When user authentication is enabled, the TigerGraph system will execute a requested operation only if the requester provides credentials for a user who has the privilege to perform the requested operation.
The TigerGraph system offers two options for credentials.
Username and password pair.
API token: A unique 32-character string that can be used for REST++ requests. A token expires 1 month from the date of creation by default. Users can use their secrets or their username and password pair to generate a token.
The following set of commands are used to create and manage passwords and secrets.
ALTER PASSWORD [user1] CREATE SECRET [alias1] SHOW SECRET DROP SECRET <secret1>
Like any other GSQL commands, the user must supply credentials to run these commands. In order to create a secret, the user must supply their password.
Users can change their own password with the
ALTER PASSWORD command. If the user has the
WRITE_USER privilege, they can change the password of another user.
ALTER PASSWORD [<user1>]
If a username is not provided, the command changes the password of the current user. To change the password of another user, specify the username of the user whose password you wish to change:
herminone:GSQL > ALTER PASSWORD Password: ******* New Password : ************ Re-enter Password : ************ Password has been changed.
tigergraph:GSQL > ALTER PASSWORD hermione Password: ******* New Password : ************ Re-enter Password : ************ Password has been changed.
Users have the option of setting an ACL password. When a user has an ACL password, operations that modify ACL privileges of queries owned by the user requires the ACL password. These operations include:
Changing the owner of a query
Modifying the ACL privileges on a query
Secrets are unique strings that serve as a user’s credentials in certain circumstances. A user can have multiple secret strings. Each secret is associated with one user and their role for one graph. If the role is revoked, the secret also becomes invalid.
CREATE SECRET [<alias>]
CREATE SECRET command to generate a secret for the current user and graph. It is optional to provide an alias for the secret.
Beginning with TigerGraph 3.1.4, the system will generate a random alias for the secret if the user does not provide an alias for that secret. Randomly generated aliases begin with
AUTO_GENERATED_ALIAS_ and include a random 7-character string.
SHOW SECRET to list all secrets of the current user. The secrets will be masked and only the first and last three characters of the secrets will be shown. The alias of the secret and the graph that the secret is associated with will also be listed:
GSQL > SHOW SECRET - Secret: s7s****3k5 - Alias: HH - GraphName: Hogwarts - Secret: 75j****9i2 - Alias: LL - GraphName: London
DROP SECRET <secret>
DROP SECRET command to drop a secret. Since a user can have multiple secrets, the secret to drop must be specified in the command.
You can specify a secret either by the secret string itself or by its alias.
If you drop a secret, the tokens associated with the secret also become invalid.