...
Milvus instances currently have no basic security model. Anyone who knows the address of a milvus instance can access it with any milvus sdk.
This project aims to support basic authentication with username/password. Clients need to provide a username and password when accessing the milvus instance.
Design Details
Prerequisite
- SDK clients MUST encrypt the password when connecting to the milvus service.
- Milvus creates a default user root as the initial user, which is used to create other users.
Authentication Workflow
Since all grpc requests are handled by the proxy, we will do the authentication in the proxy component. Logging in to the milvus instance follows the process below:
- Create a credential for each milvus instance and store the encrypted password in etcd. Here we use the bcrypt package, which implements Provos and Mazières's adaptive hashing algorithm, to encrypt the password.
- On the client side, the SDK client sends the credential as ciphertext when connecting to the milvus service. The ciphertext is base64(<username>:<passwd>) and is attached to the metadata with the key "authorization".
- The milvus proxy component intercepts the request and verifies the credential.
- Credentials are cached locally on the proxy component. When credentials change, the proxy component will be notified.
Cache Update Workflow
- Credential apis (insert/query/delete credentials) are implemented by RootCoord.
- Credential modification apis persist credentials in etcd (or other storage such as mysql) and call each proxy's api to invalidate the local caches in all proxy components.
- The auth interceptor in the proxy component first looks up the credential record in the local cache. On a cache miss, it triggers an rpc call to fetch the record from RootCoord and updates the local cache.
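The authentication and cache update workflows above, as an added Go example (not Milvus code). CredCache, Fetch, Verify and Invalidate are hypothetical names: Fetch stands in for the rpc call to RootCoord and Verify for the bcrypt comparison, and the sample user and toy Verify in main are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
)

var ErrUnauthenticated = errors.New("unauthenticated")
// CredCache is a hypothetical proxy-local cache; Fetch stands in for the RootCoord rpc, Verify for bcrypt.
type CredCache struct {
	cache  sync.Map // username -> stored password value
	Fetch  func(user string) (stored string, ok bool)
	Verify func(stored, password string) bool
}

// Authenticate checks the "authorization" metadata value, base64(<username>:<passwd>).
func (c *CredCache) Authenticate(token string) error {
	raw, err := base64.StdEncoding.DecodeString(token)
	user, pass, ok := strings.Cut(string(raw), ":") // split on the first ':' only
	if err != nil || !ok || user == "" {
		return ErrUnauthenticated
	}
	v, hit := c.cache.Load(user)
	if !hit { // cache miss: fetch from RootCoord, then fill the local cache
		if v, hit = c.Fetch(user); !hit {
			return ErrUnauthenticated // same error as a wrong password
		}
		c.cache.Store(user, v)
	}
	if !c.Verify(v.(string), pass) {
		return ErrUnauthenticated
	}
	return nil
}

// Invalidate is what a credential update or delete triggers on every proxy.
func (c *CredCache) Invalidate(user string) { c.cache.Delete(user) }

func main() {
	c := &CredCache{ // constructed sample: one user, toy Verify instead of bcrypt
		Fetch:  func(u string) (string, bool) { return "stored(Milvus)", u == "root" },
		Verify: func(s, p string) bool { return s == "stored("+p+")" },
	}
	tok := base64.StdEncoding.EncodeToString([]byte("root:Milvus"))
	fmt.Println(c.Authenticate(tok), c.Authenticate("not-base64!"))
}
```

Until Invalidate runs on a proxy, that proxy keeps accepting the old password and rejecting the new one, which is why the modification apis must reach every proxy.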
Etcd model for credentials:
Key: ${prefix}/credentials/users/${username}
Value: {"password": ${encrypted_password}, ...}
Interface for credential operations (apis):
```go
// Credential pairs a username with its encrypted password.
type Credential struct {
	username string
	password string
}

func NewCredential(cred Credential) (bool, error)
func ListCredentialListUsers() []Credential
func GetCredential(username string) *Credential
func UpdateCredential(cred Credential) (bool, error)
func DeleteCredential(username string) (bool, error)
```
This project also aims to provide HTTPS transport security, and it takes several certificate related configuration options, either through command-line flags or environment variables:
- --cert-file=<path>: Certificate used for SSL/TLS connections to milvus.
- --key-file=<path>: Key for the certificate. Must be unencrypted.
- --client-cert-auth: When this is set milvus will check all incoming HTTPS requests for a client certificate signed by the trusted CA, requests that don't supply a valid client certificate will fail.
- --trusted-ca-file=<path>: Trusted certificate authority.
- --auto-tls: Use automatically generated self-signed certificates for TLS connections with clients.
Compatibility
To stay compatible with the preview version, Milvus will put authentication behind a toggle. If the toggle is on, it checks the credentials on each grpc call; otherwise it behaves as in the non-authenticated mode.
Test Plan
Case 1: create credentials for milvus
...
- Access without credentials should succeed
- Access with credentials should fail
Case 3: https enabled for milvus
- Access with correct certificates should succeed
- Access with incorrect certificates should fail
- Access without any certificates should fail
Case 4: https not enabled for milvus
- Access without certificates should succeed
- Access with certificates should fail
Future work
...
- succeed (just ignore the input credential)
Future work
SSL/TLS transportation
Authorization on RBAC control