User Credentials

When user authentication is enabled, the TigerGraph system will execute a requested operation only if the requester provides credentials for a user who has the privilege to perform the requested operation.

The TigerGraph platform offers three options for credentials:

  • A username-password pair used to log in to GSQL and make HTTP requests.

  • An ACL password used to run commands to alter the ACL privileges of a query.

  • A token - a unique 32-character string with an expiration date, used for REST++ requests. See the full API Authentication documentation for details.

The following set of commands are used to create and manage passwords and secrets.

GSQL Commands for Managing Credentials
ALTER PASSWORD [user1]
CREATE SECRET [alias1]
SHOW SECRET
DROP SECRET <secret1>

Like any other GSQL commands, the user must supply credentials to run these commands. In order to create a secret, the user must supply their password.

Passwords

Users can change their own password with the ALTER PASSWORD command. If the user has the WRITE_USER privilege, they can change the password of another user.

ALTER PASSWORD [<user1>]

If a username is not provided, the command changes the password of the current user. To change the password of another user, specify the username of the user whose password you wish to change:

Example: User changing his/her own password
<user1>:GSQL > ALTER PASSWORD
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.
Example: Admin changing another user’s password
tigergraph:GSQL > ALTER PASSWORD <user1>
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.

ACL passwords

Users have the option of setting an ACL password. When a user has an ACL password, operations that modify ACL privileges of queries owned by the user requires the ACL password. These operations include:

  • Changing the owner of a query

  • Modifying the ACL privileges on a query

Secrets

Secrets are unique strings that serve as a user’s credentials in certain circumstances. A user can have multiple secret strings. Each secret is associated with one user and their role for one graph. If the role is revoked, the secret also becomes invalid.

Create a secret

CREATE SECRET [<alias>]

Use the CREATE SECRET command to generate a secret for the current user and graph. It is optional to provide an alias for the secret.

The system will generate a random alias for the secret if the user does not provide an alias for that secret. Randomly generated aliases begin with AUTO_GENERATED_ALIAS_ and include a random 7-character string.

Required privilege

At least one of the database access privileges on the given graph: READ_DATA, CREATE_DATA, UPDATE_DATA, DELETE_DATA or EXECUTE_LOADINGJOB. The built-in queryreader role satisfies this requirement.

List secrets

SHOW SECRET

Use SHOW SECRET to list all secrets of the current user. The secrets will be masked and only the first and last three characters of the secrets will be shown. The alias of the secret and the graph that the secret is associated with will also be listed:

GSQL > SHOW SECRET
    - Secret: s7s****3k5
      - Alias: HH
      - GraphName: Hogwarts
    - Secret: 75j****9i2
      - Alias: LL
      - GraphName: London

Drop a secret

DROP SECRET <secret>

Use the DROP SECRET command to drop a secret. Since a user can have multiple secrets, the secret to drop must be specified in the command. You can specify a secret either by the secret string itself or by its alias. If you drop a secret, the tokens associated with the secret also become invalid.