update users_and_roles

Signed-off-by: liyun95 <[email protected]>
milvus-io · Aug 9, 2024 · fe373ee · fe373ee
1 parent aed340f
commit fe373ee
Showing 1 changed file with 83 additions and 9 deletions.
diff --git a/site/en/reference/users_and_roles.md b/site/en/reference/users_and_roles.md
@@ -7,25 +7,99 @@ title: Users and Roles
 
 # Users and Roles
 
-This topic explains the definition of users, roles, objects, and privileges in role-based access control (RBAC).
+This topic provides an overview of Role-Based Access Control (RBAC) in Milvus, detailing the definitions and relationships between users, roles, objects, and privileges.
 
-- **Object:** An object to grant or deny access to. The object can be a collection, a partition, etc. 
+The following figure illustrates the relationship between objects, privileges, roles, and users.
 
-- **User:** A user identity with a username and a corresponding password.
+![users_and_roles](../../../assets/users_and_roles.png "The relationship between object, privilege, role and user.")
 
-- **Privilege:** A privilege defines the actions that can be performed and resources that can be accessed. A privilege cannot be granted to a user directly. It has to be granted to a role first.
+## Key concepts
 
-- **Role:** A role defines the privilege(s) a user has to certain objects. After binding a role to a user, the user inherits all the privileges that are granted to this role.
+To manage access control to Milvus resources, it’s important to understand the key components of RBAC: object types, object names, users, roles, and privileges.
 
-The following figure illustrates the relationship between objects, privileges, roles, and users.
+- **Object type**: the category of the object for which a privilege is being assigned. The object type can be:
+  - `Global`: System-wide objects, allowing the user to perform actions that affect all collections, users, or system-wide settings.
+  - `Collection`: Collection-specific objects, allowing the user to perform actions such as creating indexes, loading data, inserting or deleting data, and querying data within a specific collection.
+  - `User`: Objects related to user management, allowing the user to manage credentials and roles for database users, such as updating user credentials or viewing user details.
 
-![users_and_roles](../../../assets/users_and_roles.png "The relationship between object, privilege, role and user.")
+- **Object name**: the specific name of the object to control access for. For instance:
+  - If the object type is `Global`, the object name must be set to the wildcard (`*`), indicating all objects of the specified type.
+  - If the object type is `Collection`, the object name is the name of a collection.
+  - If the object type is `User`, the object name is the name of a database user.
+
+- **User**: a person or an application that interacts with Milvus, which consists of a username and a corresponding password.
+
+- **Privilege**: defines the actions that can be performed and the resources that can be accessed. Privileges are not granted directly to users but are assigned to roles.
+
+- **Role**: defines the set of privileges that a user has for certain objects. Once a role is bound to a user, the user inherits all the privileges granted to that role.
+
+## Example: Granting privileges
+
+The following code snippet shows how to grant a `CreateIndex` privilege to a role on a specific collection:
+
+<div class="multipleCode">
+    <a href="#python">Python </a>
+    <a href="#java">Java</a>
+    <a href="#javascript">Node.js</a>
+</div>
+
+```python
+milvusClient.grant_privilege(
+    role_name="CUSTOM_ROLE_NAME",
+    object_type="Collection",  # Valid value: Global, Collection or User.
+    privilege="CreateIndex",   # See the table below for valid privilege names and relevant API descriptions.
+    object_name="YOUR_COLLECTION_NAME"  # The name of the collection to grant access to. Use "*" to grant access to all collections.
+)
+```
+
+```java
+GrantPrivilegeReq grantPrivilegeReq = GrantPrivilegeReq.builder()
+        .roleName("roleName")
+        .objectName("CollectionName") // The name of the collection to grant access to. Use "*" to grant access to all collections.
+        .objectType("Collection") // Valid value: Global, Collection or User.
+        .privilege("CreateIndex") // See the table below for valid privilege names and relevant API descriptions.
+        .build();
+client.grantPrivilege(grantPrivilegeReq);
+```
+
+```javascript
+milvusClient.grantPrivilege({
+   roleName: 'roleName',
+   object: 'Collection',  // Valid value: Global, Collection or User.
+   objectName: 'CollectionName', // The name of the collection to grant access to. Use "*" to grant access to all collections.
+   privilegeName: 'CreateIndex' // See the table below for valid privilege names and relevant API descriptions.
+ })
+```
 
-The relationship between object, privilege, role and user.
+<div class="language-python">
+
+To obtain more information about privilege-related APIs, refer to [grant_privilege](https://milvus.io/api-reference/pymilvus/v2.4.x/MilvusClient/Authentication/grant_privilege.md) and [revoke_privilege](https://milvus.io/api-reference/pymilvus/v2.4.x/MilvusClient/Authentication/revoke_privileges.md).
+
+</div>
+
+<div class="language-java">
+
+To obtain more information about privilege-related APIs, refer to [grantPrivilege](https://milvus.io/api-reference/java/v2.4.x/v2/Authentication/grantPrivilege.md) and [revokePrivilege](https://milvus.io/api-reference/java/v2.4.x/v2/Authentication/revokePrivilege.md).
+
+</div>
+
+<div class="language-javascript">
+
+To obtain more information about privilege-related APIs, refer to [grantPrivilege](https://milvus.io/api-reference/node/v2.4.x/Authentication/grantPrivilege.md) and [revokePrivilege](https://milvus.io/api-reference/node/v2.4.x/Authentication/revokePrivilege.md).
+
+</div>
+
+## Default users and roles
 
 Milvus creates a `root` user by default with a default password `Milvus`. The `root` user is granted the `admin` privileges, which means that this `root` user can have access to all resources and perform all actions.
 
-If a user is bind with a `public` role, this user is entitled to the privileges of `DescribeCollection`, `ShowCollections`, and `IndexDetail`.
+If a user is associated with the `public` role, they are entitled to the following privileges:
+
+- `DescribeCollection`
+- `ShowCollections`
+- `IndexDetail`
+
+## List of object types and privileges
 
 The following table lists the values you can choose when [enabling RBAC](rbac.md).