Skip to main content

Set up RBAC in Weaviate

Role-Based Access Control (RBAC) is a powerful security mechanism that lets you manage who can access and modify your Weaviate instance. In this tutorial, you'll learn how to set up RBAC in Weaviate by defining roles with tailored permissions and assigning them to users. This enables granular control over operations—from reading and writing data to managing collections and tenants—ensuring that only authorized users can perform specific actions.

Introduction

In the steps that follow, we’ll cover:

  • Step 1: Connecting to Weaviate
    Ensure you're authenticated with a user who has the necessary role management permissions.
  • Step 2: Creating custom roles
    Define roles with specific permissions, such as read, write, tenant management, etc.
  • Step 3: Assigning roles to new users
    Apply these roles to a new user, limiting their access across different resources.

By the end of this guide, you’ll have a clear roadmap for implementing RBAC in your Weaviate deployment, adding an essential layer of security to your AI powered applications.

We are going to create the following roles:

  • Read and write permissions: rw_role
    Learn how to create a custom role that grants read and write access to collections and data, and assign it to a user.
  • Viewer permissions: viewer_role
    Set up a role that restricts users to read-only access for specific collections.
  • Tenant permissions: tenant_manager
    Configure roles with permissions to manage tenants, including creating, reading, and updating tenant information.

Prerequisites

Before starting this tutorial, ensure you have the following:

  • Docker for running a Weaviate instance locally.
  • Your preferred Weaviate client library installed.

Local instance - root user

In order to follow the rest of the tutorial we will need to connect to Weaviate with a user who has the root role assigned. This will allow us to manage roles and permissions.

Create a Docker Compose file (docker-compose.yml) and copy the following configuration:

---
services:
  weaviate:
    command:
      - --host
      - 0.0.0.0
      - --port
      - '8080'
      - --scheme
      - http
    image: cr.weaviate.io/semitechnologies/weaviate:1.30.1
    ports:
      - 8080:8080
      - 50051:50051
    volumes:
      - weaviate_data:/var/lib/weaviate
    restart: on-failure:0
    environment:
      QUERY_DEFAULTS_LIMIT: 25
      PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
      ENABLE_API_BASED_MODULES: 'true'
      CLUSTER_HOSTNAME: 'node1'
      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
      AUTHENTICATION_DB_USERS_ENABLED: 'true'
      AUTHENTICATION_APIKEY_ENABLED: 'true'
      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'root-user-key'
      AUTHENTICATION_APIKEY_USERS: 'root-user'
      AUTHORIZATION_ENABLE_RBAC: 'true'
      AUTHORIZATION_RBAC_ROOT_USERS: 'root-user'
volumes:
  weaviate_data:

The environment variables in this configuration:

  • Enable RBAC.
  • Configure root-user as a user with built-in root/admin permissions.

We will connect to Weaviate with root-user, and once we create a new role, we will also create a new user custom-user and assign the role to it.

Read and write permissions

Step 1: Connect to Weaviate

Ensure you are connected to Weaviate with a user possessing sufficient permissions to manage roles. You can achieve this by either using the predefined root role during Weaviate configuration or by granting a user the manage_roles permission.

import weaviate
from weaviate.classes.init import Auth

# Connect to Weaviate as root user
client = weaviate.connect_to_local(
    auth_credentials=Auth.api_key("root-user-key"),
)
py docs  API docs

Step 2: Create new role with custom permissions

This grants read and write permissions for collections starting with TargetCollection, and read permissions to nodes and cluster metadata.

from weaviate.classes.rbac import Permissions

# Define permissions (example confers read+write rights to collections starting with "TargetCollection")
permissions = [
    # Collection level permissions
    Permissions.collections(
        collection="TargetCollection*",
        create_collection=True,  # Allow creating new collections
        read_config=True,  # Allow reading collection info/metadata
        update_config=True,  # Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
        delete_collection=True,  # Allow deleting collections
    ),
    # Collection data level permissions
    Permissions.data(
        collection="TargetCollection*",
        create=True,  # Allow data inserts
        read=True,  # Allow query and fetch operations
        update=True,  # Allow data updates
        delete=False,  # Allow data deletes
    ),
    Permissions.backup(collection="TargetCollection*", manage=True),
    Permissions.Nodes.verbose(collection="TargetCollection*", read=True),
    Permissions.cluster(read=True),
]

# Create a new role
client.roles.create(role_name="rw_role", permissions=permissions)
py docs  API docs

Step 3: Assign the role to a new user

First, let's create the new user custom-user:

user_api_key = client.users.db.create(user_id="custom-user")
print(user_api_key)
py docs  API docs

Now, you can assign the role rw_role to custom-user:

# Assign the role to a user
client.users.assign_roles(user_id="custom-user", role_names=["rw_role"])
py docs  API docs

Viewer permissions

Step 1: Connect to Weaviate

Ensure you are connected to Weaviate with a user possessing sufficient permissions to manage roles. You can achieve this by either using the predefined root role during Weaviate configuration or by granting a user the manage_roles permission.

import weaviate
from weaviate.classes.init import Auth

# Connect to Weaviate as root user
client = weaviate.connect_to_local(
    auth_credentials=Auth.api_key("root-user-key"),
)
py docs  API docs

Step 2: Create new role with custom permissions

This grants viewer permissions for collections starting with TargetCollection.

from weaviate.classes.rbac import Permissions

# Define permissions (example confers viewer rights to collections starting with "TargetCollection")
permissions = [
    Permissions.collections(
        collection="TargetCollection*",
        read_config=True,
    ),
    Permissions.data(collection="TargetCollection*", read=True),
]

# Create a new role
client.roles.create(role_name="viewer_role", permissions=permissions)
py docs  API docs

Step 3: Assign the role to a new user

First, let's create the new user custom-user:

user_api_key = client.users.db.create(user_id="custom-user")
print(user_api_key)
py docs  API docs

Now, you can assign the role viewer_role to custom-user:

# Assign the role to a user
client.users.assign_roles(user_id="custom-user", role_names="viewer_role")
py docs  API docs

Tenant permissions

Step 1: Connect to Weaviate

Ensure you are connected to Weaviate with a user possessing sufficient permissions to manage roles. You can achieve this by either using the predefined root role during Weaviate configuration or by granting a user the manage_roles permission.

import weaviate
from weaviate.classes.init import Auth

# Connect to Weaviate as root user
client = weaviate.connect_to_local(
    auth_credentials=Auth.api_key("root-user-key"),
)
py docs  API docs

Step 2: Create new role with custom permissions

This grants permissions to:

  • Completely manage tenants starting with TargetTenant in collections starting with TargetCollection.
  • Create, read, update and delete data for tenants starting with TargetTenant in collections starting with TargetCollection.
from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.tenants(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        tenant="TargetTenant*",  # Applies to all tenants starting with "TargetTenant"
        create=True,  # Allow creating new tenants
        read=True,  # Allow reading tenant info/metadata
        update=True,  # Allow updating tenant states
        delete=True,  # Allow deleting tenants
    ),
    Permissions.data(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        tenant="TargetTenant*",  # Applies to all tenants starting with "TargetTenant"
        create=True,  # Allow data inserts
        read=True,  # Allow query and fetch operations
        update=True,  # Allow data updates
        delete=True,  # Allow data deletes
    ),
]

# Create a new role
client.roles.create(role_name="tenant_manager", permissions=permissions)
py docs  API docs

Step 3: Assign the role to a new user

First, let's create the new user custom-user:

user_api_key = client.users.db.create(user_id="custom-user")
print(user_api_key)
py docs  API docs

Now, you can assign the role tenant_manager to custom-user:

# Assign the role to a user
client.users.assign_roles(user_id="custom-user", role_names="tenant_manager")
py docs  API docs

Summary

This tutorial provides a comprehensive guide to configuring RBAC in Weaviate, helping you secure your vector database by managing user access with tailored roles and permissions.

It walks you through connecting to Weaviate using a user with role management capabilities, then demonstrates how to create custom roles for different access levels. You’ll learn how to set up roles with read and write permissions to manage collections and data, configure viewer permissions for read-only access, and establish tenant permissions for managing tenant operations.

Additional resources

Questions and feedback

If you have any questions or feedback, let us know in the user forum.