The `dgraph acl` command is deprecated and will be removed in a future release. ACL changes are made through the `/admin` GraphQL endpoint on any Alpha node.

A secret can be generated on the command line like this:

```sh
# LC_CTYPE=C must be in tr's own environment (prefix form, not `LC_CTYPE=C;`),
# otherwise tr may reject non-ASCII bytes from /dev/urandom in a UTF-8 locale.
# Writes 32 random alphanumeric characters to hmac_secret_file.
LC_CTYPE=C tr -dc 'a-zA-Z0-9' < /dev/urandom | dd bs=1 count=32 of=hmac_secret_file
cat hmac_secret_file
```
Create a plain text file `hmac_secret_file` and store a randomly generated `<SECRET KEY VALUE>` in it. The secret key is used by Dgraph Alpha nodes to sign JSON Web Tokens (JWT). Treat it like any other signing key: restrict the file's permissions to the account that runs Alpha, and keep it out of container images and version control.
Start every Alpha with `--acl secret-file="/path/to/secret"`, and make sure all of them use the same secret key file created in Step 1 (a token issued by one Alpha must verify on every other). Alternatively, you can store the secret in HashiCorp Vault.
Instead of passing `--acl secret-file="/path/to/secret"` and `--security "whitelist=<permitted-ip-addresses>"` on the command line, you can configure Dgraph with a configuration file (`config.yaml`, `config.json`) or with environment variables such as `DGRAPH_ALPHA_ACL="secret-file=</path/to/secret>"` and `DGRAPH_ALPHA_SECURITY="whitelist=<permitted-ip-addresses>"`. See Config for more information about configuring Dgraph in general.

Example `docker-compose.yaml` configuration:
Example `dgraph_values.yaml`. Copy the encoded secret and paste it into the `hmac_secret_file` field, as in the example below:
Vault server address: `http://fqdn[ip]:port`.
Vault path `secret/data/dgraph/alpha`:

Vault path `secret/data/dgraph/alpha`:
Using the `role_id` generated in the previous step, create a corresponding `secret_id`, and copy the `role_id` and `secret_id` to local files such as `./dgraph/vault/role_id` and `./dgraph/vault/secret_id`, which the Dgraph Alpha nodes will read. The `secret_id` is a credential for the AppRole, so give these files the same restrictive permissions you would give the secret file itself.
The Vault field holding the ACL secret is named with the `acl-field` option, and its encoding is given by `acl-format`, which accepts `base64` (the default) or `raw`. A secret written to Vault as plain text therefore needs `acl-format=raw`.

Example `docker-compose.yaml` configuration:
Add a `vault` service to the above `docker-compose.yaml`, and then run through this sequence:

1. Start the `vault` service: `docker-compose up --detach vault`
2. Configure `vault` with the required prerequisites (see Configuring a HashiCorp Vault Server).
3. Place the `./role_id` and `secret_id` files produced by that configuration where the Alpha service reads them.
4. Start the remaining services: `docker-compose up --detach`
Example `dgraph_values.yaml`:
Log in first; the access token you receive is then passed in the `X-Dgraph-AccessToken` header field.

To log in, send a POST to `/admin` with the GraphQL `login` mutation. For example, to log in as the root user `groot`:

Once logged in, every request must carry the `X-Dgraph-AccessToken` header. Add the header `X-Dgraph-AccessToken` with the `accessJWT` value from the login response in whichever GraphQL tool you use to make the request. For example, in the GraphQL Playground you would add this in the headers section:

To renew the session, send the `refreshJWT` to `/admin` in a POST GraphQL mutation and you receive new access and refresh JWTs. This is how you continue once the ACL access TTL expires (controlled by Dgraph Alpha's `--acl_access_ttl` flag, 6h0m0s by default; on releases that use the `--acl` superflag this is its `access-ttl` option). The refresh JWT has its own, much longer TTL (`--acl_refresh_ttl`, 30 days by default), so it is a long-lived credential in its own right: store it as carefully as the password it stands in for.
Client libraries expose this as a `.login(USER_ID, USER_PASSWORD)` method. Code samples using a client: `acl_over_tls_test.go` (Go) and `AclTest.java` (Java). With `curl` from the command line, save the above login mutation to `login.graphql` and use the following:
The default root user is `groot`, with the password `password`. The `groot` user belongs to the administrative group `guardians`, whose members have access to everything; you can add more users to the `guardians` group as needed. Change the default `groot` password before the cluster is reachable by anyone else: with the default credentials, anyone who can reach an Alpha's `/admin` endpoint can log in as `groot`.
To create a user `alice` with the password `whiterabbit`, execute the following GraphQL mutation:

To create a group `dev`, execute:

To assign `alice` to both the group `dev` and the group `sre`, the mutation should be:

To remove `alice` from the `dev` group, the mutation should be:

To delete the user `alice`, execute:

To delete the group `sre`, the mutation should be:
Permission | Value | Binary |
---|---|---|
READ | 4 | 100 |
WRITE | 2 | 010 |
MODIFY | 1 | 001 |
READ + WRITE | 6 | 110 |
READ + WRITE + MODIFY | 7 | 111 |
- `READ`: the group has permission to read the predicate.
- `WRITE`: the group has permission to write or update the predicate.
- `MODIFY`: the group has permission to change the predicate's schema.

Permissions are granted to a group per predicate, as the examples for the `dev` group below show. If there are no rules for a predicate, the default behavior is to block all (`READ`, `WRITE` and `MODIFY`) operations.
To assign permissions on the `friend` predicate to the group:

Permissions on every predicate of a namespace can be granted at once with the `dgraph.all` keyword. The following example provides read+write access to the `dev` group over all the predicates of a given namespace using the `dgraph.all` keyword:
The permission of the group `dev` on a predicate is the union of its permissions from `dgraph.all` and the permissions granted for that specific predicate, for example `name`. So if the group is assigned `READ` permission for `dgraph.all` and `WRITE` permission for the predicate `name`, it has both `READ` and `WRITE` permission on the `name` predicate as a result of the union. A consequence worth keeping in mind: a predicate-specific rule can only add to what `dgraph.all` grants, never take anything away, so `dgraph.all` should carry only the permissions every predicate in the namespace may safely have.

For the `dev` group, the mutation should be:
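The permission values in the table, the default-deny rule and the `dgraph.all` union described above, worked through as an added Python example (not Dgraph's code; `effective_permission`, `user_permission`, `allows`, `describe` and `rules_from_group` are this example's own names). Rules are modelled as the `predicate`/`permission` pairs the admin schema returns for a group. The example also takes the union across several groups, which is the author's understanding of how Dgraph treats a user who belongs to more than one group; the page itself only states the union of `dgraph.all` with a predicate's own rule.

```python
# Added example, not Dgraph's code. Resolves what a group's ACL rules allow on
# a predicate: no rule means nothing is allowed, dgraph.all covers every
# predicate in the namespace, and the result is the union (bitwise OR) of the
# dgraph.all rule and the predicate's own rule.

READ, WRITE, MODIFY = 4, 2, 1          # bit values from the permission table
ALL_PREDICATES = "dgraph.all"


def rules_from_group(group):
    """Turn a getGroup/queryGroup result ({"rules": [{"predicate": ..,
    "permission": ..}, ...]}) into (predicate, permission) pairs."""
    return [(r["predicate"], int(r["permission"])) for r in group.get("rules", [])]


def effective_permission(rules, predicate):
    """Bits a single group grants on `predicate` (0 means everything blocked)."""
    perm = 0
    for rule_pred, bits in rules:
        if rule_pred == predicate or rule_pred == ALL_PREDICATES:
            perm |= bits & (READ | WRITE | MODIFY)   # ignore stray high bits
    return perm


def user_permission(groups, predicate):
    """Union over all groups a user belongs to (author's reading of Dgraph,
    not stated on the page). `groups` maps group name -> rules."""
    perm = 0
    for rules in groups.values():
        perm |= effective_permission(rules, predicate)
    return perm


def allows(perm, op):
    """True if every bit of `op` (e.g. READ | WRITE) is present in `perm`."""
    return perm & op == op


def describe(perm):
    names = [n for n, b in (("READ", READ), ("WRITE", WRITE), ("MODIFY", MODIFY))
             if perm & b]
    return "+".join(names) or "none"


if __name__ == "__main__":
    # Constructed sample of what getGroup(name: "dev") might return for the
    # rules discussed above: READ on everything, WRITE on name, full rights on
    # friend. "age" has no rule of its own and falls back to dgraph.all.
    dev = rules_from_group({"name": "dev", "rules": [
        {"predicate": ALL_PREDICATES, "permission": READ},
        {"predicate": "name", "permission": WRITE},
        {"predicate": "friend", "permission": READ | WRITE | MODIFY},
    ]})
    for pred in ("name", "friend", "age"):
        print(pred, describe(effective_permission(dev, pred)))
```

Run it and `name` resolves to READ+WRITE (the union the text describes), `friend` to READ+WRITE+MODIFY, and `age`, which has no rule of its own, to the READ inherited from `dgraph.all`. Because the union can only add bits, a rule of `0` on a predicate does not revoke what `dgraph.all` already grants.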
The following shows `alice` and the `dev` group along with the rules for the `friend` and `~friend` predicates.

To query the user `alice`:

To query the `dev` group:

To query the `dev` group information:
If you have forgotten the password of the `groot` user, you can reset the `groot` password (or the password of any user) by following these steps.

1. Remove the `--acl_hmac_secret` config flag from the Alpha config (on releases that use the `--acl` superflag, its `secret-file` option) and restart the Alpha. This leaves the Alpha open with no ACL enforcement, so be sure to restrict access, including stopping request traffic to this Alpha, for the duration of the reset.
2. Update the `groot` password to `newpassword` (choose your own secure password):
3. Restart the Alpha with the `--acl_hmac_secret` config flag (or `--acl secret-file=...`) back in place.

Because the same signing secret is used before and after the reset, access and refresh JWTs issued earlier remain valid until their TTLs expire. If the old password may have been misused, generate a new secret as well; that invalidates every outstanding token on all Alphas that share it.