Current state: Under Discussion
Summary
To control users' access to resources like collections in Milvus.
Motivation
There is no basic security model for resource access in Milvus currently. Users can do damage to data either intentionally or unintentionally.
This project aims to support role-based access control. Users can do their operations according to the privileges assigned to them. And administrators of the Milvus cluster can manage users and operations under control.
Design Details
Entities
User: Every user has a unique identifier and is assigned a number of privileges.
Resource Types: Resources defined in Milvus service, like collection, database, etc.
Privilege: Permissions to specific resource.
Role mapping: The mapping between users and roles.
Privilege mapping: The privileges users or roles having for a specific resource.
Additionally, when Milvus service is deployed in cloud, there will be a namespace for each Milvus cluster called tenant.
DB Schema for entities
1、User
id | tenant | username | is_super | is_deleted | created_time | updated_time |
Attribute is_super is true for root user, meaning the root is a super user.
The root user is created by default for each cluster and has all permissions across the cluster.
The root user does not belong to any role.
2、Resource Types
id | resource_type | resource_name | created_time |
Resource types are globally unique, no need to add attribute tenant for it.
3、Privilege
id | tenant | resource_type | privilege | updated_time | is_deleted | created_time |
4、Role
id | tenant | role_name | updated_time | is_deleted | created_time |
5、Role mapping
id | tenant | user_id | role_id | is_deleted | created_time |
By design, a role inherited from another role is not possible here.
6、Privileges of resource COLLECTION
id | tenant | grantor_name | principal_name | principal_type | collection_priv | collection_id | is_deleted | created_time |
Grantor_name is the user who grants the privileges.
Principal_name is the target which grantor grants privileges to.
The value of principal_type are USER or ROLE.
Collection_priv is the privilege to a collection, like SELECT, INSERT, UPDATE, etc.
7、Privileges of resource DATABASE (Not used now)
id | tenant | grantor_name | principal_name | principal_type | db_priv | db_id | is_deleted | created_time |
Db_priv is the privilege to a database, like CREATE, DROP, etc.
KV Store Schema
1、User
/prefix/credentials/users/{tenant}/{username} | {"userType": "admin"} |
2、Resource Types
/prefix/credentials/resources/{resourcename} | nil |
3、Privilege
/prefix/credentials/privileges/{tenant}/{privilege} | nil |
4、Role
/prefix/credentials/roles/{tenant}/{rolename} | nil |
5、Role mapping
/prefix/credentials/user-role-mapping/{tenant}/{username}/{rolename} | nil |
6、Grantee's Privileges
/prefix/credentials/grantee-privileges/{tenant}/{principalType}/{principalName}/{resourceType}/{resourceName} | ["SELECT", "UPDATE"] |
Resources & Privileges defined in Milvus
Users/Roles can be granted the following privileges:
| Privileges | Resources |
| ALL | Collection |
| CREATE | Collection |
| DROP | Collection |
| ALTER | Collection |
| SELECT | Collection |
| INSERT | Collection |
| DELETE | Collection |
| UPDATE | Collection |
| GRANT | Collection |
| REVOKE | Collection |
APIs
For every API, parameter tenant is mandatory for avoiding loading too much data to memory.
1、Create a role
func CreateRole(roleName string) bool
Only root user can create roles.
2、Grant & revoke privileges
func GrantPrivilege(privilege string, resourceType string, resourceName string, principalName string, principalType string) bool func RevokePrivilege(privilege string, resourceType string, resourceName string, principalName string, principalType string) bool
The user granting privileges must also have the privilege being granted on the target collection. For example, a user granting SELECT privilege on a collection to another user must have the GRANT and SELECT privileges on that table. There is no limitation for the root user.
3、List grants for specific user/role and resource
func UserGrantList(principalName string, principalType string, resourceType string, resourceName string) []UserGrant
Output structure:
| ResourceType | ResourceName | PrincipalName | PrincipalType | Privilege |
|---|---|---|---|---|
| Collection | tbl_1 | Alice | User | INSERT |
Users can only query the grants for himself. And only root user can query grants for a role.
4、Show the role grants
func RoleGrantList(roleName string) []RoleGrant
Output:
| Role | Privilege | ResourceType | ResourceName |
|---|---|---|---|
| role_a | INSERT | COLLECTION | tbl_1 |
| role_a | SELECT | COLLECTION | tbl_1 |
| role_a | CREATE | DATABASE | db_1 |
| role_a | DROP | DATABASE | db_1 |
The API may query multiple tables depending on how many resource types milvus supporting.
Only root user can use the api.
5、Manipulate role membership, includes adding/removing users to a role
func AddUserToRole(userName, roleName string) bool
Only root user can manipulate role membership.
6、Drop a role
func DropRole(roleName string) bool
A role cannot be dropped if it has privileges. Use REVOKE API to remove privileges.
Only root user can drop roles.
7、List roles
func RoleList() []Role
Output:
| RoleName |
|---|
| admin |
| role_a |
8、List role memberships
func RoleMembershipList(roleName string) []RoleMembership
Output:
| RoleName | UserName |
|---|---|
| admin | root |
Only root user can use the api.
9、Show users
func UserList() []User
Output:
| UserName | Roles |
|---|---|
| root | [admin, role_a] |
Only root user can use the api.
10、List roles of a user (useless???)
func rolesOfUser(username string) []string
11、List all types of resources
func ResourceList() []Resource
Output:
| Resource |
|---|
| COLLECTION |
| DATABASE |
12、List all privileges
func PrivilegeListOfResource(resourceType string) []Privilege
Output:
| ResourceType | Privilege |
|---|---|
| COLLECTION | INSERT |
| COLLECTION | SELECT |
13、Delete User
The root user cannot be deleted.
The root is initialized by default when milvus service starts. Once the root user is created, basic auth will be turned on automatically.
Other Notices
- Presetting users, resource types, privileges are stored in local files. When milvus starts, it will load these files and insert records into database.
- Presetting users, resource types and privileges can be added into files and taking effect after restarting milvus service.
- The root user is the only user that has privileges for creating and dropping users.
- In MEP-27, basic auth is taking effect if there are any existing users. It needs to introduce a toggle to know where the basic auth is turned on.
- Using Casbin for role-based privileges check ???
Test Plan
Testing all the APIs listed above.