...
Users/Roles can be granted the following privileges:
Privileges | Resources |
---|---|
ALL | Collection |
CREATE | Collection |
DROP | Collection |
ALTER | Collection |
READ | Collection |
LOAD | Collection |
RELEASE | Collection |
COMPACT | Collection |
INSERT | Collection |
DELETE | Collection |
Index-related operations are included in ALTER privilege, like building, dropping index.
Default Roles
TODO
APIs
For every API, parameter tenant is mandatory for avoiding loading too much data to memory.
...
Code Block | ||
---|---|---|
| ||
func GrantPrivilege(privilege string, resourceType string, resourceName string, principalName string, principalType string) bool func RevokePrivilege(privilege string, resourceType string, resourceName string, principalName string, principalType string) bool |
The user granting privileges must also have the privilege being granted on the target collection. For example, a user granting SELECT privilege on a collection to another user must have the GRANT and SELECT privileges on that table. There is no limitation for the root user.Only root user can grant & revoke privileges.
3、List grants for specific user/role and resource
...
Code Block | ||
---|---|---|
| ||
func AddUserToRole(userName, roleName string) bool
func RemoveUserFromRole(userName, roleName string) bool |
Only root user can manipulate role membership.
...
Output:
RoleName |
---|
admin |
role_a |
Only root user can use the api.
8、List role memberships
Code Block | ||
---|---|---|
| ||
func RoleMembershipList(roleName string) []RoleMembership |
...
Only root user can use the api.
10、List roles of a user (useless???)
Code Block | ||
---|---|---|
| ||
func rolesOfUser(username string) []string |
...
- Presetting users, resource types, privileges are stored in local files. When milvus starts, it will load these files and insert records into database.
- Presetting users, resource types and privileges can be added into files and taking effect after restarting milvus service.
- The root user is the only user that has privileges for creatingto create/droppingdrop/grantinggrant/revoking revoke users and privileges.
- In MEP-27, basic auth is taking effect if there are any existing users. Since root user is created by default once Milvus service starts, it needs to will introduce a toggle to know indicate whether the basic auth authentication is turned on.
- Using Casbin for role-based privileges check.
...