Overview
Privileges are a key access control mechanism that determine the operations a user can perform on the graph database. They enforce security by restricting access to specific operations, such as querying, updating, or administering the database. A set of privileges can be granted to a policy, which can then be assigned to users. Alternatively, individual privileges can be directly assigned to users.
Types of Privileges in Ultipa:
- Graph privileges: Includes operations for manipulating and reading data and structure of specific graphsets, as well as managing their indexes, jobs, HDC graphs, etc.
- System privileges: Includes operations for managing graphsets, processes, privileges, policies, users, servers, etc., within the database.
- Property privileges: Includes
read,write, anddeny, applied specifically to certain properties.
Showing Privileges
To list all privileges of the database:
show().privilege()
This will return a table _privilege, as shown below:
| graphPrivileges | systemPrivileges |
|---|---|
| ["READ","INSERT","UPSERT","UPDATE","DELETE","CREATE_SCHEMA","DROP_SCHEMA","ALTER_SCHEMA","SHOW_SCHEMA","RELOAD_SCHEMA","CREATE_PROPERTY","DROP_PROPERTY","ALTER_PROPERTY","SHOW_PROPERTY","CREATE_FULLTEXT","DROP_FULLTEXT","SHOW_FULLTEXT","CREATE_INDEX","DROP_INDEX","SHOW_INDEX","LTE","UFE","CLEAR_JOB","STOP_JOB","SHOW_JOB","ALGO","CREATE_PROJECT","SHOW_PROJECT","DROP_PROJECT","CREATE_HDC_GRAPH","SHOW_HDC_GRAPH","DROP_HDC_GRAPH","COMPACT_HDC_GRAPH","SHOW_VECTOR_INDEX","CREATE_VECTOR_INDEX","DROP_VECTOR_INDEX","SHOW_CONSTRAINT","CREATE_CONSTRAINT","DROP_CONSTRAINT"] | ["TRUNCATE","COMPACT","CREATE_GRAPH","SHOW_GRAPH","DROP_GRAPH","ALTER_GRAPH","TOP","KILL","STAT","SHOW_POLICY","CREATE_POLICY","DROP_POLICY","ALTER_POLICY","SHOW_USER","CREATE_USER","DROP_USER","ALTER_USER","SHOW_PRIVILEGE","SHOW_META","SHOW_SHARD","ADD_SHARD","DELETE_SHARD","REPLACE_SHARD","SHOW_HDC_SERVER","ADD_HDC_SERVER","DELETE_HDC_SERVER","LICENSE_UPDATE","LICENSE_DUMP","GRANT","REVOKE","SHOW_BACKUP","CREATE_BACKUP","SHOW_VECTOR_SERVER","ADD_VECTOR_SERVER","DELETE_VECTOR_SERVER"] |
All Privileges
Graph Privileges
Privilege |
Description | UQL |
|---|---|---|
READ |
Reads data from graphsets. | find(), ab(), autonet(), spread(), khop(), n()...n() |
INSERT |
Inserts nodes and edges into graphsets. | insert() |
UPSERT |
Updates or inserts nodes and edges in graphsets. | upsert() |
UPDATE |
Updates nodes and edges in graphsets. | update() |
DELETE |
Deletes nodes and edges in graphsets. | delete() |
CREATE_SCHEMA |
Creates schemas in graphsets. | create().node_schema(), create().edge_schema() |
DROP_SCHEMA |
Drops schemas in graphsets. | drop().node_schema(), drop().edge_schema() |
ALTER_SCHEMA |
Alters schemas in graphsets. | alter().node_schema(), alter().edge_schema() |
SHOW_SCHEMA |
Shows schemas in graphsets. | show().schema(), show().node_schema(), show().edge_schema() |
RELOAD_SCHEMA |
Reloads the total number of nodes and edges in graphsets. | db.schema.reload() |
CREATE_PROPERTY |
Creates properties in graphsets. | create().node_property(), create().edge_property() |
DROP_PROPERTY |
Drops properties in graphsets. | drop().node_property(), drop().edge_property() |
ALTER_PROPERTY |
Alters properties in graphsets. | alter().node_property(), alter().edge_property() |
SHOW_PROPERTY |
Shows properties in graphsets. | show().property(), show().node_property(), show().edge_property() |
CREATE_FULLTEXT |
Creates full-text indexes in graphsets. | create().node_fulltext(), create().edge_fulltext() |
DROP_FULLTEXT |
Drop full-text indexes in graphsets. | drop().node_fulltext(), drop().edge_fulltext() |
SHOW_FULLTEXT |
Shows full-text indexes in graphsets. | show().fulltext(), show().node_fulltext(), show().edge_fulltext() |
CREATE_VECTOR_INDEX |
Creates vector indexes in graphs. | create().node_vector_index().on() |
DROP_VECTOR_INDEX |
Drop vector indexes in graphs. | drop().node_vector_index() |
SHOW_VECTOR_INDEX |
Shows vector indexes in graphs. | show().node_vector_index() |
CREATE_INDEX |
Creates indexes in graphsets. | create().node_index(), create().edge_index() |
DROP_INDEX |
Drops indexes in graphsets. | drop().node_index(), drop().edge_index() |
SHOW_INDEX |
Shows indexes in graphsets. | show().index(), show().node_index(), show().edge_index() |
LTE |
Loads properties from disk into the computing engine. | LTE().node_property(), LTE().edge_property() |
UFE |
Unloads properties from the computing engine. | UFE().node_property(), UFE().edge_property() |
CLEAR_JOB |
Clear jobs in graphsets. | clear().job() |
STOP_JOB |
Stops jobs in graphsets. | stop().job() |
SHOW_JOB |
Shows jobs in graphsets. | show().job() |
ALGO |
Runs algorithms for graphsets. | algo() |
CREATE_PROJECT |
Creates distributed projections for graphsets. | create().projection() |
SHOW_PROJECT |
Shows distributed projections of graphsets. | show().projection() |
DROP_PROJECT |
Drops distributed projections of graphsets. | drop().projection() |
CREATE_HDC_GRAPH |
Creates HDC graphs. | hdc.graph.create() |
SHOW_HDC_GRAPH |
Shows HDC graphs. | hdc.graph.show() |
DROP_HDC_GRAPH |
Drops HDC graphs. | hdc.graph.drop() |
COMPACT_HDC_GRAPH |
Compacts HDC graphs. | hdc.graph.compact() |
System Privileges
Privilege |
Description | UQL |
|---|---|---|
TRUNCATE |
Truncates graphsets in database. | truncate().graph() |
COMPACT |
Compacts graphsets in database. | compact().graph() |
CREATE_GRAPH |
Creates graphsets in database. | create().graph() |
SHOW_GRAPH |
Shows graphsets in database. | show().graph() |
DROP_GRAPH |
Drops graphsets in database. | drop().graph() |
ALTER_GRAPH |
Alters graphsets in database. | alter().graph() |
TOP |
Shows processes in database. | top() |
KILL |
Kills processes in database. | kill() |
STAT |
Shows statistics of the database. | stats() |
SHOW_POLICY |
Shows policies in database. | show().policy() |
CREATE_POLICY |
Creates policies in database. | create().policy() |
DROP_POLICY |
Drops policies in database. | drop().policy() |
ALTER_POLICY |
Alters policies in database. | alter().policy() |
SHOW_USER |
Shows users in database. | show().user() |
CREATE_USER |
Creates users in database. | create().user() |
DROP_USER |
Drops users in database. | drop().user() |
ALTER_USER |
Alters users in database. | alter().user() |
SHOW_PRIVILEGE |
Shows privileges in database. | show().privilege() |
GRANT |
Grants privileges and policies to a policy or user. | grant().policy().params(), grant().user().params() |
REVOKE |
Revokes privileges and policies from a policy or user. | revoke().policy().params(), revoke().user().params() |
SHOW_META |
Show meta servers of the database. | show().meta() |
SHOW_SHARD |
Show shard servers of the database. | show().shard() |
ADD_SHARD |
Adds shard servers to the database. | alter().shard().add() |
REPLACE_SHARD |
Alters the replica addresses of a shard server. | alter().shard().replace() |
DELETE_SHARD |
Deletes shard servers from the database. | alter().shard().delete() |
SHOW_HDC_SERVER |
Show HDC servers of the database. | show().hdc() |
ADD_HDC_SERVER |
Adds HDC servers to the database. | alter().hdc().add() |
DELETE_HDC_SERVER |
Deletes HDC servers from the database. | alter().hdc().delete() |
SHOW_VECTOR_SERVER |
Show vector servers of the database. | show().vector() |
ADD_VECTOR_SERVER |
Adds vector servers to the database. | alter().shard().add() |
DELETE_VECTOR_SERVER |
Deletes vector servers from the database. | alter().vector().delete() |
LICENSE_UPDATE |
Updates license of the database. | license().update() |
LICENSE_DUMP |
Dumps license of the database. | license().dump() |
SHOW_BACKUP |
Shows backups of the database. | db.backup.show() |
CREATE_BACKUP |
Creates backups for the database. | db.backup.create() |
Property Privileges
Privilege |
Description |
|---|---|
read |
Allows reading a specific property in graphsets. |
write |
Allows both reading and writing a specific property in graphsets. |
deny |
Denies the right to read or write a specific property in graphsets. deny takes precedence over read and write. If both deny and read (or write) are granted to a user or policy, the effective privilege is deny. |
read
If the read privilege for the name property of the user nodes is not granted:
Operation |
Examples |
|---|---|
| Return the property | find().nodes({@user}) as n return n{*}This query will exclude the name property from the results.find().nodes({@user}) as n return n.nameThis query throws an error as you cannot read the name property. |
| Filter the property | find().nodes({name == "johndoe"}) as n return nThis query throws an error as you cannot read the name property. |
| Export | You cannot export the properties which you cannot read. |
write
If the write privilege for the name property of the user nodes is not granted:
Operation |
Examples |
|---|---|
| Insert | insert().into(@user).nodes({_id: "U873", name:"johndoe"})This query throws an error as you cannot write the name property. |
| Overwrite | insert().overwrite().into(@user).nodes({_id: "U872"})This query throws an error since the insert().overwrite().into() operation requires full write privilege on the target schema. |
| Upsert | upsert().into(@user).nodes({_id: "U873", name:"johndoe"})This query throws an error as you cannot write the name property.upsert().into(@user).nodes({_id: "U873", level: "2"})This query either:
|
| Update | update().nodes({@user._id == "U873"}).nodes({name: "johndoe"})This query throws an error as you cannot write the name property. |
| Delete | You can delete properties, nodes or edges even if you don't have write privileges, as long as you possess the DELETE and DROP_PROPERTY graph privileges. |