Milvus Manager uses a comprehensive role-based access control (RBAC) system to ensure only authorized users access specific resources. This topic explains how to manage users, roles, and permission groups within the platform.
User management
Add a user
On the Users and Roles page, go to the Users tab and click + User. Configure the following parameters:
| Parameter | Description |
|---|---|
| Username | Usernames must be 1 to 32 characters long, start with a letter, and contain only letters, numbers, and underscores. |
| Password | The password must be 6 to 32 characters long and include uppercase letters, lowercase letters, numbers, and special characters (@#$%^*_+-). |
| Role | Assign an existing built-in role or custom role to the new user. |
User operations
In the user list, you can perform the following operations on a user:
- Associate RAM identity: Associate an Alibaba Cloud RAM user to manage external collections. The system then uses this RAM identity for DLF permission checks.
- Change password: You must verify the current password to change it.
- Edit role: Assign roles to the user.
- Delete: Delete the user.

Note: The built-in root user cannot be deleted. An admin user with the required permissions can delete custom users.
Role management
Built-in roles
| Role name | Description |
|---|---|
| admin | The administrative role that has all permissions. |
| public | The default role assigned to all users, providing basic access permissions. |
Create a custom role
If the built-in roles do not meet your needs, create a custom role:
- On the role management page, click + Role.
- Enter a role name, select permission groups or individual permissions, and then click Create.
Supported resources and permissions:
| Resource level | Available permissions |
|---|---|
| cluster | ReadOnly, ReadWrite, Admin |
| database | ReadOnly, ReadWrite, Admin |
| collection | ReadOnly (includes 14 permissions such as Query, Search, and IndexDetail), ReadWrite (includes Insert, Delete, and Upsert), and Admin (includes Load, Release, and Flush) |
Edit and delete roles
- Built-in roles cannot be edited or deleted.
- Custom roles can be edited or deleted by an admin with the necessary permissions.
Permission system
The Milvus Manager permission system extends the native Milvus RBAC by integrating with the Alibaba Cloud RAM identity system. This provides two layers of access control for the external collection feature.
Permission model
Milvus permissions are organized into three levels:
| Level | Description |
|---|---|
| cluster | Permissions that affect the entire instance, such as system configuration and global monitoring. |
| database | Permissions that apply to a specific database, such as creating or deleting it, and managing the collections it contains. |
| collection | Permissions that affect a specific collection, such as data reads and writes, index management, and loading or releasing the collection. |
Built-in permission groups
Milvus Manager provides nine built-in permission groups, categorized into three levels:
| Level | Permission group | Description |
|---|---|---|
| cluster | ClusterReadOnly | Global read-only permissions, including viewing monitoring data and metadata. |
| cluster | ClusterReadWrite | Global read-write permissions, including data operations and index management. |
| cluster | ClusterAdmin | Global administrative permissions, including user and role management. |
| database | DatabaseReadOnly | Database-level read-only permissions. |
| database | DatabaseReadWrite | Database-level read-write permissions. |
| database | DatabaseAdmin | Database-level administrative permissions. |
| collection | CollectionReadOnly | Includes 14 permissions such as Query, Search, and IndexDetail. |
| collection | CollectionReadWrite | Includes permissions such as Insert, Delete, and Upsert. |
| collection | CollectionAdmin | Includes permissions such as Load, Release, and Flush. |
Custom permission groups
In addition to the built-in permission groups, you can create custom ones for more granular permission control.
Create a permission group:
- On the Users and Roles page, click the Permission Groups tab.
- Click + Permission Group.
- In the dialog box that appears, configure the following information:
  - Permission group name: The name for your custom permission group.
  - Permissions: Select the specific permissions to include in this group.
    - A permission group cannot contain permissions from different levels.
Use a permission group: Once created, you can assign a custom permission group to a role. This allows you to grant a set of related permissions at once, simplifying management.
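The following pre-flight check is an added example, not Milvus Manager code. It applies the username and password rules from the "Add a user" table and the single-level rule for custom permission groups to a provisioning request before anything is entered in the console. Assumptions: "letters" means ASCII letters, a password must contain all four character classes and nothing outside them, and `ExampleDatabasePermission` is a constructed placeholder used only to show a mixed-level group.

```python
import re

# Rules from the "Add a user" table. Assumption: "letters" means ASCII letters.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")
SPECIALS = "@#$%^*_+-"

# Permission -> level. Collection-level names are from this page; the database
# entry is a constructed placeholder, not a real Milvus permission name.
PERMISSION_LEVEL = {
    "Query": "collection", "Search": "collection", "IndexDetail": "collection",
    "Insert": "collection", "Delete": "collection", "Upsert": "collection",
    "Load": "collection", "Release": "collection", "Flush": "collection",
    "ExampleDatabasePermission": "database",
}

def check_username(name):
    if USERNAME_RE.fullmatch(name):
        return []
    return ["username: 1-32 chars, starts with a letter, only letters/digits/_"]

def check_password(pw):
    errors = []
    if not 6 <= len(pw) <= 32:
        errors.append("password: length must be 6-32")
    classes = {
        "uppercase": any(c.isascii() and c.isupper() for c in pw),
        "lowercase": any(c.isascii() and c.islower() for c in pw),
        "digit": any(c.isascii() and c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    errors += [f"password: missing {k}" for k, ok in classes.items() if not ok]
    # Assumption: characters outside the four documented classes are rejected.
    if any(not (c.isascii() and c.isalnum()) and c not in SPECIALS for c in pw):
        errors.append("password: contains a character outside the allowed set")
    return errors

def check_permission_group(permissions):
    unknown = sorted(p for p in permissions if p not in PERMISSION_LEVEL)
    if unknown:
        return [f"permission group: unknown permissions {unknown}"]
    levels = sorted({PERMISSION_LEVEL[p] for p in permissions})
    if len(levels) > 1:
        return [f"permission group: mixes levels {levels}"]
    return []

def preflight(username, password, group_permissions):
    """Return every rule violation for one provisioning request."""
    return (check_username(username) + check_password(password)
            + check_permission_group(group_permissions))
```

An empty list from `preflight` means the request satisfies every rule stated on this page; each string in a non-empty list names one violated rule.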