User management¶

User management is an indispensable part of NebulaGraph access control. This topic describes how to manage users and roles.

After enabling authentication, only valid users can connect to NebulaGraph and access the resources according to the user roles.

Note

By default, the authentication is disabled. NebulaGraph allows connections with the username root and any password.
Once the role of a user is modified, the user has to re-login to make the new role takes effect.

CREATE USER¶

The root user with the GOD role can run CREATE USER to create a new user.

Syntax
```
CREATE USER [IF NOT EXISTS] <user_name> [WITH PASSWORD '<password>'];
```
- IF NOT EXISTS: Detects if the user name exists. The user will be created only if the user name does not exist.
- user_name: Sets the name of the user. The maximum length is 16 characters.
- password: Sets the password of the user. The default password is the empty string (''). The maximum length is 24 characters.

Example

nebula> CREATE USER user1 WITH PASSWORD 'nebula';
nebula> SHOW USERS;
+---------+-------------------------------+
| Account | IP Whitelist                  |
+---------+-------------------------------+
| "root"  | ""                            |
| "user1" | ""                            |
+---------+-------------------------------+

GRANT ROLE¶

Users with the GOD role or the ADMIN role can run GRANT ROLE to assign a built-in role in a graph space to a user. For more information about NebulaGraph built-in roles, see Roles and privileges.

Syntax

GRANT ROLE <role_type> ON <space_name> TO <user_name>;

Example

nebula> GRANT ROLE USER ON basketballplayer TO user1;

REVOKE ROLE¶

Users with the GOD role or the ADMIN role can run REVOKE ROLE to revoke the built-in role of a user in a graph space. For more information about NebulaGraph built-in roles, see Roles and privileges.

Syntax

REVOKE ROLE <role_type> ON <space_name> FROM <user_name>;

Example

nebula> REVOKE ROLE USER ON basketballplayer FROM user1;

DESCRIBE USER¶

Users can run DESCRIBE USER to list the roles for a specified user.

Syntax

DESCRIBE USER <user_name>;
DESC USER <user_name>;

Example

nebula> DESCRIBE USER user1;
+---------+--------------------+
| role    | space              |
+---------+--------------------+
| "ADMIN" | "basketballplayer" |
+---------+--------------------+

SHOW ROLES¶

Users can run SHOW ROLES to list the roles in a graph space.

Syntax
```
SHOW ROLES IN <space_name>;
```

Example

nebula> SHOW ROLES IN basketballplayer;
+---------+-----------+
| Account | Role Type |
+---------+-----------+
| "user1" | "ADMIN"   |
+---------+-----------+

CHANGE PASSWORD¶

Users can run CHANGE PASSWORD to set a new password for a user. The old password is needed when setting a new one.

Syntax

CHANGE PASSWORD <user_name> FROM '<old_password>' TO '<new_password>';

Example

nebula> CHANGE PASSWORD user1 FROM 'nebula' TO 'nebula123';

ALTER USER¶

The root user with the GOD role can run ALTER USER to set a new password. The old password is not needed when altering the user.

Syntax

ALTER USER <user_name> WITH PASSWORD '<password>';

- Example

nebula> ALTER USER user2 WITH PASSWORD 'nebula';

DROP USER¶

The root user with the GOD role can run DROP USER to remove a user.

Note

Removing a user does not close the current session of the user, and the user role still takes effect in the session until the session is closed.

Syntax
```
DROP USER [IF EXISTS] <user_name>;
```

Example
```
nebula> DROP USER user1;
```

SHOW USERS¶

The root user with the GOD role can run SHOW USERS to list all the users.

Syntax
```
SHOW USERS;
```

Example

nebula> SHOW USERS;
+---------+-----------------+
| Account | IP Whitelist    |
+---------+-----------------+
| "root"  | ""              |
| "user1" | ""              |
| "user2" | "192.168.10.10" |
+---------+-----------------+

Last update: November 10, 2023