角色（策略） - 运行与维护

修改密码

提交

Change Email

Submit

修改昵称

当前昵称：

提交

基础信息

用户邮箱：

用户昵称：
手机号：
公司名称：
公司邮箱:
地区：
语言：

修改密码

申请证书

当前未申请证书.

申请证书

Certificate	Issued at	Valid until	Serial No.	File

Serial No.	Valid until	File

Not having one? Apply now! >>>

ProductName	CreateTime	ID	Price	File

ProductName	CreateTime	ID	Price	File

No Invoice

创建嬴图账号

已有嬴图账号？去登录！

忘记密码

重置密码

返回登录

角色（策略）

概述

角色（或策略）聚合了多个权限，并可包含其他角色，从而实现层级化、模块化访问控制。合理设计和使用角色可以实现基于角色的访问控制（RBAC），简化权限管理，提升系统安全性。

嬴图支持使用GQL和UQL管理数据库中的角色。

命名规范

数据库中的角色名必须唯一，并符合以下规则：

2~64个字符
以字母开头（A–Z或a–z）
可以包含字母，数字（0–9），下划线（_）

使用GQL

显示角色

列出数据库中所有定义的角色：

SHOW ROLE

创建角色

创建名为Tester的角色：

CREATE ROLE Tester

重命名角色

将角色Tester重命名为sales：

ALTER ROLE Tester RENAME TO sales

授予角色

您可为角色授予权限和角色，且不会覆盖该角色已有权限和角色。

系统权限

授予角色Tester系统权限SHOW_GRAPH和ALTER_GRAPH：

GRANT ["SHOW_GRAPH", "ALTER_GRAPH"] TO ROLE Tester

授予角色superADM所有系统权限：

GRANT * TO ROLE superADM

图权限

授予角色Tester对所有图的图权限READ：

GRANT ["READ"] ON * TO ROLE Tester

授予角色Tester对图amz的图权限SHOW_INDEX和SHOW_JOB：

GRANT ["SHOW_INDEX","SHOW_JOB"] ON amz TO ROLE Tester

授予角色superADM对所有图的图权限：

GRANT * ON * TO ROLE superADM

属性权限

授予角色Tester对当前图中点Person的name和age属性的READ权限：

GRANT ['READ','WRITE'] ON NODE Person (name, age) TO ROLE Tester

授予角色sales对当前图中所有边属性的DENY权限：

GRANT ["DENY"] ON EDGE * * TO ROLE sales

角色

授予角色Tester一个manager角色：

GRANT ROLE manager TO ROLE Tester

从角色中撤销

您可从角色中撤销权限和角色。

系统权限

撤销角色Tester的系统权限SHOW_POLICY和ALTER_GRAPH：

REVOKE ["SHOW_POLICY", "ALTER_GRAPH"] FROM ROLE Tester

撤销角色sales的所有系统权限：

REVOKE * FROM ROLE sales

图权限

撤销角色Tester对图amz的READ和UPDATE权限：

REVOKE ["READ", "UPDATE"] ON amz FROM ROLE Tester

撤销角色sales对所有图的图权限：

REVOKE * ON * FROM ROLE sales

属性权限

撤销角色Tester对当前图中点Person的name和age属性的READ和WRITE权限：

REVOKE ['READ','WRITE'] ON NODE Person (name, age) FROM ROLE Tester

撤销角色sales对当前图中所有边属性的DENY权限：

REVOKE ["DENY"] ON EDGE * * FROM ROLE sales

角色

撤销角色Tester中的角色manager：

REVOKE ROLE manager FROM ROLE Tester

删除角色

删除角色Tester：

DROP ROLE Tester

使用UQL

显示角色（策略）

列出数据库中所有定义的角色（策略）：

show().policy()

获取指定角色（策略）信息，如角色（策略）manager：

show().policy("manager")

创建角色（策略）

您可在创建角色（策略）的同时为其分配权限和其他角色（策略）：

create().policy("<name>").params({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...], 
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  }, 
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})

创建名为superADM的角色（策略），并授予其所有图权限和系统权限：

create().policy("superADM").params({
  graph_privileges: {"*":["READ","INSERT","UPSERT","UPDATE","DELETE","CREATE_SCHEMA","DROP_SCHEMA","ALTER_SCHEMA","SHOW_SCHEMA","RELOAD_SCHEMA","CREATE_PROPERTY","DROP_PROPERTY","ALTER_PROPERTY","SHOW_PROPERTY","CREATE_FULLTEXT","DROP_FULLTEXT","SHOW_FULLTEXT","CREATE_INDEX","DROP_INDEX","SHOW_INDEX","LTE","UFE","CLEAR_JOB","STOP_JOB","SHOW_JOB","ALGO","CREATE_PROJECT","SHOW_PROJECT","DROP_PROJECT","CREATE_HDC_GRAPH","SHOW_HDC_GRAPH","DROP_HDC_GRAPH","COMPACT_HDC_GRAPH","SHOW_VECTOR_INDEX","CREATE_VECTOR_INDEX","DROP_VECTOR_INDEX","SHOW_CONSTRAINT","CREATE_CONSTRAINT","DROP_CONSTRAINT"]},
  system_privileges: ["TRUNCATE","COMPACT","CREATE_GRAPH","SHOW_GRAPH","DROP_GRAPH","ALTER_GRAPH","TOP","KILL","STAT","SHOW_POLICY","CREATE_POLICY","DROP_POLICY","ALTER_POLICY","SHOW_USER","CREATE_USER","DROP_USER","ALTER_USER","SHOW_PRIVILEGE","SHOW_META","SHOW_SHARD","ADD_SHARD","DELETE_SHARD","REPLACE_SHARD","SHOW_HDC_SERVER","ADD_HDC_SERVER","DELETE_HDC_SERVER","LICENSE_UPDATE","LICENSE_DUMP","GRANT","REVOKE","SHOW_BACKUP","CREATE_BACKUP","SHOW_VECTOR_SERVER","ADD_VECTOR_SERVER","DELETE_VECTOR_SERVER"]
})

创建角色（策略）Tester，并为其分配：

系统权限：SHOW_GRAPH，ALTER_GRAPH
图权限：对所有图的READ权限，对图amz和trans的SHOW_INDEX和SHOW_JOB权限
属性权限：
- 点：对所有点属性的read权限
- 边：图amz中，对边edgx的rank和asset属性的write权限，以及对所有边的mark属性的read权限
角色（策略）：manager

create().policy("Tester").params({
  system_privileges: ["SHOW_GRAPH", "ALTER_GRAPH"],
  graph_privileges: {
    "*": ["READ", "SHOW_SCHEMA", "SHOW_PROPERTY"],
    "amz": ["SHOW_INDEX", "SHOW_JOB"],
    "trans": ["SHOW_INDEX", "SHOW_JOB"]
  }, 
  property_privileges: {
    "node": {
      "read": [["*", "*", "*"]]
    },
    "edge": {
      "read": [["amz", "*", "mark"]],
      "write": [
        ["amz", "edgx", "rank"],
        ["amz", "edgx", "asset"]
      ]
    }
  },    
  policies: ["manager"]
})

授予角色（策略）

您可为角色（策略）授予权限和角色（策略），且不会覆盖该角色已有权限和角色（策略）。

grant().policy("<name>").params({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...], 
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  }, 
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})

为角色（策略）Tester授予对图集Tax的图权限CREATE_SCHEMA和DROP_SCHEMA，以及系统权限ADD_HDC_SERVER：

grant().policy("Tester").params({
  graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]}, 
  system_privileges: ["ADD_HDC_SERVER"]
})

从角色（策略）中撤销

您可从角色（策略）中撤销权限和角色。

revoke().policy("<name>").params({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...], 
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  }, 
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})

撤销角色（策略）Tester中，对图Tax的图权限CREATE_SCHEMA和DROP_SCHEMA，以及系统权限ADD_HDC_SERVER：

revoke().policy("Tester").params({
  graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]}, 
  system_privileges: ["ADD_HDC_SERVER"]
})

修改角色（策略）

您可修改角色（策略）中包含的权限和角色（策略）。请留意，只有指定的项目会被修改，其余保持不变。

alter().policy("<name>").set({
  system_privileges: ["<systemPriv>", "<systemPriv>", ...], 
  // Set <graph> as * to specify all graphs
  graph_privileges: {
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    "<graph>": ["<graphPriv>", "<graphPriv>", ...],
    ...
  }, 
  // Set <graph>/<schema>/<property> as * to specify all graphs/schemas/properties
  property_privileges: {
    "node": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    },
    "edge": {
      "read": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "write": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...],
      "deny": [["<graph>", "<schema>", "<property>"],["<graph>", "<schema>", "<property>"],...]
    }
  },
  policies: ["<policy>", "<policy>", ...]
})

仅修改角色（策略）Tester中的图权限：

alter().policy("Tester").set({graph_privileges: {"Tax": ["UPDATE"]}})

修改角色（策略）Tester中的图权限、属性权限和角色：

alter().policy("Tester").set({
  graph_privileges: {"*": ["UPDATE", "DELETE"]},
  property_privileges: {
    "node": {
      "write": [["miniCircle","*","*"]]
    },
    "edge": {
      "write": [["miniCircle","*","*"]]
    }
  },
  policies: ["sales"]
})

删除角色（策略）

删除角色（策略）Tester：

drop().policy("Tester")

ID
产品
状态
核数
Shard 服务最大数量
Shard 服务最大总核数
HDC 服务最大数量
HDC 服务最大总核数
申请天数
审批日期
过期日期
MAC地址
申请理由
审核信息