6a4ef55e90
* Stop auth module from creating users * Explicit about auth policy (check if no users defined OR auth module used) * Role supports database access definition * Authenticate() returns user or role * AuthChecker generates QueryUserOrRole (can be empty) * QueryUserOrRole actually authorizes * Add auth cache invalidation * Better database access queries (GRANT, DENY, REVOKE DATABASE)
189 lines
8.0 KiB
YAML
189 lines
8.0 KiB
YAML
args: &args
|
|
- "--bolt-port"
|
|
- "7687"
|
|
- "--log-level=TRACE"
|
|
|
|
create_delete_filtering_setup_queries: &create_delete_filtering_setup_queries
|
|
- "CREATE USER admin IDENTIFIED BY 'test';"
|
|
- "CREATE USER user IDENTIFIED BY 'test';"
|
|
- "GRANT ALL PRIVILEGES TO admin;"
|
|
- "GRANT DATABASE * TO admin;"
|
|
- "GRANT ALL PRIVILEGES TO user;"
|
|
- "GRANT DATABASE * TO user;"
|
|
|
|
edge_type_filtering_setup_queries: &edge_type_filtering_setup_queries
|
|
- "CREATE USER admin IDENTIFIED BY 'test';"
|
|
- "CREATE USER user IDENTIFIED BY 'test';"
|
|
- "GRANT ALL PRIVILEGES TO admin;"
|
|
- "GRANT DATABASE * TO admin;"
|
|
- "GRANT ALL PRIVILEGES TO user;"
|
|
- "GRANT DATABASE * TO user;"
|
|
- "GRANT CREATE_DELETE ON LABELS * TO admin;"
|
|
- "GRANT CREATE_DELETE ON EDGE_TYPES * TO admin;"
|
|
- "MERGE (l1:label1 {name: 'test1'});"
|
|
- "MERGE (l2:label2 {name: 'test2'});"
|
|
- "MATCH (l1:label1),(l2:label2) WHERE l1.name = 'test1' AND l2.name = 'test2' CREATE (l1)-[r:edgeType1]->(l2);"
|
|
- "MERGE (l3:label3 {name: 'test3'});"
|
|
- "MATCH (l1:label1),(l3:label3) WHERE l1.name = 'test1' AND l3.name = 'test3' CREATE (l1)-[r:edgeType2]->(l3);"
|
|
- "MERGE (mix:label3:label1 {name: 'test4'});"
|
|
- "MATCH (l1:label1),(mix:label3) WHERE l1.name = 'test1' AND mix.name = 'test4' CREATE (l1)-[r:edgeType2]->(mix);"
|
|
- "CREATE DATABASE clean;"
|
|
- "USE DATABASE clean"
|
|
- "MATCH (n) DETACH DELETE n;"
|
|
- "MERGE (l1:label1 {name: 'test1'});"
|
|
- "MERGE (l2:label2 {name: 'test2'});"
|
|
- "MATCH (l1:label1),(l2:label2) WHERE l1.name = 'test1' AND l2.name = 'test2' CREATE (l1)-[r:edgeType1]->(l2);"
|
|
- "MERGE (l3:label3 {name: 'test3'});"
|
|
- "MATCH (l1:label1),(l3:label3) WHERE l1.name = 'test1' AND l3.name = 'test3' CREATE (l1)-[r:edgeType2]->(l3);"
|
|
- "MERGE (mix:label3:label1 {name: 'test4'});"
|
|
- "MATCH (l1:label1),(mix:label3) WHERE l1.name = 'test1' AND mix.name = 'test4' CREATE (l1)-[r:edgeType2]->(mix);"
|
|
- "USE DATABASE memgraph"
|
|
|
|
path_filtering_setup_queries: &path_filtering_setup_queries
|
|
- "CREATE USER admin IDENTIFIED BY 'test';"
|
|
- "CREATE USER user IDENTIFIED BY 'test';"
|
|
- "GRANT ALL PRIVILEGES TO admin;"
|
|
- "GRANT DATABASE * TO admin;"
|
|
- "GRANT ALL PRIVILEGES TO user;"
|
|
- "GRANT DATABASE * TO user;"
|
|
- "MERGE (a:label0 {id: 0}) MERGE (b:label1 {id: 1}) CREATE (a)-[:edge_type_1 {weight: 6}]->(b);"
|
|
- "MERGE (a:label0 {id: 0}) MERGE (b:label2 {id: 2}) CREATE (a)-[:edge_type_1 {weight: 14}]->(b);"
|
|
- "MERGE (a:label1 {id: 1}) MERGE (b:label2 {id: 2}) CREATE (a)-[:edge_type_2 {weight: 1}]->(b);"
|
|
- "MERGE (a:label2 {id: 2}) MERGE (b:label3 {id: 4}) CREATE (a)-[:edge_type_2 {weight: 10}]->(b);"
|
|
- "MERGE (a:label1 {id: 1}) MERGE (b:label3 {id: 3}) CREATE (a)-[:edge_type_3 {weight: 5}]->(b);"
|
|
- "MERGE (a:label2 {id: 2}) MERGE (b:label3 {id: 3}) CREATE (a)-[:edge_type_3 {weight: 7}]->(b);"
|
|
- "MERGE (a:label3 {id: 3}) MERGE (b:label3 {id: 4}) CREATE (a)-[:edge_type_4 {weight: 1}]->(b);"
|
|
- "MERGE (a:label3 {id: 4}) MERGE (b:label3 {id: 3}) CREATE (a)-[:edge_type_4 {weight: 1}]->(b);"
|
|
- "MERGE (a:label3 {id: 3}) MERGE (b:label4 {id: 5}) CREATE (a)-[:edge_type_4 {weight: 14}]->(b);"
|
|
- "MERGE (a:label3 {id: 4}) MERGE (b:label4 {id: 5}) CREATE (a)-[:edge_type_4 {weight: 8}]->(b);"
|
|
- "CREATE DATABASE clean;"
|
|
- "USE DATABASE clean"
|
|
- "MATCH (n) DETACH DELETE n;"
|
|
- "MERGE (a:label0 {id: 0}) MERGE (b:label1 {id: 1}) CREATE (a)-[:edge_type_1 {weight: 6}]->(b);"
|
|
- "MERGE (a:label0 {id: 0}) MERGE (b:label2 {id: 2}) CREATE (a)-[:edge_type_1 {weight: 14}]->(b);"
|
|
- "MERGE (a:label1 {id: 1}) MERGE (b:label2 {id: 2}) CREATE (a)-[:edge_type_2 {weight: 1}]->(b);"
|
|
- "MERGE (a:label2 {id: 2}) MERGE (b:label3 {id: 4}) CREATE (a)-[:edge_type_2 {weight: 10}]->(b);"
|
|
- "MERGE (a:label1 {id: 1}) MERGE (b:label3 {id: 3}) CREATE (a)-[:edge_type_3 {weight: 5}]->(b);"
|
|
- "MERGE (a:label2 {id: 2}) MERGE (b:label3 {id: 3}) CREATE (a)-[:edge_type_3 {weight: 7}]->(b);"
|
|
- "MERGE (a:label3 {id: 3}) MERGE (b:label3 {id: 4}) CREATE (a)-[:edge_type_4 {weight: 1}]->(b);"
|
|
- "MERGE (a:label3 {id: 4}) MERGE (b:label3 {id: 3}) CREATE (a)-[:edge_type_4 {weight: 1}]->(b);"
|
|
- "MERGE (a:label3 {id: 3}) MERGE (b:label4 {id: 5}) CREATE (a)-[:edge_type_4 {weight: 14}]->(b);"
|
|
- "MERGE (a:label3 {id: 4}) MERGE (b:label4 {id: 5}) CREATE (a)-[:edge_type_4 {weight: 8}]->(b);"
|
|
- "USE DATABASE memgraph"
|
|
|
|
show_databases_w_user_setup_queries: &show_databases_w_user_setup_queries
|
|
- "CREATE USER admin IDENTIFIED BY 'test';"
|
|
- "CREATE USER user IDENTIFIED BY 'test';"
|
|
- "CREATE USER user2 IDENTIFIED BY 'test';"
|
|
- "CREATE USER user3 IDENTIFIED BY 'test';"
|
|
- "CREATE DATABASE db1;"
|
|
- "CREATE DATABASE db2;"
|
|
- "GRANT ALL PRIVILEGES TO admin;"
|
|
- "GRANT DATABASE * TO admin;"
|
|
- "GRANT ALL PRIVILEGES TO user;"
|
|
- "GRANT DATABASE db1 TO user;"
|
|
- "GRANT ALL PRIVILEGES TO user2;"
|
|
- "GRANT DATABASE db2 TO user2;"
|
|
- "GRANT DATABASE memgraph TO user2;"
|
|
- "REVOKE DATABASE memgraph FROM user2;"
|
|
- "SET MAIN DATABASE db2 FOR user2"
|
|
- "GRANT ALL PRIVILEGES TO user3;"
|
|
- "GRANT DATABASE * TO user3;"
|
|
- "DENY DATABASE memgraph FROM user3;"
|
|
- "SET MAIN DATABASE db1 FOR user3"
|
|
|
|
create_delete_filtering_in_memory_cluster: &create_delete_filtering_in_memory_cluster
|
|
cluster:
|
|
main:
|
|
args: *args
|
|
log_file: "fine_grained_access.log"
|
|
setup_queries: *create_delete_filtering_setup_queries
|
|
validation_queries: []
|
|
|
|
create_delete_filtering_disk_cluster: &create_delete_filtering_disk_cluster
|
|
cluster:
|
|
main:
|
|
args: *args
|
|
log_file: "disk_fine_grained_access.log"
|
|
setup_queries:
|
|
- "STORAGE MODE ON_DISK_TRANSACTIONAL"
|
|
- *create_delete_filtering_setup_queries
|
|
validation_queries: []
|
|
|
|
edge_type_filtering_in_memory_cluster: &edge_type_filtering_in_memory_cluster
|
|
cluster:
|
|
main:
|
|
args: *args
|
|
log_file: "fine_grained_access.log"
|
|
setup_queries: *edge_type_filtering_setup_queries
|
|
validation_queries: []
|
|
|
|
edge_type_filtering_disk_cluster: &edge_type_filtering_disk_cluster
|
|
cluster:
|
|
main:
|
|
args: *args
|
|
log_file: "disk_fine_grained_access.log"
|
|
setup_queries:
|
|
- "STORAGE MODE ON_DISK_TRANSACTIONAL"
|
|
- *edge_type_filtering_setup_queries
|
|
validation_queries: []
|
|
|
|
path_filtering_in_memory_cluster: &path_filtering_in_memory_cluster
|
|
cluster:
|
|
main:
|
|
args: *args
|
|
log_file: "fine_grained_access.log"
|
|
setup_queries: *path_filtering_setup_queries
|
|
|
|
path_filtering_disk_cluster: &path_filtering_disk_cluster
|
|
cluster:
|
|
main:
|
|
args: *args
|
|
log_file: "disk_fine_grained_access.log"
|
|
setup_queries:
|
|
- "STORAGE MODE ON_DISK_TRANSACTIONAL"
|
|
- *path_filtering_setup_queries
|
|
|
|
show_databases_w_user: &show_databases_w_user
|
|
cluster:
|
|
main:
|
|
args: *args
|
|
log_file: "fine_grained_access.log"
|
|
setup_queries: *show_databases_w_user_setup_queries
|
|
|
|
workloads:
|
|
- name: "Create delete filtering"
|
|
binary: "tests/e2e/pytest_runner.sh"
|
|
args: ["fine_grained_access/create_delete_filtering_tests.py"]
|
|
<<: *create_delete_filtering_in_memory_cluster
|
|
|
|
- name: "Create delete filtering on disk"
|
|
binary: "tests/e2e/pytest_runner.sh"
|
|
args: ["fine_grained_access/create_delete_filtering_tests.py"]
|
|
<<: *create_delete_filtering_disk_cluster
|
|
|
|
- name: "EdgeType filtering"
|
|
binary: "tests/e2e/pytest_runner.sh"
|
|
args: ["fine_grained_access/edge_type_filtering_tests.py"]
|
|
<<: *edge_type_filtering_in_memory_cluster
|
|
|
|
- name: "EdgeType filtering on disk"
|
|
binary: "tests/e2e/pytest_runner.sh"
|
|
args: ["fine_grained_access/edge_type_filtering_tests.py"]
|
|
<<: *edge_type_filtering_disk_cluster
|
|
|
|
- name: "Path filtering"
|
|
binary: "tests/e2e/pytest_runner.sh"
|
|
args: ["fine_grained_access/path_filtering_tests.py"]
|
|
<<: *path_filtering_in_memory_cluster
|
|
|
|
- name: "Show databases with users"
|
|
binary: "tests/e2e/pytest_runner.sh"
|
|
args: ["fine_grained_access/show_db.py"]
|
|
<<: *show_databases_w_user
|
|
|
|
- name: "Path filtering on disk"
|
|
binary: "tests/e2e/pytest_runner.sh"
|
|
args: ["fine_grained_access/path_filtering_tests.py"]
|
|
<<: *path_filtering_disk_cluster
|