Roles and privileges¶

A role is a collection of privileges. You can assign a role to a user for access control.

Built-in roles¶

NebulaGraph does not support custom roles, but it has multiple built-in roles:

GOD
- GOD is the original role with all privileges not limited to graph spaces. It is similar to root in Linux and administrator in Windows.
- When the Meta Service is initialized, the one and only GOD role user root is automatically created with the password nebula.
Caution

Modify the password for root timely for security.
- When the --enable_authorize parameter in the nebula-graphd.conf file (the default directory is /usr/local/nebula/etc/) is set to true:
  - One cluster can only have one user with the GOD role. This user can manage all graph spaces in a cluster.
  - Manual authorization of the God role is not supported. Only the root user with the default God role can be used.

ADMIN
- An ADMIN role can read and write both the Schema and the data in a specific graph space.
- An ADMIN role of a graph space can grant DBA, USER, and GUEST roles in the graph space to other users.
  
  Note
  
  Only roles lower than ADMIN can be authorized to other users.

DBA
- A DBA role can read and write both the Schema and the data in a specific graph space.
- A DBA role of a graph space CANNOT grant roles to other users.

USER
- A USER role can read and write data in a specific graph space.
- The Schema information is read-only to the USER roles in a graph space.

GUEST
- A GUEST role can only read the Schema and the data in a specific graph space.

BASIC
- A BASIC role can read the Schema in a specific graph space.
- ( Additional authorization required ) A BASIC role can read and write the Tag and Edge Type in a specific graph space.

Enterpriseonly

The Basic role is only available in the Enterprise edition.

Note

NebulaGraph does not support custom roles. Users can only use the default built-in roles.
A user can have only one role in a graph space. For authenticated users, see User management.

Role privileges and allowed nGQL¶

The privileges of roles and the nGQL statements that each role can use are listed as follows.

Privilege	God	Admin	DBA	User	Guest	Basic	Allowed nGQL
Read space	Y	Y	Y	Y	Y	Y	`USE`, `DESCRIBE SPACE`
Read schema	Y	Y	Y	Y	Y	Y	`DESCRIBE TAG`, `DESCRIBE EDGE`, `DESCRIBE TAG INDEX`, `DESCRIBE EDGE INDEX`
Write schema	Y	Y	Y		Y		`CREATE TAG`, `ALTER TAG`, `CREATE EDGE`, `ALTER EDGE`, `DROP TAG`, `DELETE TAG`, `DROP EDGE`, `CREATE TAG INDEX`, `CREATE EDGE INDEX`, `DROP TAG INDEX`, `DROP EDGE INDEX`
Write user	Y						`CREATE USER`, `DROP USER`, `ALTER USER`
Write role	Y	Y					`GRANT`, `REVOKE`
Read data	Y	Y	Y	Y	Y	C	`GO`, `SET`, `PIPE`, `MATCH`, `ASSIGNMENT`, `LOOKUP`, `YIELD`, `ORDER BY`, `FETCH VERTICES`, `Find`, `FETCH EDGES`, `FIND PATH`, `LIMIT`, `GROUP BY`, `RETURN`
Write data	Y	Y	Y	Y		C	`INSERT VERTEX`, `UPDATE VERTEX`, `INSERT EDGE`, `UPDATE EDGE`, `DELETE VERTEX`, `DELETE EDGES`, `DELETE TAG`
Show operations	Y	Y	Y	Y	Y	Y	`SHOW`, `CHANGE PASSWORD`
Job	Y	Y	Y	Y			`SUBMIT JOB COMPACT`, `SUBMIT JOB FLUSH`, `SUBMIT JOB STATS`, `STOP JOB`, `RECOVER JOB`, `BUILD TAG INDEX`, `BUILD EDGE INDEX`,`INGEST`, `DOWNLOAD`
Write space	Y						`CREATE SPACE`, `DROP SPACE`, `CREATE SNAPSHOT`, `DROP SNAPSHOT`, `BALANCE`, `CONFIG`

Enterpriseonly

Only the Enterprise Edition supports fine-grain (Tag/Edge type level) permission management based on Basic roles.

Caution

The results of SHOW operations are limited to the role of a user. For example, all users can run SHOW SPACES, but the results only include the graph spaces that the users have privileges.
Only the GOD role can run SHOW USERS and SHOW SNAPSHOTS.

Basic role(Enterprise Edition)¶

Syntax¶

Caution

The following commands can be executed only after entering the graph space.

Grant Basic user Tag/Edge Permissions.

GRANT { OPTION[,OPTION] } [ TAG {  * | <tag>[,...] } | EDGE {  * | <edge_type>[, ...] }] TO <user_name>;
OPTION = { READ | WRITE }

Revoke Basic user Tag/Edge Permissions.

REVOKE { OPTION[,OPTION] } [ TAG {  * | <tag>[,...] } | EDGE {  * | <edge_type>[, ...] }] TO <user_name>;
OPTION = { READ | WRITE }

Show Basic user Tag/Edge Permissions.

SHOW GRANTS [<user_name>]

Precautions¶

The default Basic role does not have any Tag/Edge read and write permissions.
Only GOD and ADMIN role users can perform GRANT and REVOKE operations.
Only allow users to GRANT and REVOKE the Basic role in the specified graph space, and are not allowed to grant authorization to other role users.
The Basic role cannot insert vertices without a tag.
Both read and write privileges are required when performing an UPDATE or UPSERT operation.

Examples¶

# Create `test` user
nebula> CREATE USER test WITH PASSWORD 'nebula';

# Grant Basic role permissions for the `test` user
nebula> GRANT ROLE BASIC ON basketballplayer TO test;

# Choose graph space `basketballplayer`
nebula> use basketballplayer;

# Grant read and write permissions to `test` user Tag `player` and Edge Type `follow` and `serve`
# Granting the user the read and write permissions of the specified Tag/Edge must be after specifying the graph space
nebula> GRANT READ, WRITE TAG player EDGE follow, serve TO test;

# Show `test` user permissions
nebula> > SHOW GRANTS test;
+--------+------------+---------------------+------------+---------------------+
| user   | READ(TAG)  | READ(EDGE)          | WRITE(TAG) | WRITE(EDGE)         |
+--------+------------+---------------------+------------+---------------------+
| "test" | ["player"] | ["follow", "serve"] | ["player"] | ["follow", "serve"] |
+--------+------------+---------------------+------------+---------------------+

# Revoke `test` user all Edge Type read and write permissions
nebula> REVOKE READ,WRITE EDGE * FROM test;

# Show `test` user permissions
nebula> SHOW GRANTS test;
+--------+------------+------------+------------+-------------+
| user   | READ(TAG)  | READ(EDGE) | WRITE(TAG) | WRITE(EDGE) |
+--------+------------+------------+------------+-------------+
| "test" | ["player"] | []         | ["player"] | []          |
+--------+------------+------------+------------+-------------+

# When Basic role users read data without permission, the following error will occur.
nebula>  MATCH (v:player)-[:likex]-() RETURN v;
[ERROR (-1008)]: PermissionError: Edge `likex' does not exist or is not readable.

Caution

For Basic role users, an error will be reported for Tag/Edge Type that explicitly specify no read permission, and no errors will be reported for Tag/Edge Types that do not explicitly specify no read permission. During the traverse process, all queries cannot read the unprivileged Tag/Edge Type and its properties. The read permission of the Edge Type can control the expansion behavior of the edge. During the traversal process, if the Edge Type has no permission, it will not be expanded; the read permission of the Tag does not control the expansion behavior of the vertex. Even if the Tag has no permission during the expansion process, also can be expanded.

Last update: February 7, 2023