Versions Compared

Old Version 11

changes.mady.by.user Ke Jiang

Saved on

compared with

New Version Current

changes.mady.by.user Ke Jiang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Design Details

Prerequisite

  • At most ONE user can be created for a milvus instance.
  • SDK clients MUST encrypt password when connecting to milvus service.
  • Milvus create default user root as an initial user to create other users.


Authentication Workflow
Since grpc requests all handled by proxy, we will do the authentication in the proxy component. Logging in on to the milvus instance will follow the processes below:

  1. Create credential for each milvus instance and store encrypted password in etcd. Here we use package bcrypt for encrypting the password which use bcrypt which implements Provos and Mazières's adaptive hashing algorithm.
  2. On the client side, SDK client sends credential with password encrypted when ciphertext when connecting milvus service. The ciphertext is base64(<username>:<passwd>) and attached to the metadata with the key "authorization".
  3. Milvus proxy component intercepts the request and verify the credential.
  4. Credentials are cached locally on Proxy component.

Image Added

Cache Update Workflow

  1. Credential apis (insert/query/delete credentials) are implemented by RootCoord.
  2. Credential modification apis persist credentials on etcd (or other storage like mysql), and call each proxy's api to invalidate local caches in all proxy components.
  3. Auth interceptor in proxy component . When credentials changed, RootCoord will be notified will firstly find credential records from local cache. If the cache missed, it will trigger rpc call to fetch record from RootCoord and update the local cache.

Image RemovedImage Added


Etcd model for credentials

Panel
Key: ${prefix}/credentials/users/${username}
Value: {"password": ${encrypted_password}, ...}


Interface for operating of credentials apis

Code Block
languagepy
struct Credential {
	username string,
	password string
}

func NewCredential(cred Credential) (bool,error)
func ListUsers() []string
func UpdateCredential(cred Credential) (bool,error)
func DeleteCredential(username string) (bool,error)

...

To be compatible with preview version, Milvus will detect the records on credentials path in etcd whether users are created for the milvus instance. If there are non users, use a toggle for it. If the toggle is on, it will check the credentials for each grpc call, otherwise it acts like the non-authenticate mode. Otherwise it will check the credentials for each grpc call.

Test Plan


Case 1: create credentials for milvus

...

  1. Access without credentials should succeed
  2. Access with credentials should fail (return message "authentication not enabled"succeed (just ignore the input credential)

Future work

SSL/TLS transportation
Authorization on RBAC control