20250117/v1.28.3 patches (#2929)

* Bump Weaviate versions * Replace "admin-user" and "admin-key" with "user-a" and "user-a-key" * Replace "viewer-user" and "viewer-key" with "user-b" and "user-b-key" * Replace "other-user" and "other-key" with "user-c" and "user-c-key" * Replace jane-doe with user-c * Update RBAC notes
weaviate · Jan 17, 2025 · c960548 · c960548
1 parent 1a17144
commit c960548
Show file tree

Hide file tree

Showing 13 changed files with 171 additions and 82 deletions.
diff --git a/_includes/code/python/howto.configure.rbac.permissions.py b/_includes/code/python/howto.configure.rbac.permissions.py
@@ -11,7 +11,7 @@
     # Use custom port defined in tests/docker-compose-rbac.yml (without showing the user)
     port=8580,
     grpc_port=50551,
-    auth_credentials=Auth.api_key("admin-key")
+    auth_credentials=Auth.api_key("user-a-key")
 )
 
 def reset_user(user: str, client: WeaviateClient):
@@ -25,7 +25,7 @@ def reset_user(user: str, client: WeaviateClient):
 # =================================================================
 
 # Clean slate
-reset_user("other-user", client=admin_client)
+reset_user("user-c", client=admin_client)
 admin_client.roles.delete("rw_role_target_collections")  # delete if exists
 
 # START ReadWritePermissionDefinition
@@ -52,11 +52,11 @@ def reset_user(user: str, client: WeaviateClient):
 
 # Create a new role and assign it to a user
 admin_client.roles.create(role_name="rw_role_target_collections", permissions=admin_permissions)
-admin_client.roles.assign_to_user(role_names="rw_role_target_collections", user="other-user")
+admin_client.roles.assign_to_user(role_names="rw_role_target_collections", user="user-c")
 # END ReadWritePermissionDefinition
 
 # ===== TEST ===== basic checks to see if the role was created
-user_permissions = admin_client.roles.by_user("other-user")
+user_permissions = admin_client.roles.by_user("user-c")
 
 assert "rw_role_target_collections" in user_permissions.keys()
 assert user_permissions["rw_role_target_collections"].collections_permissions[0].collection == "TargetCollection_*"
@@ -67,7 +67,7 @@ def reset_user(user: str, client: WeaviateClient):
 # =================================================================
 
 # Clean slate
-reset_user("other-user", client=admin_client)
+reset_user("user-c", client=admin_client)
 admin_client.roles.delete("viewer_role_target_collections")  # delete if exists
 
 # START ViewerPermissionDefinition
@@ -82,11 +82,41 @@ def reset_user(user: str, client: WeaviateClient):
 
 # Create a new role and assign it to a user
 admin_client.roles.create(role_name="viewer_role_target_collections", permissions=viewer_permissions)
-admin_client.roles.assign_to_user(role_names="viewer_role_target_collections", user="other-user")
+admin_client.roles.assign_to_user(role_names="viewer_role_target_collections", user="user-c")
 # END ViewerPermissionDefinition
 
+# Clean slate - delete `tenant_manager` role if exists
+admin_client.roles.delete("tenant_manager")
+
+# START MTPermissionsExample
+permissions = [
+    Permissions.collections(
+        collection="TargetCollection_*",
+        create_collection=True,
+        read_config=True,
+        update_config=True,
+        delete_collection=True
+    ),
+    # Without the below permission, the user would not
+    # be able to create tenants in collections starting with "TargetCollection_"
+    Permissions.tenants(
+        collection="TargetCollection_*",
+        create=True,
+        read=True,
+        update=True,
+        delete=False
+    )
+]
+
+admin_client.roles.create(
+    role_name="tenant_manager", permissions=permissions
+)
+
+admin_client.roles.assign_to_user(role_names="tenant_manager", user="user-c")
+# END MTPermissionsExample
+
 # ===== TEST ===== basic checks to see if the role was created
-user_permissions = admin_client.roles.by_user("other-user")
+user_permissions = admin_client.roles.by_user("user-c")
 
 assert "viewer_role_target_collections" in user_permissions.keys()
 assert user_permissions["viewer_role_target_collections"].collections_permissions[0].collection == "TargetCollection_*"

diff --git a/_includes/code/python/howto.configure.rbac.roles.py b/_includes/code/python/howto.configure.rbac.roles.py
@@ -11,14 +11,17 @@
     port=8580,
     grpc_port=50551,
     # START AdminClient
-    auth_credentials=Auth.api_key("admin-key")
+    auth_credentials=Auth.api_key("user-a-key")
 )
 # END AdminClient
 
-jane_client = weaviate.connect_to_local(
-    port=8580, grpc_port=50551, auth_credentials=Auth.api_key("jane-key")
+custom_user_client = weaviate.connect_to_local(
+    port=8580, grpc_port=50551, auth_credentials=Auth.api_key("user-c-key")
 )
 
+admin_client.roles.delete("devrel")
+admin_client.roles.delete("devrel-admin")
+
 # # START CreateRole
 # admin_client.roles.create(role_name="devrel")
 # # END CreateRole
@@ -82,16 +85,16 @@
 
 
 # START AssignRole
-admin_client.roles.assign_to_user(role_names="devrel", user="jane-doe")
+admin_client.roles.assign_to_user(role_names="devrel", user="user-c")
 # END AssignRole
-assert "devrel" in admin_client.roles.by_user(user="jane-doe")
+assert "devrel" in admin_client.roles.by_user(user="user-c")
 
 # START ListCurrentUserRoles
 print(admin_client.roles.of_current_user())
 # END ListCurrentUserRoles
 
 # START ListUserRoles
-user_roles = admin_client.roles.by_user(user="jane-doe")
+user_roles = admin_client.roles.by_user(user="user-c")
 
 for role in user_roles:
     print(role)
@@ -112,7 +115,7 @@
 for user in assigned_users:
     print(user)
 # END AssignedUsers
-assert "jane-doe" in assigned_users
+assert "user-c" in assigned_users
 
 # START ListAllRoles
 all_roles = admin_client.roles.list_all()
@@ -140,13 +143,13 @@
 # END RemovePermissions
 
 # START RevokeRoles
-admin_client.roles.revoke_from_user(role_names=["devrel"], user="jane-doe")
+admin_client.roles.revoke_from_user(role_names=["devrel"], user="user-c")
 # END RevokeRoles
-assert "devrel" not in admin_client.roles.by_user(user="jane-doe")
+assert "devrel" not in admin_client.roles.by_user(user="user-c")
 
 # START DeleteRole
 admin_client.roles.delete(role_name="devrel")
 # END DeleteRole
 
 admin_client.close()
-jane_client.close()
+custom_user_client.close()
diff --git a/developers/weaviate/configuration/authentication.md b/developers/weaviate/configuration/authentication.md
@@ -97,10 +97,10 @@ services:
       AUTHENTICATION_APIKEY_ENABLED: 'true'
 
       # List one or more keys in plaintext separated by commas. Each key corresponds to a specific user identity below.
-      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'viewer-key,admin-key'
+      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key,user-b-key'
 
       # List one or more user identities, separated by commas. Each identity corresponds to a specific key above.
-      AUTHENTICATION_APIKEY_USERS: 'viewer-user,admin-user'
+      AUTHENTICATION_APIKEY_USERS: 'user-a,user-b'
 ```
 
 This configuration:
@@ -127,13 +127,13 @@ authentication:
 
     # List one or more keys in plaintext separated by commas. Each key corresponds to a specific user identity below.
     allowed_keys:
-      - admin-key
-      - viewer-key
+      - user-a-key
+      - user-b-key
 
     # List one or more user identities, separated by commas. Each identity corresponds to a specific key above.
     users:
-      - admin-user
-      - viewer-user
+      - user-a
+      - user-b
 ```
 
 This configuration:

diff --git a/developers/weaviate/configuration/authorization.md b/developers/weaviate/configuration/authorization.md
@@ -135,8 +135,8 @@ services:
       # OIDC access can also be used with RBAC
       AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
       AUTHENTICATION_APIKEY_ENABLED: 'true'
-      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'viewer-key,admin-key,other-key'
-      AUTHENTICATION_APIKEY_USERS: 'viewer-user,admin-user,other-user'
+      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key,user-b-key,user-c-key'
+      AUTHENTICATION_APIKEY_USERS: 'user-a,user-b,user-c'
 
       # Authorization configuration
       # Enable RBAC
@@ -146,17 +146,17 @@ services:
       # This assumes that the relevant user has been authenticated and identified
       #
       # You MUST define at least one admin user
-      AUTHORIZATION_ADMIN_USERS: 'admin-user'
-      AUTHORIZATION_VIEWER_USERS: 'viewer-user'
+      AUTHORIZATION_ADMIN_USERS: 'user-a'
+      AUTHORIZATION_VIEWER_USERS: 'user-b'
 ```
 
 This configuration:
 - Enables RBAC
-- Configures `admin-user` as a user with built-in admin permissions
-- Configures `viewer-user` as a user with built-in viewer permissions
-- Configures `other-user` as a user with no built-in permissions
+- Configures `user-a` as a user with built-in admin permissions
+- Configures `user-b` as a user with built-in viewer permissions
+- Configures `user-c` as a user with no built-in permissions
 
-The `other-user` can now be assigned custom roles and permissions using the [RBAC Roles API](./roles.md).
+The `user-c` can now be assigned custom roles and permissions using the [RBAC Roles API](./roles.md).
 
 ### RBAC: Kubernetes
 
@@ -170,13 +170,13 @@ authentication:
   apikey:
     enabled: true
     allowed_keys:
-      - admin-key
-      - viewer-key
-      - other-key
+      - user-a-key
+      - user-b-key
+      - user-c-key
     users:
-      - admin-user
-      - viewer-user
-      - other-user
+      - user-a
+      - user-b
+      - user-c
 
 # Authorization configuration
 authorization:
@@ -188,18 +188,18 @@ authorization:
     #
     # You MUST define at least one admin user
     admins:
-    - admin-user
+    - user-a
     viewers:
-    - viewer-user
+    - user-b
 ```
 
 This configuration:
 - Enables RBAC
-- Configures `admin-user` as a user with built-in admin permissions
-- Configures `viewer-user` as a user with built-in viewer permissions
-- Configures `other-user` as a user with no built-in permissions
+- Configures `user-a` as a user with built-in admin permissions
+- Configures `user-b` as a user with built-in viewer permissions
+- Configures `user-c` as a user with no built-in permissions
 
-The `other-user` can now be assigned custom roles and permissions using the [RBAC Roles API](./roles.md).
+The `user-c` can now be assigned custom roles and permissions using the [RBAC Roles API](./roles.md).
 
 ## Admin list
 
@@ -223,8 +223,8 @@ services:
       # OIDC access can also be used with RBAC
       AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
       AUTHENTICATION_APIKEY_ENABLED: 'true'
-      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'viewer-key,admin-key,other-key'
-      AUTHENTICATION_APIKEY_USERS: 'viewer-user,admin-user,other-user'
+      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key,user-b-key,user-c-key'
+      AUTHENTICATION_APIKEY_USERS: 'user-a,user-b,user-c'
 
       # Authorization configuration
       # Enable admin list
@@ -234,16 +234,16 @@ services:
       # This assumes that the relevant user has been authenticated and identified
       #
       # You MUST define at least one admin user
-      AUTHORIZATION_ADMINLIST_USERS: 'admin-user'
-      AUTHORIZATION_ADMINLIST_READONLY_USERS: 'viewer-user'
+      AUTHORIZATION_ADMINLIST_USERS: 'user-a'
+      AUTHORIZATION_ADMINLIST_READONLY_USERS: 'user-b'
 ```
 
 This configuration:
 - Enables Admin list authorization
-- Configures `admin-user` as a user with built-in admin permissions
-- Configures `viewer-user` as a user with built-in viewer permissions
+- Configures `user-a` as a user with built-in admin permissions
+- Configures `user-b` as a user with built-in viewer permissions
 
-Note that in this configuration, `other-user` has no permissions.
+Note that in this configuration, `user-c` has no permissions.
 
 ### Admin list: Kubernetes
 
@@ -257,13 +257,13 @@ authentication:
   apikey:
     enabled: true
     allowed_keys:
-      - admin-key
-      - viewer-key
-      - other-key
+      - user-a-key
+      - user-b-key
+      - user-c-key
     users:
-      - admin-user
-      - viewer-user
-      - other-user
+      - user-a
+      - user-b
+      - user-c
 
 # Authorization configuration
 authorization:
@@ -276,9 +276,9 @@ authorization:
     #
     # You MUST define at least one admin user
     users:
-    - admin-user
+    - user-a
     read_only_users:
-    - viewer-user
+    - user-b
 ```
 
 ### Anonymous users
@@ -305,11 +305,11 @@ services:
 
       # Configure admin user API key
       AUTHORIZATION_ADMINLIST_ENABLED: 'true'
-      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'admin-key'
-      AUTHENTICATION_APIKEY_USERS: 'admin-user'
+      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key'
+      AUTHENTICATION_APIKEY_USERS: 'user-a'
 
-      # Enable admin list and provide admin access to "admin-user" only
-      AUTHORIZATION_ADMINLIST_USERS: 'admin-user'
+      # Enable admin list and provide admin access to "user-a" only
+      AUTHORIZATION_ADMINLIST_USERS: 'user-a'
       # Provide read-only access to anonymous users
       AUTHORIZATION_ADMINLIST_READONLY_USERS: 'anonymous'
 ```
@@ -329,17 +329,17 @@ authentication:
   apikey:
     enabled: true
     allowed_keys:
-      - admin-key
+      - user-a-key
     users:
-      - admin-user
+      - user-a
 
 authorization:
-  # Enable admin list and provide admin access to "admin-user" only
+  # Enable admin list and provide admin access to "user-a" only
   admin_list:
     # Enable admin list
     enabled: true
     users:
-    - admin-user
+    - user-a
     # Provide read-only access to anonymous users
     read_only_users:
     - anonymous