Managing Users

The user management in ArangoDB 3 is similar to the one found in MySQL, Postgres, or other database systems.

An ArangoDB server contains a list of users. Each user can have access to one or more databases (or none for that matter).

In order to manage users use the web interface. Log into the _system database and go to the "User" section.

Using the ArangoDB shell

Alternatively, you can use the ArangoDB shell. Fire up arangosh and require the users module.

arangosh> var users = require("@arangodb/users");
arangosh> users.save("admin@testapp", "mypassword");

Creates an user call admin@testapp. This user will have no access at all.

arangosh> users.grantDatabase("admin@testapp", "testdb");

This grants the user access to the database testdb. revokeDatabase will revoke the right.

Save

users.save(user, passwd, active, extra)

This will create a new ArangoDB user. The username must be specified in user and must not be empty.

The password must be given as a string, too, but can be left empty if required. If you pass the special value ARANGODB_DEFAULT_ROOT_PASSWORD, the password will be set the value stored in the environment variable ARANGODB_DEFAULT_ROOT_PASSWORD. This can be used to pass an instance variable into ArangoDB. For example, the instance identifier from Amazon.

If the active attribute is not specified, it defaults to true. The extra attribute can be used to save custom data with the user.

This method will fail if either the username or the passwords are not specified or given in a wrong format, or there already exists a user with the specified name.

Note: the user will not have permission to access any database. You need to grant the access rights for one or more databases using grantDatabase.

Examples

arangosh> require("@arangodb/users").save("my-user", "my-secret-password");
show execution results

Grant Database

users.grantDatabase(user, database)

This grants read/write access to the database for the user.

If a user has access rights to the _system database, he is considered superuser.

Revoke Database

users.revokeDatabase(user, database)

This revokes read/write access to the database for the user.

Replace

users.replace(user, passwd, active, extra)

This will look up an existing ArangoDB user and replace its user data.

The username must be specified in user, and a user with the specified name must already exist in the database.

The password must be given as a string, too, but can be left empty if required.

If the active attribute is not specified, it defaults to true. The extra attribute can be used to save custom data with the user.

This method will fail if either the username or the passwords are not specified or given in a wrong format, or if the specified user cannot be found in the database.

Note: this function will not work from within the web interface

Examples

arangosh> require("@arangodb/users").replace("my-user", "my-changed-password");
show execution results

Update

users.update(user, passwd, active, extra)

This will update an existing ArangoDB user with a new password and other data.

The username must be specified in user and the user must already exist in the database.

The password must be given as a string, too, but can be left empty if required.

If the active attribute is not specified, the current value saved for the user will not be changed. The same is true for the extra attribute.

This method will fail if either the username or the passwords are not specified or given in a wrong format, or if the specified user cannot be found in the database.

Examples

arangosh> require("@arangodb/users").update("my-user", "my-secret-password");
show execution results

isValid

users.isValid(user, password)

Checks whether the given combination of username and password is valid. The function will return a boolean value if the combination of username and password is valid.

Each call to this function is penalized by the server sleeping a random amount of time.

Examples

arangosh> require("@arangodb/users").isValid("my-user", "my-secret-password");
true

Remove

users.remove(user)

Removes an existing ArangoDB user from the database.

The username must be specified in User and the specified user must exist in the database.

This method will fail if the user cannot be found in the database.

Examples

arangosh> require("@arangodb/users").remove("my-user");

Document

users.document(user)

Fetches an existing ArangoDB user from the database.

The username must be specified in user.

This method will fail if the user cannot be found in the database.

Examples

arangosh> require("@arangodb/users").document("my-user");
show execution results

all()

users.all()

Fetches all existing ArangoDB users from the database.

Examples

arangosh> require("@arangodb/users").all();
show execution results

Reload

users.reload()

Reloads the user authentication data on the server

All user authentication data is loaded by the server once on startup only and is cached after that. When users get added or deleted, a cache flush is done automatically, and this can be performed by called this method.

Examples

arangosh> require("@arangodb/users").reload();

Comparison to ArangoDB 2

ArangoDB 2 contained separate users per database. It was not possible to give an user access to two or more databases. This proved impractical. Therefore we switch to a more common user model in ArangoDB 3.

Command-Line Options for the Authentication and Authorization

--server.authentication Setting this option to false will turn off authentication on the server side so all clients can execute any action without authorization and privilege checks. The default value is true.

--server.authentication-system-only boolean Controls whether incoming requests need authentication only if they are directed to the ArangoDB's internal APIs and features, located at /_api/, /_admin/ etc. If the flag is set to true, then HTTP authentication is only required for requests going to URLs starting with /_, but not for other URLs. The flag can thus be used to expose a user-made API without HTTP authentication to the outside world, but to prevent the outside world from using the ArangoDB API and the admin interface without authentication. Note that checking the URL is performed after any database name prefix has been removed. That means when the actual URL called is /_db/_system/myapp/myaction, the URL /myapp/myaction will be used for authentication-system-only check. The default is true. Note that authentication still needs to be enabled for the server regularly in order for HTTP authentication to be forced for the ArangoDB API and the web interface. Setting only this flag is not enough. You can control ArangoDB's general authentication feature with the --server.authentication flag.