Roles and privileges¶
A role is a collection of privileges. You can assign a role to a user for access control.
Built-in roles¶
Nebula Graph does not support custom roles, but it has multiple built-in roles:
- GOD
- GOD is the original role with all privileges not limited to graph spaces. It is similar to
rootin Linux andadministratorin Windows. - When the Meta Service is initialized, the one and only GOD role user
rootis automatically created with the passwordnebula.CAUTION: Modify the password for
rootas soon as possible for security. - The default username
rootis immutable. - If authentication is disabled, you can use any username and password to connect to Nebula Graph. This user is regarded as the GOD role.
- GOD is the original role with all privileges not limited to graph spaces. It is similar to
- ADMIN
- An ADMIN role can read and write both the Schema and the data in a specific graph space.
- An ADMIN role of a graph space can grant DBA, USER, and GUEST roles in the graph space to other users.
- DBA
- A DBA role can read and write both the Schema and the data in a specific graph space.
- A DBA role of a graph space CANNOT grant roles to other users.
- USER
- A USER role can read and write data in a specific graph space.
- The Schema information is read-only to the USER roles in a graph space.
- GUEST
- A GUEST role can only read the Schema and the data in a specific graph space.
NOTE: A user can have only one role in a graph space.
Role privileges and allowed nGQL¶
The privileges of roles and the nGQL statements that each role can use are listed as follows.
| Privilege | God | Admin | DBA | User | Guest | Allowed nGQL |
|---|---|---|---|---|---|---|
| Read space | Y | Y | Y | Y | Y | USE, DESCRIBE SPACE |
| Write space | Y | CREATE SPACE, DROP SPACE, CREATE SNAPSHOT, DROP SNAPSHOT, BALANCE, ADMIN, CONFIG, INGEST, DOWNLOAD |
||||
| Read schema | Y | Y | Y | Y | Y | DESCRIBE TAG, DESCRIBE EDGE, DESCRIBE TAG INDEX, DESCRIBE EDGE INDEX |
| Write schema | Y | Y | Y | CREATE TAG, ALTER TAG, CREATE EDGE, ALTER EDGE, DROP TAG, DROP EDGE, CREATE TAG INDEX, CREATE EDGE INDEX, DROP TAG INDEX, DROP EDGE INDEX |
||
| Write user | Y | CREATE USER, DROP USER, ALTER USER |
||||
| Write role | Y | Y | GRANT, REVOKE |
|||
| Read data | Y | Y | Y | Y | Y | GO, SET, PIPE, MATCH, ASSIGNMENT, LOOKUP, YIELD, ORDER BY, FETCH VERTICES, Find, FETCH EDGES, FIND PATH, LIMIT, GROUP BY, RETURN |
| Write data | Y | Y | Y | Y | BUILD TAG INDEX, BUILD EDGE INDEX, INSERT VERTEX, UPDATE VERTEX, INSERT EDGE, UPDATE EDGE, DELETE VERTEX, DELETE EDGES |
|
| Show operations | Y | Y | Y | Y | Y | SHOW, CHANGE PASSWORD |
NOTE:
- The results of
SHOWoperations are limited to the role of a user. For example, all users can runSHOW SPACES, but the results only include the graph spaces that the users have privileges.- Only the GOD role can run
SHOW USERSandSHOW SNAPSHOTS.
Last update: March 29, 2021