Authorization
Function
GES graph instances support granular permission control. Permissions are defined at the granularity of the traverse, read, and write permissions on specific properties of specific labels, plus a schema permission on the graph as a whole. The following table describes the GES granular permission control data model. This API grants such permissions to a user.
Access | Operation | Object | Graph Instance | Application Scope | Scenario
Grant/Revoke | traverse | LABEL (* indicates all labels) | Single | - | Vertex: the external IDs and label names of vertices can be accessed. Edge: the edge ID and label name can be accessed when both endpoint vertices have the traverse permission.
Grant/Revoke | read | PROPERTY (separate multiple values with commas) | Single | Label name (* indicates all labels) | The traverse permission on the label is required.
Grant/Revoke | write | PROPERTY (separate multiple values with commas) | Single | Label name (* indicates all labels) | The traverse permission on the label is required.
Grant/Revoke | schema | GRAPH | Single | graph | Metadata management (modifying property names, clearing schemas, and importing schemas)
- The granular permission control APIs are available only when RBAC is enabled for the graph instance. Set the enableRBAC parameter to true when you call the graph creation API; for details, see Creating a Graph.
- To grant granular permissions, you must be a . To call the granular permission APIs, the token obtained for accessing a domain is required.
- Users with only the traverse permission on a label can view all vertices and edges with that label but cannot view the properties of those vertices and edges. Read and write permissions on properties are granted separately, and both require the traverse permission on the label.
URI
- URI format
POST /ges/v1.0/{project_id}/graphs/{graph_name}/rbac/action?action_id=grant
- Parameter description
Table 1 URI parameter description
Parameter | Mandatory | Type | Description
project_id | Yes | String | Project ID, which is used for resource isolation. For details, see Obtaining a Project ID.
graph_name | Yes | String | Graph name
Request
- Request example
POST http://{SERVER_URL}/ges/v1.0/{project_id}/graphs/{graph_name}/rbac/action?action_id=grant
{
  "userId": "test1",
  "acl": [
    {
      "type": "read",
      "detail": [
        { "label": "person", "properties": ["crime", "Occupation"] },
        { "label": "inmate" }
      ]
    },
    {
      "type": "write",
      "detail": [
        { "label": "person", "properties": ["crime", "Occupation"] },
        { "label": "inmate" },
        { "label": "Leader" },
        { "label": "Friend" },
        { "label": "Colleague" },
        { "label": "QQGroup" },
        { "label": "QQ_owner" },
        { "label": "QQ" },
        { "label": "phone" },
        { "label": "Phone_owner" }
      ]
    },
    {
      "type": "traverse",
      "detail": [
        { "label": "person" },
        { "label": "inmate" },
        { "label": "Leader" },
        { "label": "Friend" },
        { "label": "Colleague" }
      ]
    }
  ]
}
SERVER_URL: Address for accessing a graph. For details about its value, see Constraints of Using Service Plane APIs.
- Request body parameter description
Table 2 Request body parameter description
Parameter | Mandatory | Type | Description
graph_name | Yes | String | Graph name (carried in the URI path; see Table 1)
userId | Yes | String | Grantee (the user to which the permissions are granted)
acl | Yes | JsonArray | Authorization details, one element per permission type
type | Yes | String | Permission type. The value can be read, write, traverse, or schema.
detail | Yes | JsonArray | Permission details: the labels (and, for read and write, the properties) covered by this permission type
label | Yes | String | Label name (* indicates all labels)
properties | No | List | Property names to which the permission applies (read and write only)
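The following is an added example, not GES SDK or documentation code, that builds the grant request described in Table 2, checks the acl against the permission model from the table above (read and write need traverse on the same label, traverse and schema carry no properties, * covers all labels), and parses the errorCode/errorMessage reply. Two assumptions are not stated on this page: the token is sent in an X-Auth-Token header (the usual Huawei Cloud convention), and a read or write entry whose label has no traverse entry in the same request is reported as a warning rather than rejected, since the page says traverse is required but not whether it may have been granted by an earlier call. The sample acl is copied from the request example above.

```python
"""Build, sanity-check, and send a GES granular-permission grant request.

Added example, not GES SDK code. Assumptions: X-Auth-Token header name;
missing-traverse findings are warnings, not hard errors.
"""
import json
import urllib.error
import urllib.request

VALID_TYPES = {"read", "write", "traverse", "schema"}  # from Table 2

# The acl from the request example on this page, used as sample input.
PAGE_EXAMPLE_ACL = [
    {"type": "read", "detail": [
        {"label": "person", "properties": ["crime", "Occupation"]},
        {"label": "inmate"}]},
    {"type": "write", "detail": [
        {"label": "person", "properties": ["crime", "Occupation"]},
        {"label": "inmate"}, {"label": "Leader"}, {"label": "Friend"},
        {"label": "Colleague"}, {"label": "QQGroup"}, {"label": "QQ_owner"},
        {"label": "QQ"}, {"label": "phone"}, {"label": "Phone_owner"}]},
    {"type": "traverse", "detail": [
        {"label": "person"}, {"label": "inmate"}, {"label": "Leader"},
        {"label": "Friend"}, {"label": "Colleague"}]},
]


def build_grant_request(server_url, project_id, graph_name, user_id, acl, token):
    """Return (url, headers, body) for POST .../rbac/action?action_id=grant."""
    url = (f"{server_url}/ges/v1.0/{project_id}/graphs/{graph_name}"
           "/rbac/action?action_id=grant")
    headers = {"Content-Type": "application/json",
               "X-Auth-Token": token}  # header name is an assumption
    body = json.dumps({"userId": user_id, "acl": acl})
    return url, headers, body


def check_acl(acl):
    """Return warnings for entries that do not fit the permission table."""
    warnings = []
    traversable = set()
    for entry in acl:
        if entry.get("type") == "traverse":
            traversable.update(d.get("label") for d in entry.get("detail", []))
    all_traversable = "*" in traversable  # '*' in a traverse entry covers all labels

    for entry in acl:
        ptype = entry.get("type")
        if ptype not in VALID_TYPES:
            warnings.append(f"unknown permission type {ptype!r}")
            continue
        for d in entry.get("detail", []):
            label = d.get("label")
            if not label:
                warnings.append(f"{ptype}: detail entry without a label")
                continue
            if ptype in ("read", "write"):
                # read/write are PROPERTY permissions and need traverse on the label
                if not all_traversable and label not in traversable:
                    warnings.append(
                        f"{ptype} on label {label!r} has no traverse grant in this request")
            elif "properties" in d:
                # traverse object is LABEL, schema object is GRAPH: no properties
                warnings.append(
                    f"{ptype} on label {label!r}: properties do not apply to this type")
    return warnings


def parse_grant_response(status_code, body_text):
    """Return (ok, errorCode, errorMessage); a 200 carries no error fields."""
    if status_code == 200:
        return True, None, None
    try:
        body = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        body = {}
    return False, body.get("errorCode"), body.get("errorMessage")


def grant(server_url, project_id, graph_name, user_id, acl, token, strict=True):
    """Check the acl, send it, and return parse_grant_response() of the reply."""
    problems = check_acl(acl)
    if problems and strict:
        raise ValueError("; ".join(problems))
    url, headers, body = build_grant_request(
        server_url, project_id, graph_name, user_id, acl, token)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_grant_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # 4xx/5xx body holds errorCode/errorMessage
        return parse_grant_response(e.code, e.read().decode())
```

Run against the page's own example, check_acl reports five write entries (QQGroup, QQ_owner, QQ, phone, Phone_owner) that have no traverse grant in the same request; if those labels were not made traversable earlier, the write permission on them cannot be used. Call grant() with strict=False to send such an acl anyway.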
Response
- Parameter description
Table 3 Response parameter description
Parameter | Mandatory | Type | Description
errorMessage | No | String | System prompt. Left blank if execution succeeds; carries the error message if execution fails.
errorCode | No | String | System prompt. Left blank if execution succeeds; carries the error code if execution fails.
- Response example (successful request)
Http Status Code: 200
- Response example (failed request)
Http Status Code: 400
{
  "errorMessage": "grant acl is null",
  "errorCode": "GES.8503"
}
Response Code
- Normal: 200
- Abnormal
Table 4 Return code for failed requests
Response Code | Description
400 Bad Request | Request error.
401 Unauthorized | Authentication failed.
403 Forbidden | No operation permission.
404 Not Found | The requested resource was not found.
500 Internal Server Error | Internal service error.
503 Service Unavailable | Service unavailable.