Updated on 2022-08-09 GMT+08:00

Authorization

Function

GES graph instances support granular permission control. The granularity is refined to the traverse, read, and write permissions set for specific properties of specific labels. The following table describes the GES granular permission control data model. This API is used to grant permissions to a user.

Access

Operation

Object

Graph Instance

Application Scope

Scenario

Grant/Revoke

traverse

LABEL (* indicates all labels.)

Single

-

Vertex: External IDs and label names of vertices can be accessed.

Edge: Two vertices have the traverse permission to access the edge ID and label name.

Grant/Revoke

read

PROPERTY (Separate multiple values with commas (,).

Single

Label Name (* indicates all labels)

The traverse permission is required.

Grant/Revoke

write

PROPERTY (Separate multiple values with commas (,).

Single

Label Name (* indicates all labels)

The traverse permission is required.

Grant/Revoke

schema

GRAPH

Single

graph

Metadata management (modifying property names, clearing schemas, and importing schemas)

  • The granular permission control APIs are available only when RBAC is enabled for the created graph instance. For details, see the Creating a Graph. You need to add the enableRBAC parameter and set it to true when you call the graph creation API.
  • To authorize granular permission, you must be a . To call the granular permission APIs, the token obtained for accessing a domain is required..
  • Users with the traverse permission can view all vertices and edges with the same label, but cannot view the properties of these vertices and edges.

URI

  • URI format
    POST /ges/v1.0/{project_id}/graphs/{graph_name}/rbac/action?action_id=grant
  • Parameter description
    Table 1 URI parameter description

    Parameter

    Mandatory

    Type

    Description

    project_id

    Yes

    String

    Project ID, which is used for resource isolation. For details, see Obtaining a Project ID.

    graph_name

    Yes

    String

    Graph name

Request

  • Request example
    POST http://{SERVER_URL}/ges/v1.0/{project_id}/graphs/{graph_name}/rbac/action?action_id=grant
    {
    
    	"userId": "test1",
    	"acl": [{
    		"type": "read",
    		"detail": [{
    			"label": "person",
    			"properties": ["crime", "Occupation"]
    		}, {
    			"label": "inmate"
    		}]
    	}, {
    		"type": "write",
    		"detail": [{
    			"label": "person",
    			"properties": ["crime", "Occupation"]
    		}, {
    			"label": "inmate"
    		}, {
    			"label": "Leader"
    		}, {
    			"label": "Friend"
    		}, {
    			"label": "Colleague"
    		}, {
    			"label": "QQGroup"
    		}, {
    			"label": "QQ_owner"
    		}, {
    			"label": "QQ"
    		}, {
    			"label": "phone"
    		}, {
    			"label": "Phone_owner"
    		}]
    	}, {
    		"type": "traverse",
    		"detail": [{
    			"label": "person"
    		}, {
    			"label": "inmate"
    		}, {
    			"label": "Leader"
    		}, {
    			"label": "Friend"
    		}, {
    			"label": "Colleague"
    		}]
    	}]
    }

    SERVER_URL: Address for accessing a graph. For details about its value, see Constraints of Using Service Plane APIs.

  • Request body parameter description
    Table 2 Request body parameter description

    Parameter

    Mandatory

    Type

    Description

    graph_name

    Yes

    String

    Graph name

    userId

    Yes

    String

    Grantee

    acl

    Yes

    JsonArray

    Authorization details

    type

    Yes

    String

    Permission type. The value can be read, write, traverse, or schema.

    detail

    Yes

    JsonArray

    Permission details

    label

    Yes

    String

    Label name

    properties

    No

    List

    Properties

Response

  • Parameter description
    Table 3 Parameter description

    Parameter

    Mandatory

    Type

    Description

    errorMessage

    No

    String

    System prompt. If execution succeeds, this parameter may be left blank. If execution fails, this parameter is used to display the error message.

    errorCode

    No

    String

    System prompt. If execution succeeds, this parameter may be left blank. If execution fails, this parameter is used to display the error code.

  • Response example (successful request)
    Http Status Code: 200
  • Response example (failed request)
    Http Status Code: 400
    {
        "errorMessage": "grant acl is null",
        "errorCode": "GES.8503"
    }

Response Code

  • Normal

    200

  • Abnormal
    Table 4 Return code for failed requests

    Response Code

    Description

    400 Bad Request

    Request error.

    401 Unauthorized

    Authentication failed.

    403 Forbidden

    No operation permission.

    404 Not Found

    The requested resource was not found.

    500 Internal Server Error

    Internal service error.

    503 Service Unavailable

    Service unavailable.