From d0b561e91fb08f1f3b40ebed172e71e90f5b369f Mon Sep 17 00:00:00 2001 From: kgolubic Date: Thu, 4 Jul 2024 11:01:20 +0200 Subject: [PATCH 1/5] Update README.md --- README.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 56086b2ec..95c1cdd96 100644 --- a/README.md +++ b/README.md @@ -95,14 +95,19 @@ an [issue](https://github.com/memgraph/documentation/issues). ### Contributing guide -If you want to change the documentation, create a new branch and make -the appropriate changes. Then, create a pull request to merge these changes into the +If you want to change the documentation, create a new branch and make the +appropriate changes. Then, create a pull request to merge these changes into the `main` branch. -The pull request should describe the changes it's proposing and all checks must be completed. +The pull request should describe the changes it's proposing and all checks must +be completed. -Add an appropriate label to the PR, either `status: draft` if you are still working on the PR, or `status: ready` if the PR is ready for review. +Add an appropriate label to the PR, either `status: draft` if you are still +working on the PR, or `status: ready` if the PR is ready for review. -When the PR is reviewed and approved, the label will be changed to `status: ship it` and merged into the main by the repo admins. +When the PR is reviewed and approved, the label will be changed to `status: ship +it` and merged into the main by the repo admins. -If the PR requires changes, the label will be changed to `status: change`. Address the comments and change the documentation appropriately, then re-request a review and change the label to `status: ready` again. +If the PR requires changes, the label will be changed to `status: change`. +Address the comments and change the documentation appropriately, then re-request +a review and change the label to `status: ready` again. 
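Review bot: While these lines are being rewrapped anyway, fix `merged into the main by the repo admins` to `merged into `main` by the repo admins` so it matches the `` `main` branch `` wording two paragraphs earlier in the same hunk; apart from that the reflow at 80 columns drops no words and changes no meaning.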
From d8e94b46432170d5a87fccd46c8c944cad49486c Mon Sep 17 00:00:00 2001 From: tonijurjevic96 <168409767+tonijurjevic96@users.noreply.github.com> Date: Sat, 10 Aug 2024 02:23:36 +0200 Subject: [PATCH 2/5] =?UTF-8?q?Added=20description=20for=20hiding=20sensit?= =?UTF-8?q?ive=20information=20under=20database-man=E2=80=A6=20(#873)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Docs improvements (#799) * Add NuRaft log file flag (#816) * Add health checks docs (#833) * Update HA examples * Add NuRaft log file env (#848) * Add leader/follower role (#857) Co-authored-by: Antonio Filipovic <61245998+antoniofilipovic@users.noreply.github.com> * Add coordinator hostname HA configuration option (#860) * First leader * Update pages/clustering/high-availability.mdx Co-authored-by: Katarina Supe <61758502+katarinasupe@users.noreply.github.com> --------- Co-authored-by: Kruno Golubic <46486712+kgolubic@users.noreply.github.com> Co-authored-by: Katarina Supe <61758502+katarinasupe@users.noreply.github.com> * Add monitoring at runtime docs (#806) * Added description for hiding sensitive information under database-management/logs * database-less connections update (#853) * Update HA docs * Added link to correct chapter * Fixed issues pointed out in PR * Add comments to PR review --------- Co-authored-by: Andi Co-authored-by: Kruno Golubic <46486712+kgolubic@users.noreply.github.com> Co-authored-by: kgolubic Co-authored-by: Antonio Filipovic <61245998+antoniofilipovic@users.noreply.github.com> Co-authored-by: Katarina Supe <61758502+katarinasupe@users.noreply.github.com> Co-authored-by: Josipmrden Co-authored-by: andrejtonev <29177572+andrejtonev@users.noreply.github.com> Co-authored-by: hal-eisen-MG <145572763+hal-eisen-MG@users.noreply.github.com> --- pages/clustering/high-availability.mdx | 1 + .../enabling-memgraph-enterprise.mdx | 1 + pages/database-management/logs.mdx | 20 +++++++++++++++++++ 3 files changed, 22 insertions(+)
diff --git a/pages/clustering/high-availability.mdx b/pages/clustering/high-availability.mdx index 2f09b6507..56e486d73 100644 --- a/pages/clustering/high-availability.mdx +++ b/pages/clustering/high-availability.mdx @@ -130,6 +130,7 @@ environment variables or configuration flags: - coordinator hostname + #### Data instances Here are the environment variables you need to use to set data instance using only environment variables: diff --git a/pages/database-management/enabling-memgraph-enterprise.mdx b/pages/database-management/enabling-memgraph-enterprise.mdx index 34d69a653..024158923 100644 --- a/pages/database-management/enabling-memgraph-enterprise.mdx +++ b/pages/database-management/enabling-memgraph-enterprise.mdx @@ -9,6 +9,7 @@ The following Memgraph features are only available in Enterprise Edition: - [Audit log](/database-management/logs#audit-log-enterprise) - [Auth system integrations](/database-management/authentication-and-authorization/auth-system-integrations) +- [Hiding sensitive information](/database-management/logs#hiding-sensitive-information-enterprise) - [SAML integration](/database-management/authentication-and-authorization/auth-system-integrations#saml) - [OIDC integration](/database-management/authentication-and-authorization/auth-system-integrations#openid-connect-oidc) - [LDAP integration](/database-management/authentication-and-authorization/auth-system-integrations#ldap) diff --git a/pages/database-management/logs.mdx b/pages/database-management/logs.mdx index 3e8861cec..22d3c8029 100644 --- a/pages/database-management/logs.mdx +++ b/pages/database-management/logs.mdx 
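Review bot: The anchor in the new enabling-memgraph-enterprise.mdx link, `/database-management/logs#hiding-sensitive-information-enterprise`, will not resolve: the heading this same patch adds to logs.mdx is `## Hiding passwords (Enterprise)`, which slugs to `#hiding-passwords-enterprise` (compare `#audit-log-enterprise` for `Audit log (Enterprise)` in the line just above). Either rename the heading to `Hiding sensitive information (Enterprise)` or change the anchor; since the link text already says `Hiding sensitive information`, renaming the heading is the smaller change.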
@@ -114,6 +114,26 @@ container: +## Hiding passwords (Enterprise) + +To enhance security, it's crucial to ensure that sensitive information is not logged. +In the example below we can see how passwords are masked in the Enterprise edition of Memgraph: + +Original log (Community version): + +```plaintext +SET PASSWORD TO 'newpassword' REPLACE 'oldpassword' +``` + +Masked log (Enterprise version): + +```plaintext +SET PASSWORD TO '****' REPLACE '****' +``` + +All passwords are replaced with `****` to prevent their exposure in the logs. +This approach ensures that even if logs are accessed by unauthorized individuals, +they won't be able to retrieve the actual passwords. ## Audit log (Enterprise) From 1176f6dc10a7f50c667adeaf8ca05251eca8a108 Mon Sep 17 00:00:00 2001 From: andrejtonev <29177572+andrejtonev@users.noreply.github.com> Date: Mon, 12 Aug 2024 14:18:47 +0200 Subject: [PATCH 3/5] TTL docs (#913) * TTL page * Update pages/querying/time-to-live.mdx * Update time-to-live.mdx * Update menu * Enterprise tag and timezone callout * PR comments --------- Co-authored-by: Kruno Golubic <46486712+kgolubic@users.noreply.github.com> Co-authored-by: kgolubic --- pages/querying/_meta.json | 1 + pages/querying/time-to-live.mdx | 160 ++++++++++++++++++++++++++++++++ 2 files changed, 161 insertions(+) create mode 100644 pages/querying/time-to-live.mdx diff --git a/pages/querying/_meta.json b/pages/querying/_meta.json index 078820fc8..50d8d594d 100644 --- a/pages/querying/_meta.json +++ b/pages/querying/_meta.json @@ -8,6 +8,7 @@ "expressions": "Expressions", "schema": "Schema", "text-search": "Text search", + "time-to-live": "Time to live", "query-plan": "Query plan", "exploring-datasets": "Exploring datasets" } diff --git a/pages/querying/time-to-live.mdx b/pages/querying/time-to-live.mdx new file mode 100644 index 000000000..0daac7ab5 --- /dev/null +++ b/pages/querying/time-to-live.mdx 
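Review bot: The new `Hiding passwords (Enterprise)` section shows only `SET PASSWORD TO '****' REPLACE '****'`, so it should state which statements masking covers; `CREATE USER ... IDENTIFIED BY '...'` (documented in users.mdx later in this series) also carries a credential and readers need to know whether it is masked as well. The `Original log (Community version)` example also deserves a plain sentence that Community Edition writes the password literal to the query log, so operators there must protect that log file or avoid logging queries. Finally, `they won't be able to retrieve the actual passwords` overstates what masking one log achieves; say it prevents exposure through this log rather than implying credentials are protected in general.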
@@ -0,0 +1,160 @@ +--- +title: Time to live +description: Learn how to use time-to-live in Memgraph. +--- + +import { Callout } from 'nextra/components' + + + +This is an ENTERPRISE feature. + + + +# Time to live (Enterprise) + +Time-to-live allows a user to tag vertices with an expiration time. Once a vertex has expired, the vertex and all associated edges will be deleted. + + + +Time-to-live is implemented as a background job that periodically gets executed. +This is a best effort solution; meaning that even if a vertex expires, that does not mean it gets deleted right away, but eventually, once the background job gets executed. + + + +## Usage + +In order to use the feature the user needs to: +1. [Configure TTL](#configuration) +2. [Tag vertices with an expiration time](#tagging-vertices) + +Once that is done, a background job will periodically delete expired vertices and associated edges. + +### What is indexed + +Time-to-live uses a label `TTL` and property `ttl` to tag vertices. A label+property value index is used to speed up query execution. + +### Executed query + +Time-to-live is implemented as a background job that execute the following query: + +```cypher +MATCH (n:TTL) WHERE n.ttl < $now WITH n LIMIT $batch DETACH DELETE n; +``` + +The query DETACH DELETEs all vertices that have expired at this point in time. +The query is batched to limit the serialization errors and lost work that the error might cause. + + + +Since time-to-live is implemented as a query like any other, the user might get serialization errors. +This can happen if the user is modifying an expired vertex. +The chance of serialization errors can be minimized by limiting the duration of write transactions. +In addition, the user can disable TTL before starting an important write transaction and re-enable it after commit. See [configuration](#configuration). + + + +## Configuration + +Time to live is by default disabled. 
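Review bot: The serialization callout in time-to-live.mdx above tells users to `disable TTL before starting an important write transaction and re-enable it after commit`, but the Configuration section that follows defines `DISABLE TTL` as dropping the index and requiring a fresh configuration, while `STOP TTL` pauses the job and keeps it; the callout should say `STOP TTL` and `ENABLE TTL;` to resume. In the same region, `What is indexed` should say that the label+property index is created by `ENABLE TTL` and removed by `DISABLE TTL`, so readers know where the index comes from, and `a background job that execute the following query` should read `executes`.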
To enable it, run: + +```cypher +ENABLE TTL [EVERY "period"] [AT "time"]; +``` + + * period: a string literal defining the period of execution. Format: "NdNhNmNs" + * time: a specific time at which the first ttl job will get executed. Format: "24:59:59" + +**NOTE:** If period is omitted while time is not, the default period value will be 1 day + + + +Time is converted between local and system time using the database defined timezone. + + + +Examples demonstrating TTL setup: + +```cypher +# Run TTL every dat at 14:30 (will run immediately once if started after 14:30) +ENABLE TTL AT "14:30:00"; +# Run TTL every 2nd day at 4:00 (will run immediately once if started after 4:00) +ENABLE TTL EVERY "2d" AT "04:00:00"; +# Run TTL every 3 hours, starting from 19:45 today (will run immediately once if started after 19:45) +ENABLE TTL EVERY "3h" AT "19:45:00"; +``` + +The time-to-live job can be stopped and re-enabled via: + +```cypher +STOP TTL; +ENABLE TTL; +``` + +**NOTE:** Once stopped, ttl can be re-enabled with the old configuration or a new one. + +To stop and drop any index created, run: + +```cypher +DISABLE TTL; +``` + +**NOTE:** Once disabled, ttl has to be re-enabled with a new configuration. + +## Tagging vertices + +In order to tag a vertex for expiration, the user needs to add the `TTL` label and `ttl` property. +`ttl` property defines when the vertex has expired as a number of microseconds since POSIX epoch. +POSIX epoch defined as starting from 1st of January 1970. Negative values define time before, while positive numbers the time since. +The user can simply input the number or can use builtin Memgraph functions to define the expiration time. 
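Review bot: `Format: "24:59:59"` is not a valid time of day (hours run 00 to 23), so give the format as `HH:MM:SS` and, if a bound is wanted, `"23:59:59"`. The example block uses `#` for comments inside a cypher fence; Cypher comments are `//`, so the block fails if pasted as-is, and `every dat at 14:30` should read `every day at 14:30`. In the Tagging vertices paragraph, `POSIX epoch defined as starting from 1st of January 1970` needs to read `The POSIX epoch is defined as 1 January 1970, 00:00:00 UTC`.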
+ +Arbitrary time since epoch: +```cypher +MATCH (n) SET n:TTL, n.ttl=123; +``` + +Set vertex to expire now: +```cypher +MATCH (n) SET n:TTL, n.ttl=timestamp(); +``` + +Set vertex to expire 11 hours and 25 minutes from now: +```cypher +MATCH (n) SET n:TTL, n.ttl=timestamp() + timestamp(duration({hour:11, minute:25})); +``` + +Set vertex to expire on July 15th 2024 at 14:15: +```cypher +MATCH (n) SET n:TTL, n.ttl=timestamp(LocalDateTime("2024-07-15T14:15:00")); +``` + +## Authorization + +Time-to-live configuration queries require permissions: +1. CONFIG +2. INDEX +3. MATCH +4. DELETE + +## Compatibility + +List of features and their supported status: + +| Feature | Support | +|-----------------------------|-----------| +| Multitenancy | yes | +| Durability | yes | +| Storage modes | yes (all) | +| Replication | yes | +| Concurrent transactions | yes | +| Fine-grained access control | no | + +### Multitenancy + +Time-to-live configuration is tenant based; meaning that the feature will need to be enabled and configured manually for each tenant. + +### Replication + +Time-to-live background job will be execute only on MAIN and the changes will be replicated. +While the TTL effect is replicated, the configuration is not. TTL needs to be configured manually on every instance that can become MAIN. +If an instance is a REPLICA, the TTL background job will be paused until the instance becomes MAIN. From 2c5dfeeb951808f628e70062f179aa5316f4170b Mon Sep 17 00:00:00 2001 From: andrejtonev <29177572+andrejtonev@users.noreply.github.com> Date: Mon, 12 Aug 2024 14:22:48 +0200 Subject: [PATCH 4/5] Prehashed password (#950) --- .../authentication-and-authorization/users.mdx | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pages/database-management/authentication-and-authorization/users.mdx b/pages/database-management/authentication-and-authorization/users.mdx index 69defa453..f76403f40 100644 
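Review bot: In the tagging examples of time-to-live.mdx above, every snippet starts with `MATCH (n)`, which tags every vertex in the database, so `MATCH (n) SET n:TTL, n.ttl=timestamp();` schedules the whole graph, vertices and all their edges, for deletion on the next run of the background job; match a specific vertex in these examples so a copy-paste cannot wipe a database. The Authorization section lists the privileges needed for `ENABLE`/`STOP`/`DISABLE TTL`, while the Compatibility table says `Fine-grained access control | no`; state explicitly whether a user who can add the `TTL` label and `ttl` property to a vertex thereby gets that vertex and its edges deleted by the job regardless of their own DELETE privilege, because as written the table implies yes and administrators need that to decide who may write those names. Also `Time-to-live background job will be execute only on MAIN` should read `will be executed only on MAIN`.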
--- a/pages/database-management/authentication-and-authorization/users.mdx +++ b/pages/database-management/authentication-and-authorization/users.mdx @@ -58,6 +58,22 @@ Users can change their own password by running the following command: SET PASSWORD TO 'newPassword' REPLACE 'oldPassword'; ``` +Password does not need to be in plain-text, a user can be identified via an already hashed password. + +Example where "user" is identified by "password": +```cypher +CREATE USER user IDENTIFIED BY 'sha256:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8'; +``` + +The string identifying the hashed password is formatted as: algorithm-name:hash + +Supported algorithms: +1. "bcrypt" +1. "sha256" +1. "sha256-multiple" + +Hash is the alphanumerical string of 64 characters for sha256 and 60 characters form bcrypt; + To delete a user, run the following command: ```cypher From a2930b475815874b0a37ea9e211a2f7b301a5dde Mon Sep 17 00:00:00 2001 From: Andreja Tonev Date: Mon, 12 Aug 2024 16:08:03 +0200 Subject: [PATCH 5/5] Add warning about TTL label and ttl property --- pages/querying/time-to-live.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pages/querying/time-to-live.mdx b/pages/querying/time-to-live.mdx index 0daac7ab5..d88499205 100644 --- a/pages/querying/time-to-live.mdx +++ b/pages/querying/time-to-live.mdx @@ -15,6 +15,12 @@ This is an ENTERPRISE feature. Time-to-live allows a user to tag vertices with an expiration time. Once a vertex has expired, the vertex and all associated edges will be deleted. + + +The `TTL` label and `ttl` property are reserved names for TTL. See [Tagging vertices](#tagging-vertices) for more info. + + + Time-to-live is implemented as a background job that periodically gets executed.
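Review bot: `Hash is the alphanumerical string of 64 characters for sha256 and 60 characters form bcrypt` is wrong for bcrypt and has a typo: a 60-character bcrypt string is not alphanumeric, it starts with a `$2..$` prefix and contains `$`, `.` and `/`, so readers copying from a bcrypt tool should not be told to expect letters and digits only; and `form` should be `for`. A 64-hex-character `sha256` value is exactly one bare SHA-256 digest with no room for a salt or iteration count, so the page should say whether these hashes are salted and what string format `sha256-multiple` expects; it is listed but never described, so a reader cannot produce a valid value for it. The sample digest `5e884898...1542d8` is the SHA-256 of the literal string `password`, which is fine for an example but worth saying so nobody pastes it into a real deployment. Minor: `Password does not need to be in plain-text, a user can be identified via an already hashed password.` is a comma splice; `The password does not need to be given in plain text: a user can be identified by an already hashed password.`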
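Review bot: The new callout in time-to-live.mdx says the `TTL` label and `ttl` property are `reserved names`, which reads as if users must not use them, while the Tagging vertices section it links to tells users to set exactly those names. Say what actually happens instead: any vertex carrying the `TTL` label and a `ttl` value that compares below the current timestamp is DETACH DELETEd by the background job once TTL is enabled, so existing data that uses these names for another purpose is at risk.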