Current state: Under Discussion
To support authentication by username/password when accessing milvus instance.
There is no basic security model for milvus instances currently. Users can access any milvus instance once they have the address by any milvus sdk.
This project aims to support basic authentication with username/password. Clients need to provide username and password when accessing the milvus instance.
Prerequisite
Authentication Workflow
Since grpc requests all handled by proxy, we will do the authentication in the proxy component. Logging on to the milvus instance will follow the processes below:
Cache Update Workflow
Etcd model for credentials
Key : ${prefix}/credentials/users/${username} Value : {"password": ${encrypted_password}, ...} |
Interface of credentials apis
struct Credential { username string, password string } func NewCredential(cred Credential) (bool,error) func ListUsers() []string func UpdateCredential(cred Credential) (bool,error) func DeleteCredential(username string) (bool,error) |
Compatibility
To be compatible with preview version, Milvus will use a toggle for it. If the toggle is on, it will check the credentials for each grpc call, otherwise it acts like the non-authenticate mode.
Case 1: create credentials for milvus
Case 2: no credentials created for milvus
SSL/TLS transportation
Authorization on RBAC control