diff --git a/docs-2.0/7.data-security/1.authentication/1.authentication.md b/docs-2.0/7.data-security/1.authentication/1.authentication.md index 11c41c93798..f213ae2f4bd 100644 --- a/docs-2.0/7.data-security/1.authentication/1.authentication.md +++ b/docs-2.0/7.data-security/1.authentication/1.authentication.md @@ -4,7 +4,7 @@ Nebula Graph replies on local authentication or LDAP authentication to implement Nebula Graph creates a session when a client connects to it. The session stores information about the connection, including the user information. -By default, authentication is disabled and Nebula Graph allows connections with any username and password. If the authentication system is enabled, Nebula Graph checks a session according to the authentication configuration, and decides whether the session should be allowed or denied. +By default, authentication is disabled and Nebula Graph allows connections with the username `root` and any password. If the authentication system is enabled, Nebula Graph checks a session according to the authentication configuration, and decides whether the session should be allowed or denied. ## Local authentication 
@@ -26,10 +26,10 @@ Local authentication indicates that usernames and passwords are stored locally o ## LDAP authentication -Lightweight Directory Access Protocol (LDAP), is a lightweight client-server protocol for accessing directories and building a centralized account management system. +!!! Enterpriseonly -LDAP authentication and local authentication can be enabled at the same time, but LDAP authentication has a higher priority. If the local authentication server and the LDAP server both have the information of user `Amber`, Nebula Graph reads from the LDAP server first. + LDAP authentication is an Enterprise-only feature. For how to enable LDAP, see Authenticate with an LDAP server (TODO: doc). -### Enable LDAP authentication +Lightweight Directory Access Protocol (LDAP), is a lightweight client-server protocol for accessing directories and building a centralized account management system. -The Nebula Graph Enterprise Edition supports LDAP authentication. For how to enable LDAP, see Authenticate with an LDAP server (TODO: doc). +LDAP authentication and local authentication can be enabled at the same time, but LDAP authentication has a higher priority. If the local authentication server and the LDAP server both have the information of user `Amber`, Nebula Graph reads from the LDAP server first. diff --git a/docs-2.0/7.data-security/1.authentication/2.management-user.md b/docs-2.0/7.data-security/1.authentication/2.management-user.md index 369b61c0f34..51840062856 100644 --- a/docs-2.0/7.data-security/1.authentication/2.management-user.md +++ b/docs-2.0/7.data-security/1.authentication/2.management-user.md 
@@ -2,7 +2,9 @@ This topic describes how to manage users and roles. -By default, Nebula Graph allows connections with any username and password. After [enabling authentication](1.authentication.md), only valid users can connect to Nebula Graph and access the resources according to the [user roles](3.role-list.md). +By default, Nebula Graph allows connections with the username `root` and any password. After [enabling authentication](1.authentication.md), only valid users can connect to Nebula Graph and access the resources according to the [user roles](3.role-list.md). + +Once the role of a user is modified, the user has to re-login to make the new role takes effect. ## CREATE USER @@ -40,6 +42,27 @@ Users with the GOD role or the ADMIN role can run `GRANT ROLE` to assign a built nebula> GRANT ROLE USER ON basketballplayer TO user1; ``` +## SHOW ROLES + +Run `SHOW ROLES` to list the roles in a graph space. + +* Syntax + + ```ngql + SHOW ROLES IN ; + ``` + +* Example + + ```ngql + nebula> SHOW ROLES IN basketballplayer; + +---------+-----------+ + | Account | Role Type | + +---------+-----------+ + | "user1" | "ADMIN" | + +---------+-----------+ + ``` + ## REVOKE ROLE Users with the GOD role or the ADMIN role can run `REVOKE ROLE` to revoke a user's role in a graph space. diff --git a/docs-2.0/7.data-security/1.authentication/3.role-list.md b/docs-2.0/7.data-security/1.authentication/3.role-list.md index 691c8fd8d46..d4456f3c345 100644 --- a/docs-2.0/7.data-security/1.authentication/3.role-list.md +++ b/docs-2.0/7.data-security/1.authentication/3.role-list.md 
@@ -41,13 +41,13 @@ The privileges of roles and the nGQL statements that each role can use are liste Privilege|God|Admin|DBA|User|Guest|Allowed nGQL| |-|-|-|-|-|-|-| |Read space|Y|Y|Y|Y|Y|`USE`, `DESCRIBE SPACE`| -|Write space|Y|||||`CREATE SPACE`, `DROP SPACE`, `CREATE SNAPSHOT`, `DROP SNAPSHOT`, `BALANCE`, `ADMIN`, `CONFIG`, `INGEST`, `DOWNLOAD`| +|Write space|Y|||||`CREATE SPACE`, `DROP SPACE`, `CREATE SNAPSHOT`, `DROP SNAPSHOT`, `BALANCE DATA`, `BALANCE DATA STOP`, `BALANCE DATA REMOVE`, `BALANCE LEADER`, `ADMIN`, `CONFIG`, `INGEST`, `DOWNLOAD`, `SUBMIT JOB COMPACT`, `SUBMIT JOB FLUSH`, `SUBMIT JOB STATS`, `STOP JOB`, `RECOVER JOB`, `BUILD TAG INDEX`, `BUILD EDGE INDEX`| |Read schema|Y|Y|Y|Y|Y|`DESCRIBE TAG`, `DESCRIBE EDGE`, `DESCRIBE TAG INDEX`, `DESCRIBE EDGE INDEX`| |Write schema|Y|Y|Y|||`CREATE TAG`, `ALTER TAG`, `CREATE EDGE`, `ALTER EDGE`, `DROP TAG`, `DROP EDGE`, `CREATE TAG INDEX`, `CREATE EDGE INDEX`, `DROP TAG INDEX`, `DROP EDGE INDEX`| |Write user|Y|||||`CREATE USER`, `DROP USER`, `ALTER USER`| |Write role|Y|Y||||`GRANT`, `REVOKE`| |Read data|Y|Y|Y|Y|Y|`GO`, `SET`, `PIPE`, `MATCH`, `ASSIGNMENT`, `LOOKUP`, `YIELD`, `ORDER BY`, `FETCH VERTICES`, `Find`, `FETCH EDGES`, `FIND PATH`, `LIMIT`, `GROUP BY`, `RETURN`| -|Write data|Y|Y|Y|Y||`BUILD TAG INDEX`, `BUILD EDGE INDEX`, `INSERT VERTEX`, `UPDATE VERTEX`, `INSERT EDGE`, `UPDATE EDGE`, `DELETE VERTEX`, `DELETE EDGES`| +|Write data|Y|Y|Y|Y||`INSERT VERTEX`, `UPDATE VERTEX`, `INSERT EDGE`, `UPDATE EDGE`, `DELETE VERTEX`, `DELETE EDGES`, `DELETE TAG`| |Show operations|Y|Y|Y|Y|Y|`SHOW`, `CHANGE PASSWORD`| !!! note diff --git a/docs-2.0/7.data-security/3.manage-snapshot.md b/docs-2.0/7.data-security/3.manage-snapshot.md index 34a18627038..4cfe435b630 100644 --- a/docs-2.0/7.data-security/3.manage-snapshot.md +++ b/docs-2.0/7.data-security/3.manage-snapshot.md @@ -98,6 +98,8 @@ nebula> SHOW SNAPSHOTS; 3. [Restart Nebula Graph](../2.quick-start/5.start-stop-service.md). +
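Review bot: in 1.authentication.md (hunk at line 4), the new sentence says connections are accepted "with the username `root` and any password" but does not say what happens to a connection that presents any other username while authentication is disabled. State that outcome explicitly, since readers will use this sentence to judge the default exposure of an instance. The same sentence is added to 2.management-user.md, so keep the two in sync. The context line in the hunk header still reads "Nebula Graph replies on local authentication"; "replies" should be "relies" and could be fixed in this change.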
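Review bot: in 1.authentication.md (hunk at line 26), the added admonition carries the placeholder "Authenticate with an LDAP server (TODO: doc)" into user-facing text without a link; link the target page or drop the sentence until the page exists. The admonition type is written `Enterpriseonly`, while the other admonition visible in this patch is `!!! note`, so confirm the docs build defines that type. The re-added line "Lightweight Directory Access Protocol (LDAP), is a lightweight client-server protocol" keeps a stray comma after "(LDAP)".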
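Review bot: in 2.management-user.md (hunk at line 2), the added sentence "the user has to re-login to make the new role takes effect" should read "take effect", and it leaves open whether an already-open session keeps its old role after `REVOKE ROLE` as well as after `GRANT ROLE`. If it does, say so directly in this paragraph, because that is the case an administrator removing access needs to know about.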
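Review bot: in 2.management-user.md (hunk at line 40), the new SHOW ROLES section does not say which roles may run the statement, unlike the GRANT ROLE and REVOKE ROLE sections, which open with "Users with the GOD role or the ADMIN role can run". Add the equivalent sentence and check it against the "Show operations" row in 3.role-list.md, which lists `SHOW` for every role including Guest. The example output shows `"user1"` as `"ADMIN"` although the preceding example in the context lines runs `GRANT ROLE USER ON basketballplayer TO user1;`, so one of the two should change. The syntax line as shown reads `SHOW ROLES IN ;` with no placeholder for the graph space name.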
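Review bot: in 3.role-list.md (hunk at line 41), moving `BUILD TAG INDEX` and `BUILD EDGE INDEX` from the "Write data" row (God, Admin, DBA, User) to the "Write space" row (God only) documents a privilege reduction, while `CREATE TAG INDEX` and `CREATE EDGE INDEX` stay in "Write schema" for God, Admin and DBA. Confirm this matches what the server enforces, since as written an Admin or DBA can create an index but not build it, and say in the change description whether this corrects the table or reflects a behaviour change. In the unchanged "Read data" row, `Find` sits next to `FIND PATH` with different casing and could be cleaned up here.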