Multi-Tenancy
Multi-tenancy is an enterprise-only feature that allows various tenants to co-exist in the same Dgraph
cluster using uint64 namespaces. With multi-tenancy, each tenant can only log into their own
namespace and operate in their own namespace.
Overview
Multi-tenancy is built upon Access Control Lists (ACL),
and enables multiple tenants to share a Dgraph cluster using unique namespaces.
The tenants are logically separated, and their data lies in the same p directory.
Each namespace has a group guardian, which has root access to that namespace.
The default namespace is called a galaxy. Guardians of the Galaxy get
special access to create or delete namespaces and change passwords of
users of other namespaces.
Namespace
A multi-tenancy Namespace acts as a logical silo, so data stored in one namespace is not accessible from another namespace.
Each namespace has a group guardian (with root access to that namespace), and a unique uint64 identifier.
Users are members of a single namespace, and cross-namespace queries are not allowed.
The default namespace (0x00) is called a galaxy. A Guardian of the Galaxy has
special access to create or delete namespaces and change passwords of
users of other namespaces.
Access Control Lists
Multi-tenancy defines certain ACL roles for the shared cluster:
- Guardians of the Galaxy (Super Admins)
- Guardians of the Namespace
- They can add users to groups inside the namespace
- They can remove users from groups inside the namespace
- They can export their namespace
- Normal users
- They can login into a namespace
- They can query in their namespace
- They can mutate in their namespace
- They can’t query or mutate across namespaces
Guardians of the Galaxy
A Guardian of the Galaxy is a Super Admin of the default namespace (0x00).
As a super-admin, a Guardian of the Galaxy can:
- Create and delete namespaces
- Add new users and guardians to any namespace
- Reset the passwords
- Query and mutate the default namespace (
0x00) - Trigger cluster-wide backups (no namespace-specific backup)
- Trigger cluster-wide or namespace-specific exports (exports contain information about the namespace)
For example, if the user rocket is part of the Guardians of the Galaxy group (namespace 0x00),
he can only read/write on namespace 0x00, but he can create new namespaces and add users to them.
Create a Namespace
Only members of the Guardians of the Galaxy group can create a namespace.
A namespace can be created by calling /admin with the addNamespace mutation,
and will return the assigned number for the new namespace.
X-Dgraph-AccessToken header.
For example, to create a new namespace:
mutation {
addNamespace
{
namespaceId
message
}
}
Delete a Namespace
Only members of the Guardians of the Galaxy group can delete a namespace.
A namespace can be dropped by calling /admin with the deleteNamespace mutation.
X-Dgraph-AccessToken header.
For example, to drop the namespace 0x123:
mutation {
deleteNamespace(input: {namespaceId: 0x123})
{
namespaceId
message
}
}
namespace-guardians can’t delete namespaces, they can only perform queries and mutations.
Reset passwords
Only members of the Guardians of the Galaxy can reset passwords across namespaces.
A password can be reset by calling /admin with the resetPassword mutation.
For example, to reset the password for user groot from the namespace 100:
mutation {
resetPassword(input: {userId: "groot", password:"newpassword", namespace: 100}) {
userId
message
}
}
Drop operations
The drop all and drop data operations can only be triggered by a Guardian of the Galaxy.
They’re executed at cluster level and delete data across namespaces.
All other drop operations run at namespace level and are namespace specific.
drop all and drop data operations are executed at cluster level and will delete across namespaces.
Backups
Backups are currently cluster-wide only, but exports can be created by namespace. Only a Guardian of the Galaxy can trigger a backup.
Bulk Loader
Bulk loader can be used to load the data in bulk. By default, Bulk loader preserves the namespace in the data and schema files. If there’s no namespace information available, it loads the data into the default namespace.
Please refer to the Bulk loader documentation for examples and additional information.
Live Loader
Since multi-tenancy works with ACL enabled, when using the Live loader,
you must provide the login credentials using the --creds flag.
By default, Live loader loads the data into the user’s namespace.
Guardians of the Galaxy can load the data into multiple namespaces.
Please refer to the Live loader documentation for examples and additional information.
namespace from the data and schema files exist before loading the data.
Exports
Exports can be generated cluster-wide or at namespace level.
The export function creates a new folder for each namespace, and each folder contains the exported .rdf and schema file.
These exported sets of .rdf files and schemas include the multi-tenancy namespace information.
If a Guardian of the Galaxy exports the whole cluster, a single folder containing the export data of all the namespaces in a single .rdf file and a single schema will be generated.
A namespace-specific export will contain the namespace value in the generated .rdf file:
<0x01> "name" "ibrahim" <0x12> . -> this belongs to namespace 0x12
<0x01> "name" "ibrahim" <0x0> . -> this belongs to namespace 0x00
For example, to export the namespace 0x1234 to a folder in the export directory (by default this directory is export):
mutation {
export(input: {format: "rdf", namespace: 0x1234}) {
response {
message
}
}
}
To export all the namespaces: (this is only valid for Guardians of the Galaxy)
mutation {
export(input: {format: "rdf"}) {
response {
message
}
}
}