User Credentials
When user authentication is enabled, the TigerGraph system will execute a requested operation only if the requester provides credentials for a user who has the privilege to perform the requested operation.
The TigerGraph platform offers three options for credentials:
-
A username-password pair used to log in to GSQL and make HTTP requests.
-
An ACL password used to run commands to alter the ACL privileges of a query.
-
A token - a unique 32-character string with an expiration date, used for REST++ requests. See the full API Authentication documentation for details.
The following set of commands are used to create and manage passwords and secrets.
ALTER PASSWORD [user1]
CREATE SECRET [alias1]
SHOW SECRET
DROP SECRET <secret1>
Like any other GSQL commands, the user must supply credentials to run these commands. In order to create a secret, the user must supply their password. |
Passwords
Users can change their own password with the ALTER PASSWORD
command. If the user has the WRITE_USER
privilege, they can change the password of another user.
ALTER PASSWORD [<user1>]
If a username is not provided, the command changes the password of the current user. To change the password of another user, specify the username of the user whose password you wish to change:
<user1>:GSQL > ALTER PASSWORD
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.
tigergraph:GSQL > ALTER PASSWORD <user1>
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.
ACL passwords
Users have the option of setting an ACL password. When a user has an ACL password, operations that modify ACL privileges of queries owned by the user requires the ACL password. These operations include:
-
Changing the owner of a query
-
Modifying the ACL privileges on a query
Secrets
Secrets are unique strings that serve as a user’s credentials in certain circumstances. A user can have multiple secret strings. Each secret is associated with one user and their role for one graph. If the role is revoked, the secret also becomes invalid.
Create a secret
CREATE SECRET [<alias>]
Use the CREATE SECRET
command to generate a secret for the current user and graph. It is optional to provide an alias for the secret.
The system will generate a random alias for the secret if the user does not provide an alias for that secret.
Randomly generated aliases begin with AUTO_GENERATED_ALIAS_
and include a random 7-character string.
List secrets
SHOW SECRET
Use SHOW SECRET
to list all secrets of the current user. The secrets will be masked and only the first and last three characters of the secrets will be shown. The alias of the secret and the graph that the secret is associated with will also be listed:
GSQL > SHOW SECRET
- Secret: s7s****3k5
- Alias: HH
- GraphName: Hogwarts
- Secret: 75j****9i2
- Alias: LL
- GraphName: London
Drop a secret
DROP SECRET <secret>
Use the DROP SECRET
command to drop a secret. Since a user can have multiple secrets, the secret to drop must be specified in the command.
You can specify a secret either by the secret string itself or by its alias.
If you drop a secret, the tokens associated with the secret also become invalid.