Articles in this section

See more

Using Node Labels and RBAC to differentiate between two sets of (same) data in a single AuraDB Enterprise Instance

Andy
  • Updated
Follow

Within a single AuraDB Enterprise database instance it is possible to house multiple copies of the same graph, to segregate and use for differing reasons. One such possible use case for doing so  might be to combine all of your non-production environments into a single AuraDB database instance to house the differing stages of the development lifecycle (Development, Staging, User Acceptance Test).

The following example illustrates such a use case, as we house a development and staging movie graph in a single AuraDB database instance.

 

We start with a database we have created and populated with our initial data load, we will update the existing node labels to become the development graph. Once that process has been completed we repeat the data load exercise to create a second graph in the same instance, which we then update the node labels to become the staging graph. Finally we create roles and users within the database instance, to manage access to the development and staging graphs.

Updating original dataset to be marked as DEV

Add new DEV label to existing nodes

MATCH (n:Movie) SET n:DEV_Movie;
MATCH (n:Person) SET n:DEV_Person;
At this stage the nodes have two labels, the one they were originally loaded with and also the one we have just added prefixed with DEV_.

Remove ‘old’ Movie label from existing nodes

MATCH (n:DEV_Movie) REMOVE n:Movie;

MATCH (n:DEV_Person) REMOVE n:Person;

Load second dataset into same AuraDB instance

We then create the second copy of our graph in the same instance, from a file. 

Update second dataset to be marked as STG

Add new STG label to existing nodes

MATCH (n:Movie) SET n:STG_Movie;

MATCH (n:Person) SET n:STG_Person;

Remove ‘old’ Movie label from existing nodes

MATCH (n:STG_Movie) REMOVE n:Movie;

MATCH (n:STG_Person) REMOVE n:Person;

 

How to handle Multi-Graph with RBAC

Roles / users

Roles

Here we are creating a new role called devrole that is a copy of the built-in reader role.

CREATE ROLE devrole AS COPY OF reader;

Privileges

We now modify the privileges in the role to deny the devrole access to the staging graph.

DENY READ {*} ON GRAPH neo4j NODES STG_Person TO devrole;

DENY READ {*} ON GRAPH neo4j NODES STG_Movie TO devrole;

DENY TRAVERSE ON GRAPH neo4j NODES `STG_Person` TO devrole;

DENY TRAVERSE ON GRAPH neo4j NODES `STG_Movie` TO devrole;

 

Users

Create a new database user who will have access to the development environment.

CREATE USER ajs_dev

SET PASSWORD 'test123' CHANGE REQUIRED

SET STATUS ACTIVE

SET HOME DATABASE neo4j;

 

Grant roles to users

GRANT role devrole to ajs_dev;

 

Test Queries

We now connect to the database instance using the newly created development user and try to query the staging graph.

Querying the STAGING Nodes - should return no data

MATCH (n:STG_Movie) RETURN n AS node;mceclip0.png

MATCH (n:STG_Person) RETURN n AS node;

mceclip1.png

Querying the Dev Nodes - should return data

MATCH (n:DEV_Movie) RETURN n AS node;

mceclip2.png

MATCH (n:DEV_Person) RETURN n AS node;

mceclip3.png

Related articles

Comments

0 comments

Please sign in to leave a comment.