups,BackupRBAC,RestoreRBAC,CreateDatabase,DropDatabase,CreateOwnership,DropOwnership,ManageOwnership,CreateResourceGroup,DropResourceGroup,UpdateUser # Cluster level admin privileges
+      database:
+        readonly:
+          privileges: ShowCollections,DescribeDatabase # Database level readonly privileges
+        readwrite:
+          privileges: ShowCollections,DescribeDatabase,AlterDatabase # Database level readwrite privileges
+        admin:
+          privileges: ShowCollections,DescribeDatabase,AlterDatabase,CreateCollection,DropCollection # Database level admin privileges
+      collection:
+        readonly:
+          privileges: Query,Search,IndexDetail,GetFlushState,GetLoadState,GetLoadingProgress,HasPartition,ShowPartitions,DescribeCollection,DescribeAlias,GetStatistics,ListAliases # Collection level readonly privileges
+        readwrite:
+          privileges: Query,Search,IndexDetail,GetFlushState,GetLoadState,GetLoadingProgress,HasPartition,ShowPartitions,DescribeCollection,DescribeAlias,GetStatistics,ListAliases,Load,Release,Insert,Delete,Upsert,Import,Flush,Compaction,LoadBalance,RenameCollection,CreateIndex,DropIndex,CreatePartition,DropPartition # Collection level readwrite privileges
+        admin:
+          privileges: Query,Search,IndexDetail,GetFlushState,GetLoadState,GetLoadingProgress,HasPartition,ShowPartitions,DescribeCollection,DescribeAlias,GetStatistics,ListAliases,Load,Release,Insert,Delete,Upsert,Import,Flush,Compaction,LoadBalance,RenameCollection,CreateIndex,DropIndex,CreatePartition,DropPartition,CreateAlias,DropAlias # Collection level admin privileges
     tlsMode: 0
   session:
     ttl: 30 # ttl value when session granting a lease to register service

diff --git a/internal/rootcoord/root_coord.go b/internal/rootcoord/root_coord.go
@@ -601,6 +601,50 @@ func (c *Core) initPublicRolePrivilege() error {
 	return nil
 }
 
+func (c *Core) initBuiltinPrivilegeGroups() []*milvuspb.PrivilegeGroupInfo {
+	// init built in privilege groups, override by config if rbac config enabled
+	builtinGroups := make([]*milvuspb.PrivilegeGroupInfo, 0)
+	for groupName, privileges := range util.BuiltinPrivilegeGroups {
+		if Params.RbacConfig.Enabled.GetAsBool() {
+			var confPrivs []string
+			switch groupName {
+			case "ClusterReadOnly":
+				confPrivs = Params.RbacConfig.ClusterReadOnlyPrivileges.GetAsStrings()
+			case "ClusterReadWrite":
+				confPrivs = Params.RbacConfig.ClusterReadWritePrivileges.GetAsStrings()
+			case "ClusterAdmin":
+				confPrivs = Params.RbacConfig.ClusterAdminPrivileges.GetAsStrings()
+			case "DatabaseReadOnly":
+				confPrivs = Params.RbacConfig.DBReadOnlyPrivileges.GetAsStrings()
+			case "DatabaseReadWrite":
+				confPrivs = Params.RbacConfig.DBReadWritePrivileges.GetAsStrings()
+			case "DatabaseAdmin":
+				confPrivs = Params.RbacConfig.DBAdminPrivileges.GetAsStrings()
+			case "CollectionReadOnly":
+				confPrivs = Params.RbacConfig.CollectionReadOnlyPrivileges.GetAsStrings()
+			case "CollectionReadWrite":
+				confPrivs = Params.RbacConfig.CollectionReadWritePrivileges.GetAsStrings()
+			case "CollectionAdmin":
+				confPrivs = Params.RbacConfig.CollectionAdminPrivileges.GetAsStrings()
+			default:
+				return nil
+			}
+			if len(confPrivs) > 0 {
+				privileges = confPrivs
+			}
+		}
+
+		privs := lo.Map(privileges, func(name string, _ int) *milvuspb.PrivilegeEntity {
+			return &milvuspb.PrivilegeEntity{Name: name}
+		})
+		builtinGroups = append(builtinGroups, &milvuspb.PrivilegeGroupInfo{
+			GroupName:  groupName,
+			Privileges: privs,
+		})
+	}
+	return builtinGroups
+}
+
 func (c *Core) initBuiltinRoles() error {
 	rolePrivilegesMap := Params.RoleCfg.Roles.GetAsRoleDetails()
 	for role, privilegesJSON := range rolePrivilegesMap {
@@ -2571,24 +2615,24 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
 		return merr.StatusWithErrorCode(err, commonpb.ErrorCode_OperatePrivilegeFailure), nil
 	}
 
-	// set up privilege name for metastore
-	privName := in.Entity.Grantor.Privilege.Name
-	ctxLog.Debug("before PrivilegeNameForMetastore", zap.String("privilege", privName))
-	if !util.IsAnyWord(privName) {
-		dbPrivName, err := c.getMetastorePrivilegeName(privName)
-		if err != nil {
-			return merr.StatusWithErrorCode(err, commonpb.ErrorCode_OperatePrivilegeFailure), nil
-		}
-		in.Entity.Grantor.Privilege.Name = dbPrivName
-	}
-	ctxLog.Debug("after PrivilegeNameForMetastore", zap.String("privilege", privName))
-
+	// set up object name if it is global object type
 	if in.Entity.Object.Name == commonpb.ObjectType_Global.String() {
 		in.Entity.ObjectName = util.AnyWord
 	}
 
+	privName := in.Entity.Grantor.Privilege.Name
+
 	redoTask := newBaseRedoTask(c.stepExecutor)
 	redoTask.AddSyncStep(NewSimpleStep("operate privilege meta data", func(ctx context.Context) ([]nestedStep, error) {
+		if !util.IsAnyWord(privName) {
+			// set up privilege name for metastore
+			dbPrivName, err := c.getMetastorePrivilegeName(privName)
+			if err != nil {
+				return nil, err
+			}
+			in.Entity.Grantor.Privilege.Name = dbPrivName
+		}
+
 		err := c.meta.OperatePrivilege(util.DefaultTenant, in.Entity, in.Type)
 		if err != nil && !common.IsIgnorableError(err) {
 			log.Warn("fail to operate the privilege", zap.Any("in", in), zap.Error(err))
@@ -2597,6 +2641,8 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
 		return nil, nil
 	}))
 	redoTask.AddAsyncStep(NewSimpleStep("operate privilege cache", func(ctx context.Context) ([]nestedStep, error) {
+		// set back to expand privilege group
+		in.Entity.Grantor.Privilege.Name = privName
 		var opType int32
 		switch in.Type {
 		case milvuspb.OperatePrivilegeType_Grant:
@@ -2607,9 +2653,23 @@ func (c *Core) OperatePrivilege(ctx context.Context, in *milvuspb.OperatePrivile
 			log.Warn("invalid operate type for the OperatePrivilege api", zap.Any("in", in))
 			return nil, nil
 		}
+		grants := []*milvuspb.GrantEntity{in.Entity}
+
+		allGroups, err := c.meta.ListPrivilegeGroups()
+		allGroups = append(allGroups, c.initBuiltinPrivilegeGroups()...)
+		if err != nil {
+			return nil, err
+		}
+		groups := lo.SliceToMap(allGroups, func(group *milvuspb.PrivilegeGroupInfo) (string, []*milvuspb.PrivilegeEntity) {
+			return group.GroupName, group.Privileges
+		})
+		expandGrants, err := c.expandPrivilegeGroups(grants, groups)
+		if err != nil {
+			return nil, err
+		}
 		if err := c.proxyClientManager.RefreshPolicyInfoCache(ctx, &proxypb.RefreshPolicyInfoCacheRequest{
 			OpType: opType,
-			OpKey:  funcutil.PolicyForPrivilege(in.Entity.Role.Name, in.Entity.Object.Name, in.Entity.ObjectName, in.Entity.Grantor.Privilege.Name, in.Entity.DbName),
+			OpKey:  funcutil.PolicyForPrivileges(expandGrants),
 		}); err != nil {
 			log.Warn("fail to refresh policy info cache", zap.Any("in", in), zap.Error(err))
 			return nil, err
@@ -3098,8 +3158,14 @@ func (c *Core) OperatePrivilegeGroup(ctx context.Context, in *milvuspb.OperatePr
 			if err != nil {
 				return nil, err
 			}
-			currGrants := c.expandPrivilegeGroups(grants, currGroups)
-			newGrants := c.expandPrivilegeGroups(grants, newGroups)
+			currGrants, err := c.expandPrivilegeGroups(grants, currGroups)
+			if err != nil {
+				return nil, err
+			}
+			newGrants, err := c.expandPrivilegeGroups(grants, newGroups)
+			if err != nil {
+				return nil, err
+			}
 
 			toRevoke := lo.Filter(currGrants, func(item *milvuspb.GrantEntity, _ int) bool {
 				return !lo.ContainsBy(newGrants, func(newItem *milvuspb.GrantEntity) bool {
@@ -3163,20 +3229,42 @@ func (c *Core) OperatePrivilegeGroup(ctx context.Context, in *milvuspb.OperatePr
 	return merr.Success(), nil
 }
 
-func (c *Core) expandPrivilegeGroups(grants []*milvuspb.GrantEntity, groups map[string][]*milvuspb.PrivilegeEntity) []*milvuspb.GrantEntity {
+func (c *Core) expandPrivilegeGroups(grants []*milvuspb.GrantEntity, groups map[string][]*milvuspb.PrivilegeEntity) ([]*milvuspb.GrantEntity, error) {
 	newGrants := []*milvuspb.GrantEntity{}
 	for _, grant := range grants {
-		if groups[grant.Grantor.Privilege.Name] == nil {
-			newGrants = append(newGrants, grant)
+		privName := grant.Grantor.Privilege.Name
+		if privGroup, exists := groups[privName]; !exists {
+			metaName, err := c.getMetastorePrivilegeName(privName)
+			if err != nil {
+				return nil, err
+			}
+			newGrants = append(newGrants, &milvuspb.GrantEntity{
+				Role:       grant.Role,
+				Object:     grant.Object,
+				ObjectName: grant.ObjectName,
+				Grantor: &milvuspb.GrantorEntity{
+					User: grant.Grantor.User,
+					Privilege: &milvuspb.PrivilegeEntity{
+						Name: metaName,
+					},
+				},
+				DbName: grant.DbName,
+			})
 		} else {
-			for _, priv := range groups[grant.Grantor.Privilege.Name] {
+			for _, priv := range privGroup {
+				metaName, err := c.getMetastorePrivilegeName(priv.Name)
+				if err != nil {
+					return nil, err
+				}
 				newGrants = append(newGrants, &milvuspb.GrantEntity{
 					Role:       grant.Role,
 					Object:     grant.Object,
 					ObjectName: grant.ObjectName,
 					Grantor: &milvuspb.GrantorEntity{
-						User:      grant.Grantor.User,
-						Privilege: priv,
+						User: grant.Grantor.User,
+						Privilege: &milvuspb.PrivilegeEntity{
+							Name: metaName,
+						},
 					},
 					DbName: grant.DbName,
 				})
@@ -3186,5 +3274,5 @@ func (c *Core) expandPrivilegeGroups(grants []*milvuspb.GrantEntity, groups map[
 	// uniq by role + object + object name + grantor user + privilege name + db name
 	return lo.UniqBy(newGrants, func(g *milvuspb.GrantEntity) string {
 		return fmt.Sprintf("%s-%s-%s-%s-%s-%s", g.Role, g.Object, g.ObjectName, g.Grantor.User, g.Grantor.Privilege.Name, g.DbName)
-	})
+	}), nil
 }
diff --git a/internal/rootcoord/root_coord_test.go b/internal/rootcoord/root_coord_test.go
@@ -2009,6 +2009,29 @@ func TestCore_InitRBAC(t *testing.T) {
 		err := c.initRbac()
 		assert.NoError(t, err)
 	})
+
+	t.Run("init default privilege groups", func(t *testing.T) {
+		clusterReadWrite := `SelectOwnership,SelectUser,DescribeResourceGroup`
+		meta := mockrootcoord.NewIMetaTable(t)
+		c := newTestCore(withHealthyCode(), withMeta(meta))
+
+		Params.Save(Params.RbacConfig.Enabled.Key, "true")
+		Params.Save(Params.RbacConfig.ClusterReadWritePrivileges.Key, clusterReadWrite)
+
+		defer func() {
+			Params.Reset(Params.RbacConfig.Enabled.Key)
+			Params.Reset(Params.RbacConfig.ClusterReadWritePrivileges.Key)
+		}()
+
+		builtinGroups := c.initBuiltinPrivilegeGroups()
+		fmt.Println(builtinGroups)
+		assert.Equal(t, len(util.BuiltinPrivilegeGroups), len(builtinGroups))
+		for _, group := range builtinGroups {
+			if group.GroupName == "ClusterReadWrite" {
+				assert.Equal(t, len(group.Privileges), 3)
+			}
+		}
+	})
 }
 
 func TestCore_BackupRBAC(t *testing.T) {

diff --git a/pkg/util/constant.go b/pkg/util/constant.go
@@ -160,6 +160,15 @@ var (
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPrivilegeGroup.String()),
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListPrivilegeGroups.String()),
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeOperatePrivilegeGroup.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupClusterReadOnly.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupClusterReadWrite.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupClusterAdmin.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupDatabaseReadOnly.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupDatabaseReadWrite.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupDatabaseAdmin.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupCollectionReadOnly.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupCollectionReadWrite.String()),
+			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupCollectionAdmin.String()),
 		},
 		commonpb.ObjectType_User.String(): {
 			MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
@@ -283,6 +292,97 @@ var (
 		commonpb.ObjectPrivilege_PrivilegeAlterDatabase.String(),
 		commonpb.ObjectPrivilege_PrivilegeFlush.String(),
 	}
+
+	BuiltinPrivilegeGroups = map[string][]string{
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupCollectionReadOnly.String()):  CollectionReadOnlyPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupCollectionReadWrite.String()): CollectionReadWritePrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupCollectionAdmin.String()):     CollectionAdminPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupDatabaseReadOnly.String()):    DatabaseReadOnlyPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupDatabaseReadWrite.String()):   DatabaseReadWritePrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupDatabaseAdmin.String()):       DatabaseAdminPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupClusterReadOnly.String()):     ClusterReadOnlyPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupClusterReadWrite.String()):    ClusterReadWritePrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGroupClusterAdmin.String()):        ClusterAdminPrivilegeGroup,
+	}
+
+	CollectionReadOnlyPrivilegeGroup = []string{
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeQuery.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSearch.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeIndexDetail.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGetFlushState.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGetLoadState.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGetLoadingProgress.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeHasPartition.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeShowPartitions.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeCollection.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeAlias.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeGetStatistics.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListAliases.String()),
+	}
+
+	CollectionReadWritePrivilegeGroup = append(CollectionReadOnlyPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeLoad.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeRelease.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeInsert.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDelete.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpsert.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeImport.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeFlush.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCompaction.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeLoadBalance.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeRenameCollection.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateIndex.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropIndex.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreatePartition.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropPartition.String()),
+	)
+
+	CollectionAdminPrivilegeGroup = append(CollectionReadWritePrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateAlias.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropAlias.String()),
+	)
+
+	DatabaseReadOnlyPrivilegeGroup = []string{
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeShowCollections.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeDatabase.String()),
+	}
+
+	DatabaseReadWritePrivilegeGroup = append(DatabaseReadOnlyPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeAlterDatabase.String()),
+	)
+
+	DatabaseAdminPrivilegeGroup = append(DatabaseReadWritePrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateCollection.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropCollection.String()),
+	)
+
+	ClusterReadOnlyPrivilegeGroup = []string{
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListDatabases.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectOwnership.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeSelectUser.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDescribeResourceGroup.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeListResourceGroups.String()),
+	}
+
+	ClusterReadWritePrivilegeGroup = append(ClusterReadOnlyPrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeFlushAll.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferNode.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeTransferReplica.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateResourceGroups.String()),
+	)
+
+	ClusterAdminPrivilegeGroup = append(ClusterReadWritePrivilegeGroup,
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeBackupRBAC.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeRestoreRBAC.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateDatabase.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropDatabase.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateOwnership.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropOwnership.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeManageOwnership.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeCreateResourceGroup.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeDropResourceGroup.String()),
+		MetaStore2API(commonpb.ObjectPrivilege_PrivilegeUpdateUser.String()),
+	)
 )
 
 // StringSet convert array to map for conveniently check if the array contains an element
@@ -344,6 +444,12 @@ func IsPrivilegeNameDefined(name string) bool {
 	return PrivilegeNameForMetastore(name) != ""
 }
 
+func IsBuiltinPrivilegeGroup(name string) bool {
+	dbPrivilege := PrivilegeGroupWord + name
+	_, ok := commonpb.ObjectPrivilege_value[dbPrivilege]
+	return ok
+}
+
 func PrivilegeGroupNameForMetastore(name string) string {
 	return PrivilegeGroupWord + name
 }

diff --git a/pkg/util/paramtable/component_param.go b/pkg/util/paramtable/component_param.go
@@ -74,6 +74,7 @@ type ComponentParam struct {
 	HTTPCfg       httpConfig
 	LogCfg        logConfig
 	RoleCfg       roleConfig
+	RbacConfig    rbacConfig
 
 	RootCoordGrpcServerCfg  GrpcServerConfig
 	ProxyGrpcServerCfg      GrpcServerConfig
@@ -124,6 +125,7 @@ func (p *ComponentParam) init(bt *BaseTable) {
 	p.HTTPCfg.init(bt)
 	p.LogCfg.init(bt)
 	p.RoleCfg.init(bt)
+	p.RbacConfig.init(bt)
 	p.GpuConfig.init(bt)
 
 	p.RootCoordGrpcServerCfg.Init("rootCoord", bt)