Grant Privilege or Privilege Group to Roles
Once a role is created, you can grant privileges to the role. This guide introduces how to grant privileges or privilege groups to a role.
Examples on this page use GrantV2 and RevokeV2 APIs, which are introduced in Milvus 2.5. You are recommended to use the new APIs for better performance and usability.
Grant a privilege or a privilege group to a role
Milvus 2.5 introduces a new version of API which streamlines the grant operation. You no longer need to look up the object type when granting a privilege to a role. The following are the parameters and corresponding explanations.
role_name: The name of the target role to which privilege(s) or privilege group(s) need to be granted.
Resource: The target resource of a privilege, which can be a specific instance, database or collection. The following table explains how to specify the resource in the
client.grantV2()method.
Level | Resource | Grant Method | Notes |
|---|---|---|---|
Collection | A specific collection | client.grant_privilege_v2(role_name="roleA", privilege="CollectionAdmin", collection_name="col1", db_name="db1") | Input the name of your target collection and the name of the database to which the target collection belongs. |
All collections under a specific database | client.grant_privilege_v2(role_name="roleA", privilege="CollectionAdmin", collection_name="*", db_name="db1") | Input the name of your target database and a wildcard | |
**Database** | A specific database | client.grant_privilege_v2(role_name="roleA", privilege="DatabaseAdmin", collection_name="*", db_name="db1") | Input the name of your target database and a wildcard |
All databases under the current instance | client.grant_privilege_v2(role_name="roleA", privilege="DatabaseAdmin", collection_name="*", db_name="*") | Input | |
**Instance** | The current instance | client.grant_privilege_v2(role_name="roleA", privilege="ClusterAdmin", collection_name="*", db_name="*") | Input |
Privilege: The specific privilege or privilege group that you need to grant to a role. Currently, Milvus provides 56 types of privileges that you can grant. The table below lists the privileges in Milvus.
The type column in the table below are user to facilitate your quick lookup for privileges and is used for classification purposes only. When granting privileges, you do not need to understand the types. You just need to input the corresponding privileges.
Type | Privilege | Description | Relevant API description on the client side |
|---|---|---|---|
Database Privileges | ListDatabases | View all databases in the current instance | |
DescribeDatabase | View the details of a database | ||
CreateDatabase | Create a database | ||
DropDatabase | Drop a database | ||
AlterDatabase | Modify the properties of a database | ||
Collection Privileges | GetFlushState | Check the status of the collection flush operation | |
GetLoadState | Check the load status of a collection | ||
GetLoadingProgress | Check the loading progress of a collection | ||
ShowCollections | View all collections with collection privileges | ||
ListAliases | View all aliases of a collection | ||
DescribeCollection | View the details of a collection | ||
DescribeAlias | View the details of an alias | ||
GetStatistics | Obtain the statistics of a collection (eg. The number of entities in a collection) | ||
CreateCollection | Create a collection | ||
DropCollection | Drop a collection | ||
Load | Load a collection | ||
Release | Release a collection | ||
Flush | Persist all entities in a collection to a sealed segment. Any entity inserted after the flush operation will be stored in a new segment. | ||
Compaction | Manually trigger compaction | ||
RenameCollection | Rename a collection | ||
CreateAlias | Create an alias for a collection | ||
DropAlias | Drop the alias of a collection | ||
FlushAll | Flush all collections in a database | ||
Partition Privileges | HasPartition | Check whether a partition exists | |
ShowPartitions | View all partitions in a collection | ||
CreatePartition | Create a partition | ||
DropPartition | Drop a partition | ||
Index Privileges | IndexDetail | View the details of an index | |
CreateIndex | Create an index | ||
DropIndex | Drop an index | ||
Resource Management Privileges | LoadBalance | Achieve load balance | |
CreateResourceGroup | Create a resource group | ||
DropResourceGroup | Drop a resource group | ||
UpdateResourceGroups | Update a resource group | ||
DescribeResourceGroup | View the details of a resource group | ||
ListResourceGroups | View all resource groups of the current instance | ||
TransferNode | Transfer nodes between resource groups | ||
TransferReplica | Transfer replicas between resource groups | ||
BackupRBAC | Create a backup for all RBAC related operations in the current instance | BackupRBAC | |
RestoreRBAC | Restore a backup of all RBAC related operations in the current instance | RestoreRBAC | |
Entity Privileges | Query | Conduct a query | |
Search | Conduct a search | ||
Insert | Insert entities | ||
Delete | Delete entities | ||
Upsert | Upsert entities | ||
Import | Bulk insert or import entities | ||
RBAC Privileges | CreateOwnership | Create a user or a role | |
UpdateUser | Update the password of a user | ||
DropOwnership | Drop a user password or a role | ||
SelectOwnership | View all users that are granted a specific role | ||
ManageOwnership | Manage a user or a role or grant a role to a user | ||
SelectUser | View all roles granted to a user | ||
CreatePrivilegeGroup | Create a privilege group | ||
DropPrivilegeGroup | Drop a privilege group | ||
ListPrivilegeGroups | View all privilege groups in the current instance | ||
OperatePrivilegeGroup | Add privileges to or remove privileges from a privilege group |
The following example demonstrates how to grant the privilege PrivilegeSearch on collection_01 under the default database as well as a privilege group named privilege_group_1 to the role role_a.
from pymilvus import MilvusClient
client = MilvusClient(
uri="http://localhost:19530",
token="root:Milvus"
)
client.grant_privilege_v2(
role_name="role_a",
privilege="Search"
collection_name='collection_01'
db_name='default',
)
client.grant_privilege_v2(
role_name="role_a",
privilege="privilege_group_1"
collection_name='collection_01'
db_name='default',
)
client.grant_privilege_v2(
role_name="role_a",
privilege="ClusterReadOnly"
collection_name='*'
db_name='*',
)
import io.milvus.v2.service.rbac.request.GrantPrivilegeReqV2
client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
.roleName("role_a")
.privilege("Search")
.collectionName("collection_01")
.dbName("default")
.build());
client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
.roleName("role_a")
.privilege("privilege_group_1")
.collectionName("collection_01")
.dbName("default")
.build());
client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
.roleName("role_a")
.privilege("ClusterReadOnly")
.collectionName("*")
.dbName("*")
.build());
import "github.com/milvus-io/milvus-sdk-go/v2/client"
client.GrantV2(context.Background(), "role_a", "collection_01", "Search", entity.WithOperatePrivilegeDatabase("default"))
client.GrantV2(context.Background(), "role_a", "collection_01", "privilege_group_1", entity.WithOperatePrivilegeDatabase("default"))
client.GrantV2(context.Background(), "role_a", "*", "ClusterReadOnly", entity.WithOperatePrivilegeDatabase("*"))
const { MilvusClient, DataType } = require("@zilliz/milvus2-sdk-node")
const address = "http://localhost:19530";
const token = "root:Milvus";
const client = new MilvusClient({address, token});
await milvusClient.grantPrivilege({
roleName: 'role_a',
object: 'Collection',
objectName: 'collection_01',
privilegeName: 'Search'
});
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
"roleName": "role_a",
"privilege": "Search",
"collectionName": "collection_01",
"dbName":"default"
}'
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
"roleName": "role_a",
"privilege": "privilege_group_1",
"collectionName": "collection_01",
"dbName":"default"
}'
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
"roleName": "role_a",
"privilege": "ClusterReadOnly",
"collectionName": "*",
"dbName":"*"
}'
Describe a role
The following example demonstrates how to view the privileges granted to the role role_a using the describe_role method.
from pymilvus import MilvusClient
client.describe_role(role_name="role_a")
import io.milvus.v2.service.rbac.response.DescribeRoleResp;
import io.milvus.v2.service.rbac.request.DescribeRoleReq
DescribeRoleReq describeRoleReq = DescribeRoleReq.builder()
.roleName("role_a")
.build();
DescribeRoleResp resp = client.describeRole(describeRoleReq);
List<DescribeRoleResp.GrantInfo> infos = resp.getGrantInfos();
import "github.com/milvus-io/milvus-sdk-go/v2/client"
client.ListRoles(context.Background())
const { MilvusClient, DataType } = require("@zilliz/milvus2-sdk-node")
await milvusClient.describeRole({roleName: 'role_a'});
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/describe" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
"roleName": "role_a"
}'
Below is an example output.
{
"role": "role_a",
"privileges": [
{
"collection_name": "collection_01",
"db_name": "default",
"role_name": "role_a",
"privilege": "Search",
"grantor_name": "root"
},
"privilege_group_1"
]
}
Revoke a privilege or a privilege group from a role
The following example demonstrates how to revoke the privilege PrivilegeSearch on collection_01 under the default database as well as the privilege group privilege_group_1 that have been granted to the role role_a.
from pymilvus import MilvusClient
client = MilvusClient(
uri="http://localhost:19530",
token="root:Milvus"
)
client.revoke_privilege_v2(
role_name="role_a",
privilege="Search"
collection_name='collection_01'
db_name='default',
)
client.revoke_privilege_v2(
role_name="role_a",
privilege="privilege_group_1"
collection_name='collection_01'
db_name='default',
)
client.revoke_privilege_v2(
role_name="role_a",
privilege="ClusterReadOnly"
collection_name='*'
db_name='*',
)
import io.milvus.v2.service.rbac.request.RevokePrivilegeReqV2
client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
.roleName("role_a")
.privilege("Search")
.collectionName("collection_01")
.dbName("default")
.build());
client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
.roleName("role_a")
.privilege("privilege_group_1")
.collectionName("collection_01")
.dbName("default")
.build());
client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
.roleName("role_a")
.privilege("ClusterReadOnly")
.collectionName("*")
.dbName("*")
.build());
import "github.com/milvus-io/milvus-sdk-go/v2/client"
client.RevokeV2(context.Background(), "role_a", "collection_01", "Search", entity.WithOperatePrivilegeDatabase("default"))
client.RevokeV2(context.Background(), "role_a", "collection_01", "privielge_group_1", entity.WithOperatePrivilegeDatabase("default"))
client.RevokeV2(context.Background(), "role_a", "*", "ClusterReadOnly", entity.WithOperatePrivilegeDatabase("*"))
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
"roleName": "role_a",
"privilege": "Search",
"collectionName": "collection_01",
"dbName":"default"
}'
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
"roleName": "role_a",
"privilege": "Search",
"collectionName": "collection_01",
"dbName":"default"
}'
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
"roleName": "role_a",
"privilege": "ClusterReadOnly",
"collectionName": "*",
"dbName":"*"
}'