Create if not exists 2.17 #780

Merged
merged 5 commits into from
May 21, 2024
Merged
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@ might have different access levels than an employee's role. Through RBAC,
organizations efficiently ensure that users only access data relevant to their
role, enhancing security and minimizing risks.

With role-based access control, database administrator can assign various
priviledges to roles, but for even more control over who can access certain
With role-based access control, a database administrator can assign various
privileges to roles, but for even more control over who can access certain
data, Memgraph Enterprise offers [fine-grained access
control](/database-management/authentication-and-authorization/role-based-access-control#fine-grained-access-control).

Expand All @@ -23,10 +23,10 @@ control](/database-management/authentication-and-authorization/role-based-access
Each user can be assigned at most one user role. User roles are abstractions
that capture the privilege levels of a set of users.

For example, suppose that `Dominik` and `Marko` belong to upper management of a
For example, suppose that `Dominik` and `Marko` belong to the upper management of a
certain company. It makes sense to grant them a set of privileges that other
users are not entitled to so, instead of granting those privileges to each of
them, we can create a role with those privileges called `manager` which we
them, we can create a role with those privileges called `manager`, which we
assign to `Dominik` and `Marko`.

In other words, each privilege that is granted to a user role is automatically
Expand All @@ -35,13 +35,15 @@ to that user). Similarly, each privilege that is denied to a user role is
automatically denied to all users with that role (even if it has been
explicitly granted to that user).

To creat a user role, run the following query:
To create a user role, run the following query:

```cypher
CREATE ROLE role_name;
CREATE ROLE [IF NOT EXISTS] role_name;
```

To assigning a user with a certain user role, run the following query:
If a role already exists, you can use `IF NOT EXISTS` to only create new roles.

To assign a user with a certain user role, run the following query:

```cypher
SET ROLE FOR user_name TO role_name;
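Review bot: the new sentence `If a role already exists, you can use IF NOT EXISTS to only create new roles.` does not say what the clause actually changes; state the behaviour directly, e.g. `Add IF NOT EXISTS to make the query succeed without any change when a role of that name already exists.` A short caveat is also worth adding: the clause leaves an existing role's privileges untouched, so a provisioning script that relies on it must still `GRANT` or `DENY` the intended privileges explicitly rather than assuming it is working with a freshly created role. Minor: `To assign a user with a certain user role` reads better as `To assign a user role to a user`.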
Expand Down Expand Up @@ -74,7 +76,7 @@ SHOW ROLES;
## Privileges

At the moment, privileges are confined to users' abilities to perform certain
`OpenCypher` queries. Namely users can be given permission to execute a subset
`OpenCypher` queries. Namely, users can be given permission to execute a subset
of the following commands:

| Privilege description | Clause |
Expand Down Expand Up @@ -110,7 +112,7 @@ role are denied that privilege. Otherwise, Memgraph will not execute that
specific query. Note that `DENY` is a stronger operation than `GRANT`. This is
also notable from the fact that if neither the user nor its role are explicitly
granted or denied a certain privilege, that user will not be able to perform
that specific query. This effect also is known as a silent deny. The information
that specific query. This effect is also known as a silent deny. The information
above is neatly condensed in the following table:

User Status | Role Status | Effective Status
Expand All @@ -125,7 +127,7 @@ NULL | GRANT | GRANT
NULL | DENY | DENY
NULL | NULL | DENY

Once the privilages are changed, they take full effect once the user reconnects
Once the privileges are changed, they take full effect once the user reconnects
to the database.

#### Grant privileges
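Review bot: `Once the privileges are changed, they take full effect once the user reconnects` repeats `once`; suggest `Privilege changes take full effect only after the user reconnects to the database.` Since this is the sentence operators will rely on when they revoke or deny a privilege, it should also say the flip side plainly: a session that is already open keeps its previous effective privileges until it reconnects.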
Expand Down Expand Up @@ -172,12 +174,12 @@ raised by using `REVOKE`. For instance, if a user has been denied the `INDEX`
privilege, but the role it belongs to is granted that privilege, the user is
unable to use indexing features.

If the user's `INDEX` privilege is revoked, they will be able to do use indexing
features because his role is granted that privilege.
If the user's `INDEX` privilege is revoked, they will be able to use indexing
features because the role is granted that privilege.

#### Manage all privileges at once

To grant, deny or revoke all privileges use the `ALL PRIVILEGES` construct:
To grant, deny or revoke all privileges, use the `ALL PRIVILEGES` construct:

```cypher
GRANT ALL PRIVILEGES FROM <user>;
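Review bot: the unchanged example `GRANT ALL PRIVILEGES FROM <user>;` looks wrong: `FROM` is the `REVOKE` form, and a grant should name its target with `TO <user>`, consistent with `SET ROLE FOR user_name TO role_name;` earlier in this file. Since this PR already touches the surrounding section, it is worth fixing here, or at least verifying against the parser before merge.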
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,9 @@ and [auth system integrations](/database-management/authentication-and-authoriza
Creating a user can be done by executing the following command:

```cypher
CREATE USER user_name [IDENTIFIED BY 'password'];
CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password'];
```
If the user already exists, you can use `IF NOT EXISTS` to only create new users.

If the username is an email address, you need to enclose it in backticks (``` ` ```):
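Review bot: `If the user already exists, you can use IF NOT EXISTS to only create new users.` sits directly under the closing fence with no blank line, unlike the other blocks in this file, and as worded it does not say what the clause does. Suggest a blank line and something like `Add IF NOT EXISTS to make the query succeed without changes when a user with that name already exists.` Because the clause skips the whole statement, the `IDENTIFIED BY 'password'` part is not applied to a pre-existing user either; that deserves an explicit sentence, since a user that was created earlier without a password keeps the `null` password described below and can still log in with any password.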

Expand All @@ -35,22 +36,22 @@ the `--auth-user-or-role-regex` flag to include spaces. For example,

If the user should authenticate themselves on each session, i.e. provide their
password on each session, the part within the brackets is mandatory. Otherwise,
the password is set to `null` and the user will be allowed to log-in using
the password is set to `null`, and the user will be allowed to log-in using
any password, provided that they use the correct username.

To set or alter a user's password run the following command:
To set or alter a user's password, run the following command:

```cypher
SET PASSWORD FOR user_name TO 'new_password';
```

Setting the users's password to null removes the password, allowing the user to
Setting the user's password to null removes the password, allowing the user to
log-in using any password:

```cypher
SET PASSWORD FOR user_name TO null;
```
To delete a user run the following command:
To delete a user, run the following command:

```cypher
DROP USER user_name;
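Review bot: style: `log-in` is used as a verb in both `allowed to log-in using any password` sentences; the verb form is `log in` (the hyphenated `log-in` is the noun). Also, `To delete a user, run the following command:` follows the closing fence without a blank line, while every other code block in this file is separated from the next paragraph by one.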
Expand All @@ -68,7 +69,7 @@ appropriate values of `bcrypt`, `sha256` or `sha256-multiple`.

**BCrypt**
This algorithm is the default algorithm for password encryption. It's the most secure algorithm and has the best
protection against brute-force attack. However, if you're running connecting multiple concurrent enterprise users with
protection against brute-force attacks. However, if you're connecting multiple concurrent enterprise users with
passwords at the same time, it may not be the best choice for you as you might experience slower performance. The performance
is slower only during authentication of the users, and should not degrade once the connection has been established.
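Review bot: `It's the most secure algorithm and has the best protection against brute-force attacks` is an unqualified claim; since the paragraph compares only `bcrypt`, `sha256` and `sha256-multiple`, say `the most secure of the three supported algorithms`. The cost that makes it resistant to brute force is the same thing that slows authentication, so the two sentences would read better tied together: the slowdown during authentication is the intended work factor, not a defect, and is why the default should normally be kept.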
