Security Configuration

1. Security Overview

```text
Milvus security layers:

┌─────────────────────────────────────────┐
│           Security layers               │
├─────────────────────────────────────────┤
│                                         │
│  ┌─────────────────────────────────┐    │
│  │  Network security               │    │
│  │  - TLS/SSL encryption           │    │
│  │  - Network isolation            │    │
│  └─────────────────────────────────┘    │
│                                         │
│  ┌─────────────────────────────────┐    │
│  │  Authentication & authorization │    │
│  │  - Username and password        │    │
│  │  - RBAC access control          │    │
│  └─────────────────────────────────┘    │
│                                         │
│  ┌─────────────────────────────────┐    │
│  │  Data security                  │    │
│  │  - Data encryption              │    │
│  │  - Audit logging                │    │
│  └─────────────────────────────────┘    │
│                                         │
└─────────────────────────────────────────┘
```

2. Authentication Configuration

2.1 Enabling authentication

```yaml
# milvus.yaml: require a username and password on every connection
common:
  security:
    authorizationEnabled: true
```

2.2 Creating users

```python
from pymilvus import connections, utility

# Bootstrap with the built-in root account (default password: Milvus)
connections.connect(
    alias="default",
    host="localhost",
    port="19530",
    user="root",
    password="Milvus"
)

# create_user(username, password, using=<connection alias>)
utility.create_user("admin", "Admin@123", using="default")

utility.create_user("readonly", "Readonly@123", using="default")
```

2.3 Managing users

```python
from pymilvus import connections, utility

connections.connect(alias="default", host="localhost", port="19530", user="root", password="Milvus")

print(utility.list_usernames())  # all accounts known to the server

# reset_password takes the current password as well as the new one
utility.reset_password("admin", "Admin@123", "NewPassword@123", using="default")

utility.delete_user("readonly", using="default")
```

2.4 Connecting with credentials

```python
from pymilvus import connections

# Once authorizationEnabled is true, every client must pass user and password
connections.connect(
    alias="default",
    host="localhost",
    port="19530",
    user="admin",
    password="Admin@123"
)
```

3. RBAC Access Control

3.1 Managing roles

```python
from pymilvus import connections, Role, utility

connections.connect(
    alias="default",
    host="localhost",
    port="19530",
    user="root",
    password="Milvus"
)

# Role(name) is a handle; nothing exists on the server until create() is called
role = Role("read_only")

role.create()

print(utility.list_roles())
```

3.2 Privilege types

```text
Privilege types:

┌─────────────────────────────────────────┐
│           Global privileges             │
├─────────────────────────────────────────┤
│  *:CreateCollection                     │
│  *:DropCollection                       │
│  *:DescribeCollection                   │
│  *:ShowCollections                      │
│  *:CreateOwnership                      │
│  *:DropOwnership                        │
│  *:SelectOwnership                      │
└─────────────────────────────────────────┘

┌─────────────────────────────────────────┐
│           Collection privileges         │
├─────────────────────────────────────────┤
│  collection:Insert                      │
│  collection:Delete                      │
│  collection:Search                      │
│  collection:Query                       │
│  collection:Load                        │
│  collection:Release                     │
│  collection:CreateIndex                 │
│  collection:DropIndex                   │
└─────────────────────────────────────────┘
```

3.3 Granting privileges

```python
from pymilvus import Role

# Uses the connection opened in 3.1; grant(object_type, object_name, privilege)
role = Role("read_only")

# Read-only access to a single collection
role.grant("Collection", "documents", "Search")
role.grant("Collection", "documents", "Query")

# Global privilege: list collections
role.grant("Global", "*", "ShowCollections")

# "*" as the object name applies the privilege to every collection
role.grant("Collection", "*", "Search")
```

3.4 Revoking privileges

```python
from pymilvus import Role

role = Role("read_only")

# Arguments mirror grant(); only the grant on that exact object is removed
role.revoke("Collection", "documents", "Search")

role.revoke("Global", "*", "ShowCollections")
```

3.5 Binding users to roles

```python
from pymilvus import Role

role = Role("read_only")

# Bind the user created in 2.2 to the role
role.add_user("readonly")

role.remove_user("readonly")

print(role.get_users())
```

3.6 Viewing grants

```python
from pymilvus import Role

role = Role("read_only")

# Every grant held by the role
print(role.list_grants())

# Grants on one specific object
print(role.list_grant("Collection", "documents"))
```

4. TLS Encryption

4.1 Generating certificates

```bash
# Self-signed CA
openssl genrsa -out ca.key 2048

openssl req -new -x509 -key ca.key -out ca.pem -days 365 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Milvus/CN=milvus-ca"

# Server key and certificate; the CN must match the server_name the client verifies (4.3)
openssl genrsa -out server.key 2048

openssl req -new -key server.key -out server.csr \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Milvus/CN=localhost"

openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out server.pem -days 365

# Client key and certificate; required only for mutual TLS (tlsMode: 2)
openssl genrsa -out client.key 2048

openssl req -new -key client.key -out client.csr \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Milvus/CN=client"

openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out client.pem -days 365
```

4.2 Server configuration

```yaml
# milvus.yaml
tls:
  serverPemPath: /path/to/server.pem
  serverKeyPath: /path/to/server.key
  caPemPath: /path/to/ca.pem

common:
  security:
    tlsMode: 2   # 0 = TLS off, 1 = one-way (server) TLS, 2 = mutual TLS, clients must present a certificate
```

4.3 Client connection

```python
from pymilvus import connections

# Mutual TLS (tlsMode: 2): the client presents its own certificate from 4.1
# and verifies the server certificate against the CA
connections.connect(
    alias="default",
    host="localhost",
    port="19530",
    user="root",
    password="Milvus",
    secure=True,
    client_pem_path="/path/to/client.pem",
    client_key_path="/path/to/client.key",
    ca_pem_path="/path/to/ca.pem",
    server_name="localhost"   # must match the CN of the server certificate
)

# With one-way TLS (tlsMode: 1) only the server certificate is needed:
# secure=True, server_pem_path="/path/to/server.pem", server_name="localhost"
```

5. Network Security

5.1 Network isolation

```yaml
# Only pods in the "production" namespace may reach the Milvus port
networkPolicy:
  enabled: true
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: production
    ports:
    - protocol: TCP
      port: 19530
```

5.2 Restricting source IPs

```yaml
# Kubernetes Service: accept traffic on the load balancer only from these CIDR ranges
proxy:
  service:
    type: LoadBalancer
    loadBalancerSourceRanges:
    - "10.0.0.0/8"
    - "192.168.0.0/16"
```

6. Audit Logging

6.1 Enabling auditing

```yaml
audit:
  enabled: true
  logPath: /var/log/milvus/audit.log
  maxSize: 100
  maxBackups: 10
  maxAge: 30
```

6.2 Audit log format

```text
2024-01-01T12:00:00.000Z INFO audit {"method": "Search", "user": "admin", "database": "default", "collection": "documents", "timestamp": 1704067200}
```

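As an added example (not from the original page or the Milvus project), the following parses lines in the format shown above and flags records worth reviewing: activity by accounts that are not in the expected user list, and destructive methods used by non-admin accounts. The sample log lines and the user sets are constructed; the method names come from the privilege table in 3.2.

```python
import json
import re
from typing import Dict, List, Optional, Set

# Layout of the line shown above: "<ISO timestamp> <level> audit <JSON payload>"
AUDIT_LINE = re.compile(r"^(\S+)\s+(\w+)\s+audit\s+(\{.*\})\s*$")

# Methods a reviewer wants to see only from trusted accounts
# (names taken from the privilege table in 3.2)
SENSITIVE_METHODS = {"DropCollection", "Delete", "DropIndex", "DropOwnership"}

# Constructed sample log; not real Milvus output
SAMPLE_LOG = """\
2024-01-01T12:00:00.000Z INFO audit {"method": "Search", "user": "admin", "database": "default", "collection": "documents", "timestamp": 1704067200}
2024-01-01T12:00:05.000Z INFO audit {"method": "Query", "user": "reader", "database": "default", "collection": "documents", "timestamp": 1704067205}
2024-01-01T12:01:00.000Z INFO audit {"method": "DropCollection", "user": "reader", "database": "default", "collection": "documents", "timestamp": 1704067260}
2024-01-01T12:02:00.000Z INFO audit {"method": "Insert", "user": "intern", "database": "default", "collection": "documents", "timestamp": 1704067320}
2024-01-01T12:03:00.000Z WARN other component line that is not an audit record
"""


def parse_audit_line(line: str) -> Optional[Dict]:
    """Return the JSON payload plus the log timestamp, or None for non-audit lines."""
    m = AUDIT_LINE.match(line)
    if not m:
        return None
    try:
        event = json.loads(m.group(3))
    except json.JSONDecodeError:
        return None
    event["logged_at"] = m.group(1)
    return event


def find_suspicious(log_text: str, known_users: Set[str], admin_users: Set[str]) -> List[str]:
    """Flag activity by unknown accounts and sensitive methods used by non-admin accounts."""
    findings = []
    for line in log_text.splitlines():
        event = parse_audit_line(line)
        if event is None:
            continue
        user, method = event.get("user"), event.get("method")
        if user not in known_users:
            findings.append(f"{event['logged_at']} unknown user {user!r} called {method}")
        elif method in SENSITIVE_METHODS and user not in admin_users:
            findings.append(f"{event['logged_at']} non-admin {user!r} called {method} "
                            f"on {event.get('collection')}")
    return findings
```

Run it against the rotated files under the `logPath` from 6.1 on a schedule; the two findings on the sample input are the read-only account dropping a collection and the unprovisioned `intern` account writing data.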
7. Security Best Practices

7.1 Password policy

```text
Recommended password policy:

┌─────────────────────────────────────────┐
│           Strong password requirements  │
├─────────────────────────────────────────┤
│  - Length >= 8 characters               │
│  - Upper- and lower-case letters        │
│  - Digits                               │
│  - Special characters                   │
│  - Rotated regularly                    │
└─────────────────────────────────────────┘
```

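An added example, not from the original page: a checker that enforces the four measurable rules above so that a provisioning script can refuse weak passwords before calling `utility.create_user()`. The minimum length is the one stated in the policy; the sample passwords in the usage note are the ones that appear on this page.

```python
import re
from typing import Dict, List

MIN_LENGTH = 8  # "length >= 8" from the policy above

# Each rule maps to the regular expression that must match for it to be satisfied
CHARACTER_RULES = {
    "lower-case letter": r"[a-z]",
    "upper-case letter": r"[A-Z]",
    "digit": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def password_violations(password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_RULES.items():
        if not re.search(pattern, password):
            problems.append(f"missing: {name}")
    return problems


def is_strong(password: str) -> bool:
    return not password_violations(password)


def check_new_accounts(accounts: Dict[str, str]) -> List[str]:
    """Gate for a provisioning step: usernames whose password must change before create_user()."""
    return [user for user, pw in accounts.items() if not is_strong(pw)]
```

The default root password `Milvus` fails three of the rules, while `Admin@123` from 2.2 passes; rotation (the fifth rule) is a process control that the checker cannot measure.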
7.2 Principle of least privilege

```python
from pymilvus import Role

# Each role receives only the privileges its job needs; both use the connection from 3.1

def create_readonly_role():
    role = Role("readonly")
    role.create()

    role.grant("Global", "*", "ShowCollections")
    role.grant("Collection", "*", "Search")
    role.grant("Collection", "*", "Query")

    return role

def create_writer_role():
    role = Role("writer")
    role.create()

    role.grant("Global", "*", "ShowCollections")
    role.grant("Collection", "*", "Insert")
    role.grant("Collection", "*", "Delete")
    role.grant("Collection", "*", "Search")
    role.grant("Collection", "*", "Query")

    return role
```

7.3 Security configuration checklist

```text
Security checklist:

□ Enable authentication
□ Configure TLS encryption
□ Set strong passwords
□ Configure RBAC privileges
□ Enable audit logging
□ Configure network isolation
□ Rotate passwords regularly
□ Audit privileges regularly
□ Back up the security configuration
```

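As an added example covering both 7.2 and the "audit privileges regularly" item in 7.3 (not from the original page or pymilvus), this compares a snapshot of role grants against the least-privilege baseline defined by the two roles in 7.2 and reports excess and missing grants. The snapshot is constructed; its `(object, object_name, privilege)` tuple shape mirrors the `role.grant()` argument order and is an assumption of this example, so convert the result of `Role.list_grants()` from your pymilvus version into it.

```python
from typing import Dict, List, Set, Tuple

# (object type, object name, privilege): the same order as the role.grant() arguments
Grant = Tuple[str, str, str]

# Least-privilege baseline: exactly the grants the two roles in 7.2 are meant to hold
EXPECTED: Dict[str, Set[Grant]] = {
    "readonly": {("Global", "*", "ShowCollections"),
                 ("Collection", "*", "Search"),
                 ("Collection", "*", "Query")},
    "writer": {("Global", "*", "ShowCollections"),
               ("Collection", "*", "Insert"), ("Collection", "*", "Delete"),
               ("Collection", "*", "Search"), ("Collection", "*", "Query")},
}

# Constructed snapshot standing in for what Role(name).list_grants() returns;
# the tuple shape is an assumption of this example, convert your client's result to it
ACTUAL: Dict[str, Set[Grant]] = {
    "readonly": {("Global", "*", "ShowCollections"),
                 ("Collection", "*", "Search"),
                 ("Collection", "*", "Query"),
                 ("Collection", "*", "Insert")},    # drift: a read-only role can write
    "writer": {("Global", "*", "ShowCollections"),
               ("Collection", "*", "Insert"), ("Collection", "*", "Delete"),
               ("Collection", "*", "Search")},      # drift: Query was revoked
    "temp_etl": {("Global", "*", "*")},              # drift: role absent from the baseline
}


def audit_grants(expected: Dict[str, Set[Grant]],
                 actual: Dict[str, Set[Grant]]) -> Dict[str, Dict[str, Set[Grant]]]:
    """Per role, report grants held but not expected ("excess") and expected but absent ("missing").
    A role that exists only on the server has all of its grants reported as excess."""
    report = {}
    for role in sorted(set(expected) | set(actual)):
        want, have = expected.get(role, set()), actual.get(role, set())
        excess, missing = have - want, want - have
        if excess or missing:
            report[role] = {"excess": excess, "missing": missing}
    return report


def revoke_plan(report: Dict[str, Dict[str, Set[Grant]]]) -> List[Tuple[str, Grant]]:
    """Excess grants as (role, grant) pairs, ready for Role(role).revoke(*grant)."""
    return [(role, grant) for role, diff in report.items() for grant in sorted(diff["excess"])]
```

Keep the baseline in version control next to the provisioning script so that a review of the diff is also a review of who may do what.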
8. Complete Example

8.1 Security setup script

```python
from pymilvus import connections, Role, utility

def setup_security():
    # Bootstrap with the built-in root account
    connections.connect(
        alias="default",
        host="localhost",
        port="19530",
        user="root",
        password="Milvus"
    )

    # One account per duty
    utility.create_user("admin", "Admin@123456")
    utility.create_user("reader", "Reader@123456")
    utility.create_user("writer", "Writer@123456")

    # Administrator: every privilege on every object
    admin_role = Role("admin")
    admin_role.create()
    admin_role.grant("Global", "*", "*")
    admin_role.add_user("admin")

    # Reader: list collections, search and query only
    reader_role = Role("reader")
    reader_role.create()
    reader_role.grant("Global", "*", "ShowCollections")
    reader_role.grant("Collection", "*", "Search")
    reader_role.grant("Collection", "*", "Query")
    reader_role.add_user("reader")

    # Writer: reader privileges plus insert and delete
    writer_role = Role("writer")
    writer_role.create()
    writer_role.grant("Global", "*", "ShowCollections")
    writer_role.grant("Collection", "*", "Insert")
    writer_role.grant("Collection", "*", "Delete")
    writer_role.grant("Collection", "*", "Search")
    writer_role.grant("Collection", "*", "Query")
    writer_role.add_user("writer")

    print("安全配置完成")
    print(f"用户列表: {utility.list_usernames()}")
    print(f"角色列表: {utility.list_roles()}")

if __name__ == "__main__":
    setup_security()
```

9. Summary

Security configuration quick reference:

| Item | How |
|------|-----|
| Enable authentication | `authorizationEnabled: true` |
| Create a user | `utility.create_user()` |
| Create a role | `Role.create()` |
| Grant privileges | `role.grant()` |
| Bind a user to a role | `role.add_user()` |
| TLS encryption | `tlsMode` setting |

Next up: backup and recovery!

Last updated: 2026-04-04