Current state: Under Discussion
To support authentication by username/password when accessing milvus instance.
There is no basic security model for milvus instances currently. Users can access any milvus instance once they have the address by any milvus sdk.
This project aims to support basic authentication with username/password. Clients need to provide username and password when accessing the milvus instance.
Prerequisite
Authentication Workflow
Since grpc requests all handled by proxy, we will do the authentication in the proxy component. Logging on to the milvus instance will follow the processes below:
Cache Update Workflow
Etcd model for credentials
Key : ${prefix}/credentials/users/${username} Value : {"password": ${encrypted_password}, ...} |
Interface of credentials apis
struct Credential { username string, password string } func NewCredential(cred Credential) (bool,error) func ListUsers() []string func UpdateCredential(cred Credential) (bool,error) func DeleteCredential(username string) (bool,error) |
Compatibility
To be compatible with preview version, Milvus will detect the records on credentials path in etcd whether users are created for the milvus instance. If there are non users, it acts like the non-authenticate mode. Otherwise it will check the credentials for each grpc call.
Case 1: create credentials for milvus
Case 2: no credentials created for milvus
SSL/TLS transportation
Authorization on RBAC control