From 9b46a4ba64008d9c04330c8950c86c17cca37cf2 Mon Sep 17 00:00:00 2001
From: Andreja Tonev
Date: Thu, 17 Jul 2025 11:31:24 +0200
Subject: [PATCH] WIP

---
 .../authentication-and-authorization.mdx | 6 +-
 .../authentication-and-authorization/_meta.ts | 3 +-
 .../role-based-access-control.mdx | 32 ++++-
 .../user-profiles.mdx | 125 ++++++++++++++++++
 .../users.mdx | 38 +++++-
 .../enabling-memgraph-enterprise.mdx | 1 +
 6 files changed, 200 insertions(+), 5 deletions(-)
 create mode 100644 pages/database-management/authentication-and-authorization/user-profiles.mdx

diff --git a/pages/database-management/authentication-and-authorization.mdx b/pages/database-management/authentication-and-authorization.mdx
index 9fb2be18e..06c1fefb4 100644
--- a/pages/database-management/authentication-and-authorization.mdx
+++ b/pages/database-management/authentication-and-authorization.mdx
@@ -25,4 +25,8 @@ authentication and access control using Memgraph's auth module.
 ## [Impersonate user](/database-management/authentication-and-authorization/impersonate-user) (Enterprise)
 
 Learn how the impersonate user feature enables authorized users to execute
-queries with the full permissions and context of another user.
\ No newline at end of file
+queries with the full permissions and context of another user.
+
+## [User profiles](/database-management/authentication-and-authorization/user-profiles) (Enterprise)
+
+Learn how to manage user profiles and set resource limits for users and roles to control resource consumption and prevent abuse.
\ No newline at end of file
diff --git a/pages/database-management/authentication-and-authorization/_meta.ts b/pages/database-management/authentication-and-authorization/_meta.ts
index 52e2d13d8..95febdf0b 100644
--- a/pages/database-management/authentication-and-authorization/_meta.ts
+++ b/pages/database-management/authentication-and-authorization/_meta.ts
@@ -2,5 +2,6 @@ export default {
  "users": "Users",
  "role-based-access-control": "Role-based access control",
  "auth-system-integrations": "Auth system integrations",
- "impersonate-user": "Impersonate user"
+ "impersonate-user": "Impersonate user",
+ "user-profiles": "User profiles"
 }
diff --git a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx
index 7f1f93b87..5511a99a0 100644
--- a/pages/database-management/authentication-and-authorization/role-based-access-control.mdx
+++ b/pages/database-management/authentication-and-authorization/role-based-access-control.mdx
@@ -18,7 +18,7 @@ role, enhancing security and minimizing risks.
 With role-based access control, a database administrator can assign various
 privileges to roles, but for even more control over who can access certain data,
 Memgraph Enterprise offers [fine-grained access
-control](#fine-grained-access-control).
+control](#fine-grained-access-control). Additionally, you can use [user profiles](/database-management/authentication-and-authorization/user-profiles) to set resource limits for roles and users.
 
 ## User roles
 
@@ -75,6 +75,36 @@ To list all defined user roles run:
 SHOW ROLES;
 ```
 
+## User profiles for roles
+
+You can assign user profiles to roles to control resource limits for all users with that role. This allows you to set consistent resource limits across multiple users.
+
+To assign a profile to a role:
+
+```cypher
+SET PROFILE FOR role_name TO profile_name;
+```
+
+To view the profile assigned to a role:
+
+```cypher
+SHOW PROFILE FOR role_name;
+```
+
+To clear a role's profile:
+
+```cypher
+CLEAR PROFILE FOR role_name;
+```
+
+To see all roles assigned to a profile:
+
+```cypher
+SHOW ROLES FOR PROFILE profile_name;
+```
+
+For detailed information about user profiles, see the [User profiles](/database-management/authentication-and-authorization/user-profiles) documentation.
+
 ## Privileges
 
 At the moment, privileges are confined to users' abilities to perform certain
diff --git a/pages/database-management/authentication-and-authorization/user-profiles.mdx b/pages/database-management/authentication-and-authorization/user-profiles.mdx
new file mode 100644
index 000000000..b5972db73
--- /dev/null
+++ b/pages/database-management/authentication-and-authorization/user-profiles.mdx
@@ -0,0 +1,125 @@
+---
+title: User profiles
+description: Learn how to manage user profiles and set resource limits for users and roles.
+---
+
+# User profiles
+
+User profiles allow you to set resource limits for users and roles in Memgraph Enterprise. You can define limits on the number of sessions and transaction memory usage to control resource consumption and prevent abuse.
+
+## Overview
+
+User profiles provide a way to:
+- Set resource limits for individual users or roles
+- Control the number of concurrent sessions per user
+- Limit memory usage
+- Monitor resource consumption
+
+## Creating profiles
+
+You can create a profile with default unlimited limits:
+
+```cypher
+CREATE PROFILE profile_name;
+```
+
+Or create a profile with specific limits:
+
+```cypher
+CREATE PROFILE profile_name LIMIT sessions 10, transactions_memory 100MB;
+```
+
+### Available limits
+
+- **sessions**: Maximum number of concurrent sessions (default: unlimited)
+- **transactions_memory**: Maximum memory usage per transaction (default: unlimited)
+
+### Limit values
+
+You can specify limits in different formats:
+
+- **Unlimited**: `UNLIMITED` (default)
+- **Quantity**: A number (e.g., `10`)
+- **Memory**: A number with unit MB/KB (e.g., `100MB`, `512KB`)
+
+## Managing profiles
+
+### Update a profile
+
+```cypher
+UPDATE PROFILE profile_name LIMIT sessions 5, transactions_memory 50MB;
+```
+
+### Drop a profile
+
+```cypher
+DROP PROFILE profile_name;
+```
+
+### Show all profiles
+
+```cypher
+SHOW PROFILES;
+```
+
+### Show a specific profile
+
+```cypher
+SHOW PROFILE profile_name;
+```
+
+## Assigning profiles to users and roles
+
+### Set a profile for a user
+
+```cypher
+SET PROFILE FOR username TO profile_name;
+```
+
+### Set a profile for a role
+
+```cypher
+SET PROFILE FOR role_name TO profile_name;
+```
+
+### Clear a profile
+
+```cypher
+CLEAR PROFILE FOR username;
+```
+
+## Viewing profile assignments
+
+### Show profile for a user or role
+
+```cypher
+SHOW PROFILE FOR username;
+```
+
+### Show users assigned to a profile
+
+```cypher
+SHOW USERS FOR PROFILE profile_name;
+```
+
+### Show roles assigned to a profile
+
+```cypher
+SHOW ROLES FOR PROFILE profile_name;
+```
+
+## Monitoring resource usage
+
+### Show resource usage for a user
+
+```cypher
+SHOW RESOURCE USAGE FOR username;
+```
+
+This command shows the current resource consumption for the specified user, including:
+- Number of active sessions
+- Current transaction memory usage
+
+## Combining profiles defined for the user and roles
+
+# TODO Update for multi-role users
\ No newline at end of file
diff --git a/pages/database-management/authentication-and-authorization/users.mdx b/pages/database-management/authentication-and-authorization/users.mdx
index 41b8393ec..1bfb8fab0 100644
--- a/pages/database-management/authentication-and-authorization/users.mdx
+++ b/pages/database-management/authentication-and-authorization/users.mdx
@@ -12,8 +12,9 @@ In Memgraph, users and their passwords can be created with a simple Cypher
 query. This level of security is supported within the Community version of
 Memgraph. For more advanced security features within Memgraph Enterprise, check
 out [role-based access
-control](/database-management/authentication-and-authorization/role-based-access-control)
-and [auth system integrations](/database-management/authentication-and-authorization/auth-system-integrations).
+control](/database-management/authentication-and-authorization/role-based-access-control),
+[auth system integrations](/database-management/authentication-and-authorization/auth-system-integrations),
+and [user profiles](/database-management/authentication-and-authorization/user-profiles).
 
 ## Administer users
 
@@ -96,6 +97,39 @@ SHOW USERS;
 
 If no users exist, `SHOW USERS` returns no results.
 
+## User profiles (Enterprise)
+
+In Memgraph Enterprise, you can assign user profiles to control resource limits for users. User profiles allow you to set limits on:
+
+- Number of concurrent sessions
+- Transaction memory usage
+
+To assign a profile to a user:
+
+```cypher
+SET PROFILE FOR username TO profile_name;
+```
+
+To view the profile assigned to a user:
+
+```cypher
+SHOW PROFILE FOR username;
+```
+
+To clear a user's profile:
+
+```cypher
+CLEAR PROFILE FOR username;
+```
+
+To see all users assigned to a profile:
+
+```cypher
+SHOW USERS FOR PROFILE profile_name;
+```
+
+For detailed information about user profiles, see the [User profiles](/database-management/authentication-and-authorization/user-profiles) documentation.
+
 ### Password encryption algorithm
 
 Memgraph offers multiple password encryption algorithms:
diff --git a/pages/database-management/enabling-memgraph-enterprise.mdx b/pages/database-management/enabling-memgraph-enterprise.mdx
index 7f779092f..301db2da1 100644
--- a/pages/database-management/enabling-memgraph-enterprise.mdx
+++ b/pages/database-management/enabling-memgraph-enterprise.mdx
@@ -19,6 +19,7 @@ The following Memgraph features are only available in Enterprise Edition:
 - [Role-based access control](/database-management/authentication-and-authorization/role-based-access-control)
 - [Label-based access control](/database-management/authentication-and-authorization/role-based-access-control#label-based-access-control)
 - [Impersonate user](/database-management/authentication-and-authorization/impersonate-user)
+- [User profiles](/database-management/authentication-and-authorization/user-profiles)
 - [High availability](/clustering/high-availability) and [automatic failover](/clustering/high-availability#failover)
 - [Time to live](/querying/time-to-live)
 - [Query sharing](/data-visualization/user-manual/query-sharing) in Memgraph Lab