Versions Compared

Old Version 8

changes.mady.by.user Ke Jiang

Saved on

compared with

New Version 9

changes.mady.by.user Ke Jiang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Create credential for each milvus instance and store encrypted password in etcd. Here we use package bcrypt for encrypting the password which implements Provos and Mazières's adaptive hashing algorithm.
  2. SDK client sends credential with password encrypted when connecting milvus service.
  3. Milvus proxy component intercepts the request and verify the credential.
  4. Credentials are cached locally on proxy RootCoord component. When credentials changed, proxy  RootCoord will be notified and update the local cache.


Etcd model for credentials:

Panel
Key: ${prefix}/credentials/users/${username}
Value: {"password": ${encrypted_password}, ...}


Interface for operating credentials:

Code Block
languagepy
struct Credential {
	username string,
	password string
}

func NewCredential(cred Credential) (bool,error)
func ListCredentialListUsers() []Credential
func GetCredential(username string) *Credential
func UpdateCredential(cred Credential) (bool,error)
func DeleteCredential(username string) (bool,error)


Compatibility

To be compatible with preview version, Milvus will detect the records on credentials path in etcd whether users are created for the milvus instance. If there are non users, it acts like the non-authenticate mode. Otherwise it will check the credentials for each grpc callThis project also aims to provide HTTPS transport security, and it takes several certificate related configuration options, either through command-line flags or environment variables:
--cert-file=<path>: Certificate used for SSL/TLS connections to milvus.
--key-file=<path>: Key for the certificate. Must be unencrypted.
--client-cert-auth: When this is set milvus will check all incoming HTTPS requests for a client certificate signed by the trusted CA, requests that don’t supply a valid client certificate will fail.
--trusted-ca-file=<path>: Trusted certificate authority.
--auto-tls: Use automatically generated self-signed certificates for TLS connections with clients.

Test Plan


Case 1: create credentials for milvus

...

  1. Access without credentials should succeed
  2. Access with credentials should fail (return message "authentication not enabled")

Future work

SSL/TLS transportation
Authorization on RBAC control