Managing access to DSE Graph keyspaces
DSE Graph authentication and authorization are handled by DSE Unified Authentication, because the underlying storage is the DSE database; see Configuring DSE Unified Authentication. Each graph has the following three keyspaces. Manage permissions for each graph using the CQL GRANT and REVOKE commands on all three keyspaces.
- <graph_name>: Keyspace with the same name as the graph.
- <graph_name_pvt>: Keyspace with the same name as the graph followed by underscore pvt. Contains the partitioned vertex tables.
- <graph_name_system>: Keyspace with the graph name followed by underscore system that stores shared information.
```cql
GRANT <permission type> ON KEYSPACE <graphname> TO <rolename>;
GRANT <permission type> ON KEYSPACE <graphname_pvt> TO <rolename>;
GRANT <permission type> ON KEYSPACE <graphname_system> TO <rolename>;
```
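Because every graph spans three keyspaces, a grant that covers only one of them leaves the role half-provisioned. The helper below is an added example, not DataStax code: it derives the three keyspace names from the graph name, quotes identifiers that are not plain lowercase CQL names (so a graph or role name taken from configuration cannot alter the statement), restricts permission types to the ones this page documents, and emits the matching GRANT or REVOKE statements. The 48-character keyspace name limit is Cassandra's; the function and constant names are this example's own.

```python
import re

# Permission types named on this page; DSE defines more, but this example only allows these.
PERMISSIONS = {"CREATE", "SELECT", "ALTER", "MODIFY", "DROP", "ALL PERMISSIONS"}
# An unquoted CQL identifier: lowercase letter first, then letters, digits, underscores.
_UNQUOTED = re.compile(r"^[a-z][a-z0-9_]*$")
MAX_NAME_LEN = 48  # Cassandra limit on keyspace names


def graph_keyspaces(graph):
    """The three keyspaces DSE Graph creates for one graph (see the list above)."""
    return [graph, f"{graph}_pvt", f"{graph}_system"]


def cql_ident(name):
    """Render an identifier: bare when it is a plain CQL name, double-quoted otherwise.
    Embedded double quotes are doubled, so the name cannot break out of the quotes."""
    if not name or "\x00" in name:
        raise ValueError("empty or invalid identifier")
    if _UNQUOTED.match(name):
        return name
    return '"' + name.replace('"', '""') + '"'


def grant_graph_access(graph, role, permissions, revoke=False):
    """Return GRANT (or REVOKE) statements that cover all three keyspaces of a graph.

    The same permission set is applied to every keyspace, which is what the page
    requires; granting on <graph> alone leaves <graph>_pvt and <graph>_system closed.
    """
    keyspaces = graph_keyspaces(graph)
    for ks in keyspaces:
        # The longest derived name (<graph>_system) is the one that hits the limit first.
        if len(ks) > MAX_NAME_LEN:
            raise ValueError(f"keyspace name exceeds {MAX_NAME_LEN} characters: {ks}")
    verb, prep = ("REVOKE", "FROM") if revoke else ("GRANT", "TO")
    statements = []
    for perm in permissions:
        perm = perm.upper()
        if perm not in PERMISSIONS:
            raise ValueError(f"unsupported permission type: {perm}")
        for ks in keyspaces:
            statements.append(
                f"{verb} {perm} ON KEYSPACE {cql_ident(ks)} {prep} {cql_ident(role)};"
            )
    return statements


if __name__ == "__main__":
    # Constructed sample: a read-only analyst role on a graph named "food".
    for stmt in grant_graph_access("food", "analyst", ["SELECT"]):
        print(stmt)
```

To decommission the role, call the same function with `revoke=True`; revoking on only one keyspace would leave access on the other two.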
The following tables show scenarios of how role permissions affect access to graph operations:
| Operation | Superuser | Non-user | Plain user (no role with graph permissions) | ALL PERMISSIONS |
|---|---|---|---|---|
| Connection | T | F | F | T |
| Select | T | F | F | T |
| Schema change | T | F | F | T |
| Add vertex | T | F | F | T |
| Create/Drop vertex | T,T | F,n/a | F | T,T |

| Operation | CREATE | SELECT | ALTER | MODIFY |
|---|---|---|---|---|
| Connection | T | T | T | T |
| Select | F | T | F | F |
| Schema change | F | F | F | F |
| Add vertex | F | F | T | T |
| Create/Drop vertex | F | F | F | F |

| Operation | CREATE/SELECT | CREATE/ALTER | CREATE/MODIFY | CREATE/ALTER/DROP |
|---|---|---|---|---|
| Connection | T | T | T | T |
| Select | T | F | F | F |
| Schema change | F | F | F | T |
| Add vertex | F | F | T | F |
| Create/Drop vertex | F | F | F | F |

Connection refers to the ability to connect to the DSE Graph Server.