[Bug]: RBAC user created collection
Is there an existing issue for this?
- [X] I have searched the existing issues
Environment
- Milvus version: 2.4.1
- Deployment mode(standalone or cluster): standalone
- MQ type(rocksmq, pulsar or kafka):
- SDK version(e.g. pymilvus v2.0.0rc2): 2.4.1
- OS(Ubuntu or CentOS): opensuse
- CPU/Memory: 16 core, 64GiB
- GPU: N/A
- Others:
Current Behavior
I am not able to create a user-specific collection. The steps I am taking, generally, are:
- Create root client
- Create user
- Create user role
- Grant privileges to user role
  - object_type='Global', privilege='All', object_name='*'
  - object_type='Global', privilege='CreateCollection', object_name='CreateCollection'
- Grant role to user
- Create user client
- Create collection with user client -> Fails with "permission deny to user1 in the defaultdatabase"
Expected Behavior
I expect to be able to create collections with a user client that is private to the user.
Steps To Reproduce
I have created a script to reproduce this problem here:
https://github.com/highvelcty/milvus_checkout/blob/main/create_user_collection.py
Milvus Log
No response
Anything else?
I added a link to a script in this repository to repeat the problem. If it would be helpful, perhaps creating a pull request in this repo (or a forked repo) might be helpful in collaborating on a fix.
@highvelcty I tried using your script and no errors were found, and the collection was created correctly.
Can you give me more information about the Milvus and pymilvus versions, and the complete error message?
/assign @highvelcty /unassign
Hi @yanliang567 ,
Thank you for looking into this with me.
I initialized my entire system and I was able to create a user specific collection without error. I wonder if there was something with the state of my machine that was causing the trouble.
However, I tried listing the created collections with a non-root user, but an empty list was returned.
These permissions have been provided to the role assigned to the user (see line 71 of create_user_collection.py):
root_client.grant_privilege(role_name=USERROLE,
                            object_type='Global',
                            privilege='All',
                            object_name='*')
root_client.grant_privilege(role_name=USERROLE,
                            object_type='Global',
                            privilege='CreateCollection',
                            object_name='CreateCollection')
root_client.grant_privilege(role_name=USERROLE,
                            object_type='Global',
                            privilege='ShowCollections',
                            object_name='ShowCollections')
I updated the create_user_collection.py script to print the collection listing via the non-root user client (see line 149).
# ./create_user_collection.py
root client list collections: ['user_collection']
user1 list collections: []
#
The expectation is that either the "Global/All/*" or the "Global/ShowCollections/ShowCollections" permission should have allowed the non-root user to list collections.
I see the "user1 client list collections: []" output with the following version sets:
- Milvus version: 2.4.1
- SDK version: 2.4.1
- Milvus version: 2.4.1
- SDK version: 2.4.3
I tried to run the script above and only updated the Milvus host to my deployment. It seems it returns the collections successfully; is that your expectation?
My Milvus and SDK versions:
- Milvus version: 2.4.1
- SDK version: 2.4.3
@highvelcty I have found the cause of the problem. A temporary solution is to grant this role the relevant permissions of a collection, for example:
root_client.grant_privilege(role_name=USERROLE,
                            object_type='Collection',
                            privilege='Insert',
                            object_name='*')
I will fix it in the next version.
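The grants in this thread are a good illustration of how easy it is to hand a role far more than a "user-private collection" needs. The following is an added example (not from the issue or the Milvus project): a small, offline review of a role's grant list using the same (object_type, privilege, object_name) triples that pymilvus' grant_privilege() takes; the finding texts are this editor's least-privilege recommendations, and the "user_collection" name is taken from the reporter's output above.

```python
"""Least-privilege review of Milvus RBAC grants (added example, pure Python, no server)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Grant:
    object_type: str   # 'Global' or 'Collection', as passed to grant_privilege()
    privilege: str     # e.g. 'All', 'CreateCollection', 'ShowCollections', 'Insert'
    object_name: str   # '*' or a specific collection name


def review_role(grants: List[Grant]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for a role's grant list, in grant order."""
    findings: List[Tuple[str, str]] = []
    for g in grants:
        if g.object_type == "Global" and g.privilege == "All":
            findings.append(("OVER_BROAD_GLOBAL_ALL",
                             "Global/All/* grants every global privilege, not just the "
                             "CreateCollection/ShowCollections the use case needs"))
        if g.object_type == "Collection" and g.object_name == "*":
            findings.append(("WILDCARD_COLLECTION",
                             f"Collection/{g.privilege}/* applies to every collection, "
                             "not only the user's own"))
    if not any(g.object_type == "Collection" for g in grants):
        # The thread above reports that on Milvus 2.4.1 the non-root user's
        # list_collections() stayed empty until a collection-scoped grant was added.
        findings.append(("NO_COLLECTION_GRANT",
                         "role has no collection-scoped grant; on 2.4.1 the user "
                         "could not list collections without one (see this issue)"))
    return findings


# Grants from the reporter's script, as quoted in the thread.
REPORTER_GRANTS = [
    Grant("Global", "All", "*"),
    Grant("Global", "CreateCollection", "CreateCollection"),
    Grant("Global", "ShowCollections", "ShowCollections"),
]
# The same role after adding the collection-level grant suggested as the workaround.
WITH_WORKAROUND = REPORTER_GRANTS + [Grant("Collection", "Insert", "*")]
# A narrower variant constructed here: drop Global/All and name the user's own collection.
LEAST_PRIVILEGE = [
    Grant("Global", "CreateCollection", "CreateCollection"),
    Grant("Global", "ShowCollections", "ShowCollections"),
    Grant("Collection", "Insert", "user_collection"),
]

if __name__ == "__main__":
    for name, grants in [("reporter", REPORTER_GRANTS), ("workaround", WITH_WORKAROUND),
                         ("least-privilege", LEAST_PRIVILEGE)]:
        print(name, [code for code, _ in review_role(grants)])
```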
Great! Thank you @SimFG and @yanliang567!