Set up RBAC in Weaviate

Role-Based Access Control (RBAC) is a powerful security mechanism that lets you manage who can access and modify your Weaviate instance. In this tutorial, you'll learn how to set up RBAC in Weaviate by defining roles with tailored permissions and assigning them to users. This enables granular control over operations—from reading and writing data to managing collections and tenants—ensuring that only authorized users can perform specific actions.

Introduction

In the steps that follow, we’ll cover:

• Step 1: Connecting to Weaviate
  Ensure you're authenticated with a user who has the necessary role management permissions.
• Step 2: Creating custom roles
  Define roles with precise permissions tailored for various access levels, such as read/write, viewer, or tenant management.
• Step 3: Assigning roles to users
  Apply these roles to users, effectively controlling their access across different resources.

By the end of this guide, you’ll have a clear roadmap for implementing RBAC in your Weaviate deployment, adding an essential layer of security to your AI powered applications.

---

We are going to create the following roles:

• Read and write permissions: rw_role
  Learn how to create a custom role that grants read and write access to collections and data, and assign it to a user.
• Viewer permissions: viewer_role
  Set up a role that restricts users to read-only access for specific collections.
• Tenant permissions: tenant_manager
  Configure roles with permissions to manage tenants, including creating, reading, and updating tenant information.

Prerequisites

Before starting this tutorial, ensure you have the following:

• Docker for running a Weaviate instance locally.
• Your preferred Weaviate client library installed.

Local instance - root user

In order to follow the rest of the tutorial we will need to connect to Weaviate with a user who has the root role assigned. This will allow us to manage roles and permissions.

Create a Docker Compose file (docker-compose.yml) and copy the following configuration:

---
services:
  weaviate:
    command:
    - --host
    - 0.0.0.0
    - --port
    - '8080'
    - --scheme
    - http
    image: cr.weaviate.io/semitechnologies/weaviate:1.29.1
    ports:
    - 8080:8080
    - 50051:50051
    volumes:
    - weaviate_data:/var/lib/weaviate
    restart: on-failure:0
    environment:
      QUERY_DEFAULTS_LIMIT: 25
      PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
      ENABLE_API_BASED_MODULES: 'true'
      CLUSTER_HOSTNAME: 'node1'
      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
      AUTHENTICATION_APIKEY_ENABLED: 'true'
      AUTHENTICATION_APIKEY_ALLOWED_KEYS: 'user-a-key,user-b-key'
      AUTHENTICATION_APIKEY_USERS: 'user-a,user-b'
      AUTHORIZATION_ENABLE_RBAC: 'true'
      AUTHORIZATION_RBAC_ROOT_USERS: 'user-a'
volumes:
  weaviate_data:
...

The environment variables in this configuration:

• Enable RBAC.
• Configure user-a as a user with built-in root/admin permissions.
• Configure user-b as a user with no built-in permissions.

We will connect to Weaviate with user-a, and once we create a new role, we will assign it to user-b.

Read and write permissions

Step 1: Connect to Weaviate

Ensure you are connected to Weaviate with a user possessing sufficient permissions to manage roles. You can achieve this by either using the predefined root role during Weaviate configuration or by granting a user the manage_roles permission.

Python Client v4

import weaviate
from weaviate.classes.init import Auth

# Connect to Weaviate as root user
client = weaviate.connect_to_local(
    auth_credentials=Auth.api_key("user-a-key"),
)

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Step 2: Create new role with custom permissions

This grants read and write permissions for collections starting with TargetCollection, and read permissions to nodes and cluster metadata.

Python Client v4

from weaviate.classes.rbac import Permissions

# Define permissions (example confers read+write rights to collections starting with "TargetCollection")
permissions = [
    # Collection level permissions
    Permissions.collections(
        collection="TargetCollection*",
        create_collection=True,  # Allow creating new collections
        read_config=True,  # Allow reading collection info/metadata
        update_config=True,  # Allow updating collection configuration, i.e. update schema properties, when inserting data with new properties
        delete_collection=True,  # Allow deleting collections
    ),
    # Collection data level permissions
    Permissions.data(
        collection="TargetCollection*",
        create=True,  # Allow data inserts
        read=True,  # Allow query and fetch operations
        update=True,  # Allow data updates
        delete=False,  # Allow data deletes
    ),
    Permissions.backup(collection="TargetCollection*", manage=True),
    Permissions.Nodes.verbose(collection="TargetCollection*", read=True),
    Permissions.cluster(read=True),
]

# Create a new role
client.roles.create(role_name="rw_role", permissions=permissions)

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Step 3: Assign the role to a user

Python Client v4

# Assign the role to a user
client.users.assign_roles(user_id="user-b", role_names=["rw_role"])

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Viewer permissions

Step 1: Connect to Weaviate

Ensure you are connected to Weaviate with a user possessing sufficient permissions to manage roles. You can achieve this by either using the predefined root role during Weaviate configuration or by granting a user the manage_roles permission.

Python Client v4

import weaviate
from weaviate.classes.init import Auth

# Connect to Weaviate as root user
client = weaviate.connect_to_local(
    auth_credentials=Auth.api_key("user-a-key"),
)

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Step 2: Create new role with custom permissions

This grants viewer permissions for collections starting with TargetCollection.

Python Client v4

from weaviate.classes.rbac import Permissions

# Define permissions (example confers viewer rights to collections starting with "TargetCollection")
permissions = [
    Permissions.collections(
        collection="TargetCollection*",
        read_config=True,
    ),
    Permissions.data(collection="TargetCollection*", read=True),
]

# Create a new role
client.roles.create(role_name="viewer_role", permissions=permissions)

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Step 3: Assign the role to a user

Python Client v4

# Assign the role to a user
client.users.assign_roles(user_id="user-b", role_names="viewer_role")

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Tenant permissions

Step 1: Connect to Weaviate

Ensure you are connected to Weaviate with a user possessing sufficient permissions to manage roles. You can achieve this by either using the predefined root role during Weaviate configuration or by granting a user the manage_roles permission.

Python Client v4

import weaviate
from weaviate.classes.init import Auth

# Connect to Weaviate as root user
client = weaviate.connect_to_local(
    auth_credentials=Auth.api_key("user-a-key"),
)

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Step 2: Create new role with custom permissions

This grants permissions to manage collections starting with TargetCollection, and to create, read, and update tenants in the same collection.

Python Client v4

from weaviate.classes.rbac import Permissions

permissions = [
    Permissions.collections(
        collection="TargetCollection*",
        create_collection=True,
        read_config=True,
        update_config=True,
        delete_collection=True,
    ),
    # Without the below permission, the user would not
    # be able to create tenants in collections starting with "TargetCollection"
    Permissions.tenants(
        collection="TargetCollection*",  # Applies to all collections starting with "TargetCollection"
        create=True,  # Allow creating new tenants
        read=True,  # Allow reading tenant info/metadata
        update=True,  # Allow updating tenant states
        delete=False,  # Dont't allow deleting tenants
    ),
]

# Create a new role
client.roles.create(role_name="tenant_manager", permissions=permissions)

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Step 3: Assign the role to a user

Python Client v4

# Assign the role to a user
client.users.assign_roles(user_id="user-b", role_names="tenant_manager")

  API docs

JS/TS Client v3

// TS support coming soon

Go

// Go support coming soon

Java

// Java support coming soon

Summary

This tutorial provides a comprehensive guide to configuring RBAC in Weaviate, helping you secure your vector database by managing user access with tailored roles and permissions.

It walks you through connecting to Weaviate using a user with role management capabilities, then demonstrates how to create custom roles for different access levels. You’ll learn how to set up roles with read and write permissions to manage collections and data, configure viewer permissions for read-only access, and establish tenant permissions for managing tenant operations.

Additional resources

• RBAC: Configuration
• RBAC: Manage roles & users

Questions and feedback

If you have any questions or feedback, let us know in the user forum.

• Technical questions
• Documentation feedback