...
Design Details
Prerequisite
- At most ONE user can be created for a milvus instance.
- SDK clients MUST encrypt password when connecting to milvus service.
- Milvus create default user root as an initial user to create other users.
Authentication Workflow
Since grpc requests all handled by proxy, we will do the authentication in the proxy component. Logging on to the milvus instance will follow the processes below:
- Create credential for each milvus instance and store encrypted password in etcd. Here we use bcrypt which implements Provos and Mazières's adaptive hashing algorithm.
- SDK clients send On the client side, SDK sends ciphertext when connecting milvus service. The ciphertext is base64(<username>:<passwd>) and attached to the metadata with the key "authorization".
- Milvus proxy component intercepts the request and verify the credential.
- Credentials are cached locally on Proxy component.
...
To be compatible with preview version, Milvus will detect the records on credentials path in etcd whether users are created for the milvus instance. If there are non users, use a toggle for it. If the toggle is on, it will check the credentials for each grpc call, otherwise it acts like the non-authenticate mode. Otherwise it will check the credentials for each grpc call.
Test Plan
Case 1: create credentials for milvus
...
- Access without credentials should succeed
- Access with credentials should fail (return message "authentication not enabled"succeed (just ignore the input credential)
Future work
SSL/TLS transportation
Authorization on RBAC control