Roles And Privileges in 2.5.x version

[shaiktas]

Hi,
We created cluster with 2.4.x version , we had read only user with Load,search,HasParitiion privileges. Later we migrated cluster to 2.5.x and started receiving PERMISSION DENIED error when trying to load collection. We revoked all privileges created in 2.4.x and created back same in 2.5.x as below:

client.grantPrivilegeV2(GrantPrivilegeReqV2.builder().privilege("Search").
collectionName("").
dbName(db)
.roleName(role)
.build());
client.grantPrivilegeV2(GrantPrivilegeReqV2.builder().privilege("Load").
collectionName("").
dbName(db)
.roleName(role)
.build());

with above privileges granted to the role, still load API is giving PermissionDenied error,
R{exception=StatusRuntimeException: PERMISSION_DENIED: PrivilegeLoad: permission deny to xx_roin thexx_db database, status=-3, data=null}
Can you please verify if above API's correctly applied or any changes required ? We following https://milvus.io/docs/grant_privileges.md

[xiaofan-luan]

1. it seems that you need load privilege.
   you can assign by

from pymilvus import MilvusClient

client.grant_privilege_v2(
role_name="role_a",
privilege="Load",
collection_name='collection_01',
db_name='default',
)

or just give collection read write priviledge group
client.grant_privilege_v2(
role_name="role_a",
privilege="CollectionReadWrite",
collection_name='collection_01',
db_name='default',
)

[xiaofan-luan]

btw, did you hit rbac issue before you upgrade?

[shaiktas]

Hi @xiaofan-luan , thank you for acknowledging. We created read only user in 2.4.x with search, Load, HasPartition privileges, post upgrade to 2.5.x it broke. And we are aiming to get this user back with same privileges in 2.5.x. Just small clarification, if we give CollectionReadWrite, user will get insert records as well into Collection which we don't want ,
client.grant_privilege_v2(
role_name="role_a",
privilege="CollectionReadWrite",
collection_name='collection_01',
db_name='default',
)

It is just read only user.

[xiaofan-luan]

I think you can do either:

1. assign read access and load access to this role
2. define your new priviledge group, like this
   Here's how to create a privilege group with read and load access using Python:

python
from pymilvus import MilvusClient
client.create_privileg_group(group_name='read_load_group')

client.add_privileges_to_group(group_name='read_load_group', privileges=[
'Query',
'Search',
'Load',
'GetLoadState',
'GetLoadingProgress'
])

and then assign to user
client.grant_privilege_v2(
role_name="role_name",
privilege="read_load_group",
collection_name='collection_name',
db_name='default',
)

[shaiktas]

Thanks for this info @xiaofan-luan , i tried below JAVA SDK API's but still load API giving permission denied error:

client.createPrivilegeGroup(CreatePrivilegeGroupReq.builder().groupName(role).build());
List privileges = new ArrayList<>();
privileges.add("Search");
privileges.add("Load");
privileges.add("Query");
privileges.add("GetLoadState");
privileges.add("GetLoadingProgress");

    client.addPrivilegesToGroup(AddPrivilegesToGroupReq.builder().groupName(role).privileges(privileges).build());
    client.grantPrivilegeV2(GrantPrivilegeReqV2.builder().privilege(role).roleName(role).collectionName("*").dbName(db).build());

---

Also how to describe role, when i am trying to describe role to verify privileges it is always returning blank/empty

DescribeRoleResp resp = client.describeRole(DescribeRoleReq.builder().roleName(role).build());
the resp is always returns empty output . Is above API good to verify the role privileges?

[xiaofan-luan]

Thanks for this info @xiaofan-luan , i tried below JAVA SDK API's but still load API giving permission denied error:

client.createPrivilegeGroup(CreatePrivilegeGroupReq.builder().groupName(role).build()); List privileges = new ArrayList<>(); privileges.add("Search"); privileges.add("Load"); privileges.add("Query"); privileges.add("GetLoadState"); privileges.add("GetLoadingProgress");

    client.addPrivilegesToGroup(AddPrivilegesToGroupReq.builder().groupName(role).privileges(privileges).build());
    client.grantPrivilegeV2(GrantPrivilegeReqV2.builder().privilege(role).roleName(role).collectionName("*").dbName(db).build());

Also how to describe role, when i am trying to describe role to verify privileges it is always returning blank/empty

DescribeRoleResp resp = client.describeRole(DescribeRoleReq.builder().roleName(role).build()); the resp is always returns empty output . Is above API good to verify the role privileges?

did the user you try to grantPrivilege with has admin access?

[shaiktas]

Hi @xiaofan-luan Yes i connected to MilvusClient with root user, and trying to grant privileges to newly created ReadOnly User.

[xiaofan-luan]

Hi @xiaofan-luan Yes i connected to MilvusClient with root user, and trying to grant privileges to newly created ReadOnly User.
Hi @shaiktas
this should be fixed by 2.5.7.It will be released next week and please upgrade and let me know if it's not fixed