JanusGraph authentication - restricted privileges
Hi All, we secured our JanusGraph with SaslAuthenticationHandler as desribed in the docs (https://docs.janusgraph.org/operations/server/#advanced-janusgraph-server-configurations).
The defined user now can be used to read/write data in the graph database as well as for managing the schema.
Is there a way to create a user that can only perform read/write on the graph but cannot change the schema? Thank you for any pointer on this.
Solution:Jump to solution
As "hadoopmarc" also answered on janusgraph-users list recently, the main pointers are:
1. authorization section of the Apache TinkerPop documentation (https://tinkerpop.apache.org/docs/current/reference/#authorization)
2. a sample file in the Gremlin server source code (https://github.com/apache/tinkerpop/blob/master/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/authz/AllowListAuthorizer.java)
For reference, I thought it might be useful for others to share some snippets how I made authorization work with JanusGraph 1.0.0. The main purpose of authorization was to restrict users to access the JanusGraph Management System (e.g. open a graph and make schema changes on it)...
2 Replies
Solution
As "hadoopmarc" also answered on janusgraph-users list recently, the main pointers are:
1. authorization section of the Apache TinkerPop documentation (https://tinkerpop.apache.org/docs/current/reference/#authorization)
2. a sample file in the Gremlin server source code (https://github.com/apache/tinkerpop/blob/master/gremlin-server/src/test/java/org/apache/tinkerpop/gremlin/server/authz/AllowListAuthorizer.java)
For reference, I thought it might be useful for others to share some snippets how I made authorization work with JanusGraph 1.0.0. The main purpose of authorization was to restrict users to access the JanusGraph Management System (e.g. open a graph and make schema changes on it)
For implementing a meaningful authorization, first we need authentication. This requires a credentials graph, that can be defined with the below credentials.properties file (for cassandra backend) stored in conf folder:
------
gremlin.graph = org.janusgraph.core.JanusGraphFactory
graph.graphname = credentials
storage.backend = cql
storage.hostname = cassandra
storage.cql.keyspace = credentials
------
In the janusgraph-server.yaml, this is the way to configure authentication:
------
authentication:
config:
defaultUsername: jg_admin
defaultPassword: pw1
credentialsDb: conf/credentials.properties
authenticator: org.janusgraph.graphdb.tinkerpop.gremlin.server.auth.JanusGraphSimpleAuthenticator
authenticationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthenticationHandler
------
Keep reading as the authorization part comes in the next message...
In the janusgraph-server.yaml, this is the way to configure authorization:
------
authorization:
authorizer: my.package.JanusGraphAuthorizer
config:
admins: jg_admin
# for specifying multiple admins, list can be used
# admins:
# - jg_admin1
# - jg_admin2
------
Find enclosed the Java source code for "my.package.JanusGraphAuthorizer". The logic is very simple, if the Gremlin query contains "JanusGraphFactory" or "ConfiguredGraphFactory" or "openManagement" keywords, the query can be executed only by users configured as admin user. This logic was packaged into a JAR and the JAR was added to the lib folder of JanusGraph.
It is probably also useful to mention here how to add new users to JanusGraph (to the credentials graph):
1. open Gremlin console and connect to JanusGraph
2. for creating a jg_user user, execute: JanusGraphFactory.open("conf/credentials.properties").traversal(org.apache.tinkerpop.gremlin.groovy.jsr223.dsl.credential.CredentialTraversalSource.class).user("jg_user", "pw2")
I hope the above helps others in case they want to secure their JanusGraph.