[doc] user-permission-mng (#1929)

* alter user & change psw * built in roles * cbs comments * fix comments * update table * addenable_authorize doc
vesoft-inc · Mar 23, 2020 · 01b008c · 01b008c
1 parent 806459e
commit 01b008c
Show file tree

Hide file tree

Showing 8 changed files with 140 additions and 0 deletions.
diff --git a/...ations/server-administration/account-management-statements/alter-user-syntax.md b/...ations/server-administration/account-management-statements/alter-user-syntax.md
@@ -0,0 +1,7 @@
+# ALTER USER 语法
+
+```ngql
+ALTER USER <user_name> WITH PASSWORD <password>
+```
+
+使用 `ALTER USER` 语句修改 **Nebula Graph** 帐户。使用 `ALTER USER` 必须拥有全局的 `CREATE USER` 权限。尝试修改一个不存在的用户会发生错误。`ALTER` 无需密码校验。
diff --git a/...strations/server-administration/account-management-statements/built-in-roles.md b/...strations/server-administration/account-management-statements/built-in-roles.md
@@ -0,0 +1,53 @@
+# Built-in Roles
+
+**Nebula Graph** 角色可分为以下几类：
+
+- God
+  - 初始 Root 用户，与 Linux 系统中的 Root 用户类似。
+  - 拥有所有操作权限。
+- Admin
+  - 管理员用户。
+  - 对权限内的 space 拥有 schema 和 data 的读/写权限。
+  - 可对权限内的 space 进行用户受权。
+- DBA
+  - 对权限内的 space 拥有 schema 和 data 的读/写权限。
+  - 没有对用户受权的权限。
+- User
+  - 对权限内的 space 拥有 data 的读/写权限。
+  - 对权限内的 space 拥有 schema 只读权限。
+- Guest
+  - 对权限内的 space 拥有 schema 和 data 的只读权限。
+
+如果开启用户权限开关，则默认用户名为 root，默认密码为 nebula，且用户名不可更改。将 `/usr/local/nebula/etc/nebula-graphd.conf` 文件中的 `enable_authorize` 设置为 `true` 即可打开权限开关。
+
+未被分配角色的用户将无权访问该 space。一个用户在同一个 space 中只能分配一个角色。一个用户在不同 space 可拥有不同权限。
+
+各角色的 Executor 权限见下表。
+
+按操作权限划分。
+
+| OPERATION | STATEMENTS |
+| --- | --- |
+| Read space | Use, DescribeSpace |
+| Write space | CreateSpace, DropSpace, CreateSnapshot, DropSnapshot, Balance, Admin, Config, Ingest, Download |
+| Read schema |  DescribeTag, DescribeEdge,  DescribeTagIndex, DescribeEdgeIndex |
+| Write schema | CreateTag, AlterTag, CreateEdge,  AlterEdge, DropTag, DropEdge, CreateTagIndex, CreateEdgeIndex, DropTagIndex, DropEdgeIndex |
+| Write user | CreateUser, DropUser, AlterUser |
+| Write role | Grant, Revoke |
+| Read data | Go, Set, Pipe, Match, Assignment, Lookup, Yield, OrderBy, FetchVertices, Find, FetchEdges, FindPath, Limit, GroupBy, Return |
+| Write data | BuildTagIndex, BuildEdgeIndex, InsertVertex, UpdateVertex, InsertEdge, UpdateEdge, DeleteVertex, DeleteEdges |
+| Special operation | Show, ChangePassword |
+
+按操作划分。
+
+| OPERATION | GOD | ADMIN | DBA | USER | GUEST |
+| --- | --- | --- | --- | --- | --- |
+| Read space | Y | Y | Y | Y | Y |
+| Write space | Y |  |  |  |  |
+| Read schema | Y | Y | Y | Y | Y |
+| Write schema | Y | Y | Y |  |  |
+| Write user | Y |  |  |  |  |
+| Write role | Y | Y |  |  |  |
+| Read data | Y | Y | Y | Y | Y |
+| Write data | Y | Y | Y | Y |  |
+| Special operation | Y | Y | Y | Y | Y |
diff --git a/...trations/server-administration/account-management-statements/change-password.md b/...trations/server-administration/account-management-statements/change-password.md
@@ -0,0 +1,7 @@
+# CHANGE PASSWORD 语法
+
+```ngql
+CHANGE PASSWORD <user_name> FROM <old_psw> TO <new-psw>
+```
+
+`CHANGE PASSWORD` 更改 **Nebula Graph** 用户账户密码。更改密码需同时提供新密码和旧密码。
diff --git a/docs/manual-CN/README.md b/docs/manual-CN/README.md
@@ -105,6 +105,9 @@
     * [rpm 安装](3.build-develop-and-administration/3.deploy-and-administrations/deployment/install-with-rpm-deb.md)
   * 服务器管理操作
     * 账号管理
+      * [Alter User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/alter-user-syntax.md)
+      * [Built-in Roles](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/built-in-roles.md)
+      * [Change Password](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/change-password.md)
       * [Create User](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/create-user-syntax.md)
       * [Drop User](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/drop-user-syntax.md)
       * [Grant Role](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/grant-role-syntax.md)

diff --git a/...ations/server-administration/account-management-statements/alter-user-syntax.md b/...ations/server-administration/account-management-statements/alter-user-syntax.md
@@ -0,0 +1,7 @@
+# Alter User Syntax
+
+```ngql
+ALTER USER <user_name> WITH PASSWORD <password>
+```
+
+The `ALTER USER` statement modifies **Nebula Graph** user accounts. `ALTER USER` requires the global `CREATE USER` privilege. An error occurs if you try to modify a user that does not exist. `ALTER` does not require password verification.
diff --git a/...strations/server-administration/account-management-statements/built-in-roles.md b/...strations/server-administration/account-management-statements/built-in-roles.md
@@ -0,0 +1,53 @@
+# Built-in Roles
+
+**Nebula Graph** provides the following roles:
+
+- God
+  - The initial root user similar to the root in Linux.
+  - All the operation access.
+- Admin
+  - The administration user.
+  - Read/write access to both the schema and data limited to its authorized space.
+  - Authorization access to users limited to its authorized space.
+- DBA
+  - Read/write access to both the schema and data limited to its authorized space.
+  - No authorization access to users.
+- User
+  - Read/write access to data limited to its authorized space.
+  - Read-only access to the schema limited to its authorized space.
+- Guest
+  - Read-only access to both the schema and data limited to its authorized space.
+
+If the authorization is enabled, the default user name and password are `root` and `nebula` respectively, and the user name is immutable. Set the `enable_authorize` parameter in the `/usr/local/nebula/etc/nebula-graphd.conf` file to `true` to enable the authorization.
+
+A user who has no assigned roles will not have any accesses to the space. A user can only have one assigned role in the same space. A user can have different roles in different spaces.
+
+The set of executor prescribed by each role are described below.
+
+Divided by operation permissions.
+
+| OPERATION | STATEMENTS |
+| --- | --- |
+| Read space | Use, DescribeSpace |
+| Write space | CreateSpace, DropSpace, CreateSnapshot, DropSnapshot, Balance, Admin, Config, Ingest, Download |
+| Read schema |  DescribeTag, DescribeEdge,  DescribeTagIndex, DescribeEdgeIndex |
+| Write schema | CreateTag, AlterTag, CreateEdge,  AlterEdge, DropTag, DropEdge, CreateTagIndex, CreateEdgeIndex, DropTagIndex, DropEdgeIndex |
+| Write user | CreateUser, DropUser, AlterUser |
+| Write role | Grant, Revoke |
+| Read data | Go, Set, Pipe, Match, Assignment, Lookup, Yield, OrderBy, FetchVertices, Find, FetchEdges, FindPath, Limit, GroupBy, Return |
+| Write data | BuildTagIndex, BuildEdgeIndex, InsertVertex, UpdateVertex, InsertEdge, UpdateEdge, DeleteVertex, DeleteEdges |
+| Special operation | Show, ChangePassword |
+
+Divided by operations.
+
+| OPERATION | GOD | ADMIN | DBA | USER | GUEST |
+| --- | --- | --- | --- | --- | --- |
+| Read space | Y | Y | Y | Y | Y |
+| Write space | Y |  |  |  |  |
+| Read schema | Y | Y | Y | Y | Y |
+| Write schema | Y | Y | Y |  |  |
+| Write user | Y |  |  |  |  |
+| Write role | Y | Y |  |  |  |
+| Read data | Y | Y | Y | Y | Y |
+| Write data | Y | Y | Y | Y |  |
+| Special operation | Y | Y | Y | Y | Y |
diff --git a/...trations/server-administration/account-management-statements/change-password.md b/...trations/server-administration/account-management-statements/change-password.md
@@ -0,0 +1,7 @@
+# CHANGE PASSWORD Syntax
+
+```ngql
+CHANGE PASSWORD <user_name> FROM <old_psw> TO <new-psw>
+```
+
+The `CHANGE PASSWORD` statement changes a password to a **Nebula Graph** user account. The old password is required in addition to the new one.
diff --git a/docs/manual-EN/README.md b/docs/manual-EN/README.md
@@ -107,6 +107,9 @@ It is the optimal solution in the world capable of hosting graphs with dozens of
 
   * Server Administration
     * Account Management Statements
+      * [Alter User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/alter-user-syntax.md)
+      * [Built-in Roles](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/built-in-roles.md)
+      * [Change Password](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/change-password.md)
       * [Create User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/create-user-syntax.md)
       * [Drop User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/drop-user-syntax.md)
       * [Grant Role Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/grant-role-syntax.md)