You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 15 Next »

Current state: Under Discussion

Summary


To support authentication by username/password when accessing milvus instance.

Motivation


There is no basic security model for milvus instances currently. Users can access any milvus instance once they have the address by any milvus sdk.
This project aims to support basic authentication with username/password. Clients need to provide username and password when accessing the milvus instance.

Design Details

Prerequisite

  • At most ONE user can be created for a milvus instance.
  • SDK clients MUST encrypt password when connecting to milvus service.


Authentication Workflow
Since grpc requests all handled by proxy, we will do the authentication in the proxy component. Logging on to the milvus instance will follow the processes below:

  1. Create credential for each milvus instance and store encrypted password in etcd. Here we use package bcrypt for encrypting the password which implements Provos and Mazières's adaptive hashing algorithm.
  2. SDK client sends credential with password encrypted when connecting milvus service.
  3. Milvus proxy component intercepts the request and verify the credential.
  4. Credentials are cached locally on Proxy component.

Cache Update Workflow

1、Credential apis are provided by RootCoord.

2、Credential apis persist credentials on etcd (or other storage like mysql), and create task called CredTask for updating local caches in all proxy components.

3、CredTask will iterate all the proxy components, and call every proxy's rpc for updating the local cache until all of them are success.

4、Auth interceptor in proxy component will just search credential records from local cache.


Etcd model for credentials

Key: ${prefix}/credentials/users/${username}
Value: {"password": ${encrypted_password}, ...}


Interface of credentials apis

struct Credential {
	username string,
	password string
}

func NewCredential(cred Credential) (bool,error)
func ListUsers() []string
func UpdateCredential(cred Credential) (bool,error)
func DeleteCredential(username string) (bool,error)


Compatibility

To be compatible with preview version, Milvus will detect the records on credentials path in etcd whether users are created for the milvus instance. If there are non users, it acts like the non-authenticate mode. Otherwise it will check the credentials for each grpc call.

Test Plan


Case 1: create credentials for milvus

  1. Access with correct credentials should succeed
  2. Access with incorrect credentials should fail
  3. Access without credentials should fail

Case 2: no credentials created for milvus

  1. Access without credentials should succeed
  2. Access with credentials should fail (return message "authentication not enabled")

Future work

SSL/TLS transportation
Authorization on RBAC control

  • No labels