feat: implement KMS key revocation and coordinated rotation

Adds KMS key state monitoring and coordinated key rotation to prevent
message queue consumption failures during encryption key updates.

Key Changes:
- Add KeyManager in RootCoord for periodic KMS state polling
- Integrate KeyManager with QuotaCenter for access denial
- Implement revocation checks in Proxy SimpleLimiter
- Add rotation callback coordination via AlterDatabase broadcast
- Drop internal properties before metadata persistence
- Add GetStates() and InvalidateCipherCache() to hookutil

Access Denial:
- Revoked keys: Release collections + deny DML/DQL (DDL still allowed)
- Check performed on every request at proxy layer
- Manual LoadCollection required after key recovery

Key Rotation Flow:
1. CipherPlugin rotates key, writes to etcd
2. Plugin invokes onKeyRotated callback
3. KeyManager broadcasts AlterDatabase with internal property
4. StreamingNode receives message and reloads cipher
5. ACK callback invalidate Proxy db cache and refresh key

See also: #45117, #45981, #45242

Signed-off-by: yangxuan <[email protected]>

Author: XuanYang-cn

internal/coordinator/mix_coord.go

@@ -215,6 +215,7 @@ func (s *mixCoordImpl) initInternal() error {
 		log.Error("queryCoord start failed", zap.Error(err))
 		return err
 	}
+
 	return nil
 }
 

internal/flushcommon/pipeline/flow_graph_dd_node.go

@@ -297,6 +297,19 @@ func (ddn *ddNode) Operate(in []Msg) []Msg {
 			} else {
 				logger.Info("handle put collection message success")
 			}
+		case commonpb.MsgType_AlterDatabase:
+			alterDatabaseMsg := msg.(*adaptor.AlterDatabaseMessageBody)
+			logger := log.With(
+				zap.String("vchannel", ddn.Name()),
+				zap.Int32("msgType", int32(msg.Type())),
+				zap.Uint64("timetick", alterDatabaseMsg.AlterDatabaseMessage.TimeTick()),
+			)
+			logger.Info("receive alter database message")
+			if err := ddn.msgHandler.HandleAlterDatabase(ddn.ctx, alterDatabaseMsg.AlterDatabaseMessage); err != nil {
+				logger.Warn("handle alter database message failed", zap.Error(err))
+			} else {
+				logger.Info("handle alter database message success")
+			}
 		}
 	}
 

internal/flushcommon/util/msg_handler.go

@@ -34,6 +34,8 @@ type MsgHandler interface {
 	HandleSchemaChange(ctx context.Context, schemaChangeMsg message.ImmutableSchemaChangeMessageV2) error
 
 	HandleAlterCollection(ctx context.Context, alterCollectionMsg message.ImmutableAlterCollectionMessageV2) error
+
+	HandleAlterDatabase(ctx context.Context, alterDatabaseMsg message.ImmutableAlterDatabaseMessageV2) error
 }
 
 func ConvertInternalImportFile(file *msgpb.ImportFile, _ int) *internalpb.ImportFile {

internal/proxy/impl.go

@@ -169,7 +169,13 @@ func (node *Proxy) InvalidateCollectionMetaCache(ctx context.Context, request *p
 			node.shardMgr.RemoveDatabase(request.GetDbName())
 			fallthrough
 		case commonpb.MsgType_AlterDatabase:
-			globalMetaCache.RemoveDatabase(ctx, request.GetDbName())
+			if db, err := globalMetaCache.GetDatabaseInfo(ctx, request.GetDbName()); err == nil {
+				if db != nil {
+					err := hookutil.RefreshEZ(db.properties)
+					log.Info("failed to refresh ez hook", zap.Error(err))
+				}
+			}
+			globalMetaCache.RemoveDatabase(ctx, dbName)
 		case commonpb.MsgType_AlterCollection, commonpb.MsgType_AlterCollectionField:
 			if request.CollectionID != UniqueID(0) {
 				aliasName = globalMetaCache.RemoveCollectionsByID(ctx, collectionID, 0, false)

internal/proxy/simple_rate_limiter.go

@@ -34,6 +34,7 @@ import (
 	"github.com/milvus-io/milvus/pkg/v2/proto/internalpb"
 	"github.com/milvus-io/milvus/pkg/v2/proto/proxypb"
 	"github.com/milvus-io/milvus/pkg/v2/util"
+	"github.com/milvus-io/milvus/pkg/v2/util/merr"
 	"github.com/milvus-io/milvus/pkg/v2/util/paramtable"
 	"github.com/milvus-io/milvus/pkg/v2/util/ratelimitutil"
 	"github.com/milvus-io/milvus/pkg/v2/util/retry"
@@ -48,6 +49,9 @@ type SimpleLimiter struct {
 	// for alloc
 	allocWaitInterval time.Duration
 	allocRetryTimes   uint
+
+	// for KMS key revocation
+	revokedDatabases sync.Map // map[int64]string (dbID → reason)
 }
 
 // NewSimpleLimiter returns a new SimpleLimiter.
@@ -73,6 +77,12 @@ func (m *SimpleLimiter) Check(dbID int64, collectionIDToPartIDs map[int64][]int6
 		return nil
 	}
 
+	// Check for KMS key revocation (highest priority)
+	if dbID != util.InvalidDBID && m.isDatabaseRevoked(dbID) {
+		reason := m.getRevokedReason(dbID)
+		return merr.WrapErrKMSKeyRevoked(dbID, reason)
+	}
+
 	m.quotaStatesMu.RLock()
 	defer m.quotaStatesMu.RUnlock()
 
@@ -378,3 +388,32 @@ func IsDDLRequest(rt internalpb.RateType) bool {
 		return false
 	}
 }
+
+// MarkDatabaseRevoked marks a database as revoked due to KMS key issues
+func (m *SimpleLimiter) MarkDatabaseRevoked(dbID int64, reason string) {
+	m.revokedDatabases.Store(dbID, reason)
+	log.Info("database marked as revoked",
+		zap.Int64("dbID", dbID),
+		zap.String("reason", reason))
+}
+
+// UnmarkDatabaseRevoked removes revocation mark from a database
+func (m *SimpleLimiter) UnmarkDatabaseRevoked(dbID int64) {
+	m.revokedDatabases.Delete(dbID)
+	log.Info("database revocation mark removed",
+		zap.Int64("dbID", dbID))
+}
+
+// isDatabaseRevoked checks if a database is currently revoked
+func (m *SimpleLimiter) isDatabaseRevoked(dbID int64) bool {
+	_, ok := m.revokedDatabases.Load(dbID)
+	return ok
+}
+
+// getRevokedReason returns the revocation reason for a database
+func (m *SimpleLimiter) getRevokedReason(dbID int64) string {
+	if reason, ok := m.revokedDatabases.Load(dbID); ok {
+		return reason.(string)
+	}
+	return "unknown reason"
+}

internal/rootcoord/ddl_callbacks_alter_database.go

@@ -91,6 +91,17 @@ func (c *Core) broadcastAlterDatabase(ctx context.Context, req *rootcoordpb.Alte
 		}
 	}
 
+	// Pop the internal properties before persist
+	newProperties = dropInternalProperties(newProperties)
+	
+	// Get all vchannels for collections in this database to broadcast the message
+	broadcastChannels, err := c.getVChannelsForDatabase(ctx, req.GetDbName())
+	if err != nil {
+		return errors.Wrap(err, "failed to get vchannels for database")
+	}
+	// Always include control channel for ordering and callback coordination
+	broadcastChannels = append(broadcastChannels, streaming.WAL().ControlChannel())
+	
 	msg := message.NewAlterDatabaseMessageBuilderV2().
 		WithHeader(&message.AlterDatabaseMessageHeader{
 			DbName: req.GetDbName(),
@@ -100,12 +111,36 @@ func (c *Core) broadcastAlterDatabase(ctx context.Context, req *rootcoordpb.Alte
 			Properties:      newProperties,
 			AlterLoadConfig: alterLoadConfig,
 		}).
-		WithBroadcast([]string{streaming.WAL().ControlChannel()}).
+		WithBroadcast(broadcastChannels).
 		MustBuildBroadcast()
 	_, err = broadcaster.Broadcast(ctx, msg)
 	return err
 }
 
+func dropInternalProperties(props []*commonpb.KeyValuePair) []*commonpb.KeyValuePair {
+	var newProps []*commonpb.KeyValuePair
+	for _, prop := range props {
+		if !common.IsInternalPropertyKey(prop) {
+			newProps = append(newProps, prop)
+		}
+	}
+	return newProps
+}
+
+// getVChannelsForDatabase gets all virtual channels for collections in the database.
+func (c *Core) getVChannelsForDatabase(ctx context.Context, dbName string) ([]string, error) {
+	colls, err := c.meta.ListCollections(ctx, dbName, typeutil.MaxTimestamp, true)
+	if err != nil {
+		return nil, err
+	}
+	
+	vchannels := make([]string, 0)
+	for _, coll := range colls {
+		vchannels = append(vchannels, coll.VirtualChannelNames...)
+	}
+	return vchannels, nil
+}
+
 // getAlterLoadConfigOfAlterDatabase gets the alter load config of alter database.
 func (c *Core) getAlterLoadConfigOfAlterDatabase(ctx context.Context, dbName string, oldProps []*commonpb.KeyValuePair, newProps []*commonpb.KeyValuePair) (*message.AlterLoadConfigOfAlterDatabase, error) {
 	oldReplicaNumber, _ := common.DatabaseLevelReplicaNumber(oldProps)
@@ -137,7 +172,7 @@ func (c *DDLCallback) alterDatabaseV1AckCallback(ctx context.Context, result mes
 	header := result.Message.Header()
 	body := result.Message.MustBody()
 
-	db := model.NewDatabase(header.DbId, header.DbName, etcdpb.DatabaseState_DatabaseCreated, result.Message.MustBody().Properties)
+	db := model.NewDatabase(header.DbId, header.DbName, etcdpb.DatabaseState_DatabaseCreated, body.Properties)
 	if err := c.meta.AlterDatabase(ctx, db, result.GetControlChannelResult().TimeTick); err != nil {
 		return errors.Wrap(err, "failed to alter database")
 	}

internal/rootcoord/key_manager.go

@@ -0,0 +1,197 @@
+// Licensed to the LF AI & Data foundation under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rootcoord
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"go.uber.org/zap"
+
+	"github.com/milvus-io/milvus-proto/go-api/v2/commonpb"
+	"github.com/milvus-io/milvus/internal/metastore/model"
+	"github.com/milvus-io/milvus/internal/types"
+	"github.com/milvus-io/milvus/internal/util/hookutil"
+	"github.com/milvus-io/milvus/pkg/v2/common"
+	"github.com/milvus-io/milvus/pkg/v2/log"
+	"github.com/milvus-io/milvus/pkg/v2/proto/querypb"
+	"github.com/milvus-io/milvus/pkg/v2/proto/rootcoordpb"
+	"github.com/milvus-io/milvus/pkg/v2/util"
+	"github.com/milvus-io/milvus/pkg/v2/util/merr"
+	"github.com/samber/lo"
+)
+
+type KeyManager struct {
+	ctx      context.Context
+	meta     IMetaTable
+	mixCoord types.MixCoord
+	enabled  bool
+}
+
+func NewKeyManager(
+	ctx context.Context,
+	meta IMetaTable,
+	mixCoord types.MixCoord,
+) *KeyManager {
+	return &KeyManager{
+		ctx:      ctx,
+		meta:     meta,
+		mixCoord: mixCoord,
+		enabled:  hookutil.GetCipherWithState() != nil,
+	}
+}
+
+func (km *KeyManager) Init() error {
+	if !km.enabled {
+		log.Info("KeyManager disabled (cipher plugin not loaded)")
+		return nil
+	}
+
+	hookutil.GetCipherWithState().RegisterRotationCallback(km.onKeyRotated)
+	log.Info("KeyManager initialized")
+	return nil
+}
+
+func (km *KeyManager) GetDatabaseEzStates() ([]int64, error) {
+	if !km.enabled {
+		return nil, nil
+	}
+
+	currentStates, err := hookutil.GetEzStates()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get cipher states: %w", err)
+	}
+
+	revokedDBs := make(map[int64]struct{})
+	for ezID, currentState := range currentStates {
+		switch currentState {
+		case hookutil.KeyStateDisabled, hookutil.KeyStatePendingDeletion:
+			db, err := km.getDatabaseByEzID(ezID)
+			if err != nil {
+				log.Warn("KeyManager: failed to get database for ezID", zap.Int64("ezID", ezID), zap.Error(err))
+				continue
+			}
+
+			revokedDBs[db.ID] = struct{}{}
+		}
+	}
+
+	revokedDBIDs := lo.Keys(revokedDBs)
+	if err := km.releaseLoadedCollections(revokedDBIDs); err != nil {
+		log.Warn("KeyManager: failed to release collections for revoked databases", zap.Error(err))
+	}
+
+	return revokedDBIDs, nil
+}
+
+func (km *KeyManager) releaseLoadedCollections(revokedDBIDs []int64) error {
+	if len(revokedDBIDs) == 0 {
+		return nil
+	}
+
+	collectionIDsToCheck := make([]int64, 0)
+
+	for _, dbID := range revokedDBIDs {
+		db, err := km.meta.GetDatabaseByID(km.ctx, dbID, 0)
+		if err != nil {
+			log.Warn("KeyManager: failed to get database metadata", zap.Int64("dbID", dbID), zap.Error(err))
+			continue
+		}
+
+		colls, err := km.meta.ListCollections(km.ctx, db.Name, 0, true)
+		if err != nil {
+			log.Warn("KeyManager: failed to list collections for revoked database",
+				zap.Int64("dbID", dbID),
+				zap.String("dbName", db.Name),
+				zap.Error(err))
+			continue
+		}
+
+		for _, coll := range colls {
+			collectionIDsToCheck = append(collectionIDsToCheck, coll.CollectionID)
+		}
+	}
+
+	if len(collectionIDsToCheck) == 0 {
+		return nil
+	}
+
+	resp, err := km.mixCoord.ShowLoadCollections(km.ctx, &querypb.ShowCollectionsRequest{
+		CollectionIDs: collectionIDsToCheck,
+	})
+	if err := merr.CheckRPCCall(resp.GetStatus(), err); err != nil {
+		if errors.Is(err, merr.ErrCollectionNotLoaded) {
+			return nil
+		}
+		return fmt.Errorf("failed to get loaded collections: %w", err)
+	}
+
+	log.Info("KeyManager: releasing loaded collection for revoked database",
+		zap.Int64s("collectionIDs", resp.GetCollectionIDs()),
+	)
+	for _, collID := range resp.GetCollectionIDs() {
+		req := &querypb.ReleaseCollectionRequest{CollectionID: collID}
+		if _, err := km.mixCoord.ReleaseCollection(km.ctx, req); err != nil {
+			log.Warn("KeyManager: failed to release collection", zap.Int64("collectionID", collID), zap.Error(err))
+			continue
+		}
+	}
+	return nil
+}
+
+func (km *KeyManager) getDatabaseByEzID(ezID int64) (*model.Database, error) {
+	db, err := km.meta.GetDatabaseByID(km.ctx, ezID, 0)
+	if err != nil {
+		return km.meta.GetDatabaseByID(km.ctx, util.DefaultDBID, 0)
+	}
+	return db, nil
+}
+
+func (km *KeyManager) onKeyRotated(ezID int64) error {
+	if !km.enabled {
+		return nil
+	}
+
+	log.Info("KeyManager: handling key rotation", zap.Int64("ezID", ezID))
+	db, err := km.getDatabaseByEzID(ezID)
+	if err != nil {
+		return err
+	}
+
+	req := &rootcoordpb.AlterDatabaseRequest{
+		DbName: db.Name,
+		Properties: []*commonpb.KeyValuePair{
+			{
+				Key: common.InternalCipherKeyRotatedKey,
+			},
+		},
+	}
+
+	status, err := km.mixCoord.AlterDatabase(km.ctx, req)
+	if err := merr.CheckRPCCall(status, err); err != nil {
+		log.Error("KeyManager: failed to broadcast key rotation",
+			zap.Int64("dbID", db.ID),
+			zap.Int64("ezID", ezID),
+			zap.String("dbName", db.Name),
+			zap.Error(err))
+		return fmt.Errorf("failed to broadcast key rotation: %w", err)
+	}
+
+	log.Info("KeyManager: key rotation handled", zap.Int64("ezID", ezID))
+	return nil
+}