跳到主要内容
版本:v3.0.x

为角色授予权限或权限组

创建角色后,就可以向角色授予权限。本指南将介绍如何向角色授予权限或权限组。

向角色授予权限或权限组

Milvus 2.5 引入了新版本的 API,简化了授予操作。向角色授予权限时,不再需要查找对象类型。以下是参数和相应的解释。

  • **role_name:**需要授予权限或权限组的目标角色名称。

  • 资源:权限的目标资源,可以是特定实例、数据库或 Collection。

下表解释了如何在client.grantV2() 方法中指定资源。

| 级别

|

资源

|

授予方法

|

注释

| | --- | --- | --- | --- | |

Collection

|

特定 Collection

|

 client.grant_privilege_v2(
role_name="roleA",
privilege="CollectionAdmin",
collection_name="col1",
db_name="db1"
)

|

输入目标 Collection 的名称以及目标 Collection 所属数据库的名称。

| |

特定数据库下的所有 Collection

|

 client.grant_privilege_v2(
role_name="roleA",
privilege="CollectionAdmin",
collection_name="*",
db_name="db1"
)

|

输入目标数据库名称和通配符* 作为 Collection 名称。

| |

数据库

|

特定数据库

|

 client.grant_privilege_v2(
role_name="roleA",
privilege="DatabaseAdmin",
collection_name="*",
db_name="db1"
)

|

输入目标数据库的名称和通配符* 作为 Collection 名称。

| |

当前实例下的所有数据库

|

 client.grant_privilege_v2(
role_name="roleA",
privilege="DatabaseAdmin",
collection_name="*",
db_name="*"
)

|

输入* 作为数据库名称,输入* 作为 Collection 名称。

| |

实例

|

当前实例

|

 client.grant_privilege_v2(
role_name="roleA",
privilege="ClusterAdmin",
collection_name="*",
db_name="*"
)

|

输入* 作为数据库名称,输入* 作为 Collection 名称。

|

下面的示例演示了如何在default 数据库下的collection_01 上授予PrivilegeSearch 权限,以及如何将名为privilege_group_1 的特权组授予角色role_a

from pymilvus import MilvusClient

client = MilvusClient(
uri="http://localhost:19530",
token="root:Milvus"
)

client.grant_privilege_v2(
role_name="role_a",
privilege="Search",
collection_name='collection_01',
db_name='default',
)

client.grant_privilege_v2(
role_name="role_a",
privilege="privilege_group_1",
collection_name='collection_01',
db_name='default',
)

client.grant_privilege_v2(
role_name="role_a",
privilege="ClusterReadOnly",
collection_name='*',
db_name='*',
)
import io.milvus.v2.service.rbac.request.GrantPrivilegeReqV2

client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
.roleName("role_a")
.privilege("Search")
.collectionName("collection_01")
.dbName("default")
.build());

client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
.roleName("role_a")
.privilege("privilege_group_1")
.collectionName("collection_01")
.dbName("default")
.build());

client.grantPrivilegeV2(GrantPrivilegeReqV2.builder()
.roleName("role_a")
.privilege("ClusterReadOnly")
.collectionName("*")
.dbName("*")
.build());
import (
"context"
"fmt"

"github.com/milvus-io/milvus/client/v2/milvusclient"
)

ctx, cancel := context.WithCancel(context.Background())
defer cancel()

client, err := milvusclient.New(ctx, &milvusclient.ClientConfig{
Address: "localhost:19530",
APIKey: "root:Milvus",
})
if err != nil {
fmt.Println(err.Error())
// handle error
}
defer client.Close(ctx)

err = client.GrantV2(ctx, milvusclient.NewGrantV2Option("role_a", "Search", "default", "collection_01"))
if err != nil {
fmt.Println(err.Error())
// handle error
}

err = client.GrantV2(ctx, milvusclient.NewGrantV2Option("role_a", "privilege_group_1", "default", "collection_01"))
if err != nil {
fmt.Println(err.Error())
// handle error
}

err = client.GrantV2(ctx, milvusclient.NewGrantV2Option("role_a", "ClusterReadOnly", "*", "*"))
if err != nil {
fmt.Println(err.Error())
// handle error
}
const { MilvusClient, DataType } = require("@zilliz/milvus2-sdk-node")

const address = "http://localhost:19530";
const token = "root:Milvus";
const client = new MilvusClient({address, token});

await client.grantPrivilegeV2({
role: "role_a",
privilege: "Search"
collection_name: 'collection_01'
db_name: 'default',
});

await client.grantPrivilegeV2({
role: "role_a",
privilege: "privilege_group_1"
collection_name: 'collection_01'
db_name: 'default',
});

await client.grantPrivilegeV2({
role: "role_a",
privilege: "ClusterReadOnly"
collection_name: '*'
db_name: '*',
});
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--header "Request-Timeout: 10" \
-d '{
"roleName": "role_a",
"privilege": "Search",
"collectionName": "collection_01",
"dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--header "Request-Timeout: 10" \
-d '{
"roleName": "role_a",
"privilege": "privilege_group_1",
"collectionName": "collection_01",
"dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/grant_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--header "Request-Timeout: 10" \
-d '{
"roleName": "role_a",
"privilege": "ClusterReadOnly",
"collectionName": "*",
"dbName":"*"
}'

描述角色

下面的示例演示了如何使用describe_role 方法查看授予角色role_a 的权限。

from pymilvus import MilvusClient

client.describe_role(role_name="role_a")
import io.milvus.v2.service.rbac.response.DescribeRoleResp;
import io.milvus.v2.service.rbac.request.DescribeRoleReq

DescribeRoleReq describeRoleReq = DescribeRoleReq.builder()
.roleName("role_a")
.build();
DescribeRoleResp resp = client.describeRole(describeRoleReq);
List<DescribeRoleResp.GrantInfo> infos = resp.getGrantInfos();
import "github.com/milvus-io/milvus/client/v2/milvusclient"

role, err := client.DescribeRole(ctx, milvusclient.NewDescribeRoleOption("role_a"))
if err != nil {
fmt.Println(err.Error())
// handle error
}
await client.describeRole({roleName: 'role_a'});
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/describe" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--header "Request-Timeout: 10" \
-d '{
"roleName": "role_a"
}'

下面是一个输出示例。

{
"role": "role_a",
"privileges": [
{
"collection_name": "collection_01",
"db_name": "default",
"role_name": "role_a",
"privilege": "Search",
"grantor_name": "root"
},
"privilege_group_1"
]
}

撤销角色的权限或权限组

下面的示例演示了如何撤销default 数据库下collection_01 的特权PrivilegeSearch 以及授予角色role_a 的特权组privilege_group_1

client.revoke_privilege_v2(
role_name="role_a",
privilege="Search",
collection_name='collection_01',
db_name='default',
)

client.revoke_privilege_v2(
role_name="role_a",
privilege="privilege_group_1",
collection_name='collection_01',
db_name='default',
)

client.revoke_privilege_v2(
role_name="role_a",
privilege="ClusterReadOnly",
collection_name='*',
db_name='*',
)
import io.milvus.v2.service.rbac.request.RevokePrivilegeReqV2

client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
.roleName("role_a")
.privilege("Search")
.collectionName("collection_01")
.dbName("default")
.build());

client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
.roleName("role_a")
.privilege("privilege_group_1")
.collectionName("collection_01")
.dbName("default")
.build());

client.revokePrivilegeV2(RevokePrivilegeReqV2.builder()
.roleName("role_a")
.privilege("ClusterReadOnly")
.collectionName("*")
.dbName("*")
.build());
err = client.RevokePrivilegeV2(ctx, milvusclient.NewRevokePrivilegeV2Option("role_a", "Search", "collection_01").
WithDbName("default"))
if err != nil {
fmt.Println(err.Error())
// handle error
}

err = client.RevokePrivilegeV2(ctx, milvusclient.NewRevokePrivilegeV2Option("role_a", "privilege_group_1", "collection_01").
WithDbName("default"))
if err != nil {
fmt.Println(err.Error())
// handle error
}

err = client.RevokePrivilegeV2(ctx, milvusclient.NewRevokePrivilegeV2Option("role_a", "ClusterReadOnly", "*").
WithDbName("*"))
if err != nil {
fmt.Println(err.Error())
// handle error
}
await client.revokePrivilegeV2({
role: 'role_a',
privilege: 'Search',
collection_name: 'collection_01',
db_name: 'default'
});

await client.revokePrivilegeV2({
role: 'role_a',
collection_name: 'collection_01',
privilege: 'Search',
db_name: 'default'
});

await client.revokePrivilegeV2({
role: 'role_a',
collection_name: '*',
privilege: 'ClusterReadOnly',
db_name: '*'
});
curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--header "Request-Timeout: 10" \
-d '{
"roleName": "role_a",
"privilege": "Search",
"collectionName": "collection_01",
"dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--header "Request-Timeout: 10" \
-d '{
"roleName": "role_a",
"privilege": "Search",
"collectionName": "collection_01",
"dbName":"default"
}'

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/roles/revoke_privilege_v2" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
--header "Request-Timeout: 10" \
-d '{
"roleName": "role_a",
"privilege": "ClusterReadOnly",
"collectionName": "*",
"dbName":"*"
}'