@@ -78,53 +78,42 @@ you are using `accountadmin` to grant and create roles. Lets do that
7878now:
7979
8080....
81- USE ROLE accountadmin;
82- ....
83-
84- Next let’s set up the necessary roles, permissions, and resource access
85- to enable Graph Analytics to operate on data within the
86- `mta.public schema`. It creates a consumer role (gds++_++user++_++role)
87- for users and administrators, grants the Neo4j Graph Analytics
88- application access to read from and write to tables and views, and
89- ensures that future tables are accessible.
90-
91- It also provides the application with access to the required compute
92- pool and warehouse resources needed to run graph algorithms at scale.
93-
94- ....
95- -- Create a consumer role for users and admins of the GDS application
96- CREATE ROLE IF NOT EXISTS gds_user_role;
97- CREATE ROLE IF NOT EXISTS gds_admin_role;
98- GRANT APPLICATION ROLE neo4j_graph_analytics.app_user TO ROLE gds_user_role;
99- GRANT APPLICATION ROLE neo4j_graph_analytics.app_admin TO ROLE gds_admin_role;
100-
101- CREATE DATABASE ROLE IF NOT EXISTS gds_db_role;
102- GRANT DATABASE ROLE gds_db_role TO ROLE gds_user_role;
103- GRANT DATABASE ROLE gds_db_role TO APPLICATION neo4j_graph_analytics;
104-
105- -- Grant access to consumer data
106- GRANT USAGE ON DATABASE MTA TO ROLE gds_user_role;
107- GRANT USAGE ON SCHEMA MTA.PUBLIC TO ROLE gds_user_role;
108-
109- -- Required to read tabular data into a graph
110- GRANT SELECT ON ALL TABLES IN DATABASE MTA TO DATABASE ROLE gds_db_role;
111-
112- -- Ensure the consumer role has access to created tables/views
113- GRANT ALL PRIVILEGES ON FUTURE TABLES IN SCHEMA MTA.PUBLIC TO DATABASE ROLE gds_db_role;
114- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA MTA.PUBLIC TO DATABASE ROLE gds_db_role;
115- GRANT CREATE TABLE ON SCHEMA MTA.PUBLIC TO DATABASE ROLE gds_db_role;
116- GRANT CREATE VIEW ON SCHEMA MTA.PUBLIC TO DATABASE ROLE gds_db_role;
117- GRANT ALL PRIVILEGES ON FUTURE VIEWS IN SCHEMA MTA.PUBLIC TO DATABASE ROLE gds_db_role;
118- GRANT ALL PRIVILEGES ON ALL VIEWS IN SCHEMA MTA.PUBLIC TO DATABASE ROLE gds_db_role;
119-
120- -- Compute and warehouse access
121- GRANT USAGE ON WAREHOUSE NEO4J_GRAPH_ANALYTICS_APP_WAREHOUSE TO APPLICATION neo4j_graph_analytics;
122- ....
123-
124- Then we need to switch the role we created:
125-
126- ....
127- USE ROLE gds_user_role;
81+ -- Use a role with the required privileges
82+ USE ROLE ACCOUNTADMIN;
83+
84+ -- Create a consumer role for users of the Graph Analytics application
85+ CREATE ROLE IF NOT EXISTS MY_CONSUMER_ROLE;
86+ GRANT APPLICATION ROLE Neo4j_Graph_Analytics.app_user TO ROLE MY_CONSUMER_ROLE;
87+ SET MY_USER = (SELECT CURRENT_USER());
88+ GRANT ROLE MY_CONSUMER_ROLE TO USER IDENTIFIER($MY_USER);
89+
90+ USE SCHEMA MTA.PUBLIC;
91+ CREATE TABLE NODES (nodeId Number);
92+ INSERT INTO NODES VALUES (1), (2), (3), (4), (5), (6);
93+ CREATE TABLE RELATIONSHIPS (sourceNodeId Number, targetNodeId Number);
94+ INSERT INTO RELATIONSHIPS VALUES (1, 2), (2, 3), (4, 5), (5, 6);
95+
96+ -- Grants needed for the app to read consumer data stored in tables and views, using a database role
97+ USE DATABASE MTA;
98+ CREATE DATABASE ROLE IF NOT EXISTS MY_DB_ROLE;
99+ GRANT USAGE ON DATABASE MTA TO DATABASE ROLE MY_DB_ROLE;
100+ GRANT USAGE ON SCHEMA MTA.PUBLIC TO DATABASE ROLE MY_DB_ROLE;
101+ GRANT SELECT ON ALL TABLES IN SCHEMA MTA.PUBLIC TO DATABASE ROLE MY_DB_ROLE;
102+ GRANT SELECT ON ALL VIEWS IN SCHEMA MTA.PUBLIC TO DATABASE ROLE MY_DB_ROLE;
103+ -- Future tables also include tables that are created by the application itself.
104+ -- This is useful as many use-cases require running algorithms in a sequence and using the output of a prior algorithm as input.
105+ GRANT SELECT ON FUTURE TABLES IN SCHEMA MTA.PUBLIC TO DATABASE ROLE MY_DB_ROLE;
106+ GRANT SELECT ON FUTURE VIEWS IN SCHEMA MTA.PUBLIC TO DATABASE ROLE MY_DB_ROLE;
107+ GRANT CREATE TABLE ON SCHEMA MTA.PUBLIC TO DATABASE ROLE MY_DB_ROLE;
108+ GRANT DATABASE ROLE MY_DB_ROLE TO APPLICATION Neo4j_Graph_Analytics;
109+
110+ -- Ensure the consumer role has access to tables created by the application
111+ GRANT USAGE ON DATABASE MTA TO ROLE MY_CONSUMER_ROLE;
112+ GRANT USAGE ON SCHEMA MTA.PUBLIC TO ROLE MY_CONSUMER_ROLE;
113+ GRANT SELECT ON FUTURE TABLES IN SCHEMA MTA.PUBLIC TO ROLE MY_CONSUMER_ROLE;
114+
115+ -- Use the consumer role to run the algorithm and inspect the output
116+ USE ROLE MY_CONSUMER_ROLE;
128117....
129118
130119=== Cleaning Our Data
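Review bot: `GRANT SELECT ON FUTURE TABLES IN SCHEMA MTA.PUBLIC TO ROLE MY_CONSUMER_ROLE;` covers only tables created after the grant, so NODES and RELATIONSHIPS (created earlier in the snippet under ACCOUNTADMIN) are not readable once `USE ROLE MY_CONSUMER_ROLE;` runs; if the reader is expected to query the inputs as well as the application's output, add `GRANT SELECT ON ALL TABLES IN SCHEMA MTA.PUBLIC TO ROLE MY_CONSUMER_ROLE;` beside it, otherwise the comment above should say the inputs stay readable only through the app. Separately, the FUTURE TABLES/VIEWS grants to MY_DB_ROLE hand the application read access to any object later placed in MTA.PUBLIC, not just graph inputs, which a practitioner would want called out with a caveat such as `-- FUTURE grants on PUBLIC extend to every object created there later; use a dedicated schema for graph data in real deployments.` The MTA database is assumed to exist before `USE SCHEMA MTA.PUBLIC;`; its creation is outside this hunk.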