Skip to content

Roles and privileges

A role is a collection of privileges. You can assign a role to a user for access control.

Built-in roles

NebulaGraph does not support custom roles, but it has multiple built-in roles:

  • GOD

    • GOD is the original role with all privileges not limited to graph spaces. It is similar to root in Linux and administrator in Windows.
    • When the Meta Service is initialized, the one and only GOD role user root is automatically created with the password nebula.

    Caution

    Modify the password for root timely for security.

    • One cluster can only have one user with the GOD role. This user can manage all graph spaces in a cluster.
    • Manual authorization of the God role is not supported. Only the root user with the default God role can be used.
  • ADMIN

    • An ADMIN role can read and write both the Schema and the data in a specific graph space.
    • An ADMIN role of a graph space can grant DBA, USER, and GUEST roles in the graph space to other users.

      Note

      Only roles lower than ADMIN can be authorized to other users.

  • DBA

    • A DBA role can read and write both the Schema and the data in a specific graph space.
    • A DBA role of a graph space CANNOT grant roles to other users.
  • USER

    • A USER role can read and write data in a specific graph space.
    • The Schema information is read-only to the USER roles in a graph space.
  • GUEST
    • A GUEST role can only read the Schema and the data in a specific graph space.

Note

  • NebulaGraph does not support custom roles. Users can only use the default built-in roles.
  • A user can have only one role in a graph space. For authenticated users, see User management.

Role privileges and allowed nGQL

The privileges of roles and the nGQL statements that each role can use are listed as follows.

Privilege God Admin DBA User Guest Allowed nGQL
Read space Y Y Y Y Y USE, DESCRIBE SPACE
Read schema Y Y Y Y Y DESCRIBE TAG, DESCRIBE EDGE, DESCRIBE TAG INDEX, DESCRIBE EDGE INDEX
Write schema Y Y Y CREATE TAG, ALTER TAG, CREATE EDGE, ALTER EDGE, DROP TAG, DELETE TAG, DROP EDGE, CREATE TAG INDEX, CREATE EDGE INDEX, DROP TAG INDEX, DROP EDGE INDEX
Write user Y CREATE USER, DROP USER, ALTER USER
Write role Y Y GRANT, REVOKE
Read data Y Y Y Y Y GO, SET, PIPE, MATCH, ASSIGNMENT, LOOKUP, YIELD, ORDER BY, FETCH VERTICES, Find, FETCH EDGES, FIND PATH, LIMIT, GROUP BY, RETURN
Write data Y Y Y Y INSERT VERTEX, UPDATE VERTEX, INSERT EDGE, UPDATE EDGE, DELETE VERTEX, DELETE EDGES, DELETE TAG
Show operations Y Y Y Y Y SHOW, CHANGE PASSWORD
Job Y Y Y Y SUBMIT JOB COMPACT, SUBMIT JOB FLUSH, SUBMIT JOB STATS, STOP JOB, RECOVER JOB, BUILD TAG INDEX, BUILD EDGE INDEX,INGEST, DOWNLOAD
Write space Y CREATE SPACE, DROP SPACE, CREATE SNAPSHOT, DROP SNAPSHOT, BALANCE, ADMIN, CONFIG

Caution

  • The results of SHOW operations are limited to the role of a user. For example, all users can run SHOW SPACES, but the results only include the graph spaces that the users have privileges.
  • Only the GOD role can run SHOW USERS and SHOW SNAPSHOTS.

Last update: September 16, 2022