概述
策略是专为特定用户角色制定的一组权限,通常包含多项权限和其他策略。合理设计和使用策略可实现基于角色的访问控制。
显示策略
获取数据库中的所有策略:
show().policy()
获取一个特定策略信息,如名为manager的策略:
show().policy("manager")
返回的_policy表包含策略信息:
字段 |
描述 |
|---|---|
name |
策略名 |
graphPrivileges |
策略包含的图集权限 |
systemPrivileges |
策略包含的系统权限 |
propertyPrivileges |
策略包含的属性权限 |
policies |
策略包含的其他策略 |
创建策略
使用语句create().policy().params()在数据库中创建策略。
语法
create().policy("<name>").params({
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
property_privileges: {
"node": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
},
"edge": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
}
},
policies: ["<policyName>", "<policyName>", ...]
})
| 方法 | 参数 | 描述 |
|---|---|---|
policy() |
<name> |
策略名,需唯一。命名规范:
|
params() |
graph_privileges |
策略包含的图集权限;使用"*"指定所有图集 |
system_privileges |
策略包含的系统权限 | |
property_privileges |
策略包含的node属性权限和edge属性权限;使用["*", "*", "*"]指定所有图集、schema和属性 |
|
policies |
策略包含的其他策略 |
示例
创建名为superADM的策略,包含所有图集权限、所有系统权限以及对所有属性的write权限,但不包含其他策略:
create().policy("superADM").params({
graph_privileges: {"*":["READ","INSERT","UPSERT","UPDATE","DELETE","CREATE_SCHEMA","DROP_SCHEMA","ALTER_SCHEMA","SHOW_SCHEMA","RELOAD_SCHEMA","CREATE_PROPERTY","DROP_PROPERTY","ALTER_PROPERTY","SHOW_PROPERTY","CREATE_FULLTEXT","DROP_FULLTEXT","SHOW_FULLTEXT","CREATE_INDEX","DROP_INDEX","SHOW_INDEX","LTE","UFE","CLEAR_JOB","STOP_JOB","SHOW_JOB","ALGO","CREATE_PROJECT","SHOW_PROJECT","DROP_PROJECT","CREATE_HDC_GRAPH","SHOW_HDC_GRAPH","DROP_HDC_GRAPH","COMPACT_HDC_GRAPH"]},
system_privileges: ["TRUNCATE","COMPACT","CREATE_GRAPH","SHOW_GRAPH","DROP_GRAPH","ALTER_GRAPH","TOP","KILL","STAT","SHOW_POLICY","CREATE_POLICY","DROP_POLICY","ALTER_POLICY","SHOW_USER","CREATE_USER","DROP_USER","ALTER_USER","SHOW_PRIVILEGE","SHOW_META","SHOW_SHARD","ADD_SHARD","DELETE_SHARD","SHOW_HDC_SERVER","ADD_HDC_SERVER","DELETE_HDC_SERVER","LICENSE_UPDATE","LICENSE_DUMP"],
property_privileges: {
"node": {"write": [["*", "*", "*"]]},
"edge": {"write": [["*", "*", "*"]]}
}
})
创建名为Tester的策略,其中包含:
- 图集权限:所有图集的
UPDATE权限 - 系统权限:
SHOW_POLICY,ALTER_GRAPH - 属性权限:
- 点属性:所有点属性的
read权限 - 边属性:
- 图集
Tax所有边属性value和time的write权限 - 禁止图集
miniCircle中rateschema的属性score的read和write权限
- 图集
- 点属性:所有点属性的
- 策略:
manager
create().policy("Tester").params({
graph_privileges: {"*": ["UPDATE"]},
system_privileges: ["SHOW_POLICY", "ALTER_GRAPH"],
property_privileges: {
"node": {
"read": [
["*", "*", "*"]
]
},
"edge": {
"write": [
["Tax", "*", "value"],
["Tax", "*", "time"]
],
"deny": [
["miniCircle", "rates", "score"]
]
}
},
policies: ["manager"]
})
修改策略
使用语句alter().policy().set()修改策略中包含的图集权限、系统权限、属性权限和策略。请留意,语句中包含的权限类型或策略会被修改,其余保持不变。
语法
alter().policy("<name>").set({
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
property_privileges: {
"node": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
},
"edge": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
}
},
policies: ["<policyName>", "<policyName>", ...]
})
| 方法 | 参数 | 描述 |
|---|---|---|
policy() |
<name> |
策略名 |
set() |
graph_privileges |
修改后策略包含的所有图集权限;使用"*"指定所有图集 |
system_privileges |
修改后策略包含的所有系统权限 | |
property_privileges |
修改后策略包含的所有node属性权限和edge属性权限;使用["*", "*", "*"]指定所有图集、schema和属性 |
|
policies |
修改后策略包含的所有其他策略 |
示例
修改策略sales的图集权限,其他类型的权限和策略保持不变:
alter().policy("Tester").set({graph_privileges: {"Tax": ["UPDATE"]}})
修改策略manager中的图集权限、属性权限和策略,系统权限保持不变:
alter().policy("manager").set({
graph_privileges: {"*": ["UPDATE", "DELETE"]},
property_privileges: {
"node": {
"write": [["miniCircle","*","*"]]
},
"edge": {
"write": [["miniCircle","*","*"]]
}
},
policies: ["sales"]
})
给策略追加权限
使用语句grant().policy().params()为策略追加指定的图集权限、系统权限、属性权限和策略。请留意,策略原本包含的权限和策略保持不变。
语法
grant().policy("<policyName>").params({
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
property_privileges: {
"node": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
},
"edge": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
}
},
policies: ["<policyName>", "<policyName>", ...]
})
| 方法 | 参数 | 描述 |
|---|---|---|
|
|
策略名 |
params() |
graph_privileges |
给策略追加的图集权限;使用"*"指定所有图集 |
system_privileges |
给策略追加的系统权限 | |
property_privileges |
给策略追加的node属性权限和edge属性权限;使用["*", "*", "*"]指定所有图集、schema和属性 |
|
policies |
给策略追加的其他策略 |
示例
给策略manager追加图集Tax的权限CREATE_SCHEMA和DROP_SCHEMA以及系统权限ADD_HDC_SERVER:
grant().policy("manager").params({
graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]},
system_privileges: ["ADD_HDC_SERVER"]
})
从策略撤销权限
使用语句revoke().policy().params()从策略撤销指定的图集权限、系统权限、属性权限和策略。
语法
revoke().policy("<policyName>").params({
graph_privileges: {
"<graph>": ["<graphPriv>", "<graphPriv>", ...],
...
},
system_privileges: ["<systemPriv>", "<systemPriv>", ...],
property_privileges: {
"node": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
},
"edge": {
"<propertyPriv>": [
["<graph>", "<schema>", "<property>"],
...
],
...
}
},
policies: ["<policyName>", "<policyName>", ...]
})
| 方法 | 参数 | 描述 |
|---|---|---|
policy() |
<ploicyName> |
策略名 |
params() |
graph_privileges |
从策略撤销的图集权限;使用"*"指定所有图集 |
system_privileges |
从策略撤销的系统权限 | |
property_privileges |
从策略撤销的node属性权限和edge属性权限;使用["*", "*", "*"]指定所有图集、schema和属性 |
|
policies |
从策略撤销的其他策略 |
示例
从策略manager撤销图集Tax的权限CREATE_SCHEMA和DROP_SCHEMA以及系统权限ADD_HDC_SERVER:
revoke().policy("manager").params({
graph_privileges: {"Tax": ["CREATE_SCHEMA", "DROP_SCHEMA"]},
system_privileges: ["ADD_HDC_SERVER"]
})
删除策略
使用语句drop().policy()删除策略。
删除策略manager:
drop().policy("manager")