Enabling User Authentication

Enabling user authentication on TigerGraph enforces access control, requiring users to identify themselves and ensuring that users can only perform actions allowed by their roles.

When the TigerGraph platform is first installed, user authentication is disabled. The installation process creates a gsql superuser who has the name tigergraph and password tigergraph. As long as this user’s password is tigergraph, GSQL authentication remains disabled.

It is strongly suggested that you at least change the default user password to enable GSQL user authentication. Not enabling GSQL authentication has the potential to give unauthorized users broad control over your database and the underlying system.

Because there are two ways to access the TigerGraph system, either through the GSQL shell or through REST++ requests, there are two steps needed to secure your system with authentication enabled for both points of entry:

Enable GSQL authentication

To enable user authentication for GSQL, change the password of the default user whose username tigergraph to something other than tigergraph.

Procedure

  1. Log in to the GSQL shell as the default user tigergraph. Since authentication is not enabled, entering gsql into the Linux terminal under the TigerGraph Linux user will log you in as user tigergraph automatically.

  2. Run the following command to change the password, and enter the new password as prompted:

    GSQL > ALTER PASSWORD
  3. User authentication has been enabled. Exit the GSQL shell and try to reenter, and confirm that GSQL will now prompt for your password.

    $ gsql
    Password for tigergraph : ********
  4. To log in as a different user, use the -u option when you enter the GSQL shell. You can also supply the password in the same command with the -p option.

    $ gsql -u newuser -p mypassword

Enable RESTPP authentication

To enable RESTPP authentication, set the RESTPP.Factory.EnableAuth parameter to true.

Procedure

  1. As the TigerGraph Linux user, run the following command:

    Enabling REST++ Authentication
    $ gadmin config set RESTPP.Factory.EnableAuth true
  2. Run the following commands to save the configuration and restart system services:

    Enabling REST++ Authentication
    $ gadmin config apply
    $ gadmin restart restpp nginx gui gsql -y

After enabling user authentication, the /requesttoken endpoint becomes available for you to generate tokens used to authenticate your REST requests to the REST++ server.