Database management
Authentication and authorization
Users

Users

In Memgraph, users and their passwords can be created with a simple Cypher query. This level of security is supported within the Community version of Memgraph. For more advanced security features within Memgraph Enterprise, check out role-based access control and auth system integrations.

Administer users

Creating a user can be done by executing the following command:

CREATE USER [IF NOT EXISTS] user_name [IDENTIFIED BY 'password'];

If the user already exists, you can use IF NOT EXISTS to only create new users.

If the username is an email address, you need to enclose it in backticks (`):

CREATE USER `alice@memgraph.com` IDENTIFIED BY '0042';

If you want to create a username that includes a space character, you must set the --auth-user-or-role-regex flag to include spaces. For example, --auth-user-or-role-name-regex=[a-zA-Z0-9_.+\-@ ]+.

If the user should authenticate themselves on each session, i.e. provide their password on each session, the part within the brackets is mandatory. Otherwise, the password is set to null, and the user will be allowed to log-in using any password, provided that they use the correct username.

To set or alter a user's password, run the following command:

SET PASSWORD FOR user_name TO 'new_password';

Setting the user's password to null removes the password, allowing the user to log-in using any password:

SET PASSWORD FOR user_name TO null;

Users can change their own password by running the following command:

SET PASSWORD TO 'newPassword' REPLACE 'oldPassword';

Password does not need to be in plain-text, a user can be identified via an already hashed password.

Example where "user" is identified by "password":

CREATE USER user IDENTIFIED BY 'sha256:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8';

The string identifying the hashed password is formatted as: algorithm-name:hash

Supported algorithms:

  1. "bcrypt"
  2. "sha256"
  3. "sha256-multiple"

Hash is the alphanumerical string of 64 characters for sha256 and 60 characters form bcrypt;

To delete a user, run the following command:

DROP USER user_name;

The following query lets you see which user is logged-in to the ongoing session:

SHOW CURRENT USER;

In case of userless log-in, SHOW CURRENT USER returns a null value.

To see all users, use the following command:

SHOW USERS;

If no users exist, SHOW USERS returns no results.

Password encryption algorithm

Memgraph offers multiple password encryption algorithms:

  • BCrypt
  • SHA256
  • SHA256 with multiple iterations (currently set to 1024 iterations)

The above algorithms can be specified at runtime using the flag --password-encryption-algorithm with the appropriate values of bcrypt, sha256 or sha256-multiple.

BCrypt This algorithm is the default algorithm for password encryption. It's the most secure algorithm and has the best protection against brute-force attacks. However, if you're connecting multiple concurrent enterprise users with passwords at the same time, it may not be the best choice for you as you might experience slower performance. The performance is slower only during authentication of the users, and should not degrade once the connection has been established.

SHA256 and SHA256 with multiple iterations SHA256 is an encryption algorithm that's usually not used for password encryption but is fast and secure enough to offer optimal performance when running a lot of concurrent opening connections to Memgraph.

Authentication

memgraph and memgraph-mage images

If you are using Docker and memgraph or memgraph-mage image enter username and password when connecting manually to Memgraph Lab.

If you are connecting with mgconsole you should add the username and password flags to the docker run command:

docker run -it --entrypoint=mgconsole memgraph/memgraph --host CONTAINER_IP --username=<username> --password=<password>

Example:

docker run -it --entrypoint=mgconsole memgraph/memgraph --host 172.17.0.2 --username=vlasta --password=vp

Owners

The privileges of the owners of streams and triggers are propagated to the corresponding query executions:

  • in case of streams for the queries returned by the transformations
  • in case of triggers for trigger statements.

This means the execution of the queries will fail if the owner doesn't have the required privileges. There are a few important details:

  • If there are no existing users, no privilege check is performed similarly to regular queries.
  • If a stream or trigger is created without using a logged-in user session, the owner will be Null. From the point when the first user is created such streams and triggers will fail because the lack of owner is treated as a user without any privileges, so no queries are allowed to be executed.
  • Currently, there is no way of changing the owner. The only workaround for this is to delete the stream or trigger and then create it again with another user.

The user who executes the CREATE STREAM query is going to be the owner of the stream. Authentication and authorization are not supported in Memgraph Community, thus the owner will always be Null, and the privileges are not checked in Memgraph Community. In Memgraph Enterprise the privileges of the owner are used when executing the queries returned from a transformation, in other words, the execution of the queries will fail if the owner doesn't have the required privileges.