Built-in User Authentication and Authorization Configuration and Usage in HugeGraph
Overview
To facilitate authentication usage in different user scenarios, HugeGraph currently provides built-in authorization StandardAuthenticator
mode,
which supports multi-user authentication and fine-grained access control. It adopts a 4-layer design based on “User-UserGroup-Operation-Resource” to
flexibly control user roles and permissions (supports multiple GraphServers).
Some key designs of the StandardAuthenticator
mode include:
- During initialization, a super administrator (
admin
) user is created. Subsequently, other users can be created by the super administrator. Once newly created users are assigned sufficient permissions, they can create or manage more users. - It supports dynamic creation of users, user groups, and resources, as well as dynamic allocation or revocation of permissions.
- Users can belong to one or multiple user groups. Each user group can have permissions to operate on any number of resources. The types of operations include read, write, delete, execute, and others.
- “Resource” describes the data in the graph database, such as vertices that meet certain criteria. Each resource consists of three elements:
type
,label
, andproperties
. There are 18 types in total, with the ability to combine any label and properties. The internal condition of a resource is an AND relationship, while the condition between multiple resources is an OR relationship.
Here is an example to illustrate:
Configure User Authentication
By default, HugeGraph does not enable user authentication, and it needs to be enabled by modifying the configuration file (Note: If used in a production environment or over the internet, please use a Java11 version and enable auth-system to avoid security risks.)
You need to modify the configuration file to enable this feature. HugeGraph provides built-in authentication mode: StandardAuthenticator
. This mode supports multi-user authentication and fine-grained permission control. Additionally, developers can implement their own HugeAuthenticator
interface to integrate with their existing authentication systems.
HugeGraph authentication modes adopt HTTP Basic Authentication. In simple terms, when sending an HTTP request, you need to set the Authentication
header to Basic
and provide the corresponding username and password. The corresponding HTTP plaintext format is as follows:
Warning: Versions of HugeGraph-Server prior to 1.5.0 have a JWT-related security vulnerability in the Auth mode.
Users are advised to update to a newer version or manually set the JWT token’s secretKey. It can be set in the rest-server.properties
file by setting the auth.token_secret
information:
You can also generate it with the following command:
StandardAuthenticator Mode
The StandardAuthenticator
mode supports user authentication and permission control by storing user information in the database backend. This
implementation authenticates users based on their names and passwords (encrypted) stored in the database and controls user permissions based on their
roles. Below is the specific configuration process (requires service restart):
Configure the authenticator
and its rest-server
file path in the gremlin-server.yaml
configuration file:
Configure the authenticator
and graph_store
information in the rest-server.properties
configuration file:
In the above configuration, the graph_store
option specifies which graph to use for storing user information. If there are multiple graphs, you can choose any of them.
In the hugegraph{n}.properties
configuration file, configure the gremlin.graph
information:
For detailed API calls and explanations regarding permissions, please refer to the Authentication-API documentation.
Custom User Authentication System
If you need to support a more flexible user system, you can customize the authenticator for extension.
Simply implement the org.apache.hugegraph.auth.HugeAuthenticator
interface with your custom authenticator,
and then modify the authenticator
configuration item in the configuration file to point to your implementation.
Switching authentication mode
After the authentication configuration completed, enter the admin password on the command line when executing init store.sh
for the first time. (For non-Docker mode)
If deployed based on Docker image or if HugeGraph has already been initialized and needs to be converted to authentication mode, relevant graph data needs to be deleted and HugeGraph needs to be restarted. If there is already business data in the diagram, it is temporarily not possible to directly convert the authentication mode (version<=1.2.0)
Improvements for this feature have been included in the latest release (available in the latest docker image), please refer to PR 2411. Seamless switching is now available.
Use docker to enable authentication mode
For versions of the hugegraph/hugegraph image equal to or greater than 1.2.0, you can enable authentication mode while starting the Docker image.
The steps are as follows:
1. Use docker run
To enable authentication mode, add the environment variable PASSWORD=123456
(you can freely set the password) in the docker run
command:
2. Use docker-compose
Use docker-compose
and set the environment variable PASSWORD=123456
:
3. Enter the container to enable authentication mode
Enter the container first:
Then follow Switching authentication mode