[Bug]: Restrict access to '/api/v1' RESTful API #36502

Open
1 task done
ghu613 opened this issue Sep 25, 2024 · 7 comments
Labels
kind/bug Issues or changes related a bug triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments


ghu613 commented Sep 25, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Environment

- Milvus version: v2.4.5
- Deployment mode(standalone or cluster): cluster
- MQ type(rocksmq, pulsar or kafka): kafka   
- SDK version(e.g. pymilvus v2.0.0rc2): v2.4.3
- OS(Ubuntu or CentOS): RockyLinux
- CPU/Memory: 
- GPU: none
- Others:

Current Behavior

A user who has not been granted the DropCollection permission can drop collections via the '/api/v1/collection' RESTful API.

Expected Behavior

Enable role-based access control on '/api/v1' routes, or merge their functionality into the v2 API and then deprecate '/api/v1'.

Steps To Reproduce

No response

Milvus Log

No response

Anything else?

No response

@ghu613 ghu613 added kind/bug Issues or changes related a bug needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 25, 2024
@zhuwenxing
Contributor

Is it the interface in this link: https://milvus.io/api-reference/restful/v2.4.x/v1/Collection%20(v1)/Drop.md? or something else?

@ghu613
Author

ghu613 commented Sep 25, 2024

It was probably created before the v1 and v2 APIs, and I don't think it's documented.
Reference:
https://github.com/milvus-io/milvus/blob/master/internal/distributed/proxy/httpserver/handler.go#L26

@zhuwenxing
Contributor

zhuwenxing commented Sep 25, 2024

> It was probably created before the v1 and v2 APIs, and I don't think it's documented. Reference: https://github.com/milvus-io/milvus/blob/master/internal/distributed/proxy/httpserver/handler.go#L26

This API was implemented a long time ago by @haorenfsa, but it hasn't been integrated with the authentication system. Should we consider abandoning it?
@czs007 What do you think?

@haorenfsa
Contributor

/api/v1 should be deprecated.
@ghu613 You can find the docs in the v2.1.x documentation: https://milvus.io/docs/v2.1.x/create_collection.md (switch to the Curl tab).

@haorenfsa
Contributor

By the way, 9091 is considered an admin API port and should not be exposed to non-admin users.

@ghu613
Author

ghu613 commented Sep 25, 2024

If it's not too much trouble, please add the health endpoint in v2/v1. Thanks.

@yanliang567
Contributor

/assign @smellthemoon
/unassign

@yanliang567 yanliang567 added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 25, 2024
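
The access check this issue asks for on '/api/v1' routes, sketched as an added example that is not Milvus code: a `net/http` middleware that requires credentials and a per-route privilege, and denies any legacy route it has no mapping for. The accounts, the route-to-privilege map and the HTTP methods are assumptions; only the `/api/v1/collection` path and the `DropCollection` privilege name come from the thread.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample accounts and grants for this sketch (not Milvus's own tables).
var passwords = map[string]string{"admin": "admin-pw", "reader": "reader-pw"}
var grants = map[string]map[string]bool{"admin": {"DropCollection": true}, "reader": {"DescribeCollection": true}}
// Privilege required per legacy route (assumed method/route pairs); unlisted routes are denied.
var needs = map[string]string{
	"DELETE /api/v1/collection": "DropCollection",
	"GET /api/v1/collection":    "DescribeCollection",
}

// guardV1 authenticates, then authorizes, every request under /api/v1/.
func guardV1(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/api/v1/") {
			user, pass, ok := r.BasicAuth()
			want, known := passwords[user]
			if !ok || !known || subtle.ConstantTimeCompare([]byte(pass), []byte(want)) != 1 {
				http.Error(w, "authentication required", http.StatusUnauthorized)
				return
			}
			if need, mapped := needs[r.Method+" "+r.URL.Path]; !mapped || !grants[user][need] {
				http.Error(w, "permission denied", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request through the guard and returns the HTTP status.
func statusFor(user, pass, method, path string) int {
	req := httptest.NewRequest(method, path, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	guardV1(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}
func main() { fmt.Println(statusFor("reader", "reader-pw", "DELETE", "/api/v1/collection")) }
```
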