...
By design, role inheritance is not supported: a role cannot inherit privileges from another role, so every privilege a role holds must be granted to it directly.
6、Privilege grants of resource COLLECTION
id | tenant | grantor_name | principal_name | principal_type | collection_priv | collection_id | is_deleted | created_time |
...
The collection column of this table supports a wildcard, so a single grant can cover every collection of the tenant instead of one collection_id.
7、Privilege grants of resource DATABASE (not used yet, since databases are not supported in Milvus for now)
...
KV Store Schema
1、User
/prefix/credential/users/{tenant}/{username} | {"k1": "v1", "k2": "v2"} |
2、Resource Types
/prefix/credential/resources/{resourceType} | nil |
3、Privilege
/prefix/credential/privileges/{tenant}/{resourceType}/{privilege} | nil |
4、Role
/prefix/credential/roles/{tenant}/{rolename} | nil |
5、Role mapping
/prefix/credential/user-role-mapping/{tenant}/{username}/{rolename} | nil |
6、Privilege Grants
/prefix/credential/privilege-grants/{tenant}/{principalType}/{principalName}/{resourceType}/{resourceName} | [{"privilege":"SELECT", "grantor":"Alice"}, {"privilege":"UPDATE", "grantor":"Bob"}] |
Values are JSON. A nil value means the existence of the key itself is the record (a resource type, a privilege, a role, or a user-to-role mapping); the privilege-grants value is a list of the privileges granted on that one resource, each with the grantor that granted it. Because tenant, principal and resource type are all part of the key, the grants of one principal can be read with a single prefix scan.
Resources & Privileges defined in Milvus
...
The built-in role admin has ALL privileges. The built-in role public has only the READ and LOAD privileges.
APIs
For every API, the tenant parameter is mandatory, so that a call only ever loads one tenant's data into memory rather than the grants of every tenant.
...
Only the root user can grant and revoke privileges.
3、List grants for a specific principal (user or role) and resource

```go
func PrincipalGrantList(principalName string, principalType string, resourceType string, resourceName string) []PrincipalGrant
```
Output structure:
PrincipalName | PrincipalType | Privilege | ResourceType | ResourceName |
---|---|---|---|---|
Alice | USER | INSERT | Collection | tbl_1 |
A user can only query their own grants; only the root user can query the grants of a role.
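The KV schema and the grant/list APIs above, worked through as an added example. This is not code from the Milvus project or from this design doc; it models the metadata store as an in-memory map and implements Grant, PrincipalGrantList and an access check against the privilege-grants key layout, enforcing the three rules stated on this page: tenant is mandatory, only root grants, and a user may list only their own grants while role grants are root-only. Assumptions that the page does not fix are labelled in the code: the literal key prefix /prefix/credential, the principal type spellings USER and ROLE, a root user literally named root, a `*` as the collection wildcard, a caller parameter naming who invokes the API, and the value field name `privilege`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Assumed for this illustration (not from the design doc): the key prefix, the
// principal type spellings, the root user name, the "*" wildcard and the caller parameter.
const (
	prefix        = "/prefix/credential"
	PrincipalUser = "USER"
	PrincipalRole = "ROLE"
	rootUser      = "root"
	wildcard      = "*"
)

// grant is one element of the JSON list stored under a privilege-grants key.
type grant struct {
	Privilege string `json:"privilege"`
	Grantor   string `json:"grantor"`
}

type PrincipalGrant struct { // output structure of PrincipalGrantList
	PrincipalName, PrincipalType, Privilege, ResourceType, ResourceName string
}

type kv map[string]string // stands in for the metadata KV store (etcd in Milvus)

// grantPrefix builds the key up to and including the slash before resourceName.
func grantPrefix(tenant, pType, pName, rType string) string {
	return fmt.Sprintf("%s/privilege-grants/%s/%s/%s/%s/", prefix, tenant, pType, pName, rType)
}

// loadGrants fails closed: a missing or unparsable value reads as no grants.
func (s kv) loadGrants(key string) []grant {
	var gs []grant
	_ = json.Unmarshal([]byte(s[key]), &gs)
	return gs
}

// Grant records a privilege for a principal on one resource; only root may call it.
func (s kv) Grant(caller, tenant, pType, pName, rType, rName, priv string) error {
	if caller != rootUser {
		return errors.New("only root can grant privileges")
	}
	key := grantPrefix(tenant, pType, pName, rType) + rName
	gs := s.loadGrants(key)
	for _, g := range gs {
		if g.Privilege == priv {
			return nil // already granted: keep the original grantor
		}
	}
	raw, _ := json.Marshal(append(gs, grant{Privilege: priv, Grantor: caller}))
	s[key] = string(raw)
	return nil
}

// PrincipalGrantList: tenant is mandatory, a user may list only their own grants,
// and only root may list a role's grants. An empty rName lists every resource of the type.
func (s kv) PrincipalGrantList(caller, tenant, pType, pName, rType, rName string) ([]PrincipalGrant, error) {
	if tenant == "" {
		return nil, errors.New("tenant is mandatory")
	}
	if caller != rootUser && (pType == PrincipalRole || pName != caller) {
		return nil, errors.New("users may list only their own grants; role grants are root-only")
	}
	base := grantPrefix(tenant, pType, pName, rType)
	keys := []string{base + rName} // exact key, unless listing the whole resource type
	if rName == "" {
		keys = keys[:0]
		for k := range s {
			if strings.HasPrefix(k, base) {
				keys = append(keys, k)
			}
		}
		sort.Strings(keys) // deterministic order, like an ordered range scan
	}
	var out []PrincipalGrant
	for _, k := range keys {
		for _, g := range s.loadGrants(k) {
			out = append(out, PrincipalGrant{pName, pType, g.Privilege, rType, strings.TrimPrefix(k, base)})
		}
	}
	return out, nil
}

// HasPrivilege is the access check: an exact grant or a wildcard grant on the
// resource type satisfies it; there is no role-to-role inheritance to follow.
func (s kv) HasPrivilege(tenant, pType, pName, rType, rName, priv string) bool {
	for _, name := range []string{rName, wildcard} {
		for _, g := range s.loadGrants(grantPrefix(tenant, pType, pName, rType) + name) {
			if g.Privilege == priv {
				return true
			}
		}
	}
	return false
}
```

Revoke is the mirror image of Grant and is left out for brevity: the same root-only check, then the privilege is removed from the list and the key is deleted when the list becomes empty. Note that the authorization checks run before any key is read, so a non-root caller learns nothing about another principal's grants, not even whether a key exists, and that HasPrivilege deliberately looks up only the principal's own keys, matching the page's statement that roles do not inherit from one another.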
...