
Authorization

Authentication and authorization

Authentication and authorization are closely related concepts, and sometimes abbreviated as AuthN and AuthZ. Authentication (AuthN) is the process of verifying the identity of a user, while authorization (AuthZ) is the process of determining what permissions the user has.

Weaviate provides differentiated access through authorization levels, based on the user's authentication status. A user can be granted admin permission, read-only permission, or no permission at all. From v1.29.0, Weaviate also supports Role-Based Access Control (RBAC) for more fine-grained control over user permissions.

The following diagram illustrates the flow of a user request through the authentication and authorization process:

Available authorization schemes

The following authorization schemes are available in Weaviate:

In the Admin list authorization scheme, anonymous users can be granted permissions.

How you configure authorization depends on your deployment method: Docker or Kubernetes. Below, we provide examples for both.

What about Weaviate Cloud (WCD)?

For Weaviate Cloud (WCD) instances, authorization is pre-configured with Admin list access. You can authenticate against Weaviate with your WCD credentials using OIDC, or with admin or read-only API keys.


RBAC access will be available in WCD in a future release.

Role-Based Access Control (RBAC)

Available from v1.29

Role-based access control (RBAC) is generally available in Weaviate from version v1.29.

Role-based access control (RBAC) is a method of restricting access to resources based on the roles of users. In Weaviate, RBAC allows you to define roles and assign permissions to those roles. Users can then be assigned to roles, and inherit the permissions associated with those roles.

Check out the dedicated RBAC documentation for instructions on how to configure RBAC in your Weaviate instance and examples of how to manage roles and users.

Admin list

The "Admin list" authorization scheme allows you to specify a list of admin users with full permissions to perform all actions in Weaviate, and a list of read-only users with permissions to perform only read operations.

These permissions cannot be customized or extended. For more fine-grained control over user permissions, use RBAC instead.

The Admin list authorization scheme cannot be used in combination with RBAC.

Admin list: Docker

Admin list authorization can be configured using environment variables. In Docker Compose, set them in the configuration file (docker-compose.yml) such as in the following example:

services:
  weaviate:
    ...
    environment:
      ...
      # Example authentication configuration using API keys
      # OIDC authentication can also be used with the Admin list scheme
      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
      AUTHENTICATION_APIKEY_ENABLED: 'true'
      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key,user-b-key,user-c-key'
      AUTHENTICATION_APIKEY_USERS: 'user-a,user-b,user-c'

      # Authorization configuration
      # Enable admin list
      AUTHORIZATION_ADMINLIST_ENABLED: 'true'

      # Provide pre-configured roles to users
      # This assumes that the relevant user has been authenticated and identified
      #
      # You MUST define at least one admin user
      AUTHORIZATION_ADMINLIST_USERS: 'user-a'
      AUTHORIZATION_ADMINLIST_READONLY_USERS: 'user-b'

This configuration:

  • Enables Admin list authorization
  • Configures user-a as a user with built-in admin permissions
  • Configures user-b as a user with built-in viewer permissions

Note that in this configuration, user-c has no permissions.

Admin list: Kubernetes

For Kubernetes deployments using Helm, API key authentication and Admin list authorization are configured in the values.yaml file, under the authentication and authorization sections respectively. Here's an example configuration:

# Example authentication configuration using API keys
authentication:
  anonymous_access:
    enabled: false
  apikey:
    enabled: true
    allowed_keys:
      - user-a-key
      - user-b-key
      - user-c-key
    users:
      - user-a
      - user-b
      - user-c

# Authorization configuration
authorization:
  admin_list:
    # Enable admin list
    enabled: true

    # Provide pre-configured roles to users
    # This assumes that the relevant user has been authenticated and identified
    #
    # You MUST define at least one admin user
    users:
      - user-a
    read_only_users:
      - user-b

Anonymous users

Anonymous users are identified as anonymous in Weaviate. In the Admin list authorization scheme, you can apply permissions to anonymous users. The RBAC authorization scheme is not compatible with anonymous users.

To confer permissions to anonymous users in the Admin list scheme, you can use the anonymous keyword in the configuration as shown below.

services:
  weaviate:
    ...
    environment:
      ...
      # Enable anonymous access
      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'true'

      # Configure the admin user's API key
      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key'
      AUTHENTICATION_APIKEY_USERS: 'user-a'

      # Enable admin list and provide admin access to "user-a" only
      AUTHORIZATION_ADMINLIST_ENABLED: 'true'
      AUTHORIZATION_ADMINLIST_USERS: 'user-a'
      # Provide read-only access to anonymous users
      AUTHORIZATION_ADMINLIST_READONLY_USERS: 'anonymous'
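The Admin list scheme spreads one access decision across several environment variables (which keys exist, which user each key maps to, which users are admin or read-only, and whether anonymous access is on), so it is easy to end up with a key that has no permissions, an anonymous grant that never takes effect, or no admin at all. The following script is an added example, not Weaviate's own code: it reads the variables used in the Docker Compose examples above (the Admin list example and the anonymous-access example) and reports the effective access level of every API key and of unauthenticated requests, flagging the configurations this page says are invalid or discouraged. The RBAC variable name AUTHORIZATION_RBAC_ENABLED does not appear on this page and is an assumption; the positional key-to-user mapping follows the examples on this page; and the constructed anonymous-access input adds AUTHENTICATION_APIKEY_ENABLED, which the page's snippet leaves inside its "...".

```python
# Added example, not Weaviate's own code: compute the effective Admin list
# access level of every API key (and of anonymous requests) from the
# environment variables used on this page, and flag the misconfigurations
# the page warns about.
from dataclasses import dataclass, field

ADMIN, READ_ONLY, NONE = "admin", "read-only", "none"


def _csv(value):
    """Split a comma-separated Weaviate env value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def _flag(env, name):
    """Weaviate env booleans are the strings 'true' / 'false'."""
    return env.get(name, "false").strip().lower() == "true"


@dataclass
class AccessReport:
    by_key: dict = field(default_factory=dict)   # api key -> (user, level)
    anonymous: str = NONE                         # level of unauthenticated requests
    problems: list = field(default_factory=list)  # configuration issues found


def resolve_adminlist(env):
    """Map every configured API key to its Admin list access level."""
    report = AccessReport()
    adminlist_on = _flag(env, "AUTHORIZATION_ADMINLIST_ENABLED")
    anonymous_on = _flag(env, "AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED")
    # Assumed variable name; RBAC configuration is not shown on this page.
    rbac_on = _flag(env, "AUTHORIZATION_RBAC_ENABLED")

    if adminlist_on and rbac_on:
        report.problems.append("Admin list cannot be combined with RBAC")
    if not adminlist_on:
        if anonymous_on and not rbac_on:
            report.problems.append("undifferentiated access: anonymous access "
                                   "enabled with no authorization scheme")
        return report  # only the Admin list scheme is evaluated here

    admins = set(_csv(env.get("AUTHORIZATION_ADMINLIST_USERS", "")))
    readonly = set(_csv(env.get("AUTHORIZATION_ADMINLIST_READONLY_USERS", "")))
    if not admins:
        report.problems.append("at least one admin user must be defined")
    for user in sorted(admins & readonly):
        report.problems.append(f"{user} is listed as both admin and read-only")

    def level(user):
        # A user in both lists is reported as admin here; that precedence is
        # this script's assumption, and the overlap is flagged above anyway.
        if user in admins:
            return ADMIN
        return READ_ONLY if user in readonly else NONE

    if _flag(env, "AUTHENTICATION_APIKEY_ENABLED"):
        keys = _csv(env.get("AUTHENTICATION_APIKEY_ALLOWED_KEYS", ""))
        users = _csv(env.get("AUTHENTICATION_APIKEY_USERS", ""))
        if len(keys) != len(users):
            report.problems.append("ALLOWED_KEYS and USERS differ in length; "
                                   "keys are mapped to users positionally here")
        for key, user in zip(keys, users):
            report.by_key[key] = (user, level(user))

    anon_level = level("anonymous")
    if anonymous_on:
        report.anonymous = anon_level
        if anon_level == ADMIN:
            report.problems.append("anonymous users are granted admin permissions")
    elif anon_level != NONE:
        report.problems.append("'anonymous' is granted permissions but "
                               "AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED is false")
    return report


# Constructed inputs: the two Docker Compose configurations shown on this page.
DOCKER_EXAMPLE = {
    "AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED": "false",
    "AUTHENTICATION_APIKEY_ENABLED": "true",
    "AUTHENTICATION_APIKEY_ALLOWED_KEYS": "user-a-key,user-b-key,user-c-key",
    "AUTHENTICATION_APIKEY_USERS": "user-a,user-b,user-c",
    "AUTHORIZATION_ADMINLIST_ENABLED": "true",
    "AUTHORIZATION_ADMINLIST_USERS": "user-a",
    "AUTHORIZATION_ADMINLIST_READONLY_USERS": "user-b",
}
ANONYMOUS_EXAMPLE = {
    "AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED": "true",
    "AUTHENTICATION_APIKEY_ENABLED": "true",  # left in "..." on the page
    "AUTHENTICATION_APIKEY_ALLOWED_KEYS": "user-a-key",
    "AUTHENTICATION_APIKEY_USERS": "user-a",
    "AUTHORIZATION_ADMINLIST_ENABLED": "true",
    "AUTHORIZATION_ADMINLIST_USERS": "user-a",
    "AUTHORIZATION_ADMINLIST_READONLY_USERS": "anonymous",
}

if __name__ == "__main__":
    for name, env in (("docker", DOCKER_EXAMPLE), ("anonymous", ANONYMOUS_EXAMPLE)):
        r = resolve_adminlist(env)
        print(name, r.by_key, "anonymous:", r.anonymous, "problems:", r.problems)
```

Running it against the page's first example reports user-a as admin, user-b as read-only and user-c as none, matching the summary above; against the anonymous-access example it reports user-a as admin and anonymous requests as read-only. Dropping AUTHORIZATION_ADMINLIST_USERS or granting "anonymous" while anonymous access is disabled shows up in the problems list, which is the kind of check worth running on a values file or compose file before it reaches a shared environment.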

Undifferentiated access

Weaviate can be configured to provide undifferentiated access, for example by disabling authentication and enabling anonymous access. This configuration is strongly discouraged except for development or evaluation purposes.

Further resources

Questions and feedback

If you have any questions or feedback, let us know in the user forum.