JanusGraph authentication - restricted privileges

Hi All, we secured our JanusGraph with SaslAuthenticationHandler as desribed in the docs (https://docs.janusgraph.org/operations/server/#advanced-janusgraph-server-configurations). The defined user now can be used to read/write data in the graph database as well as for managing the schema. Is there a way to create a user that can only perform read/write on the graph but cannot change the schema? Thank you for any pointer on this.
Solution:
As "hadoopmarc" also answered on janusgraph-users list recently, the main pointers are: 1. authorization section of the Apache TinkerPop documentation (https://tinkerpop.apache.org/docs/current/reference/#authorization) 2. a sample file in the Gremlin server source code (https://github.com/apache/tinkerpop/blob/master/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/authz/AllowListAuthorizer.java) For reference, I thought it might be useful for others to share some snippets how I made authorization work with JanusGraph 1.0.0. The main purpose of authorization was to restrict users to access the JanusGraph Management System (e.g. open a graph and make schema changes on it)...
Jump to solution
2 Replies
Solution
pm_osc
pm_osc8mo ago
As "hadoopmarc" also answered on janusgraph-users list recently, the main pointers are: 1. authorization section of the Apache TinkerPop documentation (https://tinkerpop.apache.org/docs/current/reference/#authorization) 2. a sample file in the Gremlin server source code (https://github.com/apache/tinkerpop/blob/master/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/authz/AllowListAuthorizer.java) For reference, I thought it might be useful for others to share some snippets how I made authorization work with JanusGraph 1.0.0. The main purpose of authorization was to restrict users to access the JanusGraph Management System (e.g. open a graph and make schema changes on it) For implementing a meaningful authorization, first we need authentication. This requires a credentials graph, that can be defined with the below credentials.properties file (for cassandra backend) stored in conf folder: ------ gremlin.graph = org.janusgraph.core.JanusGraphFactory graph.graphname = credentials storage.backend = cql storage.hostname = cassandra storage.cql.keyspace = credentials ------ In the janusgraph-server.yaml, this is the way to configure authentication: ------ authentication: config: defaultUsername: jg_admin defaultPassword: pw1 credentialsDb: conf/credentials.properties authenticator: org.janusgraph.graphdb.tinkerpop.gremlin.server.auth.JanusGraphSimpleAuthenticator authenticationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthenticationHandler ------ Keep reading as the authorization part comes in the next message...
pm_osc
pm_oscOP8mo ago
In the janusgraph-server.yaml, this is the way to configure authorization: ------ authorization: authorizer: my.package.JanusGraphAuthorizer config: admins: jg_admin # for specifying multiple admins, list can be used # admins: # - jg_admin1 # - jg_admin2 ------ Find enclosed the Java source code for "my.package.JanusGraphAuthorizer". The logic is very simple, if the Gremlin query contains "JanusGraphFactory" or "ConfiguredGraphFactory" or "openManagement" keywords, the query can be executed only by users configured as admin user. This logic was packaged into a JAR and the JAR was added to the lib folder of JanusGraph. It is probably also useful to mention here how to add new users to JanusGraph (to the credentials graph): 1. open Gremlin console and connect to JanusGraph 2. for creating a jg_user user, execute: JanusGraphFactory.open("conf/credentials.properties").traversal(org.apache.tinkerpop.gremlin.groovy.jsr223.dsl.credential.CredentialTraversalSource.class).user("jg_user", "pw2") I hope the above helps others in case they want to secure their JanusGraph.
Want results from more Discord servers?
Add your server