Managing Credentials
When user authentication is enabled, the TigerGraph system will execute a requested operation only if the requester provides credentials for a user who has the privilege to perform the requested operation.
The TigerGraph system offers two options for credentials.
-
Username and password pair.
-
API token: A unique 32-character string that can be used for REST++ requests. A token expires 1 month from the date of creation by default. Users can use their secrets or their username and password pair to generate a token.
The following set of commands are used to create and manage passwords and secrets.
ALTER PASSWORD [user1]
CREATE SECRET [alias1]
SHOW SECRET
DROP SECRET <secret1>
Like any other GSQL commands, the user must supply credentials to run these commands. In order to create a secret, the user must supply their password. |
Passwords
Users can change their own passwords with the ALTER PASSWORD
command. If the user has the WRITE_USER
privilege, they can change the password of another user.
ALTER PASSWORD [<user1>]
If a username is not provided, the command changes the password of the current user. To change the password of another user, specify the username of the user whose password you wish to change:
herminone:GSQL > ALTER PASSWORD
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.
tigergraph:GSQL > ALTER PASSWORD hermione
Password: *******
New Password : ************
Re-enter Password : ************
Password has been changed.
Secrets
Secrets are unique strings that serve as a user’s credentials in certain circumstances. A user can have multiple secret strings. Each secret is associated with one user and their role for one graph. If the role is revoked, the secret also becomes invalid.
Create a secret
CREATE SECRET [<alias>]
Use the CREATE SECRET
command to generate a secret for the current user and graph. It is optional to provide an alias for the secret.
Beginning with TigerGraph 3.1.4, the system will generate a random alias for the secret if the user does not provide an alias for that secret. Randomly generated aliases begin with AUTO_GENERATED_ALIAS_
and include a random 7-character string.
List secrets
SHOW SECRET
Use SHOW SECRET
to list all secrets of the current user. The secrets will be masked and only the first and last three characters of the secrets will be shown. The alias of the secret and the graph that the secret is associated with will also be listed:
GSQL > SHOW SECRET
- Secret: s7s****3k5
- Alias: HH
- GraphName: Hogwarts
- Secret: 75j****9i2
- Alias: LL
- GraphName: London
Drop a secret
DROP SECRET <secret>
Use the DROP SECRET
command to drop a secret. Since a user can have multiple secrets, the secret to drop must be specified in the command.
You can specify a secret either by the secret string itself or by its alias.
If you drop a secret, the tokens associated with the secret also become invalid.