Multi-graph management

更新时间:
复制 MD 格式

Lindorm Graph Engine allows you to manage multiple isolated subgraphs within the same instance and control access permissions for users and roles at the subgraph level.

Multi-graph overview

Lindorm Graph Engine supports multi-graph management mode. A single Lindorm Graph instance can host multiple logically isolated subgraphs, each with its own independent schema and data. This mode is suitable for data isolation in multi-tenant and multi-business scenarios.

  • Root account: the initial database account created in the Alibaba Cloud console. It has the highest management permissions on the instance and is used to create and manage subgraphs and sub-users.

  • Sub-user: a user created by the Root account through APIs to access specific subgraphs.

  • Role: defines a sub-user's access permissions on a specific subgraph, such as read-only or read-write.

Prerequisites

  1. Lindorm Graph Engine has been successfully activated.

  2. The access whitelist has been configured for your network environment so that your client can connect to the Lindorm instance.

Quick start: create and authorize a read-only user

The following example walks you through creating a read-only sub-user named graphreader for the subgraph default.

  1. (Optional) Create a new subgraph
    If the default default subgraph does not meet your business requirements, you can use the root account to create a new subgraph. If you use the default graph, you can skip this step.

  2. Create a subgraph user
    Use the root account to call the Add a subgraph user endpoint to create a sub-user named graphreader.

  3. Grant a role to the sub-user
    Use the root account to call the Grant a role endpoint to grant the READER role on the default subgraph to the graphreader user.

The graphreader user can now use its credentials for read-only access to the default subgraph.


Subgraph management

Create a subgraph

  • Request URL: POST /db/add

  • Description: creates a new subgraph.

  • Permissions: only the root account can call this endpoint.

  • Request example:

    curl -X POST 'http://{host}:{port}/db/add' \
      -H 'Content-Type: application/json' \
      -u 'root_user:root_password' \
      -d '{
        "db": "my_graph",
        "params": {}
      }'
    
  • Parameters:

    Field

    Type

    Required

    Description

    db

    String

    Yes

    The subgraph name. Only lowercase letters (a-z), digits (0-9), and underscores (_) are allowed. The name user is reserved and cannot be used.

    params

    JSON

    No

    Additional configuration parameters for the subgraph, in JSON format.

  • Response example:

    {
      "status": "200 OK",
      "payload": {
        "result": true
      }
    }
    

Query the subgraph list

  • Request URL: GET /db/list or GET /db/list?db={dbName}

  • Description: queries information about one or all subgraphs.

  • Permissions: all authenticated users (including the root account and sub-users) can call this endpoint.

  • Request example:

    # Query all subgraphs
    curl -X GET 'http://{host}:{port}/db/list' \
      -u 'root_user:root_password'
    
    # Query a specified subgraph
    curl -X GET 'http://{host}:{port}/db/list?db=my_graph' \
      -u 'root_user:root_password'
    
  • Parameters:

    Parameter

    Type

    Required

    Description

    db

    String

    No

    The name of the subgraph to query. If not specified, all subgraphs in the current instance are returned.

  • Response example:

    {
      "status": "200 OK",
      "payload": [
        {
          "creationTime": 1670813317324,
          "dbName": "my_graph",
          "lastModified": 1670813317324,
          "params": "{}"
        },
        {
          "creationTime": 1670813326798,
          "dbName": "my_graph_02",
          "lastModified": 1670813326798,
          "params": "{}"
        }
      ]
    }
    

Delete a subgraph

  • Request URL: GET /db/del

  • Description: deletes a specified subgraph and all the data it contains.

  • Permissions: only the root account (root_user) can call this endpoint.

  • Request example:

    curl -X GET 'http://{host}:{port}/db/del?db=my_graph' \
      -u 'root_user:root_password'
    
    Note

    If db is passed as default, the operation clears the data, but default still exists. If another schema is passed, the entire db will be deleted.

  • Parameters:

    Parameter

    Type

    Required

    Description

    db

    String

    Yes

    The name of the subgraph to delete.

  • Response example:

    {
      "status": "200 OK",
      "payload": {
        "result": true
      }
    }
    

Subgraph user management

Add a subgraph user

  • Request URL: GET /user/add?user={name}&password={pwd}

  • Description: creates a sub-user for accessing subgraphs.

  • Permissions: only the root account can call this endpoint.

  • Request example:

    curl -X GET 'http://{host}:{port}/user/add?user=sub_user_01&password=sub_pwd_01&comment=subTest_01' \
      -u 'root_user:root_password'
    
  • Parameters:

    Parameter

    Type

    Required

    Description

    user

    String

    Yes

    The name of the new sub-user.

    password

    String

    Yes

    The login password of the sub-user.

    comment

    String

    No

    The comment for this user.

  • Response example:

    {
      "status": "200 OK",
      "payload": {
        "result": true
      }
    }
    

Query subgraph users

  • Request URL: GET /user/list or GET /user/list?user={name}

  • Description: queries information about one or all sub-users and their role assignments.

  • Permissions: only the root account can call this endpoint.

  • Request example:

    # Query all sub-users
    curl -X GET 'http://{host}:{port}/user/list' \
      -u 'root_user:root_password'
    
    # Query a specified sub-user
    curl -X GET 'http://{host}:{port}/user/list?user=sub_user_01' \
      -u 'root_user:root_password'
    
  • Parameters:

    Parameter

    Type

    Required

    Description

    user

    String

    No

    The name of the sub-user to query. If not specified, all sub-users are returned.

  • Response example:

    {
      "status": "200 OK",
      "payload": [
        {
          "comment": "subTest_01",
          "creationTime": 1668069383040,
          "lastModified": 1668069383040,
          "roles": {
            "my_graph": "ADMIN",
            "my_graph_02": "WRITER"
          },
          "user": "sub_user_01"
        },
        {
          "comment": "subTest_02",
          "creationTime": 1668079691673,
          "lastModified": 1668079691673,
          "roles": {},
          "user": "sub_user_02"
        }
      ]
    }
    

Delete a subgraph user

  • Request URL: GET /user/del?user={name}

  • Description: deletes an existing sub-user.

  • Permissions: only the root account can call this endpoint.

  • Request example:

    curl -X GET 'http://{host}:{port}/user/del?user=sub_user_01' \
      -u 'root_user:root_password'
    
  • Parameters:

    Parameter

    Type

    Required

    Description

    user

    String

    Yes

    The name of the sub-user to delete.

  • Response example:

    {
      "status": "200 OK",
      "payload": {
        "result": true
      }
    }
    

Update a subgraph user

  • Request URL: GET /user/update?user={name}

  • Description: updates the password or comment of a sub-user.

  • Permissions: only the root account can call this endpoint.

  • Request example:

    # Update password and comment
    curl -X GET 'http://{host}:{port}/user/update?user=sub_user_01&password=new_pwd&comment=new_comment' \
      -u 'root_user:root_password'
    
  • Parameters:

    Parameter

    Type

    Required

    Description

    user

    String

    Yes

    The name of the sub-user to update.

    password

    String

    No

    The new password of the sub-user.

    comment

    String

    No

    The new comment of the sub-user.

  • Response example:

    {
      "status": "200 OK",
      "payload": {
        "result": true
      }
    }
    

Subgraph role management

Grant a role

  • Request URL: GET /role/grant?db={dbName}&user={name}&role={role}

  • Description: grants a role to a specified user for accessing a specific subgraph.

  • Permissions: the root account or users with the WRITEROLE permission can call this endpoint.

  • Request example:

    curl -X GET 'http://{host}:{port}/role/grant?db=my_graph&user=sub_user_01&role=WRITER' \
      -u 'root_user:root_password'
    
  • Parameters:

    Parameter

    Type

    Required

    Description

    db

    String

    Yes

    The name of the target subgraph.

    user

    String

    Yes

    The name of the target user.

    role

    String

    Yes

    The name of the role to grant. Must be in uppercase.

    • READER: read-only data permission. Can only perform read operations on authorized subgraphs.

    • WRITER: read-write data permission. Includes all permissions of READER plus write permission.

  • Response example:

    {
      "status": "200 OK",
      "payload": {
        "result": true
      }
    }
    

Revoke a role

  • Request URL: GET /role/revoke?db={dbName}&user={name}

  • Description: revokes all permissions of a specified user on a specific subgraph.

  • Permissions: the root account or users with the WRITEROLE permission can call this endpoint.

  • Request example:

    curl -X GET 'http://{host}:{port}/role/revoke?db=my_graph&user=sub_user_01' \
      -u 'root_user:root_password'
    
    Note

    You cannot revoke your own ADMIN role.

  • Parameters:

    Parameter

    Type

    Required

    Description

    db

    String

    Yes

    The name of the target subgraph.

    user

    String

    Yes

    The name of the target user.

  • Response example:

    {
      "status": "200 OK",
      "payload": {
        "result": true
      }
    }
    

Query all role assignments

  • Request URL: GET /role/all

  • Description: queries all user-subgraph-role authorization mappings in the current instance for permission auditing.

  • Permissions: only the root account can call this endpoint.

  • Request example:

    curl -X GET 'http://{host}:{port}/role/all' \
      -u 'root_user:root_password'
    
  • Response example:

    {
      "status": "200 OK",
      "payload": [
        {
          "creationTime": 1668133597539,
          "dbName": "my_graph",
          "lastModified": 1668133597539,
          "role": "ADMIN",
          "user": "sub_user_01"
        },
        {
          "creationTime": 1668133583866,
          "dbName": "my_graph_02",
          "lastModified": 1668133583866,
          "role": "ADMIN",
          "user": "sub_user_02"
        },
        {
          "creationTime": 1668133601893,
          "dbName": "my_graph_03",
          "lastModified": 1668133601893,
          "role": "WRITER",
          "user": "sub_user_03"
        }
      ]
    }