From fe373ee1ea13a51702297b65828d50702478f859 Mon Sep 17 00:00:00 2001 From: liyun95 Date: Fri, 9 Aug 2024 14:35:08 +0800 Subject: [PATCH] update users_and_roles Signed-off-by: liyun95 --- site/en/reference/users_and_roles.md | 92 +++++++++++++++++++++++++--- 1 file changed, 83 insertions(+), 9 deletions(-) diff --git a/site/en/reference/users_and_roles.md b/site/en/reference/users_and_roles.md index 128b389f6..3614fb56d 100644 --- a/site/en/reference/users_and_roles.md +++ b/site/en/reference/users_and_roles.md @@ -7,25 +7,99 @@ title: Users and Roles # Users and Roles -This topic explains the definition of users, roles, objects, and privileges in role-based access control (RBAC). +This topic provides an overview of Role-Based Access Control (RBAC) in Milvus, detailing the definitions and relationships between users, roles, objects, and privileges. -- **Object:** An object to grant or deny access to. The object can be a collection, a partition, etc. +The following figure illustrates the relationship between objects, privileges, roles, and users. -- **User:** A user identity with a username and a corresponding password. +![users_and_roles](../../../assets/users_and_roles.png "The relationship between object, privilege, role and user.") -- **Privilege:** A privilege defines the actions that can be performed and resources that can be accessed. A privilege cannot be granted to a user directly. It has to be granted to a role first. +## Key concepts -- **Role:** A role defines the privilege(s) a user has to certain objects. After binding a role to a user, the user inherits all the privileges that are granted to this role. +To manage access control to Milvus resources, it’s important to understand the key components of RBAC: object types, object names, users, roles, and privileges. -The following figure illustrates the relationship between objects, privileges, roles, and users. +- **Object type**: the category of the object for which a privilege is being assigned. The object type can be: + - `Global`: System-wide objects, allowing the user to perform actions that affect all collections, users, or system-wide settings. + - `Collection`: Collection-specific objects, allowing the user to perform actions such as creating indexes, loading data, inserting or deleting data, and querying data within a specific collection. + - `User`: Objects related to user management, allowing the user to manage credentials and roles for database users, such as updating user credentials or viewing user details. -![users_and_roles](../../../assets/users_and_roles.png "The relationship between object, privilege, role and user.") +- **Object name**: the specific name of the object to control access for. For instance: + - If the object type is `Global`, the object name must be set to the wildcard (`*`), indicating all objects of the specified type. + - If the object type is `Collection`, the object name is the name of a collection. + - If the object type is `User`, the object name is the name of a database user. + +- **User**: a person or an application that interacts with Milvus, which consists of a username and a corresponding password. + +- **Privilege**: defines the actions that can be performed and the resources that can be accessed. Privileges are not granted directly to users but are assigned to roles. + +- **Role**: defines the set of privileges that a user has for certain objects. Once a role is bound to a user, the user inherits all the privileges granted to that role. + +## Example: Granting privileges + +The following code snippet shows how to grant a `CreateIndex` privilege to a role on a specific collection: + +
+ Python + Java + Node.js +
+ +```python +milvusClient.grant_privilege( + role_name="CUSTOM_ROLE_NAME", + object_type="Collection", # Valid value: Global, Collection or User. + privilege="CreateIndex", # See the table below for valid privilege names and relevant API descriptions. + object_name="YOUR_COLLECTION_NAME" # The name of the collection to grant access to. Use "*" to grant access to all collections. +) +``` + +```java +GrantPrivilegeReq grantPrivilegeReq = GrantPrivilegeReq.builder() + .roleName("roleName") + .objectName("CollectionName") // The name of the collection to grant access to. Use "*" to grant access to all collections. + .objectType("Collection") // Valid value: Global, Collection or User. + .privilege("CreateIndex") // See the table below for valid privilege names and relevant API descriptions. + .build(); +client.grantPrivilege(grantPrivilegeReq); +``` + +```javascript +milvusClient.grantPrivilege({ + roleName: 'roleName', + object: 'Collection', // Valid value: Global, Collection or User. + objectName: 'CollectionName', // The name of the collection to grant access to. Use "*" to grant access to all collections. + privilegeName: 'CreateIndex' // See the table below for valid privilege names and relevant API descriptions. + }) +``` -The relationship between object, privilege, role and user. +
+ +To obtain more information about privilege-related APIs, refer to [grant_privilege](https://milvus.io/api-reference/pymilvus/v2.4.x/MilvusClient/Authentication/grant_privilege.md) and [revoke_privilege](https://milvus.io/api-reference/pymilvus/v2.4.x/MilvusClient/Authentication/revoke_privileges.md). + +
+ +
+ +To obtain more information about privilege-related APIs, refer to [grantPrivilege](https://milvus.io/api-reference/java/v2.4.x/v2/Authentication/grantPrivilege.md) and [revokePrivilege](https://milvus.io/api-reference/java/v2.4.x/v2/Authentication/revokePrivilege.md). + +
+ +
+ +To obtain more information about privilege-related APIs, refer to [grantPrivilege](https://milvus.io/api-reference/node/v2.4.x/Authentication/grantPrivilege.md) and [revokePrivilege](https://milvus.io/api-reference/node/v2.4.x/Authentication/revokePrivilege.md). + +
+ +## Default users and roles Milvus creates a `root` user by default with a default password `Milvus`. The `root` user is granted the `admin` privileges, which means that this `root` user can have access to all resources and perform all actions. -If a user is bind with a `public` role, this user is entitled to the privileges of `DescribeCollection`, `ShowCollections`, and `IndexDetail`. +If a user is associated with the `public` role, they are entitled to the following privileges: + +- `DescribeCollection` +- `ShowCollections` +- `IndexDetail` + +## List of object types and privileges The following table lists the values you can choose when [enabling RBAC](rbac.md).