Skip to content

Commit 0b45d97

Browse files
andrejtonevas51340matea16
authored
fix: Better explanation of the interaction between users/roles and multi-tenancy (#1516)
* fix: HA reference architectures link (#1513) * better user/role explanation * multi-role <-> multi-tenant fixes --------- Co-authored-by: Andi Skrgat <andi8647@gmail.com> Co-authored-by: Matea Pesic <80577904+matea16@users.noreply.github.com>
1 parent f4b3092 commit 0b45d97

2 files changed

Lines changed: 53 additions & 25 deletions

File tree

pages/database-management/authentication-and-authorization/multiple-roles.mdx

Lines changed: 14 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -336,20 +336,22 @@ The special logic ensures that when accessing a specific database, only roles
336336
assigned to that database are considered:
337337

338338
```cypher
339-
-- Role with access to multiple databases
340-
CREATE ROLE multi_db_role;
341-
GRANT DATABASE db1 TO multi_db_role;
342-
GRANT DATABASE db2 TO multi_db_role;
343-
GRANT MATCH, CREATE ON db1 TO multi_db_role;
344-
GRANT MATCH ON db2 TO multi_db_role;
345-
346-
-- User with this role
339+
-- Create roles with different permissions
340+
CREATE ROLE read_write_role;
341+
GRANT MATCH, CREATE TO read_write_role;
342+
GRANT DATABASE db1 TO read_write_role;
343+
344+
CREATE ROLE read_only_role;
345+
GRANT MATCH TO read_only_role;
346+
GRANT DATABASE db2 TO read_only_role;
347+
348+
-- User with different roles on different databases
347349
CREATE USER user1 IDENTIFIED BY 'password';
348-
SET ROLE multi_db_role FOR user1 ON db1;
349-
SET ROLE multi_db_role FOR user1 ON db2;
350+
SET ROLE read_write_role FOR user1 ON db1;
351+
SET ROLE read_only_role FOR user1 ON db2;
350352
351-
-- When accessing db1: has MATCH, CREATE
352-
-- When accessing db2: has only MATCH
353+
-- When accessing db1: has MATCH, CREATE (from read_write_role)
354+
-- When accessing db2: has only MATCH (from read_only_role)
353355
```
354356

355357
## Best practices for multi-tenant environments

pages/database-management/multi-tenancy.mdx

Lines changed: 39 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -16,11 +16,13 @@ In the current version, all isolated databases share the underlying resources so
1616
there is no provision to restrict CPU or RAM usage for a specific database.
1717
Instead, global limitations are imposed on Memgraph as a whole.
1818

19-
## Default database
19+
## Default (memgraph) database
2020

21-
A default database named `memgraph` is automatically created during startup. New
22-
users are granted access only to this default database. The default
23-
database name cannot be altered.
21+
A default database named `memgraph` is automatically created during startup.
22+
When you create a user or role, they have access to the default database
23+
(memgraph) by default. The default database name cannot be altered.
24+
25+
To remove this default access, you should use `REVOKE DATABASE memgraph FROM role_name;`. Using `REVOKE` removes the default grant but allows the role to potentially receive access through other means (e.g., if combined with another role that has access). Using `DENY` would explicitly forbid access regardless of other roles.
2426

2527
### Default database best practices
2628

@@ -41,8 +43,8 @@ access to other databases but not the default one.
4143

4244
#### Recommended setup
4345

44-
1. **Restrict memgraph database access**: Only grant access to the "memgraph"
45-
database to privileged users who need to perform system administration tasks
46+
1. **Restrict memgraph database access**: Treat the "memgraph" database as a
47+
system database and allow only administrators to have access to it
4648
2. **Use tenant-specific databases**: Store all application data in dedicated
4749
tenant databases
4850
3. **Separate concerns**: Keep user management, role management, system
@@ -59,9 +61,13 @@ GRANT DATABASE memgraph TO system_admin;
5961
6062
-- Create tenant-specific roles (no access to memgraph database)
6163
CREATE ROLE tenant1_admin;
64+
REVOKE DATABASE memgraph FROM tenant1_admin;
6265
CREATE ROLE tenant1_user;
66+
REVOKE DATABASE memgraph FROM tenant1_user;
6367
CREATE ROLE tenant2_admin;
68+
REVOKE DATABASE memgraph FROM tenant2_admin;
6469
CREATE ROLE tenant2_user;
70+
REVOKE DATABASE memgraph FROM tenant2_user;
6571
6672
-- Grant appropriate permissions to tenant roles
6773
GRANT MATCH, CREATE, MERGE, SET, DELETE, INDEX TO tenant1_admin;
@@ -78,8 +84,10 @@ GRANT CREATE, READ, UPDATE, DELETE ON NODES CONTAINING LABELS * TO tenant2_user;
7884
GRANT CREATE, READ, UPDATE, DELETE ON EDGES CONTAINING TYPES * TO tenant2_user;
7985
8086
-- Grant access only to tenant databases
81-
GRANT DATABASE tenant1_db TO tenant1_admin, tenant1_user;
82-
GRANT DATABASE tenant2_db TO tenant2_admin, tenant2_user;
87+
GRANT DATABASE tenant1_db TO tenant1_admin;
88+
GRANT DATABASE tenant1_db TO tenant1_user;
89+
GRANT DATABASE tenant2_db TO tenant2_admin;
90+
GRANT DATABASE tenant2_db TO tenant2_user;
8391
8492
-- Create users
8593
CREATE USER system_admin_user IDENTIFIED BY 'admin_password';
@@ -144,14 +152,32 @@ Users interact with multi-tenant features through specialized Cypher queries:
144152
5. `SHOW DATABASES`: Shows only the existing set of multitenant databases.
145153
6. `USE DATABASE name`: Switches focus to a specific database (disabled during
146154
transactions).
147-
7. `GRANT DATABASE name TO user`: Grants a user access to a specified database.
148-
8. `DENY DATABASE name FROM user`: Denies a user's access to a specified
149-
database.
150-
9. `REVOKE DATABASE name FROM user`: Removes database from user's authentication
151-
context.
155+
7. `GRANT DATABASE name TO user_or_role`: Grants a user or role access to a
156+
specified database.
157+
8. `DENY DATABASE name FROM user_or_role`: Explicitly denies a user or role
158+
access to a specified database.
159+
9. `REVOKE DATABASE name FROM user_or_role`: Removes the database from the
160+
user's or role's database access list.
152161
10. `SET MAIN DATABASE name FOR user`: Sets a user's default (landing) database.
153162
11. `SHOW DATABASE PRIVILEGES FOR user`: Lists a user's database access rights.
154163

164+
### Removing database access: DENY vs REVOKE
165+
166+
There are two ways to remove access to a database: `DENY DATABASE x` or `REVOKE
167+
DATABASE x`. They behave differently:
168+
169+
- **DENY** explicitly bans the user or role from the database. If any role that
170+
a user has (or the user itself) is denied access to a database, the user
171+
cannot access it. Deny trumps any other access granted—no combination of
172+
grants can override a deny.
173+
- **REVOKE** removes the database from the user's or role's database access
174+
list. It does not block access: if the user has other roles (or the user
175+
itself has access through another path) that still have access to that
176+
database, the user can still use it when connected to that database
177+
(tenant).
178+
179+
Use **DENY** when you need to explicitly forbid access to a database for any user with that role, regardless of their other roles. Use **REVOKE** when you simply want to remove the default access (like the default "memgraph" database access) or a previously granted access, allowing the user to potentially access the database if another of their roles grants it.
180+
155181
### DROP DATABASE with FORCE
156182

157183
The `DROP DATABASE` command removes an existing database. You can optionally

0 commit comments

Comments
 (0)