Minor updates to RBAC docs #2920

Merged
merged 3 commits into from
Jan 20, 2025
22 changes: 19 additions & 3 deletions developers/weaviate/config-refs/env-vars.md
Expand Up @@ -89,6 +89,10 @@ default hostname has changed and a single node cluster believes there are suppos

## Authentication and authorization

:::info Authentication & Authorization documentation
For more information on authentication and authorization, see the [Authentication](../configuration/authentication.md) and [Authorization](../configuration/authorization.md) pages.
:::

| Variable | Description | Type | Example Value |
| --- | --- | --- | --- |
| `AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED` | Allow users to interact with weaviate without auth | `boolean` | `true` <br/> Starting in v1.24, defaults to `true` |
Expand All @@ -100,9 +104,21 @@ default hostname has changed and a single node cluster believes there are suppos
| `AUTHENTICATION_OIDC_GROUPS_CLAIM` | OIDC Groups Claim | `string` | `groups` |
| `AUTHENTICATION_OIDC_ISSUER` | OIDC Token Issuer | `string - URL` | `https://myissuer.com` |
| `AUTHENTICATION_OIDC_USERNAME_CLAIM` | OIDC Username Claim | `string` | `email` |
| `AUTHORIZATION_ADMINLIST_ENABLED` | Enable AdminList Authorization mode | `boolean` | `true` |
| `AUTHORIZATION_ADMINLIST_USERS` | Users with admin permission| `string - comma-separated list` | `[email protected],[email protected]` |
| `AUTHORIZATION_ADMINLIST_READONLY_USERS` | Users with read-only permission| `string - comma-separated list` | `[email protected],[email protected]` |
| `AUTHORIZATION_ADMINLIST_ENABLED` | Enable AdminList authorization scheme (mutually exclusive with `AUTHORIZATION_RBAC_ENABLED`) | `boolean` | `true` |
| `AUTHORIZATION_ADMINLIST_USERS` | Users with admin permission when AdminList scheme used | `string - comma-separated list` | `[email protected],[email protected]` |
| `AUTHORIZATION_ADMINLIST_READONLY_USERS` | Users with read-only permission when AdminList scheme used | `string - comma-separated list` | `[email protected],[email protected]` |

### RBAC Authorization

:::caution RBAC technical preview
Role-based access control (RBAC) is added `v1.28` as a **technical preview**. This means that the feature is still under development and may change in future releases, including potential breaking changes. **We do not recommend using this feature in production environments at this time.**
:::

| Variable | Description | Type | Example Value |
| --- | --- | --- | --- |
| `AUTHORIZATION_RBAC_ENABLED` | Enable RBAC authorization scheme (mutually exclusive with `AUTHORIZATION_ADMINLIST_ENABLED`). Introduced in `v1.28.3`. Previously called `AUTHORIZATION_ENABLE_RBAC` | `boolean` | `true` |
| `AUTHORIZATION_ADMIN_USERS` | Users with the built-in administrator role when RBAC scheme used. At least one admin user must be defined with RBAC. | `string - comma-separated list` | `admin-user,another-admin-user` |
| `AUTHORIZATION_VIEWER_USERS` | Users with the built-in viewer role when RBAC scheme used. | `string - comma-separated list` | `viewer-user,another-viewer-user` |

## Multi-node instances

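Review bot: the two "mutually exclusive" descriptions on the `AUTHORIZATION_ADMINLIST_ENABLED` and `AUTHORIZATION_RBAC_ENABLED` rows do not say what the server does when both are set to `true`. Since this decides which authorization scheme is actually enforced, state the outcome in one of the rows (for example, whether startup fails). The same gap applies to "At least one admin user must be defined with RBAC" on the `AUTHORIZATION_ADMIN_USERS` row, which gives no consequence for leaving it empty. In the caution box, "is added `v1.28`" is missing "in", and the box dates RBAC to `v1.28` while the `AUTHORIZATION_RBAC_ENABLED` row says the variable was introduced in `v1.28.3`; a short note on which name applies to earlier `v1.28` patch releases would remove the ambiguity.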
2 changes: 1 addition & 1 deletion developers/weaviate/configuration/authorization.md
Expand Up @@ -140,7 +140,7 @@ services:

# Authorization configuration
# Enable RBAC
AUTHORIZATION_ENABLE_RBAC: 'true'
AUTHORIZATION_RBAC_ENABLED: 'true'

# Provide pre-configured roles to users
# This assumes that the relevant user has been authenticated and identified
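Review bot: the renamed key `AUTHORIZATION_RBAC_ENABLED: 'true'` in this example carries no version note, while the env-vars.md row in this same PR says the name was introduced in `v1.28.3` and was previously `AUTHORIZATION_ENABLE_RBAC`. A reader copying this compose snippet onto an earlier `v1.28` release would set a name that row does not list for that version, and the diff does not say whether the old name is still accepted. Consider extending the `# Enable RBAC` comment to mention the minimum version and the old name.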
2 changes: 1 addition & 1 deletion tests/docker-compose-rbac.yml
Expand Up @@ -26,7 +26,7 @@ services:
AUTHENTICATION_APIKEY_ENABLED: 'true'
AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key,user-b-key,user-c-key'
AUTHENTICATION_APIKEY_USERS: 'user-a,user-b,user-c'
AUTHORIZATION_ENABLE_RBAC: 'true'
AUTHORIZATION_RBAC_ENABLED: 'true'
AUTHORIZATION_ADMIN_USERS: 'user-a'
AUTHORIZATION_VIEWER_USERS: 'user-b'
...
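Review bot: `user-c` has a key in `AUTHENTICATION_APIKEY_ALLOWED_KEYS` and an entry in `AUTHENTICATION_APIKEY_USERS` but appears in neither `AUTHORIZATION_ADMIN_USERS` nor `AUTHORIZATION_VIEWER_USERS`. If that is the deliberate no-role user for the RBAC tests, a one-line comment saying so would keep a later edit from treating it as an omission and assigning it a role. The rename on the `AUTHORIZATION_RBAC_ENABLED` line is consistent with the other two files.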