
Users and Roles

This topic explains the definition of users, roles, objects, and privileges in role-based access control (RBAC).

  • Object: An object to grant or deny access to. The object can be a collection, a partition, etc.

  • User: A user identity with a username and a corresponding password.

  • Privilege: A privilege defines the actions that can be performed and resources that can be accessed. A privilege cannot be granted to a user directly. It has to be granted to a role first.

  • Role: A role defines the privilege(s) a user has on certain objects. After a role is bound to a user, the user inherits all the privileges that are granted to this role.

The following figure illustrates the relationship between objects, privileges, roles, and users.

[Figure: users_and_roles] The relationship between object, privilege, role, and user.

Milvus creates a root user by default, with the default password Milvus. The root user is granted the admin privileges, which means that it can access all resources and perform all actions. Because these default credentials are publicly documented, change the root password before the deployment is reachable by anyone other than its administrators.

If a user is bound to the public role, that user holds the DescribeCollection, ShowCollections, and IndexDetail privileges.

The following table lists the object names and privilege names you can use in grants when RBAC is enabled, together with the client-side API calls each privilege covers.

| Object name | Privilege name | Relevant API description on the client side |
| --- | --- | --- |
| Collection | CreateIndex | CreateIndex |
| Collection | DropIndex | DropIndex |
| Collection | IndexDetail | DescribeIndex/GetIndexState/GetIndexBuildProgress |
| Collection | Load | LoadCollection/GetLoadingProgress/GetLoadState |
| Collection | GetLoadingProgress | GetLoadingProgress |
| Collection | GetLoadState | GetLoadState |
| Collection | Release | ReleaseCollection |
| Collection | Insert | Insert |
| Collection | Delete | Delete |
| Collection | Upsert | Upsert |
| Collection | Search | Search |
| Collection | Flush | Flush/GetFlushState |
| Collection | GetFlushState | GetFlushState |
| Collection | Query | Query |
| Collection | GetStatistics | GetCollectionStatistics |
| Collection | Compaction | Compact |
| Collection | Import | BulkInsert/Import |
| Collection | LoadBalance | LoadBalance |
| Collection | CreatePartition | CreatePartition |
| Collection | DropPartition | DropPartition |
| Collection | ShowPartitions | ShowPartitions |
| Collection | HasPartition | HasPartition |
| Global | All | All API operation permissions in this table |
| Global | CreateCollection | CreateCollection |
| Global | DropCollection | DropCollection |
| Global | DescribeCollection | DescribeCollection |
| Global | ShowCollections | ShowCollections |
| Global | RenameCollection | RenameCollection |
| Global | FlushAll | FlushAll |
| Global | CreateOwnership | CreateUser/CreateRole |
| Global | DropOwnership | DeleteCredential/DropRole |
| Global | SelectOwnership | SelectRole/SelectGrant |
| Global | ManageOwnership | OperateUserRole/OperatePrivilege |
| Global | CreateResourceGroup | CreateResourceGroup |
| Global | DropResourceGroup | DropResourceGroup |
| Global | DescribeResourceGroup | DescribeResourceGroup |
| Global | ListResourceGroups | ListResourceGroups |
| Global | TransferNode | TransferNode |
| Global | TransferReplica | TransferReplica |
| Global | CreateDatabase | CreateDatabase |
| Global | DropDatabase | DropDatabase |
| Global | ListDatabases | ListDatabases |
| Global | CreateAlias | CreateAlias |
| Global | DropAlias | DropAlias |
| Global | DescribeAlias | DescribeAlias |
| Global | ListAliases | ListAliases |
| User | UpdateUser | UpdateCredential |
| User | SelectUser | SelectUser |
  • Object and privilege names are case-sensitive.
  • To grant all privileges on a kind of object (Collection, Global, or User), use "*" as the privilege name.
  • The "*" privilege name on the Global object does not include the All privilege: "*" on Global covers only the Global rows of this table, whereas All covers every permission in the table, including those on Collection and User objects.
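The definitions at the top of this page and the table above can be turned into an offline check of a role design before any grant is issued. The following Python is an added example, not Milvus or pymilvus code: it encodes the table and the three notes beneath it so that can_call answers whether a user bound to a set of roles may invoke a given client-side API on an object, and so that a misspelled or wrongly cased name is rejected at grant time. Two conventions are assumptions of this model rather than statements on the page: an object name of "*" in a grant means every object of that kind, and the root user is modelled as a role holding the Global All privilege.

```python
"""Offline model of the RBAC rules on this page (added example, not Milvus code).
Model assumptions not stated on the page: an object_name of "*" in a grant means
every object of that kind, and root is modelled as a role holding Global All.
"""
from dataclasses import dataclass, field

# Privileges whose client-side API has the same name, per the page's table.
_SAME_NAME = {
    "Collection": ("CreateIndex", "DropIndex", "GetLoadingProgress", "GetLoadState",
                   "Insert", "Delete", "Upsert", "Search", "GetFlushState", "Query",
                   "LoadBalance", "CreatePartition", "DropPartition", "ShowPartitions",
                   "HasPartition"),
    "Global": ("CreateCollection", "DropCollection", "DescribeCollection", "ShowCollections",
               "RenameCollection", "FlushAll", "CreateResourceGroup", "DropResourceGroup",
               "DescribeResourceGroup", "ListResourceGroups", "TransferNode", "TransferReplica",
               "CreateDatabase", "DropDatabase", "ListDatabases", "CreateAlias", "DropAlias",
               "DescribeAlias", "ListAliases"),
    "User": ("SelectUser",),
}
# Privileges whose API names differ from the privilege name, per the page's table.
_OTHER = {
    ("Collection", "IndexDetail"): ("DescribeIndex", "GetIndexState", "GetIndexBuildProgress"),
    ("Collection", "Load"): ("LoadCollection", "GetLoadingProgress", "GetLoadState"),
    ("Collection", "Release"): ("ReleaseCollection",),
    ("Collection", "Flush"): ("Flush", "GetFlushState"),
    ("Collection", "GetStatistics"): ("GetCollectionStatistics",),
    ("Collection", "Compaction"): ("Compact",),
    ("Collection", "Import"): ("BulkInsert", "Import"),
    ("Global", "CreateOwnership"): ("CreateUser", "CreateRole"),
    ("Global", "DropOwnership"): ("DeleteCredential", "DropRole"),
    ("Global", "SelectOwnership"): ("SelectRole", "SelectGrant"),
    ("Global", "ManageOwnership"): ("OperateUserRole", "OperatePrivilege"),
    ("User", "UpdateUser"): ("UpdateCredential",),
}
# object kind -> privilege name -> client APIs it covers; Global All spans the whole table.
PRIVILEGES = {kind: {p: (p,) for p in privs} for kind, privs in _SAME_NAME.items()}
for (kind, priv), apis in _OTHER.items():
    PRIVILEGES[kind][priv] = apis
PRIVILEGES["Global"]["All"] = ()


@dataclass(frozen=True)
class Grant:
    object_kind: str  # "Collection", "Global" or "User"
    object_name: str  # a collection name, or "*" for every object of the kind (assumption)
    privilege: str    # a privilege name from the table, or "*" for all of them


@dataclass
class Role:
    name: str
    grants: set = field(default_factory=set)

    def grant(self, object_kind: str, object_name: str, privilege: str) -> None:
        # Names are case-sensitive, so "collection" or "search" would be silently wrong
        # in a real grant; the model refuses anything not spelled exactly as in the table.
        if object_kind not in PRIVILEGES:
            raise ValueError(f"unknown object kind {object_kind!r}")
        if privilege != "*" and privilege not in PRIVILEGES[object_kind]:
            raise ValueError(f"unknown privilege {privilege!r} for object {object_kind}")
        self.grants.add(Grant(object_kind, object_name, privilege))


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)


# The page's public role, and a root-style admin role (the latter is a modelling assumption).
PUBLIC = Role("public")
for kind, priv in (("Global", "DescribeCollection"), ("Global", "ShowCollections"),
                   ("Collection", "IndexDetail")):
    PUBLIC.grant(kind, "*", priv)
ADMIN = Role("admin")
ADMIN.grant("Global", "*", "All")


def has_privilege(user: User, object_kind: str, object_name: str, privilege: str) -> bool:
    """True if any role bound to `user` grants `privilege` on the named object."""
    for role in user.roles:
        for g in role.grants:
            if g.object_kind == "Global" and g.privilege == "All":
                return True  # All covers every privilege in the table on every object
            if g.object_kind != object_kind or g.object_name not in ("*", object_name):
                continue
            # "*" expands to the table rows of that object kind; on Global it deliberately
            # does not expand to All (third note under the table).
            if g.privilege == privilege or (g.privilege == "*" and privilege != "All"):
                return True
    return False


def can_call(user: User, api: str, object_name: str = "*") -> bool:
    """Map a client-side API name back to every privilege that covers it, then check each."""
    return any(has_privilege(user, kind, object_name, priv)
               for kind, privs in PRIVILEGES.items()
               for priv, apis in privs.items() if api in apis)
```

A typical use is to build the role you intend to create, bind a User to it together with PUBLIC, and ask can_call for each API the workload actually issues; a role granted only Collection Search on one collection lets the user call Search there but not Insert, while GetLoadState is reachable through either the Load or the GetLoadState privilege, exactly as the table's rows overlap. A role granted "*" on Global passes every Global row but still fails a check for All or for any Collection privilege.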