Roles and privileges¶
A role is a collection of privileges. You can assign a role to a user for access control.
Built-in roles¶
NebulaGraph does not support custom roles, but it has multiple built-in roles:
-
GOD
- GOD is the original role with all privileges not limited to graph spaces. It is similar to
root
in Linux andadministrator
in Windows.
- When the Meta Service is initialized, the one and only GOD role user
root
is automatically created with the passwordnebula
.
Caution
Modify the password for
root
timely for security.-
When the
--enable_authorize
parameter in thenebula-graphd.conf
file (the default directory is/usr/local/nebula/etc/
) is set totrue
:- One cluster can only have one user with the GOD role. This user can manage all graph spaces in a cluster.
- Manual authorization of the God role is not supported. Only the
root
user with the default God role can be used.
- GOD is the original role with all privileges not limited to graph spaces. It is similar to
-
ADMIN
- An ADMIN role can read and write both the Schema and the data in a specific graph space.
-
An ADMIN role of a graph space can grant DBA, USER, and GUEST roles in the graph space to other users.
Note
Only roles lower than ADMIN can be authorized to other users.
-
DBA
- A DBA role can read and write both the Schema and the data in a specific graph space.
- A DBA role of a graph space CANNOT grant roles to other users.
-
USER
- A USER role can read and write data in a specific graph space.
- The Schema information is read-only to the USER roles in a graph space.
- GUEST
- A GUEST role can only read the Schema and the data in a specific graph space.
Note
- NebulaGraph does not support custom roles. Users can only use the default built-in roles.
- A user can have only one role in a graph space. For authenticated users, see User management.
Role privileges and allowed nGQL¶
The privileges of roles and the nGQL statements that each role can use are listed as follows.
Privilege | God | Admin | DBA | User | Guest | Allowed nGQL |
---|---|---|---|---|---|---|
Read space | Y | Y | Y | Y | Y | USE , DESCRIBE SPACE |
Read schema | Y | Y | Y | Y | Y | DESCRIBE TAG , DESCRIBE EDGE , DESCRIBE TAG INDEX , DESCRIBE EDGE INDEX |
Write schema | Y | Y | Y | Y | CREATE TAG , ALTER TAG , CREATE EDGE , ALTER EDGE , DROP TAG , DELETE TAG , DROP EDGE , CREATE TAG INDEX , CREATE EDGE INDEX , DROP TAG INDEX , DROP EDGE INDEX |
|
Write user | Y | CREATE USER , DROP USER , ALTER USER |
||||
Write role | Y | Y | GRANT , REVOKE |
|||
Read data | Y | Y | Y | Y | Y | GO , SET , PIPE , MATCH , ASSIGNMENT , LOOKUP , YIELD , ORDER BY , FETCH VERTICES , Find , FETCH EDGES , FIND PATH , LIMIT , GROUP BY , RETURN |
Write data | Y | Y | Y | Y | INSERT VERTEX , UPDATE VERTEX , INSERT EDGE , UPDATE EDGE , DELETE VERTEX , DELETE EDGES , DELETE TAG |
|
Show operations | Y | Y | Y | Y | Y | SHOW , CHANGE PASSWORD |
Job | Y | Y | Y | Y | SUBMIT JOB COMPACT , SUBMIT JOB FLUSH , SUBMIT JOB STATS , STOP JOB , RECOVER JOB , BUILD TAG INDEX , BUILD EDGE INDEX ,INGEST , DOWNLOAD |
|
Write space | Y | CREATE SPACE , DROP SPACE , CREATE SNAPSHOT , DROP SNAPSHOT , BALANCE , CONFIG |
Caution
- The results of
SHOW
operations are limited to the role of a user. For example, all users can runSHOW SPACES
, but the results only include the graph spaces that the users have privileges. - Only the GOD role can run
SHOW USERS
andSHOW SNAPSHOTS
.
Last update:
October 24, 2023