Roles and privileges¶
A role is a collection of privileges. You can assign a role to a user for access control.
Built-in roles¶
Nebula Graph does not support custom roles, but it has multiple built-in roles:
- GOD
- GOD is the original role with all privileges not limited to graph spaces. It is similar to
root
in Linux andadministrator
in Windows. - When the Meta Service is initialized, the one and only GOD role user
root
is automatically created with the passwordnebula
.
Note
Modify the password for
root
as soon as possible for security.- The default username
root
is immutable. - If authentication is disabled, you can use any username and password to connect to Nebula Graph. This user is regarded as the GOD role.
- GOD is the original role with all privileges not limited to graph spaces. It is similar to
- ADMIN
- An ADMIN role can read and write both the Schema and the data in a specific graph space.
- An ADMIN role of a graph space can grant DBA, USER, and GUEST roles in the graph space to other users.
- DBA
- A DBA role can read and write both the Schema and the data in a specific graph space.
- A DBA role of a graph space CANNOT grant roles to other users.
- USER
- A USER role can read and write data in a specific graph space.
- The Schema information is read-only to the USER roles in a graph space.
- GUEST
- A GUEST role can only read the Schema and the data in a specific graph space.
Note
A user can have only one role in a graph space.
Role privileges and allowed nGQL¶
The privileges of roles and the nGQL statements that each role can use are listed as follows.
Privilege | God | Admin | DBA | User | Guest | Allowed nGQL |
---|---|---|---|---|---|---|
Read space | Y | Y | Y | Y | Y | USE , DESCRIBE SPACE |
Write space | Y | CREATE SPACE , DROP SPACE , CREATE SNAPSHOT , DROP SNAPSHOT , BALANCE DATA , BALANCE DATA STOP , BALANCE DATA REMOVE , BALANCE LEADER , ADMIN , CONFIG , INGEST , DOWNLOAD , SUBMIT JOB COMPACT , SUBMIT JOB FLUSH , SUBMIT JOB STATS , STOP JOB , RECOVER JOB , BUILD TAG INDEX , BUILD EDGE INDEX |
||||
Read schema | Y | Y | Y | Y | Y | DESCRIBE TAG , DESCRIBE EDGE , DESCRIBE TAG INDEX , DESCRIBE EDGE INDEX |
Write schema | Y | Y | Y | CREATE TAG , ALTER TAG , CREATE EDGE , ALTER EDGE , DROP TAG , DROP EDGE , CREATE TAG INDEX , CREATE EDGE INDEX , DROP TAG INDEX , DROP EDGE INDEX |
||
Write user | Y | CREATE USER , DROP USER , ALTER USER |
||||
Write role | Y | Y | GRANT , REVOKE |
|||
Read data | Y | Y | Y | Y | Y | GO , SET , PIPE , MATCH , ASSIGNMENT , LOOKUP , YIELD , ORDER BY , FETCH VERTICES , Find , FETCH EDGES , FIND PATH , LIMIT , GROUP BY , RETURN |
Write data | Y | Y | Y | Y | INSERT VERTEX , UPDATE VERTEX , INSERT EDGE , UPDATE EDGE , DELETE VERTEX , DELETE EDGES , DELETE TAG |
|
Show operations | Y | Y | Y | Y | Y | SHOW , CHANGE PASSWORD |
Note
- The results of
SHOW
operations are limited to the role of a user. For example, all users can runSHOW SPACES
, but the results only include the graph spaces that the users have privileges. - Only the GOD role can run
SHOW USERS
andSHOW SNAPSHOTS
.
Last update: September 1, 2021