Grant Privileges or Privilege Groups to Roles
After creating a role, you can grant privileges to it. This guide describes how to grant privileges or privilege groups to a role.
Grant a privilege or a privilege group to a role
Milvus 2.5 introduces a new version of the API that simplifies the grant operation. When granting a privilege to a role, you no longer need to look up the object type. The parameters and their descriptions are as follows.
- role_name: the name of the target role to which the privilege or privilege group is granted.
- Resource: the target resource of the privilege, which can be a specific instance, database, or collection. The table below explains how to specify the resource in the client.grantV2() method.
| Level | Resource | Granting method | Notes |
|---|---|---|---|
| Collection | A specific collection | `collection_name="collection_01", db_name="default"` | Enter the name of the target collection and the name of the database the target collection belongs to. |
| | All collections under a specific database | `collection_name="*", db_name="default"` | Enter the name of the target database and the wildcard `*` as the collection name. |
| Database | A specific database | `collection_name="*", db_name="default"` | Enter the name of the target database and the wildcard `*` as the collection name. |
| | All databases under the current instance | `collection_name="*", db_name="*"` | Enter the wildcard `*` as both the database name and the collection name. |
| Instance | The current instance | `collection_name="*", db_name="*"` | Enter the wildcard `*` as both the database name and the collection name. |
- Privilege: the specific privilege or privilege group to grant to the role. Currently, Milvus provides 56 types of privileges that can be granted. The table below lists the privileges in Milvus.
The Type column in the table below is for classification only, so that you can find a privilege quickly. You do not need to understand the type when granting a privilege; simply enter the corresponding privilege.
| Type | Privilege | Description |
|---|---|---|
| Database privileges | ListDatabases | View all databases in the current instance |
| | DescribeDatabase | View the details of a database |
| | CreateDatabase | Create a database |
| | DropDatabase | Drop a database |
| | AlterDatabase | Modify the properties of a database |
| Collection privileges | GetFlushState | Check the status of the collection flush operation |
| | GetLoadState | Check the load status of a collection |
| | GetLoadingProgress | Check the loading progress of a collection |
| | ShowCollections | View all collections with collection privileges |
| | ListAliases | View all aliases of a collection |
| | DescribeCollection | View the details of a collection |
| | DescribeAlias | View the details of an alias |
| | GetStatistics | Obtain the statistics of a collection (e.g. the number of entities in a collection) |
| | CreateCollection | Create a collection |
| | DropCollection | Drop a collection |
| | Load | Load a collection |
| | Release | Release a collection |
| | Flush | Persist all entities in a collection to a sealed segment. Any entity inserted after the flush operation will be stored in a new segment. |
| | Compaction | Manually trigger compaction |
| | RenameCollection | Rename a collection |
| | CreateAlias | Create an alias for a collection |
| | DropAlias | Drop the alias of a collection |
| | FlushAll | Flush all collections in a database |
| Partition privileges | HasPartition | Check whether a partition exists |
| | ShowPartitions | View all partitions in a collection |
| | CreatePartition | Create a partition |
| | DropPartition | Drop a partition |
| Index privileges | IndexDetail | View the details of an index |
| | CreateIndex | Create an index |
| | DropIndex | Drop an index |
| Resource management privileges | LoadBalance | Achieve load balance |
| | CreateResourceGroup | Create a resource group |
| | DropResourceGroup | Drop a resource group |
| | UpdateResourceGroups | Update a resource group |
| | DescribeResourceGroup | View the details of a resource group |
| | ListResourceGroups | View all resource groups of the current instance |
| | TransferNode | Transfer nodes between resource groups |
| | TransferReplica | Transfer replicas between resource groups |
| | BackupRBAC | Create a backup for all RBAC related operations in the current instance |
| | RestoreRBAC | Restore a backup of all RBAC related operations in the current instance |
| Entity privileges | Query | Conduct a query |
| | Search | Conduct a search |
| | Insert | Insert entities |
| | Delete | Delete entities |
| | Upsert | Upsert entities |
| | Import | Bulk insert or import entities |
| RBAC privileges | CreateOwnership | Create a user or a role |
| | UpdateUser | Update the password of a user |
| | DropOwnership | Drop a user password or a role |
| | SelectOwnership | View all users that are granted a specific role |
| | ManageOwnership | Manage a user or a role or grant a role to a user |
| | SelectUser | View all roles granted to a user |
| | CreatePrivilegeGroup | Create a privilege group |
| | DropPrivilegeGroup | Drop a privilege group |
| | ListPrivilegeGroups | View all privilege groups in the current instance |
| | OperatePrivilegeGroup | Add privileges to or remove privileges from a privilege group |
The following example demonstrates how to grant the privilege PrivilegeSearch on collection_01 under the default database, together with the privilege group named privilege_group_1, to the role role_a.
```python
from pymilvus import MilvusClient

client = MilvusClient(
    uri="http://localhost:19530",
    token="root:Milvus"
)

# Grant the Search privilege on collection_01 in the default database.
client.grant_privilege_v2(
    role_name="role_a",
    privilege="Search",
    collection_name='collection_01',
    db_name='default',
)

# Grant the privilege group privilege_group_1 on the same collection.
client.grant_privilege_v2(
    role_name="role_a",
    privilege="privilege_group_1",
    collection_name='collection_01',
    db_name='default',
)

# Grant the ClusterReadOnly privilege group instance-wide (db "*", collection "*").
client.grant_privilege_v2(
    role_name="role_a",
    privilege="ClusterReadOnly",
    collection_name='*',
    db_name='*',
)
```
```java
import io.milvus.v2.service.rbac.request.GrantPrivilegeReqV2;

// Grant the Search privilege on collection_01 in the default database.
client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
        .roleName("role_a")
        .privilege("Search")
        .collectionName("collection_01")
        .dbName("default")
        .build());

// Grant the privilege group privilege_group_1 on the same collection.
client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
        .roleName("role_a")
        .privilege("privilege_group_1")
        .collectionName("collection_01")
        .dbName("default")
        .build());

// Grant the ClusterReadOnly privilege group instance-wide (db "*", collection "*").
client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
        .roleName("role_a")
        .privilege("ClusterReadOnly")
        .collectionName("*")
        .dbName("*")
        .build());
```
```go
package main

import (
	"context"
	"fmt"

	"github.com/milvus-io/milvus/client/v2/milvusclient"
)

func main() {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	client, err := milvusclient.New(ctx, &milvusclient.ClientConfig{
		Address: "localhost:19530",
		APIKey:  "root:Milvus",
	})
	if err != nil {
		fmt.Println(err.Error())
		// handle error
		return
	}
	defer client.Close(ctx)

	// Grant the Search privilege on collection_01 in the default database.
	err = client.GrantV2(ctx, milvusclient.NewGrantV2Option("role_a", "Search", "default", "collection_01"))
	if err != nil {
		fmt.Println(err.Error())
		// handle error
	}

	// Grant the privilege group privilege_group_1 on the same collection.
	err = client.GrantV2(ctx, milvusclient.NewGrantV2Option("role_a", "privilege_group_1", "default", "collection_01"))
	if err != nil {
		fmt.Println(err.Error())
		// handle error
	}

	// Grant the ClusterReadOnly privilege group instance-wide (db "*", collection "*").
	err = client.GrantV2(ctx, milvusclient.NewGrantV2Option("role_a", "ClusterReadOnly", "*", "*"))
	if err != nil {
		fmt.Println(err.Error())
		// handle error
	}
}
```
```javascript
const { MilvusClient } = require("@zilliz/milvus2-sdk-node")

const address = "http://localhost:19530";
const token = "root:Milvus";
const client = new MilvusClient({address, token});

// Grant the Search privilege on collection_01 in the default database.
await client.grantPrivilegeV2({
    role: "role_a",
    privilege: "Search",
    collection_name: 'collection_01',
    db_name: 'default',
});

// Grant the privilege group privilege_group_1 on the same collection.
await client.grantPrivilegeV2({
    role: "role_a",
    privilege: "privilege_group_1",
    collection_name: 'collection_01',
    db_name: 'default',
});

// Grant the ClusterReadOnly privilege group instance-wide (db "*", collection "*").
await client.grantPrivilegeV2({
    role: "role_a",
    privilege: "ClusterReadOnly",
    collection_name: '*',
    db_name: '*',
});
```
```bash
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "roleName": "role_a",
    "privilege": "Search",
    "collectionName": "collection_01",
    "dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "roleName": "role_a",
    "privilege": "privilege_group_1",
    "collectionName": "collection_01",
    "dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "roleName": "role_a",
    "privilege": "ClusterReadOnly",
    "collectionName": "*",
    "dbName":"*"
}'
```
Describe a role
The following example demonstrates how to view the privileges granted to the role role_a using the describe_role method.
```python
from pymilvus import MilvusClient

client = MilvusClient(
    uri="http://localhost:19530",
    token="root:Milvus"
)

client.describe_role(role_name="role_a")
```
```java
import io.milvus.v2.service.rbac.response.DescribeRoleResp;
import io.milvus.v2.service.rbac.request.DescribeRoleReq;

DescribeRoleReq describeRoleReq = DescribeRoleReq.builder()
        .roleName("role_a")
        .build();
DescribeRoleResp resp = client.describeRole(describeRoleReq);
List<DescribeRoleResp.GrantInfo> infos = resp.getGrantInfos();
```
```go
import (
	"fmt"

	"github.com/milvus-io/milvus/client/v2/milvusclient"
)

// ctx and client are the ones created in the grant example above.
role, err := client.DescribeRole(ctx, milvusclient.NewDescribeRoleOption("role_a"))
if err != nil {
	fmt.Println(err.Error())
	// handle error
}
fmt.Println(role)
```
```javascript
await client.describeRole({roleName: 'role_a'});
```
```bash
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/describe" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "roleName": "role_a"
}'
```
The following is an example of the output.
```json
{
    "role": "role_a",
    "privileges": [
        {
            "collection_name": "collection_01",
            "db_name": "default",
            "role_name": "role_a",
            "privilege": "Search",
            "grantor_name": "root"
        },
        "privilege_group_1"
    ]
}
```
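As an added example (not part of the Milvus documentation or SDKs), the pure-Python helper below reads a describe_role result in the shape shown above, classifies each grant by the resource level from the table in the grant section (the inverse of the `db_name` / `collection_name` rules), and flags grants that are wider than a single collection or that carry RBAC privileges; the sample input is constructed, and its instance-wide ClusterReadOnly entry is an assumption added to exercise the check.

```python
# Constructed sample in the shape of the describe_role output shown above; the
# instance-wide ClusterReadOnly entry is an assumption added to exercise the audit.
SAMPLE_DESCRIBE_ROLE = {
    "role": "role_a",
    "privileges": [
        {"collection_name": "collection_01", "db_name": "default",
         "role_name": "role_a", "privilege": "Search", "grantor_name": "root"},
        {"collection_name": "*", "db_name": "*",
         "role_name": "role_a", "privilege": "ClusterReadOnly", "grantor_name": "root"},
        "privilege_group_1",
    ],
}

# Privileges from the RBAC row of the privilege table: holding any of these lets a
# role change who may do what, so they are flagged regardless of scope.
RBAC_PRIVILEGES = {
    "CreateOwnership", "UpdateUser", "DropOwnership", "SelectOwnership",
    "ManageOwnership", "SelectUser", "CreatePrivilegeGroup", "DropPrivilegeGroup",
    "ListPrivilegeGroups", "OperatePrivilegeGroup",
}


def scope_level(db_name, collection_name):
    """Inverse of the resource table: the level a (db_name, collection_name) pair addresses."""
    if db_name == "*":
        return "instance"      # '*' / '*': the whole instance
    if collection_name == "*":
        return "database"      # a named database, all of its collections
    return "collection"        # one named collection in one named database


def audit_role(desc):
    """Return (findings, groups): grants wider than one collection or RBAC-related, and unexpanded group names."""
    findings, groups = [], []
    for entry in desc["privileges"]:
        if isinstance(entry, str):
            # Privilege groups are listed by name only; expand them separately
            # before deciding what the role can effectively do.
            groups.append(entry)
            continue
        level = scope_level(entry["db_name"], entry["collection_name"])
        if level != "collection" or entry["privilege"] in RBAC_PRIVILEGES:
            findings.append((entry["privilege"], level,
                             entry["db_name"], entry["collection_name"]))
    return findings, groups


if __name__ == "__main__":
    for finding in audit_role(SAMPLE_DESCRIBE_ROLE)[0]:
        print("broad or sensitive grant:", finding)
```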
Revoke privileges or privilege groups from a role
The following example demonstrates how to revoke the privilege PrivilegeSearch on collection_01 under the default database, together with the privilege group privilege_group_1, that were granted to the role role_a.
```python
# client is the MilvusClient created in the grant example above.

# Revoke the Search privilege on collection_01 in the default database.
client.revoke_privilege_v2(
    role_name="role_a",
    privilege="Search",
    collection_name='collection_01',
    db_name='default',
)

# Revoke the privilege group privilege_group_1 on the same collection.
client.revoke_privilege_v2(
    role_name="role_a",
    privilege="privilege_group_1",
    collection_name='collection_01',
    db_name='default',
)

# Revoke the instance-wide ClusterReadOnly grant (db "*", collection "*").
client.revoke_privilege_v2(
    role_name="role_a",
    privilege="ClusterReadOnly",
    collection_name='*',
    db_name='*',
)
```
```java
import io.milvus.v2.service.rbac.request.RevokePrivilegeReqV2;

// Revoke the Search privilege on collection_01 in the default database.
client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
        .roleName("role_a")
        .privilege("Search")
        .collectionName("collection_01")
        .dbName("default")
        .build());

// Revoke the privilege group privilege_group_1 on the same collection.
client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
        .roleName("role_a")
        .privilege("privilege_group_1")
        .collectionName("collection_01")
        .dbName("default")
        .build());

// Revoke the instance-wide ClusterReadOnly grant (db "*", collection "*").
client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
        .roleName("role_a")
        .privilege("ClusterReadOnly")
        .collectionName("*")
        .dbName("*")
        .build());
```
```go
// ctx and client are the ones created in the grant example above.

// Revoke the Search privilege on collection_01 in the default database.
err = client.RevokePrivilegeV2(ctx, milvusclient.NewRevokePrivilegeV2Option("role_a", "Search", "collection_01").
	WithDbName("default"))
if err != nil {
	fmt.Println(err.Error())
	// handle error
}

// Revoke the privilege group privilege_group_1 on the same collection.
err = client.RevokePrivilegeV2(ctx, milvusclient.NewRevokePrivilegeV2Option("role_a", "privilege_group_1", "collection_01").
	WithDbName("default"))
if err != nil {
	fmt.Println(err.Error())
	// handle error
}

// Revoke the instance-wide ClusterReadOnly grant (db "*", collection "*").
err = client.RevokePrivilegeV2(ctx, milvusclient.NewRevokePrivilegeV2Option("role_a", "ClusterReadOnly", "*").
	WithDbName("*"))
if err != nil {
	fmt.Println(err.Error())
	// handle error
}
```
```javascript
// Revoke the Search privilege on collection_01 in the default database.
await client.revokePrivilegeV2({
    role: 'role_a',
    privilege: 'Search',
    collection_name: 'collection_01',
    db_name: 'default'
});

// Revoke the privilege group privilege_group_1 on the same collection.
await client.revokePrivilegeV2({
    role: 'role_a',
    privilege: 'privilege_group_1',
    collection_name: 'collection_01',
    db_name: 'default'
});

// Revoke the instance-wide ClusterReadOnly grant (db "*", collection "*").
await client.revokePrivilegeV2({
    role: 'role_a',
    privilege: 'ClusterReadOnly',
    collection_name: '*',
    db_name: '*'
});
```
```bash
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "roleName": "role_a",
    "privilege": "Search",
    "collectionName": "collection_01",
    "dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "roleName": "role_a",
    "privilege": "privilege_group_1",
    "collectionName": "collection_01",
    "dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "roleName": "role_a",
    "privilege": "ClusterReadOnly",
    "collectionName": "*",
    "dbName":"*"
}'
```