Create and Manage Roles from the Console

AnzoGraph DB supports two basic modes of authentication and access control for users submitting requests to access or perform operations on data. The first mode is one in which both user authentication and authorization of privileges are performed entirely by AnzoGraph DB. In the second mode, a trusted external LDAP or directory service system provides authentication of users to validate their identity before submitting an operation request to AnzoGraph DB, where a user's AnzoGraph DB role permissions determine the operations a user is able to perform.

The particular way in which AnzoGraph DB operates depends on two switch settings in the settings.conf file, enable_acl and enable_external_auth. (See Authentication and Access Control for more information on these two AnzoGraph DB configuration settings.)

When using the Query & Admin Console to access and perform AnzoGraph DB operations, the operations that a user can perform are controlled by the specific attributes of a user's role and the permissions granted to a user or role on specific AnzoGraph DB database objects, for example, graphs, views, and queries. A user with special SUPERUSER administration permissions can login into the Console, create roles that will define permissions granted to new users in those roles, and specify permissions to access specific AnzoGraph DB database objects.

The following sections describe the process to configure AnzoGraph DB for authentication and authorization (also referred to as ACL) and provides more information on how to define new roles for users (or those corresponding to LDAP groups) from the Console, and specify attributes or permissions granted to those roles.

Configure AnzoGraph DB for User Role Management

To use the Query & Admin Console to create and manage roles for AnzoGraph DB authentication and authorization there are a few basic configuration steps you first need to perform:

  1. Create a db.ini file in the InstallDir/anzograph/config directory in which you define a local user role with LOGIN and SUPERUSER attributes. For example:
    CREATE OR REPLACE ROLE <superadmin> SUPERUSER LOGIN PASSWORD = 'superadmin' ;;

    AnzoGraph DB includes a sample file, db.ini-example, that you can rename and use as a starting point for your own custom access control initialization. The sample file defines a default SUPERUSER LOGIN user role named <superadmin> that provides initial administrator access to the Console when AnzoGraph DB access control is first enabled. See Access Control Initialization and Updates for more information on the db.ini file and AnzoGraph DB access control initialization and updates.

  2. In the InstallDir/jetty/frontend directory, include the following line in the anzograph-frontend.properties file to provide administrator access to the Console that matches the SUPERUSER user role defined in the AnzoGraph DB db.ini file:
  3.  database.super.user= superadmin

    Updating the database.super.user setting and restarting the Jetty application, as described in these steps, is not required if you keep the <superadmin> user role name as defined, by default, in the db.ini-example sample file. The Eclipse Jetty application is a Java web server and Java Servlet container that provides the web user interface for the AnzoGraph DB Query & Admin Console.

  4. Restart the Jetty web server.
  5. /usr/sbin/su-exec jetty jetty.sh restart
  6. Update the settings.conf file located in the InstallDir/anzograph/config directory to include the following two settings:
  7. enable_acl=true
    enable_external_auth=false
  8. Run the following commands to stop and reinitialize AnzoGraph DB with the new settings.conf configuration file settings and db.ini entries:
  9. /InstallDir/anzograph/bin/azgctl  -stop
    /InstallDir/anzograph/bin/azgctl -start -init
  10. Log in to the Query & Admin Console using the new superadmin user role credentials defined in the db.ini file.

    After successful user login, the console displays the main Admin tab web page.

Create and Configure User Roles

When you log in to the Query & Admin Console with the AnzoGraph DB superadmin user role credentials, you have full access to AnzoGraph DB operations and data, including permission and access to all options available in the Console, and the User Role Management option in the Admin navigation panel. When you first select the User Role Management option, the Console displays a single role, that of the superadmin user role you defined in the db.ini file.

To view the access and permissions of the superadmin role or any other defined role, you can simply click on the role's name to display the information in a panel display on the right side of the Console.

Access and permission settings correspond to ACL attributes and permissions that may be specified for AnzoGraph DB roles as described in Role Attributes and Database Object Permissions.

Adding a New Role

To create a new role:

  1. Click the Add Role button.
  2. The Console displays a popup dialog in which you can choose a name for the new role and specify other properties of the role.

    New role names may not start with either an @ or $ character. Role names may also not contain spaces or any of the following special characters:

    - < > ? / \ [ ] { } + = ( ) * & ^ % ~ ` ” '

    More generally, role names may not contain any ASCII code control characters ranging from 0 through 32 with ASCII code 32 being the space character.

    Options in the Add Role dialog allow you to specify the following:

    • Make this role a superuser — if enabled, allows user role to access the Admin tab of the Console, versus just the Query Console tab.
    • Inherit permissions from other roles — if enabled, this role may be selected to inherit permissions as a member of other roles.
    • Allow this role to login — when enabled and using local AnzoGraph DB authentication (enable_external_auth=false), allows this user role to login to AnzoGraph DB.
    • Select permissions for this role — specifies operations that a user role is allowed to perform in AnzoGraph DB.
    • Select other roles to inherit permissions from this role — allows you to specify other existing user roles that will inherit permissions from this role.
    • Query Row Limit and Priority — Specifies limits to rows that a user role's query may return; also lets you specify the execution priority of this user role's queries.

    See Role Attributes for more information on attributes or permissions that can be assigned to specific roles.

  3. When you've finished selecting options for the new user role, click Add.

    The new user role now appears in the Admin Console's list of created roles.

Grant Permissions to Database Objects

When an AnzoGraph DB database object is created, for example, a graph, query, or view, the creator of that object is designated as the owner of that object, by default. To allow other roles to access the same object, or to change ownership, the owner may grant specific privileges on that object to other roles.

Besides being able to change ownership, SELECT, UPDATE, and DROP permissions privileges on database objects can be granted or revoked from specific roles.

To assign or change object permissions:

  1. From the Admin tab, click on a database object (Graphs, Views, or Queries) in the left-side navigation panel. For example, selecting the Graphs option displays a list of graphs currently loaded into AnzoGraph DB.

  2. On the far-right side of a listed object (in this example, the tickit graph), click the button.

    The Console displays a popup dialog in which the current owner and permissions of other existing roles are displayed.

    Besides being able to change ownership, privileges that can be granted or revoked on database objects for specific roles are the following:

    • SELECT - grant or revoke read privilege on a named graph, view, or query.
    • UPDATE - grant or revoke permission for SELECT, INSERT, DELETE, COPY, MOVE, ADD, or CLEAR operations on a named graph.
    • DROP - grant or revoke permission to drop a named GRAPH, VIEW, or QUERY.
  3. When you've finished selecting permissions granted or revoked for specific roles, click Save.

The Console confirms that permissions for the object have been updated.

Add Roles Mapped to LDAP Groups

In addition to defining roles for use when local AnzoGraph DB authentication is enabled, you can also define roles that are mapped to LDAP groups for use when external LDAP authentication is used. That way, when users log into the Console using LDAP authentication, the data they can access and the operations they can perform are controlled by the permissions defined in roles corresponding to their LDAP group membership.

To define Console roles based on LDAP groups, you need to first specify and enable the LDAP configuration you want to define AnzoGraph DB roles for. Once the LDAP configuration is enabled, you can define roles based on LDAP directory groups the same way as you defined roles using local AnzoGraph DB authentication.

When using external LDAP authentication, you should define at least one LDAP group role that has SUPERUSER privileges configured, so that member users of that group have access to the Admin tab of the Console.

To add an LDAP group role:

  1. Define the LDAP Configuration that you want to define AnzoGraph DB roles for. For specific instructions on doing that, see Configure AnzoGraph DB for LDAP Authentication.
  2. From the Console, select the Settings menu option, or select the LDAP Configuration option from the Server Context/Server Settting page and make sure the Enable LDAP Configuration checkbox option is selected.

    When you return to the User Role Management display on the Admin tab page, the Console now shows an Add Directory Group button on the far right, next to the Add Role button.

  3. Click the Add Directory Group button.

    The Console now retrieves a list of groups defined in the LDAP directory.

  4. Click the down arrow icon to display a drop-down list of LDAP groups. Note that the Console replaces any spaces in group names with an underscore character.

    AnzoGraph DB role names may not start with either an @ or $ character. Also, role names may not contain spaces or any of the following special characters:

    - < > ? / \ [ ] { } + = ( ) * & ^ % ~ ` ” '

    More generally, role names may not contain any ASCII code control characters ranging from 0 through 32 with ASCII code 32 being the space character.

  5. Select an LDAP group from the list that you want to define an AnzoGraph DB role for.

    The Console now displays a popup dialog, the same as for local roles, to specify group attributes and permissions for the new AnzoGraph DB role.

  6. When you've finished selecting options for the new role based on an existing LDAP group, click Add.

    The new LDAP group role now appears in the Admin Console's list of created roles. Besides the role's basic attributes and permissions, you can also grant or revoke specific object permissions for the new LDAP group role.

Enable External LDAP Authentication

To change the AnzoGraph DB mode of authentication, from authentication of user credentials stored within AnzoGraph DB itself, to authentication of credentials validated by an external LDAP directory service, you need to update ACL settings specified in the AnzoGraph DB settings.conf configuration file.

  1. Update the settings.conf file located in the <install_path>/anzograph/config directory to specify the following two settings:
    enable_acl=true
    enable_external_auth=true
  2. Next, run the following command to stop and restart AnzoGraph DB to use the new configuration settings in the settings.conf file:
    /InstallDir/anzograph/bin/azgctl  -restart

    AnzoGraph DB authentication requests, including login to the Query & Admin Console, will now be authenticated using the LDAP Configuration you specified.

  3. Login to the Query & Admin Console using the user credentials provided by your LDAP directory service administrator.

    With LDAP authentication enabled, users will enter their LDAP user login credentials to be authenticated. However, following authentication, each user's permissions to perform AnzoGraph DB operations will be defined by their membership in LDAP groups for which AnzoGraph DB roles are defined.