# Roles and privileges
A role is a collection of privileges. You can assign a role to a user for access control.
## Built-in roles
NebulaGraph does not support custom roles, but it has multiple built-in roles:
- GOD
    - GOD is the original role with all privileges not limited to graph spaces. It is similar to `root` in Linux and `administrator` in Windows.
    - When the Meta Service is initialized, the one and only GOD role user `root` is automatically created with the password `nebula`.

        Caution

        Modify the password for `root` in a timely manner for security.

    - One cluster can only have one user with the GOD role. This user can manage all graph spaces in a cluster.
    - Manual authorization of the GOD role is not supported. Only the `root` user with the default GOD role can be used.
- ADMIN
    - An ADMIN role can read and write both the Schema and the data in a specific graph space.
    - An ADMIN role of a graph space can grant DBA, USER, and GUEST roles in the graph space to other users.

        Note

        Only roles lower than ADMIN can be authorized to other users.

- DBA
    - A DBA role can read and write both the Schema and the data in a specific graph space.
    - A DBA role of a graph space CANNOT grant roles to other users.
- USER
    - A USER role can read and write data in a specific graph space.
    - The Schema information is read-only to the USER roles in a graph space.
- GUEST
    - A GUEST role can only read the Schema and the data in a specific graph space.
Note
- NebulaGraph does not support custom roles. Users can only use the default built-in roles.
- A user can have only one role in a graph space. For authenticated users, see User management.
## Role privileges and allowed nGQL
The privileges of roles and the nGQL statements that each role can use are listed as follows.
| Privilege | God | Admin | DBA | User | Guest | Allowed nGQL |
|---|---|---|---|---|---|---|
| Read space | Y | Y | Y | Y | Y | USE, DESCRIBE SPACE |
| Read schema | Y | Y | Y | Y | Y | DESCRIBE TAG, DESCRIBE EDGE, DESCRIBE TAG INDEX, DESCRIBE EDGE INDEX |
| Write schema | Y | Y | Y | | | CREATE TAG, ALTER TAG, CREATE EDGE, ALTER EDGE, DROP TAG, DELETE TAG, DROP EDGE, CREATE TAG INDEX, CREATE EDGE INDEX, DROP TAG INDEX, DROP EDGE INDEX |
| Write user | Y | | | | | CREATE USER, DROP USER, ALTER USER |
| Write role | Y | Y | | | | GRANT, REVOKE |
| Read data | Y | Y | Y | Y | Y | GO, SET, PIPE, MATCH, ASSIGNMENT, LOOKUP, YIELD, ORDER BY, FETCH VERTICES, Find, FETCH EDGES, FIND PATH, LIMIT, GROUP BY, RETURN |
| Write data | Y | Y | Y | Y | | INSERT VERTEX, UPDATE VERTEX, INSERT EDGE, UPDATE EDGE, DELETE VERTEX, DELETE EDGES, DELETE TAG |
| Show operations | Y | Y | Y | Y | Y | SHOW, CHANGE PASSWORD |
| Job | Y | Y | Y | Y | | SUBMIT JOB COMPACT, SUBMIT JOB FLUSH, SUBMIT JOB STATS, STOP JOB, RECOVER JOB, BUILD TAG INDEX, BUILD EDGE INDEX, INGEST, DOWNLOAD |
| Write space | Y | | | | | CREATE SPACE, DROP SPACE, CREATE SNAPSHOT, DROP SNAPSHOT, BALANCE, CONFIG |
Caution

- The results of `SHOW` operations are limited to the role of a user. For example, all users can run `SHOW SPACES`, but the results only include the graph spaces that the users have privileges on.
- Only the GOD role can run `SHOW USERS` and `SHOW SNAPSHOTS`.
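The nGQL session below is an added worked example, not part of the NebulaGraph documentation. It walks through the role model from the "Built-in roles" section and the allowed statements from the table above: the GOD user rotates its default password, creates accounts, delegates one graph space to an ADMIN, and that ADMIN (or `root`) assigns the lower roles. The space name `my_space`, the user names `app_admin`, `etl_writer` and `report_reader`, and every password value are constructed placeholders.

```ngql
# Run as root (GOD). 'nebula' is the documented default password; the
# replacement value is a constructed placeholder.
CHANGE PASSWORD root FROM 'nebula' TO '<new_root_password>';

# "Write user" is a GOD-only privilege: only root can create accounts.
CREATE USER IF NOT EXISTS app_admin WITH PASSWORD '<admin_password>';
CREATE USER IF NOT EXISTS etl_writer WITH PASSWORD '<writer_password>';
CREATE USER IF NOT EXISTS report_reader WITH PASSWORD '<reader_password>';

# Delegate one space. ADMIN can read/write schema and data in my_space
# and holds "Write role" there, but only for roles below ADMIN.
GRANT ROLE ADMIN ON my_space TO app_admin;

# These two GRANTs succeed when issued by root or by app_admin.
# A DBA account issuing them is rejected (DBA cannot grant roles).
GRANT ROLE USER ON my_space TO etl_writer;      # writes data, schema read-only
GRANT ROLE GUEST ON my_space TO report_reader;  # reads schema and data only

# Verify the assignments: one Account / Role Type row per user in the space.
SHOW ROLES IN my_space;

# A user holds exactly one role per space. To move etl_writer up to DBA,
# revoke the current role first, then grant the new one.
REVOKE ROLE USER ON my_space FROM etl_writer;
GRANT ROLE DBA ON my_space TO etl_writer;
SHOW ROLES IN my_space;
```

Two checks fall out of this script. First, re-running the `GRANT ROLE USER` statement from the `etl_writer` session (after it holds DBA) should fail, which confirms the page's rule that DBA cannot grant roles; if it succeeds, the deployment is not enforcing the documented hierarchy. Second, the revoke-then-grant step is deliberate: the page states only that a user has one role per space and does not describe what a second `GRANT` in the same space does, so revoking first avoids relying on unstated overwrite behaviour.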
Last update: February 19, 2024