
Enable RBAC

By enabling RBAC, you can control access to specific Milvus resources (e.g., a collection or a partition) or operations based on user roles and privileges. Currently, this feature is only available in Python and Java.

This topic describes how to enable RBAC and manage users and roles.

The code snippets on this page use the new MilvusClient (Python) to interact with Milvus. New MilvusClient SDKs for other languages will be released in future updates.

1. Initiate a Milvus client to establish a connection

After you enable user authentication, connect to your Milvus instance using a token that consists of a username and a password. By default, Milvus uses the root user with the password Milvus.

from pymilvus import MilvusClient

client = MilvusClient(
    uri='http://localhost:19530', # replace with your own Milvus server address
    token='root:Milvus' # replace with your own Milvus server token
)

2. Create a user

Create a user named user_1 with the password P@ssw0rd:

client.create_user(
    user_name='user_1',
    password='P@ssw0rd'
)

After creating a user, you can:

  • Update a user password. You need to provide both the original and the new password.
client.update_password(
    user_name='user_1',
    old_password='P@ssw0rd',
    new_password='P@ssw0rd123'
)
  • List all users.
client.list_users()

# output:
# ['root', 'user_1']
  • Check the role of a particular user.
client.describe_user(user_name='user_1')

# output:
# {'user_name': 'user_1', 'roles': ()}

3. Create a role

The following example creates a role named roleA.

client.create_role(
    role_name="roleA",
)

After creating a role, you can:

  • List all roles.
client.list_roles()

# output:
# ['admin', 'public', 'roleA']

4. Grant a privilege to a role

The following example demonstrates how to grant the permission of searching all collections to the role named roleA.

The object_type specifies the object type, which can also be understood as the resource type. Currently, valid values include Collection, User, Global, etc., where Global means that there is no specific resource type. The object_name is the resource name. If object_type is Collection, object_name can be a specific collection name, or * to specify all collections. If object_type is Global, object_name can only be *. See Users and Roles for other types of privileges you can grant.

Before managing role privileges, make sure you have enabled user authentication. Otherwise, an error may occur. For information on how to enable user authentication, refer to Authenticate User Access.

# grant privilege to a role

client.grant_privilege(
    role_name='roleA',
    object_type='User',  # Global, Collection or User; must match the object type the privilege applies to (SelectUser applies to User objects)
    object_name='user_1',  # a specific user name, or * for all users, when object_type is 'User'
    privilege='SelectUser'
)

After granting a privilege to a role, you can:

  • View the privileges granted to a role.
client.describe_role(
    role_name='roleA'
)

# output:
# {'role': 'roleA',
#  'privileges': [{'object_type': 'User',
#    'object_name': 'user_1',
#    'db_name': 'default',
#    'role_name': 'roleA',
#    'privilege': 'SelectUser',
#    'grantor_name': 'root'}]}

5. Grant a role to a user

Grant the role to a user so that this user can inherit all the privileges of the role.

# grant a role to a user

client.grant_role(
    user_name='user_1',
    role_name='roleA'
)

After granting the role, verify that it has been granted:

client.describe_user(
    user_name='user_1'
)

# output:
# {'user_name': 'user_1', 'roles': ('roleA',)}

6. Revoke privileges

Exercise caution when performing the following operations because these operations are irreversible.

  • Remove a privilege from a role. If you revoke a privilege that has not been granted to the role, an error will occur.
client.revoke_privilege(
    role_name='roleA',
    object_type='User',  # Global, Collection or User; must match the object type the privilege applies to (SelectUser applies to User objects)
    object_name='user_1',  # a specific user name, or * for all users, when object_type is 'User'
    privilege='SelectUser'
)
  • Remove a user from a role. If you revoke a role that has not been granted to the user, an error will occur.
client.revoke_role(
    user_name='user_1',
    role_name='roleA'
)
  • Drop a role.
client.drop_role(role_name='roleA')
  • Drop a user.
client.drop_user(user_name='user_1')
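As an added check that is not part of the Milvus docs or project code: the audit below diffs the describe_role() and describe_user() results from steps 4 and 5 against an expected least-privilege policy, flagging unplanned grants, wildcard (*) grants and extra roles before you decide what to revoke in step 6. The SAMPLE_* data, the extra 'Search' grant and the audit_* function names are constructed for this example; the only pymilvus calls it relies on are the describe_role()/describe_user() shown above.

```python
# Added example, not Milvus project code: audit describe_role()/describe_user()
# results against an expected least-privilege policy to catch privilege drift
# and wildcard grants. Runs offline; the sample results are constructed.

def audit_role(described, expected):
    """Diff a describe_role() result (shape shown in step 4) against the
    expected set of (object_type, object_name, privilege) tuples."""
    actual = {(p['object_type'], p['object_name'], p['privilege'])
              for p in described['privileges']}
    return {
        'unexpected': sorted(actual - expected),
        'missing': sorted(expected - actual),
        # object_name '*' covers every resource of that type (all collections,
        # all users); Global grants can only use '*', so they always appear here
        'wildcards': sorted(g for g in actual if g[1] == '*'),
    }

def audit_user(described_user, allowed_roles):
    """Return roles a user holds beyond the allow-list, e.g. an unplanned 'admin'."""
    return sorted(set(described_user['roles']) - set(allowed_roles))

def audit_policy(client, policy):
    """Run both audits through a MilvusClient (or any object with the same
    describe_role()/describe_user() methods); only read calls are made.
    policy = {'roles': {role: expected_grants}, 'users': {user: allowed_roles}}
    """
    report = {'roles': {}, 'users': {}}
    for role_name, expected in policy['roles'].items():
        report['roles'][role_name] = audit_role(client.describe_role(role_name=role_name), expected)
    for user_name, allowed in policy['users'].items():
        report['users'][user_name] = audit_user(client.describe_user(user_name=user_name), allowed)
    return report

# Constructed sample results mirroring the describe_role()/describe_user()
# output in steps 4 and 5, plus one wildcard Search grant and an extra role.
SAMPLE_ROLE_A = {'role': 'roleA', 'privileges': [
    {'object_type': 'User', 'object_name': 'user_1', 'db_name': 'default',
     'role_name': 'roleA', 'privilege': 'SelectUser', 'grantor_name': 'root'},
    {'object_type': 'Collection', 'object_name': '*', 'db_name': 'default',
     'role_name': 'roleA', 'privilege': 'Search', 'grantor_name': 'root'},
]}
SAMPLE_USER_1 = {'user_name': 'user_1', 'roles': ('roleA', 'admin')}
POLICY = {'roles': {'roleA': {('User', 'user_1', 'SelectUser')}},
          'users': {'user_1': ['roleA']}}

if __name__ == '__main__':
    print(audit_role(SAMPLE_ROLE_A, POLICY['roles']['roleA']))
    print(audit_user(SAMPLE_USER_1, POLICY['users']['user_1']))
```

Against a live server, pass the MilvusClient from step 1 as `client` to audit_policy() and extend POLICY with the roles and users you actually provisioned.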

What’s next