[doc] user-permission-mng #1929

Merged (7 commits), Mar 23, 2020
@@ -0,0 +1,7 @@
# ALTER USER 语法

```ngql
ALTER USER <user_name> WITH PASSWORD <password>
```

使用 `ALTER USER` 语句修改 **Nebula Graph** 帐户。使用 `ALTER USER` 必须拥有全局的 `CREATE USER` 权限。尝试修改一个不存在的用户会发生错误。
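Review bot: the privilege claim in the last paragraph conflicts with the Built-in Roles table added in this same PR: here `ALTER USER` requires the global `CREATE USER` privilege, but the table grants kAlterUser to Admin, whose authorization is described as limited to its authorized space. Decide the real scope and state it identically on both pages. The paragraph also says the statement modifies the account in general, while the only documented form is `WITH PASSWORD`; say plainly that this form resets a user's password without the old password (unlike `CHANGE PASSWORD`, which needs it), so readers see why it is gated behind a privilege, and note whether `<password>` must be a quoted string literal.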
@@ -0,0 +1,107 @@
# Built-in Roles

**Nebula Graph** 角色可分为以下几类:

- God
- 初始用户,与 Linux 系统中的 Root 用户类似。
- 拥有创建/删除 space 的权限。
- 拥有读/写 space 中的 schema 和 data 的权限。
- Admin
- 管理员用户。
- 对权限内的 space 拥有 schema 和 data 的读/写权限。
- 可对权限内的 space 进行用户受权。
- DBA
- 对权限内的 space 拥有 schema 和 data 的读/写权限。
- 没有对用户受权的权限。
- User
- 对权限内的 space 拥有 data 的读/写权限。
- 对权限内的 space 拥有 schema 只读权限。
- Guest
- 对权限内的 space 拥有 schema 和 data 的只读权限。

未被分配角色的用户将无权访问该 space。一个用户只能分配一个角色。一个用户在不同 space 可拥有不同权限。

各角色的 Executor 权限见下表。

| Operation | God | Admin | DBA | User | Guest |
| --- | --- | --- | --- | --- | --- |
| **kGo** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kSet** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kPipe** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kUse** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kMatch** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kAssignment** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateTag** | ✅ | ✅ | ✅ | | |
| **kAlterTag** | ✅ | ✅ | ✅ | | |
| **kCreateEdge** | ✅ | ✅ | ✅ | | |
| **kAlterEdge** | ✅ | ✅ | ✅ | | |
| **kDescribeTag** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDescribeEdge** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateTagIndex** | ✅ | ✅ | ✅ | | |
| **kCreateEdgeIndex** | ✅ | ✅ | ✅ | | |
| **kDropTagIndex** | ✅ | ✅ | ✅ | | |
| **kDropEdgeIndex** | ✅ | ✅ | ✅ | | |
| **kDescribeTagIndex** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDescribeEdgeIndex** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kBuildTagIndex** | ✅ | ✅ | ✅ | ✅ | |
| **kBuildEdgeIndex** | ✅ | ✅ | ✅ | ✅ | |
| **kDropTag** | ✅ | ✅ | ✅ | | |
| **kDropEdge** | ✅ | ✅ | ✅ | | |
| **kInsertVertex** | ✅ | ✅ | ✅ | ✅ | |
| **kUpdateVertex** | ✅ | ✅ | ✅ | ✅ | |
| **kInsertEdge** | ✅ | ✅ | ✅ | ✅ | |
| **kUpdateEdge** | ✅ | ✅ | ✅ | ✅ | |
| **kShow** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDeleteVertex** | ✅ | ✅ | ✅ | ✅ | |
| **kDeleteEdges** | ✅ | ✅ | ✅ | ✅ | |
| **kLookup** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateSpace** | ✅ | | | | |
| **kDropSpace** | ✅ | | | | |
| **kDescribeSpace** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kYield** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateUser** | ✅ | ✅ | | | |
| **kDropUser** | ✅ | ✅ | | | |
| **kAlterUser** | ✅ | ✅ | | | |
| **kGrant** | ✅ | ✅ | | | |
| **kRevoke** | ✅ | ✅ | | | |
| **kChangePassword** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDownload** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kIngest** | ✅ | ✅ | ✅ | ✅ | |
| **kOrderBy** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kConfig** | ✅ | ✅ | ✅ | | |
| **kFetchVertices** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kFetchEdges** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kBalance** | ✅ | ✅ | ✅ | | |
| **kFindPath** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kLimit** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **KGroupBy** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kReturn** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateSnapshot** | ✅ | ✅ | ✅ | | |
| **kDropSnapshot** | ✅ | ✅ | ✅ | | |
| **kAdmin** | ✅ | ✅ | ✅ | | |

按操作权限划分:

- _Read space_: kUse, kDescribeSpace
- _Write space_: kCreateSpace, kDropSpace, kCreateSnapshot, kDropSnapshot, kBalance, kAdmin, kConfig, kIngest, kDownload
- _Read schema_: kDescribeTag, kDescribeEdge, kDescribeTagIndex, kDescribeEdgeIndex
- _Write schema_: kCreateTag, kAlterTag, kCreateEdge, kAlterEdge, kDropTag, kDropEdge, kCreateTagIndex, kCreateEdgeIndex, kDropTagIndex, kDropEdgeIndex,
- _Read user_:
- _Write user_: kCreateUser, kDropUser, kAlterUser, kGrant, kRevoke
- _Read data_: kGo , kSet, kPipe, kMatch, kAssignment, kLookup, kYield, kOrderBy, kFetchVertices, kFind, kFetchEdges, kFindPath, kLimit, KGroupBy, kReturn
- _Write data_: kBuildTagIndex, kBuildEdgeIndex, kInsertVertex, kUpdateVertex, kInsertEdge, kUpdateEdge, kDeleteVertex, kDeleteEdges
- _Special operation_: kShow, kChangePassword

按操作划分。

| OP | GOD | ADMIN | DBA | USER | GUEST |
| --- | --- | --- | --- | --- | --- |
| Read space | ✅ | ✅ | ✅ | | |
| Write space | ✅ | | | | |
| Read schema | ✅ | ✅ | ✅ | | |
| Write schema | ✅ | ✅ | | | |
| Read user | ✅ | ✅ | ✅ | | |
| Write user | ✅ | ✅ | | | |
| Read data | ✅ | ✅ | ✅ | ✅ | ✅ |
| Write data | ✅ | ✅ | ✅ | ✅ | |
| Special operation | ✅ | ✅ | ✅ | ✅ | ✅ |
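Review bot: the per-category table at the end contradicts both the per-operation table and the role descriptions above it, so one of them is wrong. Read space: kUse and kDescribeSpace are ✅ for all five roles, yet "Read space" denies User and Guest. Read schema: kDescribeTag/kDescribeEdge/kDescribeTagIndex/kDescribeEdgeIndex are ✅ for all roles and User is described as having schema read-only access, yet "Read schema" denies User and Guest. Write schema: DBA has kCreateTag, kAlterTag, kDropTag and the index operations, and is described as having schema read/write, yet "Write schema" shows only God and Admin. Write space: kCreateSnapshot, kDropSnapshot, kBalance, kAdmin and kConfig are ✅ for DBA, kIngest reaches User and kDownload reaches Guest, yet "Write space" is God only; giving the read-only Guest role kDownload and User kIngest (both listed under Write space) needs an explicit decision, since these are cluster-level operations. Read user: the list is empty but the table ticks God, Admin and DBA, while the DBA description says it has no user-authorization access; either fill the list or drop the row. Admin is described as authorizing users only within its authorized space, but kCreateUser/kDropUser/kAlterUser are account-wide operations; say which scope applies. Smaller items: kFind appears in the Read data list but not in the operation table; KGroupBy should be kGroupBy; trailing comma after kDropEdgeIndex; stray space in "kGo ,"; 受权 should be 授权 (three occurrences).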
@@ -0,0 +1,7 @@
# CHANGE PASSWORD 语法

```ngql
CHANGE PASSWORD <user_name> FROM <old_psw> TO <new-psw>
```

`CHANGE PASSWORD` 更改 **Nebula Graph** 用户账户密码。更改密码需同时提供新密码和旧密码。为指正账户更改密码需要 `CREATE USER` 权限。为自己更改密码无需特殊权限。
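Review bot: the privilege statement does not line up with the role table in this PR: changing another account's password is said to need `CREATE USER`, but kChangePassword is ✅ for every role including Guest, so state explicitly that non-privileged roles may only change their own password and that the `<user_name>` argument must then match the logged-in user. The placeholders `<old_psw>` and `<new-psw>` use different separators; pick one. "指正账户" should be "指定账户". The text says the old password is required but not what happens when it is wrong; add the error behaviour, as the ALTER USER page does for a nonexistent user.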
3 changes: 3 additions & 0 deletions docs/manual-CN/README.md
@@ -104,6 +104,9 @@
* [rpm 安装](3.build-develop-and-administration/3.deploy-and-administrations/deployment/install-with-rpm-deb.md)
* 服务器管理操作
* 账号管理
* [Alter User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/alter-user-syntax.md)
* [Built-in Roles](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/built-in-roles.md)
* [Change Password](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/change-password.md)
* [Create User](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/create-user-syntax.md)
* [Drop User](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/drop-user-syntax.md)
* [Grant Role](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/grant-role-syntax.md)
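Review bot: the three new link labels are English in a Chinese README whose neighbouring entries are Chinese ("rpm 安装", "账号管理") and whose target pages are titled "ALTER USER 语法" and "CHANGE PASSWORD 语法"; use the Chinese titles. The naming is also uneven within the list: "Alter User Syntax" carries "Syntax" while "Change Password", "Create User" and "Drop User" do not.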
@@ -0,0 +1,7 @@
# Alter User Syntax

```ngql
ALTER USER <user_name> WITH PASSWORD <password>
```

The `ALTER USER` statement modifies **Nebula Graph** user accounts. `ALTER USER` requires the global `CREATE USER` privilege. An error occurs if you try to modify a user that does not exist.
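Review bot: "requires the global `CREATE USER` privilege" conflicts with the Built-in Roles table in this PR, which grants kAlterUser to Admin, a role described as limited to its authorized space; settle the scope and use the same wording on both pages. The sentence "modifies user accounts" is broader than the only documented form, `WITH PASSWORD`; say that this form sets a new password without requiring the old one, in contrast to `CHANGE PASSWORD`, which is the reason it is restricted to privileged roles, and state whether `<password>` must be a quoted string literal.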
@@ -0,0 +1,107 @@
# Built-in Roles

**Nebula Graph** provides the following roles:

- God
- The initial user similar to the root in Linux.
- Create/delete access to spaces.
- Read/write access to both the schema and data in the space.
- Admin
- The administration user.
- Read/write access to both the schema and data limited to its authorized space.
- Authorization access to users limited to its authorized space.
- DBA
- Read/write access to both the schema and data limited to its authorized space.
- No authorization access to users.
- User
- Read/write access to data limited to its authorized space.
- Read-only access to the schema limited to its authorized space.
- Guest
- Read-only access to both the schema and data limited to its authorized space.

A user who has no assigned roles will not have any accesses to the space. A user can only have one assigned role. A user can have different roles in different spaces.

The set of executor prescribed by each role are described below.

| Operation | God | Admin | DBA | User | Guest |
| --- | --- | --- | --- | --- | --- |
| **kGo** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kSet** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kPipe** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kUse** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kMatch** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kAssignment** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateTag** | ✅ | ✅ | ✅ | | |
| **kAlterTag** | ✅ | ✅ | ✅ | | |
| **kCreateEdge** | ✅ | ✅ | ✅ | | |
| **kAlterEdge** | ✅ | ✅ | ✅ | | |
| **kDescribeTag** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDescribeEdge** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateTagIndex** | ✅ | ✅ | ✅ | | |
| **kCreateEdgeIndex** | ✅ | ✅ | ✅ | | |
| **kDropTagIndex** | ✅ | ✅ | ✅ | | |
| **kDropEdgeIndex** | ✅ | ✅ | ✅ | | |
| **kDescribeTagIndex** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDescribeEdgeIndex** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kBuildTagIndex** | ✅ | ✅ | ✅ | ✅ | |
| **kBuildEdgeIndex** | ✅ | ✅ | ✅ | ✅ | |
| **kDropTag** | ✅ | ✅ | ✅ | | |
| **kDropEdge** | ✅ | ✅ | ✅ | | |
| **kInsertVertex** | ✅ | ✅ | ✅ | ✅ | |
| **kUpdateVertex** | ✅ | ✅ | ✅ | ✅ | |
| **kInsertEdge** | ✅ | ✅ | ✅ | ✅ | |
| **kUpdateEdge** | ✅ | ✅ | ✅ | ✅ | |
| **kShow** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDeleteVertex** | ✅ | ✅ | ✅ | ✅ | |
| **kDeleteEdges** | ✅ | ✅ | ✅ | ✅ | |
| **kLookup** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateSpace** | ✅ | | | | |
| **kDropSpace** | ✅ | | | | |
| **kDescribeSpace** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kYield** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateUser** | ✅ | ✅ | | | |
| **kDropUser** | ✅ | ✅ | | | |
| **kAlterUser** | ✅ | ✅ | | | |
| **kGrant** | ✅ | ✅ | | | |
| **kRevoke** | ✅ | ✅ | | | |
| **kChangePassword** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kDownload** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kIngest** | ✅ | ✅ | ✅ | ✅ | |
| **kOrderBy** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kConfig** | ✅ | ✅ | ✅ | | |
| **kFetchVertices** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kFetchEdges** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kBalance** | ✅ | ✅ | ✅ | | |
| **kFindPath** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kLimit** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **KGroupBy** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kReturn** | ✅ | ✅ | ✅ | ✅ | ✅ |
| **kCreateSnapshot** | ✅ | ✅ | ✅ | | |
| **kDropSnapshot** | ✅ | ✅ | ✅ | | |
| **kAdmin** | ✅ | ✅ | ✅ | | |

Divided by operation permissions.

- _Read space_: kUse, kDescribeSpace
- _Write space_: kCreateSpace, kDropSpace, kCreateSnapshot, kDropSnapshot, kBalance, kAdmin, kConfig, kIngest, kDownload
- _Read schema_: kDescribeTag, kDescribeEdge, kDescribeTagIndex, kDescribeEdgeIndex
- _Write schema_: kCreateTag, kAlterTag, kCreateEdge, kAlterEdge, kDropTag, kDropEdge, kCreateTagIndex, kCreateEdgeIndex, kDropTagIndex, kDropEdgeIndex,
- _Read user_:
- _Write user_: kCreateUser, kDropUser, kAlterUser, kGrant, kRevoke
- _Read data_: kGo , kSet, kPipe, kMatch, kAssignment, kLookup, kYield, kOrderBy, kFetchVertices, kFind, kFetchEdges, kFindPath, kLimit, KGroupBy, kReturn
- _Write data_: kBuildTagIndex, kBuildEdgeIndex, kInsertVertex, kUpdateVertex, kInsertEdge, kUpdateEdge, kDeleteVertex, kDeleteEdges
- _Special operation_: kShow, kChangePassword

Divided by operations.

| OP | GOD | ADMIN | DBA | USER | GUEST |
| --- | --- | --- | --- | --- | --- |
| Read space | ✅ | ✅ | ✅ | | |
| Write space | ✅ | | | | |
| Read schema | ✅ | ✅ | ✅ | | |
| Write schema | ✅ | ✅ | | | |
| Read user | ✅ | ✅ | ✅ | | |
| Write user | ✅ | ✅ | | | |
| Read data | ✅ | ✅ | ✅ | ✅ | ✅ |
| Write data | ✅ | ✅ | ✅ | ✅ | |
| Special operation | ✅ | ✅ | ✅ | ✅ | ✅ |
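Review bot: the category table at the end disagrees with the operation table and the role list above it. Read space: kUse and kDescribeSpace are ✅ for all roles, but "Read space" denies User and Guest. Read schema: all four kDescribe* operations are ✅ for all roles and User is described as schema read-only, but "Read schema" denies User and Guest. Write schema: DBA has kCreateTag, kAlterTag, kDropTag and the index operations, and is described as read/write on schema, but "Write schema" lists only God and Admin. Write space: kCreateSnapshot, kDropSnapshot, kBalance, kAdmin and kConfig are ✅ for DBA, kIngest for User and kDownload for Guest, yet "Write space" is God only; a read-only Guest holding kDownload and a User holding kIngest, both cluster-level operations listed under Write space, needs a deliberate decision. Read user: the list is empty while the table ticks God, Admin and DBA, and DBA is described as having "no authorization access to users". Admin is described as authorizing users "limited to its authorized space", but kCreateUser/kDropUser/kAlterUser are account-wide; clarify the scope. Wording: "The set of executor prescribed by each role are described below" should read "The set of executors permitted for each role is described below"; "any accesses" should be "any access"; the fragments "Divided by operation permissions." and "Divided by operations." would be clearer as "Operations grouped by permission category:" and "Permission categories by role:". Also kFind is listed under Read data but absent from the table; KGroupBy should be kGroupBy; trailing comma after kDropEdgeIndex; stray space in "kGo ,".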
@@ -0,0 +1,7 @@
# CHANGE PASSWORD Syntax

```ngql
CHANGE PASSWORD <user_name> FROM <old_psw> TO <new-psw>
```

The `CHANGE PASSWORD` statement changes a password to a **Nebula Graph** user account. The old password is required in addition to the new one. Changing the password for a named account requires the `CREATE USER` privilege. Changing the password for yourself requires no special privileges.
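Review bot: "Changing the password for a named account requires the `CREATE USER` privilege" is at odds with the role table in this PR, where kChangePassword is ✅ for all roles including Guest; state that non-privileged roles can only change their own password, so `<user_name>` must be the logged-in user for them, and say "another user's account" rather than "a named account". "changes a password to a user account" should be "changes the password of a user account". The placeholders `<old_psw>` and `<new-psw>` mix separators. The page says the old password is required but not what happens when it is wrong; document the error, as the ALTER USER page does for a nonexistent user.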
3 changes: 3 additions & 0 deletions docs/manual-EN/README.md
@@ -106,6 +106,9 @@ It is the optimal solution in the world capable of hosting graphs with dozens of

* Server Administration
* Account Management Statements
* [Alter User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/alter-user-syntax.md)
* [Built-in Roles](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/built-in-roles.md)
* [Change Password](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/change-password.md)
* [Create User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/create-user-syntax.md)
* [Drop User Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/drop-user-syntax.md)
* [Grant Role Syntax](3.build-develop-and-administration/3.deploy-and-administrations/server-administration/account-management-statements/grant-role-syntax.md)
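Review bot: "Change Password" is the only new entry without "Syntax" although its target page is titled "CHANGE PASSWORD Syntax" and every sibling entry ends in "Syntax"; rename it "Change Password Syntax". The link labels here also differ from the ones added to the Chinese README in this PR ("Create User" vs "Create User Syntax"), so the two tables of contents drift apart.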