Lindorm Graph Engine allows you to manage multiple isolated subgraphs within the same instance and control access permissions for users and roles at the subgraph level.
Multi-graph overview
Lindorm Graph Engine supports multi-graph management mode. A single Lindorm Graph instance can host multiple logically isolated subgraphs, each with its own independent schema and data. This mode is suitable for data isolation in multi-tenant and multi-business scenarios.
-
Root account: the initial database account created in the Alibaba Cloud console. It has the highest management permissions on the instance and is used to create and manage subgraphs and sub-users.
-
Sub-user: a user created by the Root account through APIs to access specific subgraphs.
-
Role: defines a sub-user's access permissions on a specific subgraph, such as read-only or read-write.
Prerequisites
-
Lindorm Graph Engine has been successfully activated.
-
The access whitelist has been configured for your network environment so that your client can connect to the Lindorm instance.
Quick start: create and authorize a read-only user
The following example walks you through creating a read-only sub-user named graphreader for the subgraph default.
-
(Optional) Create a new subgraph
If the defaultdefaultsubgraph does not meet your business requirements, you can use the root account to create a new subgraph. If you use thedefaultgraph, you can skip this step. -
Create a subgraph user
Use the root account to call the Add a subgraph user endpoint to create a sub-user namedgraphreader. -
Grant a role to the sub-user
Use the root account to call the Grant a role endpoint to grant theREADERrole on thedefaultsubgraph to thegraphreaderuser.
The graphreader user can now use its credentials for read-only access to the default subgraph.
Subgraph management
Create a subgraph
-
Request URL:
POST /db/add -
Description: creates a new subgraph.
-
Permissions: only the root account can call this endpoint.
-
Request example:
curl -X POST 'http://{host}:{port}/db/add' \ -H 'Content-Type: application/json' \ -u 'root_user:root_password' \ -d '{ "db": "my_graph", "params": {} }' -
Parameters:
Field
Type
Required
Description
db
String
Yes
The subgraph name. Only lowercase letters (a-z), digits (0-9), and underscores (_) are allowed. The name
useris reserved and cannot be used.params
JSON
No
Additional configuration parameters for the subgraph, in JSON format.
-
Response example:
{ "status": "200 OK", "payload": { "result": true } }
Query the subgraph list
-
Request URL:
GET /db/listorGET /db/list?db={dbName} -
Description: queries information about one or all subgraphs.
-
Permissions: all authenticated users (including the root account and sub-users) can call this endpoint.
-
Request example:
# Query all subgraphs curl -X GET 'http://{host}:{port}/db/list' \ -u 'root_user:root_password' # Query a specified subgraph curl -X GET 'http://{host}:{port}/db/list?db=my_graph' \ -u 'root_user:root_password' -
Parameters:
Parameter
Type
Required
Description
db
String
No
The name of the subgraph to query. If not specified, all subgraphs in the current instance are returned.
-
Response example:
{ "status": "200 OK", "payload": [ { "creationTime": 1670813317324, "dbName": "my_graph", "lastModified": 1670813317324, "params": "{}" }, { "creationTime": 1670813326798, "dbName": "my_graph_02", "lastModified": 1670813326798, "params": "{}" } ] }
Delete a subgraph
-
Request URL:
GET /db/del -
Description: deletes a specified subgraph and all the data it contains.
-
Permissions: only the root account (
root_user) can call this endpoint. -
Request example:
curl -X GET 'http://{host}:{port}/db/del?db=my_graph' \ -u 'root_user:root_password'NoteIf db is passed as default, the operation clears the data, but default still exists. If another schema is passed, the entire db will be deleted.
-
Parameters:
Parameter
Type
Required
Description
db
String
Yes
The name of the subgraph to delete.
-
Response example:
{ "status": "200 OK", "payload": { "result": true } }
Subgraph user management
Add a subgraph user
-
Request URL:
GET /user/add?user={name}&password={pwd} -
Description: creates a sub-user for accessing subgraphs.
-
Permissions: only the root account can call this endpoint.
-
Request example:
curl -X GET 'http://{host}:{port}/user/add?user=sub_user_01&password=sub_pwd_01&comment=subTest_01' \ -u 'root_user:root_password' -
Parameters:
Parameter
Type
Required
Description
user
String
Yes
The name of the new sub-user.
password
String
Yes
The login password of the sub-user.
comment
String
No
The comment for this user.
-
Response example:
{ "status": "200 OK", "payload": { "result": true } }
Query subgraph users
-
Request URL:
GET /user/listorGET /user/list?user={name} -
Description: queries information about one or all sub-users and their role assignments.
-
Permissions: only the root account can call this endpoint.
-
Request example:
# Query all sub-users curl -X GET 'http://{host}:{port}/user/list' \ -u 'root_user:root_password' # Query a specified sub-user curl -X GET 'http://{host}:{port}/user/list?user=sub_user_01' \ -u 'root_user:root_password' -
Parameters:
Parameter
Type
Required
Description
user
String
No
The name of the sub-user to query. If not specified, all sub-users are returned.
-
Response example:
{ "status": "200 OK", "payload": [ { "comment": "subTest_01", "creationTime": 1668069383040, "lastModified": 1668069383040, "roles": { "my_graph": "ADMIN", "my_graph_02": "WRITER" }, "user": "sub_user_01" }, { "comment": "subTest_02", "creationTime": 1668079691673, "lastModified": 1668079691673, "roles": {}, "user": "sub_user_02" } ] }
Delete a subgraph user
-
Request URL:
GET /user/del?user={name} -
Description: deletes an existing sub-user.
-
Permissions: only the root account can call this endpoint.
-
Request example:
curl -X GET 'http://{host}:{port}/user/del?user=sub_user_01' \ -u 'root_user:root_password' -
Parameters:
Parameter
Type
Required
Description
user
String
Yes
The name of the sub-user to delete.
-
Response example:
{ "status": "200 OK", "payload": { "result": true } }
Update a subgraph user
-
Request URL:
GET /user/update?user={name} -
Description: updates the password or comment of a sub-user.
-
Permissions: only the root account can call this endpoint.
-
Request example:
# Update password and comment curl -X GET 'http://{host}:{port}/user/update?user=sub_user_01&password=new_pwd&comment=new_comment' \ -u 'root_user:root_password' -
Parameters:
Parameter
Type
Required
Description
user
String
Yes
The name of the sub-user to update.
password
String
No
The new password of the sub-user.
comment
String
No
The new comment of the sub-user.
-
Response example:
{ "status": "200 OK", "payload": { "result": true } }
Subgraph role management
Grant a role
-
Request URL:
GET /role/grant?db={dbName}&user={name}&role={role} -
Description: grants a role to a specified user for accessing a specific subgraph.
-
Permissions: the root account or users with the
WRITEROLEpermission can call this endpoint. -
Request example:
curl -X GET 'http://{host}:{port}/role/grant?db=my_graph&user=sub_user_01&role=WRITER' \ -u 'root_user:root_password' -
Parameters:
Parameter
Type
Required
Description
db
String
Yes
The name of the target subgraph.
user
String
Yes
The name of the target user.
role
String
Yes
The name of the role to grant. Must be in uppercase.
-
READER: read-only data permission. Can only perform read operations on authorized subgraphs. -
WRITER: read-write data permission. Includes all permissions ofREADERplus write permission.
-
-
Response example:
{ "status": "200 OK", "payload": { "result": true } }
Revoke a role
-
Request URL:
GET /role/revoke?db={dbName}&user={name} -
Description: revokes all permissions of a specified user on a specific subgraph.
-
Permissions: the root account or users with the
WRITEROLEpermission can call this endpoint. -
Request example:
curl -X GET 'http://{host}:{port}/role/revoke?db=my_graph&user=sub_user_01' \ -u 'root_user:root_password'NoteYou cannot revoke your own ADMIN role.
-
Parameters:
Parameter
Type
Required
Description
db
String
Yes
The name of the target subgraph.
user
String
Yes
The name of the target user.
-
Response example:
{ "status": "200 OK", "payload": { "result": true } }
Query all role assignments
-
Request URL:
GET /role/all -
Description: queries all user-subgraph-role authorization mappings in the current instance for permission auditing.
-
Permissions: only the root account can call this endpoint.
-
Request example:
curl -X GET 'http://{host}:{port}/role/all' \ -u 'root_user:root_password' -
Response example:
{ "status": "200 OK", "payload": [ { "creationTime": 1668133597539, "dbName": "my_graph", "lastModified": 1668133597539, "role": "ADMIN", "user": "sub_user_01" }, { "creationTime": 1668133583866, "dbName": "my_graph_02", "lastModified": 1668133583866, "role": "ADMIN", "user": "sub_user_02" }, { "creationTime": 1668133601893, "dbName": "my_graph_03", "lastModified": 1668133601893, "role": "WRITER", "user": "sub_user_03" } ] }