Skip to content

Authentication

NebulaGraph replies on local authentication or LDAP authentication to implement access control.

NebulaGraph creates a session when a client connects to it. The session stores information about the connection, including the user information. If the authentication system is enabled, the session will be mapped to corresponding users.

Note

By default, the authentication is disabled and NebulaGraph allows connections with the username root and any password.

NebulaGraph supports local authentication and LDAP authentication.

Local authentication

Local authentication indicates that usernames and passwords are stored locally on the server, with the passwords encrypted. Users will be authenticated when trying to visit NebulaGraph.

Enable local authentication

  1. Modify the nebula-graphd.conf file (/usr/local/nebula/etc/ is the default path) to set the following parameters:

    • --enable_authorize: Set its value to true to enable authentication.
    • --failed_login_attempts: This parameter is optional, and you need to add this parameter manually. Specify the attempts of continuously entering incorrect passwords for a single Graph service. When the number exceeds the limitation, your account will be locked. For multiple Graph services, the allowed attempts are number of services * failed_login_attempts.
    • --password_lock_time_in_secs: This parameter is optional, and you need to add this parameter manually. Specify the time how long your account is locked after multiple incorrect password entries are entered. Unit: second.

  2. Restart the NebulaGraph services. For how to restart, see Manage NebulaGraph services.

Note

You can use the username root and password nebula to log into NebulaGraph after enabling local authentication. This account has the build-in God role. For more information about roles, see Roles and privileges.

LDAP authentication

Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directories and building a centralized account management system. LDAP authentication and local authentication can be enabled at the same time, but LDAP authentication has a higher priority. If the local authentication server and the LDAP server both have the information of user Amber, NebulaGraph reads from the LDAP server first.

Last update: February 1, 2023