User management¶
User management is an indispensable part of NebulaGraph access control. This topic describes how to manage users and roles.
After enabling authentication, only valid users can connect to NebulaGraph and access the resources according to the user roles.
Note
- By default, the authentication is disabled. NebulaGraph allows connections with the username
root
and any password. - Once the role of a user is modified, the user has to re-login to make the new role takes effect.
CREATE USER¶
The root
user with the GOD role can run CREATE USER
to create a new user.
-
Syntax
CREATE USER [IF NOT EXISTS] <user_name> [WITH PASSWORD '<password>'];
IF NOT EXISTS
: Detects if the user name exists. The user will be created only if the user name does not exist.user_name
: Sets the name of the user.password
: Sets the password of the user. The default password is the empty string (''
).
-
Syntax with enterprise edition
-CREATE USER [IF NOT EXISTS] <user_name> [WITH PASSWORD '<password>'][WITH IP WHITELIST <ip_list>];
ip_list
: Sets the IP address whitelist. The user can connect to NebulaGraph only from IP addresses in the list. Use commas to separate multiple IP addresses.
-
Example
nebula> CREATE USER user1 WITH PASSWORD 'nebula'; nebula> SHOW USERS; +---------+-------------------------------+ | Account | IP Whitelist | +---------+-------------------------------+ | "root" | "" | | "user1" | "" | +---------+-------------------------------+
-
Example with enterprise edition
nebula> CREATE USER user2 WITH PASSWORD 'nebula' WITH IP WHITELIST 192.168.10.10,192.168.10.12; nebula> SHOW USERS; +---------+-------------------------------+ | Account | IP Whitelist | +---------+-------------------------------+ | "root" | "" | | "user2" | "192.168.10.10,192.168.10.12" | +---------+-------------------------------+
GRANT ROLE¶
Users with the GOD role or the ADMIN role can run GRANT ROLE
to assign a built-in role in a graph space to a user. For more information about NebulaGraph built-in roles, see Roles and privileges.
-
Syntax
GRANT ROLE <role_type> ON <space_name> TO <user_name>;
-
Example
nebula> GRANT ROLE USER ON basketballplayer TO user1;
REVOKE ROLE¶
Users with the GOD role or the ADMIN role can run REVOKE ROLE
to revoke the built-in role of a user in a graph space. For more information about NebulaGraph built-in roles, see Roles and privileges.
-
Syntax
REVOKE ROLE <role_type> ON <space_name> FROM <user_name>;
-
Example
nebula> REVOKE ROLE USER ON basketballplayer FROM user1;
DESCRIBE USER¶
Users can run DESCRIBE USER
to list the roles for a specified user.
-
Syntax
DESCRIBE USER <user_name>; DESC USER <user_name>;
-
Example
nebula> DESCRIBE USER user1; +---------+--------------------+ | role | space | +---------+--------------------+ | "ADMIN" | "basketballplayer" | +---------+--------------------+
SHOW ROLES¶
Users can run SHOW ROLES
to list the roles in a graph space.
-
Syntax
SHOW ROLES IN <space_name>;
-
Example
nebula> SHOW ROLES IN basketballplayer; +---------+-----------+ | Account | Role Type | +---------+-----------+ | "user1" | "ADMIN" | +---------+-----------+
CHANGE PASSWORD¶
Users can run CHANGE PASSWORD
to set a new password for a user. The old password is needed when setting a new one.
-
Syntax
CHANGE PASSWORD <user_name> FROM '<old_password>' TO '<new_password>';
-
Example
nebula> CHANGE PASSWORD user1 FROM 'nebula' TO 'nebula123';
ALTER USER¶
The root
user with the GOD role can run ALTER USER
to set a new password. The old password is not needed when altering the user.
-
Syntax
- ExampleALTER USER <user_name> WITH PASSWORD '<password>';
nebula> ALTER USER user2 WITH PASSWORD 'nebula';
-
Syntax with enterprise edition
ALTER USER <user_name> WITH PASSWORD '<password>' [WITH IP WHITELIST <ip_list>];
-
Example with enterprise edition
Enterpriseonly
When
WITH IP WHITELIST
is not used, the IP address whitelist is removed and the user can connect to the NebulaGraph by any IP address.nebula> ALTER USER user2 WITH PASSWORD 'nebula' WITH IP WHITELIST 192.168.10.10;
DROP USER¶
The root
user with the GOD role can run DROP USER
to remove a user.
Note
Removing a user does not close the current session of the user, and the user role still takes effect in the session until the session is closed.
-
Syntax
DROP USER [IF EXISTS] <user_name>;
-
Example
nebula> DROP USER user1;
SHOW USERS¶
The root
user with the GOD role can run SHOW USERS
to list all the users.
-
Syntax
SHOW USERS;
-
Example
nebula> SHOW USERS; +---------+-----------------+ | Account | IP Whitelist | +---------+-----------------+ | "root" | "" | | "user1" | "" | | "user2" | "192.168.10.10" | +---------+-----------------+