概述
策略是专为特定用户角色制定的一组权限,通常包含多项权限和其他策略。合理设计和使用策略可以实现基于角色的访问控制。
显示策略
获取数据库中的所有策略:
show().policy()
获取一个特定策略信息,如名为manager的策略:
show().policy("manager")
策略信息呈现在表格_policy中,包含以下字段:
字段 |
描述 |
|---|---|
name |
策略名 |
graphPrivileges |
策略包含的图集权限 |
systemPrivileges |
策略包含的系统权限 |
propertyPrivileges |
策略包含的属性权限 |
policies |
策略包含的其他策略 |
创建策略
使用语句create().policy().params()在数据库中创建策略。
语法
create().policy("<name>").params({
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
property_privileges: {
"node": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
},
"edge": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
}
},
policies: ["<policyName>", "<policyName>", ...]
})
| 方法 | 参数 | 描述 |
|---|---|---|
policy() |
<name> |
策略名,需唯一。命名规范:
|
params() |
graph_privileges |
为各图集指定需包含在策略中的图集权限;使用"*"指定所有图集 |
system_privileges |
指定需包含在策略中的系统权限 | |
property_privileges |
指定需包含在策略中的点属性权限和边属性权限;使用["*", "*", "*"]指定所有图集、所有schema和所有属性 |
|
policies |
指定需包含在策略中的策略 |
示例
创建名为superADM的策略,其中包含所有图集权限、所有系统权限以及对所有属性的write权限,但不包含其他策略:
create().policy("superADM").params({
graph_privileges: {"*":["READ","INSERT","UPSERT","UPDATE","DELETE","CREATE_SCHEMA","DROP_SCHEMA","ALTER_SCHEMA","SHOW_SCHEMA","RELOAD_SCHEMA","CREATE_PROPERTY","DROP_PROPERTY","ALTER_PROPERTY","SHOW_PROPERTY","CREATE_FULLTEXT","DROP_FULLTEXT","SHOW_FULLTEXT","CREATE_INDEX","DROP_INDEX","SHOW_INDEX","LTE","UFE","CLEAR_JOB","STOP_JOB","SHOW_JOB","ALGO","CREATE_PROJECT","SHOW_PROJECT","DROP_PROJECT","CREATE_HDC_GRAPH","SHOW_HDC_GRAPH","DROP_HDC_GRAPH","COMPACT_HDC_GRAPH"]},
system_privileges: ["TRUNCATE","COMPACT","CREATE_GRAPH","SHOW_GRAPH","DROP_GRAPH","ALTER_GRAPH","TOP","KILL","STAT","SHOW_POLICY","CREATE_POLICY","DROP_POLICY","ALTER_POLICY","SHOW_USER","CREATE_USER","DROP_USER","ALTER_USER","SHOW_PRIVILEGE","SHOW_META","SHOW_SHARD","ADD_SHARD","DELETE_SHARD","SHOW_HDC_SERVER","ADD_HDC_SERVER","DELETE_HDC_SERVER","LICENSE_UPDATE","LICENSE_DUMP"],
property_privileges: {
"node": {"write": [["*", "*", "*"]]},
"edge": {"write": [["*", "*", "*"]]}
}
})
创建名为Tester的策略,其中包含:
- 图集权限:对所有图集的
UPDATE权限 - 系统权限:
SHOW_POLICY,ALTER_GRAPH - 属性权限:
- 对所有图集所有schema所有点属性的
read权限 - 对图集
Tax所有schema下的边属性value和time的write权限 - 图集
miniCircle中,名为rate的schema下,对边属性score的deny权限(即不允许read和write权限)
- 对所有图集所有schema所有点属性的
- 策略:
manager
create().policy("Tester").params({
graph_privileges: {"*": ["UPDATE"]},
system_privileges: ["SHOW_POLICY", "ALTER_GRAPH"],
property_privileges: {
"node": {
"read": [
["*", "*", "*"]
]
},
"edge": {
"write": [
["Tax", "*", "value"],
["Tax", "*", "time"]
],
"deny": [
["miniCircle", "rates", "score"]
]
}
},
policies: ["manager"]
})
修改策略
使用语句alter().policy().set()可以修改策略中包含的权限和策略。
语法
alter().policy("<name>").set({
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
property_privileges: {
"node": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
},
"edge": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
}
},
policies: ["<policyName>", "<policyName>", ...]
})
| 方法 | 参数 | 描述 |
|---|---|---|
policy() |
<name> |
策略名 |
set() |
graph_privileges |
为各图集指定需在策略中增加的图集权限;使用"*"指定所有图集 |
system_privileges |
指定需在策略中增加的系统权限 | |
property_privileges |
指定需在策略增加的点属性权限和边属性权限;使用["*", "*", "*"]指定所有图集、所有schema和所有属性 |
|
policies |
指定需在策略中增加的策略 |
示例
修改包含在策略sales中的图集权限,其他类型权限和策略保持不变:
alter().policy("Tester").set({graph_privileges: {"Tax": ["UPDATE"]}})
修改策略manager中的图集权限、属性权限和策略,系统权限保持不变:
alter().policy("manager").set({
graph_privileges: {"*": ["UPDATE", "DELETE"]},
property_privileges: {
"node": {
"write": [["miniCircle","*","*"]]
},
"edge": {
"write": [["miniCircle","*","*"]]
}
},
policies: ["sales"]
})
删除策略
使用语句drop().policy()删除策略。
删除策略manager:
drop().policy("manager")