`uint64` namespaces. With multi-tenancy, each tenant can only log into their own namespace and operate in their own namespace.
`p` directory. Each namespace has a group guardian, which has root access to that namespace.
The default namespace is called a `galaxy`. Guardians of the Galaxy get special access to create or delete namespaces and change passwords of users of other namespaces.
`--limit` superflag's `query-limit` option. There's no time limit for queries by default, but you can override it when running Dgraph Alpha. For multi-tenant environments a suggested `query-limit` value is 500ms.
John Smith belonging to the group Data Approvers for a tenant Accounting may only have read-only access over predicates while user Jane Doe, belonging to the group Data Editors within that same tenant, may have access to modify those predicates. All the ACL rules need to be defined for each tenant in your backend. The level of granularity available allows for defining rules over specific predicates or all predicates belonging to that tenant.
`uint64` identifier. Users are members of a single namespace, and cross-namespace queries are not allowed.
`0x00`) is called a `galaxy`. A Guardian of the Galaxy has special access to create or delete namespaces and change passwords of users of other namespaces.
`0x00`).
As a super-admin, a Guardian of the Galaxy can:
`0x00`)
`rocket` is part of the Guardians of the Galaxy group (namespace `0x00`), he can only read/write on namespace `0x00`.
`/admin` with the `addNamespace` mutation, and will return the assigned number for the new namespace.
`X-Dgraph-AccessToken` header.
`groot` user with password `mypass` (default is `password`) is created in the guardian group. You can then use these credentials to log in to the namespace and perform operations like `addUser`.
`/state` endpoint. For example, if you have a multi-tenant Cluster with multiple namespaces, as a Guardian of the Galaxy you can query `state` from GraphQL:
`/admin` with the `deleteNamespace` mutation.
`X-Dgraph-AccessToken` header.
`123`:
`namespace-guardians` can't delete namespaces; they can only perform queries and mutations.
`/admin` with the `resetPassword` mutation.
For example, to reset the password for user `groot` from the namespace `100`:
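An added example, not taken from the Dgraph documentation or code base: Python helpers that build the `/admin` requests for `addNamespace`, `deleteNamespace` and `resetPassword` with the `X-Dgraph-AccessToken` header, quoting every user-supplied value so it cannot alter the mutation. The Alpha address, the helper names, the mutation input and response field names, and the rule that rejects the default `groot` password are assumptions of this example.

```python
import json
import urllib.request

ALPHA = "http://localhost:8080"  # assumption: address of a Dgraph Alpha


def _lit(value: str) -> str:
    # JSON string escaping is also valid for a GraphQL string literal, so a
    # quote or brace inside a password cannot change the mutation's shape.
    return json.dumps(str(value))


def _ns(ns) -> int:
    # Namespaces are uint64 identifiers; reject anything else up front.
    if isinstance(ns, bool) or not isinstance(ns, int) or not 0 <= ns < 2**64:
        raise ValueError("namespace must be a uint64 integer")
    return ns


def _admin(token: str, mutation: str) -> urllib.request.Request:
    # Build (do not send) a POST to /admin carrying the access token header.
    return urllib.request.Request(
        ALPHA + "/admin", method="POST",
        data=json.dumps({"query": mutation}).encode(),
        headers={"Content-Type": "application/json",
                 "X-Dgraph-AccessToken": token})


def add_namespace(token: str, groot_password: str):
    # Example policy (assumption): never create a tenant whose groot user
    # keeps the default password.
    if groot_password in ("", "password"):
        raise ValueError("choose a non-default groot password")
    return _admin(token, "mutation { addNamespace(input: {password: %s}) "
                         "{ namespaceId message } }" % _lit(groot_password))


def delete_namespace(token: str, ns: int):
    return _admin(token, "mutation { deleteNamespace(input: {namespaceId: %d}) "
                         "{ namespaceId message } }" % _ns(ns))


def reset_password(token: str, user_id: str, new_password: str, ns: int):
    return _admin(token, "mutation { resetPassword(input: {userId: %s, "
                         "password: %s, namespace: %d}) { userId message namespace } }"
                  % (_lit(user_id), _lit(new_password), _ns(ns)))


def send(req: urllib.request.Request) -> dict:
    # Run a prepared request against a live Alpha and decode the JSON reply.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Pass the returned request to `send` together with an access token obtained by a Guardian of the Galaxy.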
`drop all` operations can be triggered only by a Guardian of the Galaxy. They're executed at Cluster level and delete data across namespaces. All other `drop` operations run at namespace level and are namespace specific. For information about other `drop` operations, see Alter the database.
`drop all` operation is executed at Cluster level and the operation deletes data and schema across namespaces. A guardian of the namespace can trigger the `drop data` operation within the namespace. The `drop data` operation deletes all the data but retains the schema.
`.rdf` or `.json` files and schemas include the multi-tenancy namespace information.
If a Guardian of the Galaxy exports the whole Cluster, a single folder containing the export data of all the namespaces in a single `.rdf` or `.json` file and a single schema will be generated.
`.rdf` file:
`0x1234` to a folder in the export directory (by default this directory is `export`):