7.1.4.4. Procedures for native user and role management (Enterprise Edition)

This section describes the procedures for managing native users and roles in Neo4j.

Neo4j manages native users and roles through built-in procedures invoked from Cypher. This section provides a complete list of the security procedures for user management, together with a few simple examples. To run the examples, use Neo4j Browser or Neo4j Cypher Shell.

This section describes:

  • List all users
  • List all roles
  • List all roles for a user
  • List all users for a role
  • Create a user
  • Delete a user
  • Assign a role to a user
  • Remove a role from a user
  • Create a custom role
  • Delete a custom role
  • Suspend a user
  • Activate a user
  • Change a user’s password
  • Change the current user’s password
  • List roles per procedure

List all users

An administrator is able to view the details of every user in the system.

Syntax:

CALL dbms.security.listUsers()

Returns:

Name        Type     Description
username    String   The username of the user.
roles       List     The roles assigned to the user.
flags       List     Flags indicating whether the user is suspended (is_suspended) or must change their password (password_change_required).

Exceptions:

The current user is not an administrator.

Example 7.1. List all users
The following example shows, for each user in the system, the username, the roles assigned to the user, and whether the user is suspended or must change their password.

CALL dbms.security.listUsers()


+---------------------------------------------------------------------+
| username | roles                     | flags                        |
+---------------------------------------------------------------------+
| "neo4j"  | ["admin"]                 | []                           |
| "anne"   | []                        | ["password_change_required"] |
| "bill"   | ["reader"]                | ["is_suspended"]             |
| "john"   | ["architect","publisher"] | []                           |
+---------------------------------------------------------------------+
4 rows
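The listUsers output is the natural starting point for a privilege review. The query below is an added example, not part of the Neo4j manual; it runs over the same procedure and flags the accounts a reviewer wants to look at first: every holder of the admin role, suspended accounts, accounts that have never replaced their initial password, and accounts with no role at all. It assumes only the roles and flags values documented above, and must be run as an administrator because listUsers is admin-only.

```cypher
// Added example (not from the Neo4j manual): triage the native user list.
// Assumes the flag names documented on this page:
// 'is_suspended' and 'password_change_required'.
CALL dbms.security.listUsers()
YIELD username, roles, flags
WITH username, roles,
     'admin' IN roles AS isAdmin,
     'is_suspended' IN flags AS isSuspended,
     'password_change_required' IN flags AS mustChangePassword
// Keep only the accounts worth a second look.
WHERE isAdmin OR isSuspended OR mustChangePassword OR size(roles) = 0
RETURN username, roles,
       CASE
         WHEN isAdmin AND isSuspended THEN 'suspended administrator'
         WHEN isAdmin                 THEN 'active administrator'
         WHEN isSuspended             THEN 'suspended'
         WHEN mustChangePassword      THEN 'initial password not yet changed'
         ELSE                              'no roles assigned'
       END AS finding
ORDER BY isAdmin DESC, username
```

Against the four users shown in Example 7.1 this returns neo4j (active administrator), anne (initial password not yet changed) and bill (suspended); john is not reported. A healthy result contains exactly the administrators you expect, and nothing under 'no roles assigned' other than accounts that were created moments ago and are still waiting for their role.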

List all roles

An administrator is able to view all users assigned to each role in the system.

Syntax:

CALL dbms.security.listRoles()

Returns:

Name     Type     Description
role     String   The name of the role.
users    List     The usernames of all users assigned to the role.

Exceptions:

The current user is not an administrator.

Example 7.2. List all roles
The following example shows, for each role in the system, the role name and the usernames of all users assigned to that role.

CALL dbms.security.listRoles()


+------------------------------+
| role        | users          |
+------------------------------+
| "reader"    | ["bill"]       |
| "architect" | []             |
| "admin"     | ["neo4j"]      |
| "publisher" | ["john","bob"] |
+------------------------------+
4 rows

List all roles for a user

Any active user is able to view all of their own assigned roles. An administrator is able to view all assigned roles for any user in the system.

Syntax:

CALL dbms.security.listRolesForUser(username)

Arguments:

Name        Type     Description
username    String   The username of the user.

Returns:

Name     Type     Description
value    String   One row per role assigned to the requested user.

Exceptions:

The current user is not an administrator and the username does not match that of the current user.
The username does not exist in the system.

Considerations:

  • This procedure may be invoked by the current user to view their own roles, irrespective of whether or not the current user is an administrator.
  • This procedure may be invoked by an administrator to view the roles of another user.
Example 7.3. List all roles for a user
The following example shows the roles reader and publisher for the user with username 'johnsmith'.

CALL dbms.security.listRolesForUser('johnsmith')


+-------------+
| value       |
+-------------+
| "reader"    |
| "publisher" |
+-------------+
2 rows

List all users for a role

An administrator is able to view all users assigned to any role in the system.

Syntax:

CALL dbms.security.listUsersForRole(roleName)

Arguments:

Name        Type     Description
roleName    String   The name of the role.

Returns:

Name     Type     Description
value    String   One row per user assigned to the requested role.

Exceptions:

The current user is not an administrator.
The role name does not exist in the system.
Example 7.4. List all users for a role
The following example lists all users assigned to the role publisher: 'bill' and 'anne'.

CALL dbms.security.listUsersForRole('publisher')


+--------+
| value  |
+--------+
| "bill" |
| "anne" |
+--------+
2 rows

Create a user

An administrator is able to create a new user in the system. This should be followed by assigning roles to the user; see Assign a role to a user.

Syntax:

CALL dbms.security.createUser(username, password, requirePasswordChange)

Arguments:

Name                     Type      Description
username                 String    The username of the new user.
password                 String    The password of the new user.
requirePasswordChange    Boolean   Optional, with a default of true. If this is true, (i) the user will be forced to change their password when they first log in, and (ii) until the user has changed their password, they will be forbidden from performing any other operation.

Exceptions:

The current user is not an administrator.
The username contains characters other than the ASCII characters between ! and ~, or contains ',' or ':'.
The username already exists in the system.
The password is the empty string.
Example 7.5. Create a user
The following example creates a user with the username 'johnsmith' and the password 'h6u4%kr'. When the user 'johnsmith' first logs in, he will be required to [change his password](/security/authentication-authorization/native-user-and-role-management/procedures-for-native-user-and-role-management.md/#change-a-users-password).

CALL dbms.security.createUser('johnsmith', 'h6u4%kr')

Delete a user

An administrator is able to delete a user permanently from the system. It is not possible to undo this action, so, if in any doubt, consider suspending the user instead.

Syntax:

CALL dbms.security.deleteUser(username)

Arguments:

Name        Type     Description
username    String   The username of the user to be deleted.

Exceptions:

The current user is not an administrator.
The username does not exist in the system.
The username matches that of the current user (i.e. deleting the current user is not permitted).

Considerations:

  • It is not necessary to remove any assigned roles from the user prior to deleting the user.
  • Deleting a user will terminate with immediate effect all of the user’s sessions and roll back any running transactions.
  • As it is not possible for the current user to delete themselves, there will always be at least one administrator in the system.
Example 7.6. Delete a user
The following example deletes a [user](/security/authentication-authorization/terminology.md/#term-user) with the username 'janebrown'.

CALL dbms.security.deleteUser('janebrown')

Assign a role to a user

An administrator is able to assign a role to any user in the system, thus allowing the user to perform the actions upon the data that the role prescribes.

Syntax:

CALL dbms.security.addRoleToUser(roleName, username)

Arguments:

Name        Type     Description
roleName    String   The name of the role to be assigned to the user.
username    String   The username of the user who is to be assigned the role.

Exceptions:

The current user is not an administrator.
The username does not exist in the system.
The username contains characters other than alphanumeric characters and the ‘_’ character.
The role name does not exist in the system.
The role name contains characters other than alphanumeric characters and the ‘_’ character.

Considerations:

  • This is an idempotent procedure.
Example 7.7. Assign a role to a user
The following example assigns the [role](/security/authentication-authorization/native-user-role-management/native-roles/) publisher to the user with username 'johnsmith'.

CALL dbms.security.addRoleToUser('publisher', 'johnsmith')

Remove a role from a user

An administrator is able to remove a role from any user in the system, thus preventing the user from performing upon the data any actions prescribed by the role.

Syntax:

CALL dbms.security.removeRoleFromUser(roleName, username)

Arguments:

Name        Type     Description
roleName    String   The name of the role to be removed from the user.
username    String   The username of the user from whom the role is to be removed.

Exceptions:

The current user is not an administrator.
The username does not exist in the system.
The role name does not exist in the system.
The username is that of the current user and the role is admin.

Considerations:

  • If the username is that of the current user and the role name provided is admin, an error will be thrown; i.e. the current user may not demote themselves from being an administrator.
  • As it is not possible for the current user to remove the admin role from themselves, there will always be at least one administrator in the system.
  • This is an idempotent procedure.
Example 7.8. Remove a role from a user
The following example removes the [role](/security/authentication-authorization/native-user-role-management/native-roles/) publisher from the user with username 'johnsmith'.

CALL dbms.security.removeRoleFromUser('publisher', 'johnsmith')

Create a custom role

An administrator is able to create custom roles in the system.

Syntax:

CALL dbms.security.createRole(roleName)

Arguments:

Name        Type     Description
roleName    String   The name of the role to be created.

Exceptions:

The current user is not an administrator.
The role name already exists in the system.
The role name is empty.
The role name contains characters other than alphanumeric characters and the ‘_’ character.
The role name matches one of the native roles: reader, publisher, architect, and admin.
Example 7.9. Create a new custom role
The following example creates a new custom role named 'operator'.

CALL dbms.security.createRole('operator')

Delete a custom role

An administrator is able to delete custom roles from the system. The native roles reader, publisher, architect, and admin (see Section 7.1.4.1, “Native roles”) cannot be deleted.

Syntax:

CALL dbms.security.deleteRole(roleName)

Arguments:

Name        Type     Description
roleName    String   The name of the role to be deleted.

Exceptions:

The current user is not an administrator.
The role name does not exist in the system.
The role name matches one of the native roles: reader, publisher, architect, and admin.

Considerations:

  • Any assignments of the role to users will be removed.
Example 7.10. Delete a custom role
The following example deletes the custom role 'operator' from the system.

CALL dbms.security.deleteRole('operator')
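The lifecycle spread over the last few sections (create a custom role, create a user, assign the role, and later delete the role) is easiest to understand end to end. The Cypher Shell script below is an added example, not from the Neo4j manual; the user 'opsbot', the role 'operator' and the password are invented. Each statement ends with ';' so the whole script can be fed to Cypher Shell in one go as an administrator. The two listRolesForUser calls show the assignment appearing and then disappearing, which is the "any role assignments will be removed" consideration in practice.

```cypher
// Added example (not from the Neo4j manual). Names and password are invented.
// Run as an administrator; every statement except listRolesForUser is admin-only.

// 1. The custom role. In this release a custom role carries no privileges of its own;
//    what it may execute is decided by server configuration, outside this page.
CALL dbms.security.createRole('operator');

// 2. The account. requirePasswordChange is passed explicitly as true (its default),
//    so the initial secret is single-use: the first login must replace it.
CALL dbms.security.createUser('opsbot', 'Q7v!p2Lm#9', true);

// 3. Grant the role. addRoleToUser is idempotent, so re-running this is harmless.
CALL dbms.security.addRoleToUser('operator', 'opsbot');

// 4. Verify: expect one row, "operator".
CALL dbms.security.listRolesForUser('opsbot');

// 5. Retire the role. Deleting it also removes it from opsbot (and from anyone else
//    holding it); nothing needs to be unassigned first.
CALL dbms.security.deleteRole('operator');

// 6. Verify again: expect zero rows. opsbot still exists and is not suspended,
//    but now holds no role at all, so it should be deleted or given a new role.
CALL dbms.security.listRolesForUser('opsbot');
```

The order matters for least privilege: the role exists before the account does, and the account is created with a forced password change, so at no point is there a usable, role-bearing login whose secret is known to the administrator. Step 6 is the check worth keeping in an offboarding runbook, because deleting a role silently leaves its former holders as role-less accounts that still authenticate.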

Suspend a user

An administrator is able to suspend a user from the system. The suspended user may be activated at a later stage.

Syntax:

CALL dbms.security.suspendUser(username)

Arguments:

Name        Type     Description
username    String   The username of the user to be suspended.

Exceptions:

The current user is not an administrator.
The username does not exist in the system.
The username matches that of the current user (i.e. suspending the current user is not permitted).

Considerations:

  • Suspending a user will terminate with immediate effect all of the user’s sessions and roll back any running transactions.
  • All of the suspended user’s attributes, assigned roles and password included, will remain intact.
  • A suspended user will not be able to log on to the system.
  • As it is not possible for the current user to suspend themselves, there will always be at least one active administrator in the system.
  • This is an idempotent procedure.
Example 7.11. Suspend a user
The following example suspends a [user](/security/authentication-authorization/terminology.md/#term-user) with the username 'billjones'.

CALL dbms.security.suspendUser('billjones')

Activate a user

An administrator is able to activate a suspended user so that the user is once again able to access the data in their original capacity.

Syntax:

CALL dbms.security.activateUser(username, requirePasswordChange)

Arguments:

Name                     Type      Description
username                 String    The username of the user to be activated.
requirePasswordChange    Boolean   Optional, with a default of true. If this is true, (i) the user will be forced to change their password when they next log in, and (ii) until the user has changed their password, they will be forbidden from performing any other operation.

Exceptions:

The current user is not an administrator.
The username does not exist in the system.
The username matches that of the current user (i.e. activating the current user is not permitted).

Considerations:

  • This is an idempotent procedure.
Example 7.12. Activate a user
The following example activates a [user](/security/authentication-authorization/terminology.md/#term-user) with the username 'jackgreen'. When the user 'jackgreen' next logs in, he will be required to [change his password](/security/authentication-authorization/native-user-role-management/procedures/#userauth-change-your-password).

CALL dbms.security.activateUser('jackgreen')

Change a user’s password

An administrator is able to change the password of any user within the system. Alternatively, the current user may change their own password.

Syntax:

CALL dbms.security.changeUserPassword(username, newPassword, requirePasswordChange)

Arguments:

Name                     Type      Description
username                 String    The username of the user whose password is to be changed.
newPassword              String    The new password for the user.
requirePasswordChange    Boolean   Optional, with a default of true. If this is true, (i) the user will be forced to change their password when they next log in, and (ii) until the user has changed their password, they will be forbidden from performing any other operation.

Exceptions:

The current user is not an administrator and the username does not match that of the current user.
The username does not exist in the system.
The password is the empty string.
The password is the same as the user’s previous password.

Considerations:

  • This procedure may be invoked by the current user to change their own password, irrespective of whether or not the current user is an administrator.
  • This procedure may be invoked by an administrator to change another user’s password.
  • In addition to changing the user’s password, this will terminate with immediate effect all of the user’s sessions and roll back any running transactions.

Example 7.13. Change a user’s password

The following example changes the password of the user with the username 'joebloggs' to 'h6u4%kr'. When the user 'joebloggs' next logs in, he will be required to change his password.

CALL dbms.security.changeUserPassword('joebloggs', 'h6u4%kr')
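Suspension, password rotation and reactivation together form the usual response to a credential that may have leaked. The script below is an added example, not from the Neo4j manual; the account 'joebloggs' is the one from Example 7.13 and the replacement password is invented. It assumes an administrator session in Cypher Shell. The property that makes this work is stated in the considerations above: both suspendUser and changeUserPassword terminate the user's sessions and roll back in-flight transactions immediately, so an attacker holding a live session is cut off at step 1 rather than at their next login.

```cypher
// Added example (not from the Neo4j manual): respond to a suspected credential leak.
// Run as an administrator. The new password is invented; in practice it would be
// generated and delivered to the user out of band.

// 1. Cut the account off now. All sessions end and running transactions roll back;
//    roles and password are kept, so nothing is lost if this is a false alarm.
CALL dbms.security.suspendUser('joebloggs');

// 2. Confirm the state before going further: expect flags containing "is_suspended".
CALL dbms.security.listUsers()
YIELD username, flags
WITH username, flags
WHERE username = 'joebloggs'
RETURN username, flags;

// 3. Replace the possibly leaked secret while the account is still locked.
//    requirePasswordChange = true makes this a one-time password: the user must
//    pick their own at next login and can do nothing else until they do.
CALL dbms.security.changeUserPassword('joebloggs', 'Tmp-4kD9!zW', true);

// 4. Let the user back in. activateUser also defaults requirePasswordChange to
//    true; passing it explicitly keeps the intent readable in the query log.
CALL dbms.security.activateUser('joebloggs', true);

// 5. Final check: expect flags = ["password_change_required"] and nothing else.
CALL dbms.security.listUsers()
YIELD username, flags
WITH username, flags
WHERE username = 'joebloggs'
RETURN username, flags;
```

Rotating the password before reactivating means the old secret is never again valid for a live account. If the account turns out to have been misused rather than merely exposed, stop after step 2 and use deleteUser instead of steps 3 and 4; the suspension already preserves the roles and flags for the investigation.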

Change the current user’s password

Any active user is able to change their own password at any time.

Syntax:

CALL dbms.security.changePassword(password, requirePasswordChange)

Arguments:

Name                     Type      Description
password                 String    The new password for the current user.
requirePasswordChange    Boolean   Optional, with a default of false. If this is true, (i) the current user will be forced to change their password when they next log in, and (ii) until the current user has changed their password, they will be forbidden from performing any other operation.

Exceptions:

The password is the empty string.
The password is the same as the current user’s previous password.
Example 7.14. Change the current user’s password
The following example changes the password of the current user to 'h6u4%kr'.

CALL dbms.security.changePassword('h6u4%kr')

List roles per procedure

Any active user is able to view all procedures in the system, including which role(s) have the privilege to execute them.

Syntax:

CALL dbms.procedures()

Returns:

Name           Type     Description
name           String   The name of the procedure.
signature      String   The signature of the procedure.
description    String   A description of the procedure.
roles          List     The roles having the privilege to execute the procedure.
Example 7.15. List roles per procedure
The following example shows, for four of the security procedures, the procedure name, the description, and which roles have the privilege to execute the procedure.

CALL dbms.procedures()
YIELD name, signature, description, roles
WITH name, description, roles
WHERE name contains 'security'
RETURN name, description, roles
ORDER BY name
LIMIT 4
+--------------------------------------------------------------------------------------------------------------+
|name                              |description                          |roles                                |
+--------------------------------------------------------------------------------------------------------------+
|"dbms.security.activateUser"      |"Activate a suspended user."         | ["admin"]                           |
|"dbms.security.addRoleToUser"     |"Assign a role to the user."         | ["admin"]                           |
|"dbms.security.changePassword"    |"Change the current user's password."| ["reader","editor","publisher", ... |
|"dbms.security.changeUserPassword"|"Change the given user's password."  | ["admin"]                           |
+--------------------------------------------------------------------------------------------------------------+
4 rows
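The manual's example filters procedures by name; the query below, an added example and not from the Neo4j manual, turns the same output around to answer the least-privilege question a reviewer actually has: which roles can execute procedures that are not Neo4j's own, i.e. deployed extensions? It assumes only that built-in procedures live in the db.* and dbms.* namespaces, as the names in the table above show, and that any active user may run dbms.procedures().

```cypher
// Added example (not from the Neo4j manual): per-role inventory of procedures
// outside Neo4j's own db.* / dbms.* namespaces, i.e. deployed extensions.
// Zero rows means no extension procedure is executable by any role.
CALL dbms.procedures()
YIELD name, roles
WITH name, roles
WHERE NOT (name STARTS WITH 'db.' OR name STARTS WITH 'dbms.')
// One row per (role, procedure) pair, then regroup by role.
UNWIND roles AS role
RETURN role,
       count(*) AS procedureCount,
       collect(name) AS procedures
ORDER BY procedureCount DESC, role
```

Read the result role by role: reader and publisher should rarely appear at all, and whatever is listed under a custom role is precisely what that role has been granted on the server side. Follow up with listUsersForRole for each role that does appear to see who actually holds it.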
