Skip to content

Authentication

Nebula Graph replies on local authentication or LDAP authentication to implement access control.

Nebula Graph creates a session when a client connects to it. The session stores information about the connection, including the user information.

By default, authentication is disabled and Nebula Graph allows connections with any username and password. If the authentication system is enabled, Nebula Graph checks a session according to the authentication configuration, and decides whether the session should be allowed or denied.

Local authentication

Local authentication indicates that usernames and passwords are stored locally on the server, with the passwords encrypted.

Enable local authentication

  1. In the /usr/local/nebula/etc/nebula-graphd.conf file, set --enable_authorize=true and save the modification.

    NOTE: /usr/local/nebula/ is the default installation path for Nebula Graph. If you have changed it, use the actual path.

  2. Restart the Nebula Graph services. For how to restart, see Manage Nebula Graph services.

NOTE: You can use the username root and password nebula to log into Nebula Graph after enabling local authentication. This account has the build-in God role. For more information about roles, see Roles and privileges.

LDAP authentication

Lightweight Directory Access Protocol (LDAP), is a lightweight client-server protocol for accessing directories and building a centralized account management system.

LDAP authentication and local authentication can be enabled at the same time, but LDAP authentication has a higher priority. If the local authentication server and the LDAP server both have the information of user Amber, Nebula Graph reads from the LDAP server first.

Enable LDAP authentication

The Nebula Graph Enterprise Edition supports LDAP authentication. For how to enable LDAP, see Authenticate with an LDAP server (TODO: doc).


Last update: March 16, 2021