<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-15 -->
<p>Authentication and authorization are critical components of Geode’s enterprise security architecture. As a production-ready graph database handling sensitive data, Geode provides comprehensive security controls to ensure only authorized users and applications can access your data.</p>
<p>Geode implements multiple authentication mechanisms, fine-grained authorization policies, and integration with enterprise identity providers. Combined with Row-Level Security (RLS), encryption, and audit logging, Geode delivers the security guarantees required for regulated industries and mission-critical applications.</p>
<p>This guide explores Geode’s authentication and authorization capabilities, from basic username/password authentication through advanced integration patterns with LDAP, OAuth2, and SAML.</p>
<h3 id="authentication-mechanisms" class="position-relative d-flex align-items-center group">
<span>Authentication Mechanisms</span>
</h3><p>Geode supports multiple authentication methods to accommodate different deployment scenarios:</p>
<p><strong>Username/Password Authentication</strong>: The default mechanism. Geode hashes passwords with bcrypt or Argon2 and keeps only the hash in its system catalogs, so a leaked catalog does not directly yield passwords. Keep literal passwords out of scripts and shell history; supply them through the client library’s credential mechanism instead:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">password</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">secure_password_123</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Connect</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">credentials</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="p">(</span><span class="py">Implementation</span><span class="w"> </span><span class="py">depends</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">client</span><span class="w"> </span><span class="py">library</span><span class="p">)</span><span class="w">
</span></span></span></code></pre></div><p><strong>TLS Client Certificates</strong>: For machine-to-machine authentication, Geode supports mutual TLS (mTLS), where the client proves its identity with an X.509 certificate instead of a password. The server accepts any certificate that chains to the CA passed with <code>--tls-client-ca</code>, so use a private CA dedicated to issuing client certificates rather than a public one, and pass <code>--tls-client-auth required</code> so that connections without a valid client certificate are refused rather than downgraded:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Start server requiring client certificates</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert server.crt --tls-key server.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-client-ca ca.crt --tls-client-auth required
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Connect with client certificate</span>
</span></span><span class="line"><span class="cl">geode shell --tls-cert client.crt --tls-key client.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-ca ca.crt
</span></span></code></pre></div><p><strong>API Tokens</strong>: Bearer tokens for service accounts and automation. A token acts with the identity of the user it was created for, so grant it only the scopes that service needs and an expiry date, store it in a secrets manager rather than in source control, and revoke it as soon as the owning service is retired:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Generate</span><span class="w"> </span><span class="py">an</span><span class="w"> </span><span class="py">API</span><span class="w"> </span><span class="py">token</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">TOKEN</span><span class="w"> </span><span class="py">service_token</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">api_service</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXPIRES</span><span class="w"> </span><span class="err">'</span><span class="py">2026</span><span class="err">-</span><span class="py">12</span><span class="err">-</span><span class="py">31</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SCOPES</span><span class="w"> </span><span class="err">'</span><span class="py">read</span><span class="p">:</span><span class="nc">nodes</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">write</span><span class="p">:</span><span class="nc">edges</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">token</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">TOKEN</span><span class="w"> </span><span class="py">service_token</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>LDAP Integration</strong>: Authenticate users against an existing LDAP directory. Geode binds with the service account in <code>bind_dn</code>, locates the account by substituting the login name for <code>%s</code> in <code>user_search_filter</code>, and authenticates the user against the directory. Use <code>ldaps://</code> (as below) so the bind password never crosses the network in the clear, give the bind account read-only rights to the user subtree, and note that the value substituted for <code>%s</code> must be escaped as an LDAP filter value, otherwise a crafted login name can change the meaning of the filter:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># geode.toml configuration</span>
</span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">auth</span><span class="p">.</span><span class="nx">ldap</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="nx">url</span> <span class="p">=</span> <span class="s2">"ldaps://ldap.example.com:636"</span>
</span></span><span class="line"><span class="cl"><span class="nx">bind_dn</span> <span class="p">=</span> <span class="s2">"cn=geode,ou=services,dc=example,dc=com"</span>
</span></span><span class="line"><span class="cl"><span class="nx">bind_password_file</span> <span class="p">=</span> <span class="s2">"/secure/ldap_password"</span>
</span></span><span class="line"><span class="cl"><span class="nx">user_search_base</span> <span class="p">=</span> <span class="s2">"ou=users,dc=example,dc=com"</span>
</span></span><span class="line"><span class="cl"><span class="nx">user_search_filter</span> <span class="p">=</span> <span class="s2">"(uid=%s)"</span>
</span></span></code></pre></div><p><strong>OAuth2/OIDC</strong>: Integrate with identity providers such as Auth0, Okta, or Microsoft Entra ID (formerly Azure AD). <code>issuer</code> is the value every accepted token’s <code>iss</code> claim must match and <code>client_id</code> is the audience it must carry; <code>redirect_url</code> must be registered at the provider exactly as written, and the client secret is read from a file so it does not sit inline in geode.toml:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">auth</span><span class="p">.</span><span class="nx">oidc</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="nx">issuer</span> <span class="p">=</span> <span class="s2">"https://auth.example.com"</span>
</span></span><span class="line"><span class="cl"><span class="nx">client_id</span> <span class="p">=</span> <span class="s2">"geode-production"</span>
</span></span><span class="line"><span class="cl"><span class="nx">client_secret_file</span> <span class="p">=</span> <span class="s2">"/secure/oidc_secret"</span>
</span></span><span class="line"><span class="cl"><span class="nx">redirect_url</span> <span class="p">=</span> <span class="s2">"https://geode.example.com/auth/callback"</span>
</span></span></code></pre></div><p><strong>SAML 2.0</strong>: Enterprise single sign-on for web-based access. The IdP metadata fetched from <code>idp_metadata_url</code> over HTTPS supplies the certificate used to verify assertion signatures, so that URL must be one you trust; <code>sp_entity_id</code> and the assertion consumer service URL must match what is registered with the IdP:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">auth</span><span class="p">.</span><span class="nx">saml</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="nx">idp_metadata_url</span> <span class="p">=</span> <span class="s2">"https://idp.example.com/metadata"</span>
</span></span><span class="line"><span class="cl"><span class="nx">sp_entity_id</span> <span class="p">=</span> <span class="s2">"geode-production"</span>
</span></span><span class="line"><span class="cl"><span class="nx">assertion_consumer_service_url</span> <span class="p">=</span> <span class="s2">"https://geode.example.com/saml/acs"</span>
</span></span></code></pre></div>
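<p>Added example (not Geode’s own code): what the <code>%s</code> substitution in the LDAP <code>user_search_filter</code> above has to do before the search is sent. It escapes the login name as an RFC 4515 assertion value, shows the filter an unescaped value would produce, and adds an allow-list check for login names as defence in depth. Only the template string <code>"(uid=%s)"</code> comes from the configuration; the function names, the allow-list pattern and the sample logins are assumptions made for this example.</p>

```python
"""Added example, not Geode's own code: escaping the login name that is
substituted for %s in the [auth.ldap] user_search_filter template.

Only the template "(uid=%s)" comes from the configuration above; the
function names, the allow-list pattern and the sample logins are
assumptions made for this example.
"""
import re

# Characters with meaning inside an LDAP filter assertion value (RFC 4515 section 3).
SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Defence in depth: the shape a login name may have before the directory is queried at all.
LOGIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP filter.

    Special ASCII characters become \\XX; non-ASCII characters are escaped
    byte by byte in their UTF-8 encoding, as RFC 4515 requires.
    """
    out = []
    for ch in value:
        if ch in SPECIAL:
            out.append(SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def is_plausible_login(login):
    """Allow-list check applied before the login name reaches the filter."""
    return bool(LOGIN_RE.match(login))


def build_user_filter(template, login, escape=True):
    """Substitute the login name for %s; escape=False reproduces the unsafe version."""
    value = escape_filter_value(login) if escape else login
    return template.replace("%s", value, 1)


if __name__ == "__main__":
    template = "(uid=%s)"
    for login in ["alice", "*", "admin)(|(uid=*"]:   # constructed sample logins
        print("%-16r safe=%s  unsafe=%s  allowed=%s" % (
            login, build_user_filter(template, login),
            build_user_filter(template, login, escape=False),
            is_plausible_login(login)))
```

<p>With the unsafe substitution, a login of <code>*</code> turns the search into <code>(uid=*)</code>, which matches every entry in the subtree; escaped, it becomes the literal <code>(uid=\2a)</code> and matches nothing. The allow-list is not a substitute for escaping, it just rejects obviously hostile input earlier.</p>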
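<p>Added example (not Geode’s own code): the checks a relying party configured with the <code>[auth.oidc]</code> values above has to make before trusting an ID token, with <code>issuer</code> and <code>client_id</code> taken from that snippet. To run offline it signs tokens with HS256 over a shared secret and includes a small token minter that stands in for the identity provider; a real deployment verifies RS256 or ES256 signatures against the issuer’s JWKS. The secret, the function names and the sample tokens are assumptions made for this example.</p>

```python
"""Added example, not Geode's own code: validating an OIDC ID token against
the [auth.oidc] issuer and client_id shown above.

Assumptions made for the example: tokens are HS256 JWTs over a shared
secret so everything runs offline (a real issuer signs with RS256/ES256 and
the verifier fetches the key from the issuer's JWKS); SECRET and the sample
tokens are constructed here.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://auth.example.com"   # [auth.oidc] issuer
CLIENT_ID = "geode-production"        # [auth.oidc] client_id, the expected audience
SECRET = b"example-shared-secret"     # constructed for the example; never hard-code a real one


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, alg="HS256", secret=SECRET):
    """Produce a signed JWT. Stands in for the IdP; used only to build fixtures."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def tamper_payload(token, claims):
    """Attacker move: swap the payload but keep the original signature."""
    h, _, s = token.split(".")
    return h + "." + b64url_encode(json.dumps(claims).encode()) + "." + s


def validate_id_token(token, now=None, secret=SECRET):
    """Return the claims if every check passes; raise ValueError otherwise.

    Order matters: the algorithm is pinned before the signature is checked, so a
    token claiming alg "none" or another algorithm is rejected outright, and the
    signature is checked before any claim is trusted.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired or exp missing")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if not claims.get("sub"):
        raise ValueError("subject missing")
    return claims


def verdict(token, now=None):
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_id_token(token, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = int(time.time())
    good = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "iat": now, "exp": now + 300})
    print("good token:", verdict(good))
    print("forged sub:", verdict(tamper_payload(good, {"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin", "exp": now + 300})))
```

<p>The ordering is the point: pin the algorithm, verify the signature, then check <code>iss</code>, <code>aud</code>, <code>exp</code> and <code>nbf</code>. Any claim read before the signature check is attacker-controlled, and accepting whatever <code>alg</code> the token names is how alg-confusion bypasses arise.</p>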
<h3 id="authorization-and-access-control" class="position-relative d-flex align-items-center group">
<span>Authorization and Access Control</span>
</h3><p>Once authenticated, Geode’s authorization system controls what users can do:</p>
<p><strong>Role-Based Access Control (RBAC)</strong>: Users are assigned roles that define their permissions:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">readonly</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">social_network</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">readonly</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">INSERT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">social_network</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">social_network</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Assign</span><span class="w"> </span><span class="py">roles</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">users</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">readonly</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">guest_user</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">john_doe</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Graph-Level Permissions</strong>: Privileges such as <code>CREATE GRAPH</code> and <code>DROP GRAPH</code> govern who can create and remove whole graphs, and privileges on an individual graph can be revoked from a role when its needs narrow:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">graph</span><span class="err">-</span><span class="py">level</span><span class="w"> </span><span class="py">privileges</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">CREATE</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">developer</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">DROP</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Revoke</span><span class="w"> </span><span class="py">privileges</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">REVOKE</span><span class="w"> </span><span class="py">INSERT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">sensitive_data</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Label-Level Permissions</strong>: Restrict access to specific node or relationship types. <code>DENY</code> carves an exception out of a broader grant, which is how a role with read access to a graph is kept away from a sensitive label; after changing grants, confirm a role’s effective permissions by querying as that role rather than assuming the result:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Restrict</span><span class="w"> </span><span class="py">access</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">labels</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Transaction</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">auditor</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">CreditCard</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Property-Level Security</strong>: Hide sensitive properties from unauthorized users. Verify that a denied property can neither be read nor used in a filter predicate: a role that can still filter on <code>salary</code> can recover its value by bisection even though it never sees it returned:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Allow</span><span class="w"> </span><span class="py">reading</span><span class="w"> </span><span class="py">most</span><span class="w"> </span><span class="py">properties</span><span class="w"> </span><span class="py">but</span><span class="w"> </span><span class="py">hide</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="kd">on</span><span class="py">es</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">(</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">email</span><span class="p">,</span><span class="w"> </span><span class="py">created_at</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">support</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DENY</span><span class="w"> </span><span class="py">SELECT</span><span class="p">(</span><span class="py">password_hash</span><span class="p">,</span><span class="w"> </span><span class="py">ssn</span><span class="p">,</span><span class="w"> </span><span class="py">salary</span><span class="p">)</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">User</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">support</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="row-level-security-rls" class="position-relative d-flex align-items-center group">
<span>Row-Level Security (RLS)</span>
</h3><p>RLS attaches a predicate to a label: every query the targeted role runs against that label is filtered by the predicate on the server, so the restriction holds regardless of which client or query issued it. The policies below compare stored properties with attributes of the authenticated user through <code>current_user_property()</code>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">multi</span><span class="err">-</span><span class="py">tenant</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">tenant_isolation</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">User</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">tenant_id</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">tenant_id</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">RLS</span><span class="w"> </span><span class="py">policy</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">regional</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">regional_access</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Customer</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">regional_manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">region</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">authorized_regions</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Department</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">access</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">POLICY</span><span class="w"> </span><span class="py">department_data</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">ALL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="p">(</span><span class="py">department</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">current_user_property</span><span class="p">(</span><span class="err">'</span><span class="py">department</span><span class="err">'</span><span class="p">))</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>RLS Use Cases</strong>:</p>
<ul>
<li><strong>Multi-tenancy</strong>: Isolate tenant data in shared databases</li>
<li><strong>Hierarchical access</strong>: Managers see their team’s data only</li>
<li><strong>Regional compliance</strong>: Restrict data access by geography</li>
<li><strong>Privacy controls</strong>: Users can only access their own data</li>
</ul>
<h3 id="user-and-role-management" class="position-relative d-flex align-items-center group">
<span>User and Role Management</span>
</h3><p><strong>Creating and Managing Users</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">role</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">secure_password</span><span class="err">'</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Modify</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">properties</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="w"> </span><span class="py">SET</span><span class="w"> </span><span class="py">email</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">alice</span><span class="nd">@example</span><span class="err">.</span><span class="py">com</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Change</span><span class="w"> </span><span class="py">password</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="w"> </span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">new_secure_password</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Disable</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">account</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="w"> </span><span class="py">DISABLE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Delete</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">DROP</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Role Hierarchy</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">hierarchy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">manager</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">director</span><span class="w"> </span><span class="py">INHERITS</span><span class="w"> </span><span class="py">manager</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">privileges</span><span class="w"> </span><span class="py">at</span><span class="w"> </span><span class="py">each</span><span class="w"> </span><span class="py">level</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">employee</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="p">,</span><span class="w"> </span><span class="py">UPDATE</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">manager</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Employee</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">director</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
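<p>To see how the RLS policies and the role hierarchy above compose into one decision, here is an added example (not Geode's code) that resolves a principal's privileges through the INHERITS chain and then applies the USING predicates of the policies from earlier in this guide to an in-memory row set. The tables, the extra grants for <code>analyst</code> and <code>regional_manager</code>, the sample rows and the helper names are constructed for illustration; Geode performs the equivalent evaluation server-side.</p>

```python
# Added example (not Geode's own code): how a role hierarchy (GRANT + INHERITS)
# and RLS policies combine into one authorization decision. The in-memory
# tables, the extra grants for analyst and regional_manager, and the helper
# names are constructed for illustration; Geode evaluates the real statements
# server-side.
from typing import Callable

# CREATE ROLE manager INHERITS employee; CREATE ROLE director INHERITS manager;
ROLE_PARENTS: dict[str, list[str]] = {
    "employee": [],
    "manager": ["employee"],
    "director": ["manager"],
    "analyst": [],            # constructed: flat roles named by the RLS policies
    "regional_manager": [],
}

# Direct grants as (label, privilege); "ALL" covers every privilege on the label.
GRANTS: dict[str, set[tuple[str, str]]] = {
    "employee": {(":Employee", "SELECT")},
    "manager": {(":Employee", "SELECT"), (":Employee", "UPDATE")},
    "director": {(":Employee", "ALL")},
    "analyst": {(":User", "SELECT")},              # constructed so the RLS policy is reachable
    "regional_manager": {(":Customer", "SELECT")},  # constructed, same reason
}

# RLS policies as (role, privilege, USING predicate over (row, user)).
# The predicates mirror the page's current_user_property() comparisons.
Predicate = Callable[[dict, dict], bool]
POLICIES: dict[str, list[tuple[str, str, Predicate]]] = {
    ":User": [("analyst", "ALL",
               lambda row, user: row["tenant_id"] == user["tenant_id"])],
    ":Customer": [("regional_manager", "SELECT",
                   lambda row, user: row["region"] in user["authorized_regions"])],
    ":Employee": [("manager", "ALL",
                   lambda row, user: row["department"] == user["department"])],
}


def resolve_roles(role: str) -> set[str]:
    """The role plus every role it reaches through INHERITS (transitive closure)."""
    seen: set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(ROLE_PARENTS.get(current, []))
    return seen


def has_privilege(role: str, label: str, privilege: str) -> bool:
    """True if the role, or any role it inherits, holds the privilege (or ALL) on the label."""
    return any(
        g_label == label and g_priv in (privilege, "ALL")
        for r in resolve_roles(role)
        for g_label, g_priv in GRANTS.get(r, set())
    )


def authorize(user: dict, label: str, privilege: str, rows: list[dict]) -> list[dict]:
    """Rows `user` may touch with `privilege` on `label`.

    Step 1: the privilege must be reachable through the role hierarchy.
    Step 2: every RLS policy that targets one of the user's roles and covers
            the privilege must accept the row (USING predicate).
    Assumption: when no policy targets the user's roles, the privilege alone
    decides; a policy granted TO a parent role also binds roles that inherit it.
    """
    if not has_privilege(user["role"], label, privilege):
        return []  # denied: an empty result, not an error that reveals which rows exist
    roles = resolve_roles(user["role"])
    predicates = [
        pred for p_role, p_priv, pred in POLICIES.get(label, [])
        if p_role in roles and p_priv in (privilege, "ALL")
    ]
    return [row for row in rows if all(pred(row, user) for pred in predicates)]


# Constructed sample rows
EMPLOYEES = [
    {"name": "Ana", "department": "engineering"},
    {"name": "Bo", "department": "sales"},
]
USERS = [
    {"name": "t1-user", "tenant_id": "tenant-1"},
    {"name": "t2-user", "tenant_id": "tenant-2"},
]

if __name__ == "__main__":
    manager = {"role": "manager", "department": "engineering"}
    print(authorize(manager, ":Employee", "UPDATE", EMPLOYEES))   # only the engineering row
    employee = {"role": "employee", "department": "sales"}
    print(authorize(employee, ":Employee", "UPDATE", EMPLOYEES))  # [] (no UPDATE grant)
    analyst = {"role": "analyst", "tenant_id": "tenant-2"}
    print(authorize(analyst, ":User", "SELECT", USERS))            # tenant-2 rows only
```

<p>Two points are worth noticing. A missing privilege yields an empty result rather than an error, which avoids disclosing which rows exist. And the example treats a policy granted <code>TO manager</code> as binding for roles that inherit <code>manager</code>; confirm how Geode scopes policies to inherited roles before relying on that assumption.</p>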
<h3 id="authentication-best-practices" class="position-relative d-flex align-items-center group">
<span>Authentication Best Practices</span>
</h3><p><strong>Use Strong Password Policies</strong>: Enforce minimum password requirements:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">auth</span><span class="p">.</span><span class="nx">password_policy</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="nx">min_length</span> <span class="p">=</span> <span class="mi">12</span>
</span></span><span class="line"><span class="cl"><span class="nx">require_uppercase</span> <span class="p">=</span> <span class="kc">true</span>
</span></span><span class="line"><span class="cl"><span class="nx">require_lowercase</span> <span class="p">=</span> <span class="kc">true</span>
</span></span><span class="line"><span class="cl"><span class="nx">require_numbers</span> <span class="p">=</span> <span class="kc">true</span>
</span></span><span class="line"><span class="cl"><span class="nx">require_special_chars</span> <span class="p">=</span> <span class="kc">true</span>
</span></span><span class="line"><span class="cl"><span class="nx">max_age_days</span> <span class="p">=</span> <span class="mi">90</span>
</span></span><span class="line"><span class="cl"><span class="nx">prevent_reuse</span> <span class="p">=</span> <span class="mi">5</span>
</span></span></code></pre></div><p><strong>Implement Multi-Factor Authentication (MFA)</strong>: Add a second factor for critical accounts:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Enable</span><span class="w"> </span><span class="py">TOTP</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">ENABLE</span><span class="w"> </span><span class="py">MFA</span><span class="w"> </span><span class="py">TOTP</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Require</span><span class="w"> </span><span class="py">MFA</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">privileged</span><span class="w"> </span><span class="py">roles</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">REQUIRE</span><span class="w"> </span><span class="py">MFA</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Rotate Credentials Regularly</strong>: Set expiration on passwords and tokens:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Set</span><span class="w"> </span><span class="py">password</span><span class="w"> </span><span class="py">expiration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">PASSWORD_EXPIRES</span><span class="w"> </span><span class="err">'</span><span class="py">90</span><span class="w"> </span><span class="py">days</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">short</span><span class="err">-</span><span class="py">lived</span><span class="w"> </span><span class="py">tokens</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">TOKEN</span><span class="w"> </span><span class="py">temp_access</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">consultant</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXPIRES</span><span class="w"> </span><span class="err">'</span><span class="py">24</span><span class="w"> </span><span class="py">hours</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div><p><strong>Implement Least Privilege</strong>: Grant minimal permissions necessary:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Instead</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">granting</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">GRANT</span><span class="w"> </span><span class="py">ALL</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w"> </span><span class="err">--</span><span class="w"> </span><span class="py">Too</span><span class="w"> </span><span class="py">broad</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">specific</span><span class="w"> </span><span class="py">permissions</span><span class="w"> </span><span class="py">needed</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">analytics</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">Event</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">analyst</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Audit Authentication Events</strong>: Monitor authentication attempts:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">authentication</span><span class="w"> </span><span class="py">logs</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">auth_log</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">event_type</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="p">(</span><span class="err">'</span><span class="py">login_success</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">login_failure</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">24</span><span class="w"> </span><span class="py">hours</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Alert</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">suspicious</span><span class="w"> </span><span class="py">activity</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ALERT</span><span class="w"> </span><span class="py">failed_login_attempts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="p">(</span><span class="py">SELECT</span><span class="w"> </span><span class="py">count</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">auth_log</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">event_type</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">login_failure</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">5</span><span class="w"> </span><span class="py">minutes</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">username</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nv">$username</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ACTION</span><span class="w"> </span><span class="py">notify_security_team</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
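<p>The <code>failed_login_attempts</code> alert in the "Audit Authentication Events" block above can be rehearsed offline before it is deployed. This added example (not part of Geode) reproduces its logic over constructed auth-log lines: more than five <code>login_failure</code> events for one username inside a sliding five-minute window raises an alert. The line format, field names and sample events are assumptions made for this example and do not reflect the <code>system.auth_log</code> schema.</p>

```python
# Added example (not Geode's own code): the logic of the page's
# `CREATE ALERT failed_login_attempts` reproduced offline over constructed
# auth-log records, so the threshold and window can be tested before the
# alert goes live. Record layout, field names and the sample events are
# assumptions for this example, not Geode's system.auth_log schema.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: "timestamp event_type username source"
SAMPLE_LOG = """\
2026-01-15T09:00:00 login_failure alice 203.0.113.7
2026-01-15T09:00:20 login_failure alice 203.0.113.7
2026-01-15T09:00:40 login_failure alice 203.0.113.7
2026-01-15T09:01:00 login_failure alice 203.0.113.7
2026-01-15T09:01:20 login_failure alice 203.0.113.7
2026-01-15T09:01:40 login_failure alice 203.0.113.7
2026-01-15T09:02:00 login_success alice 203.0.113.7
2026-01-15T09:00:00 login_failure bob 198.51.100.4
2026-01-15T09:02:00 login_failure bob 198.51.100.4
2026-01-15T09:04:00 login_failure bob 198.51.100.4
2026-01-15T09:06:00 login_failure bob 198.51.100.4
2026-01-15T09:08:00 login_failure bob 198.51.100.4
2026-01-15T09:10:00 login_failure bob 198.51.100.4
""".splitlines()


def parse_auth_log(lines):
    """Parse the constructed line format into dicts, sorted by timestamp (UTC assumed)."""
    events = []
    for line in lines:
        ts, event_type, username, source = line.split()
        events.append({
            "timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "event_type": event_type,
            "username": username,
            "source": source,
        })
    return sorted(events, key=lambda e: e["timestamp"])


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with more than `threshold` login_failure events inside any sliding `window`.

    Mirrors the alert: count(*) of login_failure per username over the last
    5 minutes, compared with > 5. A deque per user keeps only the failures still
    inside the window, so a day's log is scanned in one linear pass.
    """
    recent = defaultdict(deque)
    alerts = []
    fired = set()
    for e in events:
        if e["event_type"] != "login_failure":
            continue
        q = recent[e["username"]]
        q.append(e["timestamp"])
        while e["timestamp"] - q[0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) > threshold and e["username"] not in fired:
            fired.add(e["username"])           # one alert per user per run
            alerts.append({"username": e["username"], "count": len(q),
                           "first": q[0], "last": e["timestamp"]})
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(parse_auth_log(SAMPLE_LOG)):
        print(alert)   # one alert: alice, 6 failures within 100 seconds
```

<p>The sample shows the boundary the threshold is meant to catch: six failures in under two minutes fire, while six failures spaced two minutes apart never have more than three inside any window and stay silent. The same structure keyed on <code>source</code> instead of <code>username</code> flags a single address failing against many accounts, a pattern the per-user alert on the page does not see.</p>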
<h3 id="secure-connection-setup" class="position-relative d-flex align-items-center group">
<span>Secure Connection Setup</span>
</h3><p><strong>TLS Configuration</strong>: Always use TLS in production:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">server</span><span class="p">.</span><span class="nx">tls</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span>
</span></span><span class="line"><span class="cl"><span class="nx">cert_file</span> <span class="p">=</span> <span class="s2">"/etc/geode/tls/server.crt"</span>
</span></span><span class="line"><span class="cl"><span class="nx">key_file</span> <span class="p">=</span> <span class="s2">"/etc/geode/tls/server.key"</span>
</span></span><span class="line"><span class="cl"><span class="nx">ca_file</span> <span class="p">=</span> <span class="s2">"/etc/geode/tls/ca.crt"</span>
</span></span><span class="line"><span class="cl"><span class="nx">min_version</span> <span class="p">=</span> <span class="s2">"1.3"</span>
</span></span><span class="line"><span class="cl"><span class="nx">cipher_suites</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"TLS_AES_256_GCM_SHA384"</span><span class="p">,</span> <span class="s2">"TLS_CHACHA20_POLY1305_SHA256"</span><span class="p">]</span>
</span></span></code></pre></div><p><strong>QUIC Security</strong>: Geode uses QUIC with mandatory TLS 1.3:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Server automatically uses QUIC+TLS</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert cert.pem --tls-key key.pem
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Client verifies server certificate</span>
</span></span><span class="line"><span class="cl">geode shell --tls-ca ca.pem
</span></span></code></pre></div>
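<p>The TLS policy in the TOML above has to be mirrored on the client, or a permissive client quietly accepts what the server was configured to refuse. This added example (not Geode's client code) builds a hardened Python <code>ssl</code> context that matches the server settings, shows the weak counterpart beside it, and audits either one for the settings that matter; the CA path is a placeholder and is not loaded, so the example runs without certificate files.</p>

```python
# Added example (not Geode's own code): a client-side TLS context matching the
# server settings above (TLS 1.3 floor, certificate and hostname verification),
# the weak counterpart, and a checker that flags the difference. Uses only the
# standard ssl module; the ca_file argument is a placeholder path.
import ssl


def hardened_client_context(ca_file: str = "") -> ssl.SSLContext:
    """Verify the server chain and hostname; refuse anything below TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # e.g. the ca.pem given to `geode shell --tls-ca`
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The shape of a 'just make it connect' context: no verification, old protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings for settings that would undermine the server's TLS policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum TLS version is {ctx.minimum_version.name}, expected TLSv1_3")
    return findings


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))   # []
    print(audit_context(weak_client_context()))       # three findings
```

<p>One caveat when mapping the <code>cipher_suites</code> line: Python's <code>SSLContext.set_ciphers</code> only governs TLS 1.2 and older, and the TLS 1.3 suites are selected through OpenSSL's separate ciphersuite setting. On the client the two settings that decide whether the server's policy holds are verification and the version floor, which is what the audit checks.</p>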
<h3 id="integration-patterns" class="position-relative d-flex align-items-center group">
<span>Integration Patterns</span>
</h3><p><strong>Microservices Authentication</strong>: Use service accounts with limited scopes:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">recommendation_service</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">User</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Product</span><span class="p">,</span><span class="w"> </span><span class="p">:</span><span class="nc">Purchase</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">recommendation_service</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">TOKEN</span><span class="w"> </span><span class="py">rec_service_token</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">recommendation_service</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Web Application Integration</strong>: Implement session management:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python">from functools import wraps

from flask import Flask, abort, jsonify, session
from geode import connect

app = Flask(__name__)

def require_authentication(view):
    # Minimal guard for this example: reject requests with no Geode credentials in the session
    @wraps(view)
    def wrapper(*args, **kwargs):
        if 'username' not in session or 'geode_token' not in session:
            abort(401)
        return view(*args, **kwargs)
    return wrapper

@app.route('/api/users')
@require_authentication
def get_users():
    # Connect with the caller's own session credentials so Geode applies that user's
    # roles and RLS policies, not those of a shared application account
    conn = connect(
        host='geode.example.com',
        username=session['username'],
        token=session['geode_token']
    )
    rows = conn.execute("MATCH (u:User) RETURN u LIMIT 100")
    return jsonify(list(rows))  # assumes the driver returns JSON-serialisable rows
</code></pre></div><p><strong>Data Pipeline Authentication</strong>: Use long-lived tokens for batch jobs:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python">import os
from geode import connect

# Read the long-lived token from the environment, never from source or a checked-in config file
conn = connect(
    host='geode.example.com',
    token=os.environ['GEODE_TOKEN']
)

# Placeholder write and sample batches so the loop below is complete (illustrative values)
insert_query = "CREATE (:Event {id: $id, kind: $kind})"
data_batches = [
    {'id': 1, 'kind': 'login'},
    {'id': 2, 'kind': 'purchase'},
]

# Process data with a token scoped to exactly the privileges the job needs (here INSERT on :Event)
for batch in data_batches:
    conn.execute(insert_query, batch)
</code></pre></div>
<h3 id="troubleshooting-authentication-issues" class="position-relative d-flex align-items-center group">
<span>Troubleshooting Authentication Issues</span>
</h3><p><strong>Login Failures</strong>: Check authentication logs:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="py">SELECT</span><span class="w"> </span><span class="py">timestamp</span><span class="p">,</span><span class="w"> </span><span class="py">username</span><span class="p">,</span><span class="w"> </span><span class="py">client_ip</span><span class="p">,</span><span class="w"> </span><span class="py">failure_reason</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">auth_log</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">event_type</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">'</span><span class="py">login_failure</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="py">DESC</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">LIMIT</span><span class="w"> </span><span class="py">50</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Permission Denied Errors</strong>: Verify user privileges:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">user</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">effective</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">GRANTS</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">role</span><span class="w"> </span><span class="py">hierarchy</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SHOW</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">HIERARCHY</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">alice</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Token Expiration</strong>: Monitor token validity:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">List</span><span class="w"> </span><span class="py">active</span><span class="w"> </span><span class="py">tokens</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w"> </span><span class="py">token_id</span><span class="p">,</span><span class="w"> </span><span class="py">username</span><span class="p">,</span><span class="w"> </span><span class="py">expires_at</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">tokens</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">expires_at</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">expires_at</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>TLS Certificate Issues</strong>: Validate certificate chain:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Verify server certificate</span>
</span></span><span class="line"><span class="cl">openssl s_client -connect geode.example.com:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -CAfile ca.crt
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check certificate expiration</span>
</span></span><span class="line"><span class="cl">openssl x509 -in server.crt -noout -dates
</span></span></code></pre></div>
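<p>The queries above return raw rows; the pattern behind them is what a responder needs. The Python below is an added example, not Geode tooling: it runs that triage over constructed sample rows shaped like the <code>system.auth_log</code> and <code>system.tokens</code> results (same column names as the queries above, invented values), flagging one client hammering a single account, one client cycling through many accounts, and tokens that expire within a grace period. The thresholds and window are assumptions to tune against your own login volume.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of
#   SELECT timestamp, username, client_ip, failure_reason FROM system.auth_log
# These are invented values, not real log data.
AUTH_LOG = [
    ("2026-01-15T09:00:01", "alice", "10.0.0.5",    "bad_password"),
    ("2026-01-15T09:00:02", "alice", "10.0.0.5",    "bad_password"),
    ("2026-01-15T09:00:03", "alice", "10.0.0.5",    "bad_password"),
    ("2026-01-15T09:00:04", "alice", "10.0.0.5",    "bad_password"),
    ("2026-01-15T09:00:05", "alice", "10.0.0.5",    "bad_password"),
    ("2026-01-15T09:00:06", "alice", "10.0.0.5",    "bad_password"),
    ("2026-01-15T09:01:00", "bob",   "203.0.113.9", "bad_password"),
    ("2026-01-15T09:01:01", "carol", "203.0.113.9", "bad_password"),
    ("2026-01-15T09:01:02", "dave",  "203.0.113.9", "no_such_user"),
    ("2026-01-15T09:01:03", "erin",  "203.0.113.9", "no_such_user"),
    ("2026-01-15T09:01:04", "frank", "203.0.113.9", "bad_password"),
    ("2026-01-15T09:30:00", "alice", "10.0.0.7",    "mfa_code_invalid"),  # a single typo, not an attack
]

# Constructed sample rows in the shape of
#   SELECT token_id, username, expires_at FROM system.tokens
TOKENS = [
    ("tok-001", "etl_service", "2026-01-15T10:30:00"),
    ("tok-002", "alice",       "2026-01-16T09:00:00"),
    ("tok-003", "reporting",   "2026-01-15T09:10:00"),
]

# Thresholds are assumptions; tune them to your login volume.
BRUTE_FORCE_FAILS = 5        # failures against ONE account from one IP inside the window
STUFFING_DISTINCT_USERS = 4  # distinct accounts tried from one IP inside the window
WINDOW = timedelta(minutes=10)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def triage_failures(rows, window=WINDOW):
    """Group login failures per source IP inside a sliding window and name the pattern.
    Returns a sorted list of (client_ip, pattern, detail) findings."""
    by_ip = defaultdict(list)
    for ts, user, ip, reason in rows:
        by_ip[ip].append((parse_ts(ts), user, reason))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        # Anchor the window at each event in turn; cheap enough for a LIMIT 50 pull.
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if window >= e[0] - t0]
            per_user = defaultdict(int)
            for _, user, _ in in_window:
                per_user[user] += 1
            hammered = [u for u, n in per_user.items() if n >= BRUTE_FORCE_FAILS]
            if hammered:
                findings.append((ip, "brute_force", hammered[0]))
                break
            if len(per_user) >= STUFFING_DISTINCT_USERS:
                findings.append((ip, "credential_stuffing", len(per_user)))
                break
    return sorted(findings)

def expiring_tokens(rows, now, grace=timedelta(hours=1)):
    """Tokens that are still valid but expire within `grace` of `now`:
    their owners are about to start seeing token-expired errors."""
    out = []
    for token_id, user, exp in rows:
        exp_dt = parse_ts(exp)
        if exp_dt >= now and now + grace >= exp_dt:
            out.append((token_id, user))
    return out

if __name__ == "__main__":
    for finding in triage_failures(AUTH_LOG):
        print("finding:", finding)
    print("expiring soon:", expiring_tokens(TOKENS, parse_ts("2026-01-15T09:45:00")))
```

<p>The two patterns need different responses: a brute-force source is blocked or rate-limited at the client IP, while credential stuffing (many accounts, few attempts each) is better caught by the distinct-user count, since no single account trips a lockout threshold.</p>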
<h3 id="security-compliance" class="position-relative d-flex align-items-center group">
<span>Security Compliance</span>
</h3><p>Geode’s authentication system helps meet compliance requirements:</p>
<ul>
<li><strong>SOC 2</strong>: User access controls, audit logging</li>
<li><strong>HIPAA</strong>: Fine-grained access, encryption, audit trails</li>
<li><strong>GDPR</strong>: Data access restrictions, user consent management</li>
<li><strong>PCI DSS</strong>: Strong authentication, privileged access management</li>
</ul>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><a
href="/tags/row-level-security/"
>Row-Level Security (RLS)</a>
</li>
<li><a
href="/tags/encryption/"
>Encryption and Data Protection</a>
</li>
<li><a
href="/tags/audit-logging/"
>Audit Logging and Compliance</a>
</li>
<li><a
href="/tags/security/"
>Security Best Practices</a>
</li>
<li><a
href="/tags/sessions/"
>User and Session Management</a>
</li>
<li><a
href="/tags/networking/"
>TLS and Network Security</a>
</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
</h3><ul>
<li>Enterprise Security Architecture Guide</li>
<li>Authentication Integration Patterns</li>
<li>Compliance and Regulatory Requirements</li>
<li>Security Hardening Checklist</li>
<li>Incident Response Playbook</li>
</ul>
<h3 id="advanced-authentication-patterns" class="position-relative d-flex align-items-center group">
<span>Advanced Authentication Patterns</span>
</h3>
<h4 id="jwt-token-based-authentication" class="position-relative d-flex align-items-center group">
<span>JWT Token-Based Authentication</span>
</h4><p>Integrate Geode with JSON Web Tokens for stateless authentication:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">jwt</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate JWT for user</span>
</span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">generate_token</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">roles</span><span class="p">):</span>
</span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="s1">'user_id'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="s1">'roles'</span><span class="p">:</span> <span class="n">roles</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="s1">'exp'</span><span class="p">:</span> <span class="n">datetime</span><span class="o">.</span><span class="n">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="n">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="mi">24</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="p">}</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">jwt</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">SECRET_KEY</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="s1">'HS256'</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Connect with JWT</span>
</span></span><span class="line"><span class="cl"><span class="n">token</span> <span class="o">=</span> <span class="n">generate_token</span><span class="p">(</span><span class="s1">'user123'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'analyst'</span><span class="p">])</span>
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span><span class="s1">'localhost:3141'</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="n">token</span><span class="p">)</span>
</span></span></code></pre></div><p>Configure Geode to validate JWTs:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">auth</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">jwt</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret_key_file</span><span class="p">:</span><span class="w"> </span><span class="l">/secure/jwt_secret</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">algorithm</span><span class="p">:</span><span class="w"> </span><span class="l">HS256</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">issuer</span><span class="p">:</span><span class="w"> </span><span class="l">myapp.example.com</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audience</span><span class="p">:</span><span class="w"> </span><span class="l">geode-api</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">token_lifetime_seconds</span><span class="p">:</span><span class="w"> </span><span class="m">86400</span><span class="w">
</span></span></span></code></pre></div>
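<p>With HS256 the verifier holds the same secret as the minter, so anyone who can read <code>/secure/jwt_secret</code> can mint a token carrying any <code>roles</code> claim; the <code>issuer</code> and <code>audience</code> settings above are what stop a token minted for another service from being accepted by Geode. To make those validation rules concrete, the stdlib-only HS256 mint/verify below is an added example (neither Geode's validator nor PyJWT): it pins the algorithm instead of trusting the token header, checks <code>iss</code>, <code>aud</code> and <code>exp</code>, and shows both a token whose <code>roles</code> was edited after signing and an <code>alg: none</code> downgrade being rejected. The secret and timestamps are constructed demo values.</p>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in production read the bytes of auth.jwt.secret_key_file
SECRET = b"demo-secret-do-not-use-in-production"
ISSUER = "myapp.example.com"    # matches auth.jwt.issuer above
AUDIENCE = "geode-api"          # matches auth.jwt.audience above

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(user_id, roles, secret=SECRET, now=None, lifetime=86400):
    """Create an HS256 JWT with the claims the geode.yaml above expects."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "roles": roles, "iss": ISSUER,
               "aud": AUDIENCE, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token, secret=SECRET, now=None, issuer=ISSUER, audience=AUDIENCE):
    """Return the payload if the token is acceptable, else raise ValueError with the reason.
    The algorithm is pinned by the verifier; the token header never gets to choose it."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":            # rejects 'none' and any other downgrade
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")        # signature checked before any claim is read
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if payload.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired")
    return payload

def tamper_roles(token, new_roles):
    """Attacker's move: re-encode the payload with other roles but keep the old signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    payload = json.loads(_b64url_decode(p_b64))
    payload["roles"] = new_roles
    return h_b64 + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + s_b64

def alg_none(token):
    """Attacker's move: rewrite the header to alg=none and drop the signature."""
    _, p_b64, _ = token.split(".")
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + p_b64 + "."

def outcome(token, **kw):
    """'ok' or the rejection reason, so each case can be shown side by side."""
    try:
        verify(token, **kw)
        return "ok"
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    t = mint("user123", ["analyst"], now=1_700_000_000)
    print("fresh token:   ", outcome(t, now=1_700_000_100))
    print("roles edited:  ", outcome(tamper_roles(t, ["admin"]), now=1_700_000_100))
    print("alg none:      ", outcome(alg_none(t), now=1_700_000_100))
    print("after 24h:     ", outcome(t, now=1_700_000_000 + 86400))
    print("other service: ", outcome(t, now=1_700_000_100, audience="other-api"))
```

<p>Note the order: the signature is checked before any claim is read, and the accepted algorithm is a server-side constant. If the roles in the token are trusted for authorization, the signing secret is effectively a root credential and belongs in the same protection class as the database's own keys.</p>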
<h4 id="service-account-authentication" class="position-relative d-flex align-items-center group">
<span>Service Account Authentication</span>
</h4><p>Create service accounts for automated systems:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Create</span><span class="w"> </span><span class="py">service</span><span class="w"> </span><span class="py">account</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">etl_service</span><span class="w"> </span><span class="py">TYPE</span><span class="w"> </span><span class="py">service_account</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Grant</span><span class="w"> </span><span class="py">minimal</span><span class="w"> </span><span class="py">required</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">RawData</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">etl_service</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">GRANT</span><span class="w"> </span><span class="py">INSERT</span><span class="w"> </span><span class="py">ON</span><span class="w"> </span><span class="p">:</span><span class="nc">ProcessedData</span><span class="w"> </span><span class="py">TO</span><span class="w"> </span><span class="py">etl_service</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Generate</span><span class="w"> </span><span class="py">long</span><span class="err">-</span><span class="py">lived</span><span class="w"> </span><span class="py">API</span><span class="w"> </span><span class="py">key</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">API_KEY</span><span class="w"> </span><span class="py">FOR</span><span class="w"> </span><span class="py">etl_service</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">DESCRIPTION</span><span class="w"> </span><span class="err">'</span><span class="py">ETL</span><span class="w"> </span><span class="py">pipeline</span><span class="w"> </span><span class="py">data</span><span class="w"> </span><span class="py">ingestion</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">EXPIRES</span><span class="w"> </span><span class="err">'</span><span class="py">2027</span><span class="err">-</span><span class="py">01</span><span class="err">-</span><span class="py">01</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div><p>Use service accounts in applications:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># etl_pipeline.py</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Load API key from environment</span>
</span></span><span class="line"><span class="cl"><span class="n">API_KEY</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'GEODE_API_KEY'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="s1">'geode.prod.example.com:3141'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">api_key</span><span class="o">=</span><span class="n">API_KEY</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Service account has limited permissions</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Can only read RawData and write ProcessedData</span>
</span></span></code></pre></div>
<h4 id="multi-factor-authentication-setup" class="position-relative d-flex align-items-center group">
<span>Multi-Factor Authentication Setup</span>
</h4><p>Enable MFA for administrative accounts:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Enable</span><span class="w"> </span><span class="py">TOTP</span><span class="w"> </span><span class="py">MFA</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">user</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">ENABLE</span><span class="w"> </span><span class="py">MFA</span><span class="w"> </span><span class="py">USING</span><span class="w"> </span><span class="py">TOTP</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SECRET</span><span class="w"> </span><span class="py">generate_qr_code</span><span class="p">()</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Require</span><span class="w"> </span><span class="py">MFA</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">admins</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">ROLE</span><span class="w"> </span><span class="py">admin</span><span class="w"> </span><span class="py">REQUIRE</span><span class="w"> </span><span class="py">MFA</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Verify</span><span class="w"> </span><span class="py">MFA</span><span class="w"> </span><span class="py">code</span><span class="w"> </span><span class="py">during</span><span class="w"> </span><span class="py">login</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">AUTHENTICATE</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">admin</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">PASSWORD</span><span class="w"> </span><span class="err">'</span><span class="py">secure_password</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MFA_CODE</span><span class="w"> </span><span class="err">'</span><span class="py">123456</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div><p>Implement MFA in client applications:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">login_with_mfa</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">mfa_code</span><span class="p">):</span>
</span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="s1">'localhost:3141'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">username</span><span class="o">=</span><span class="n">username</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">password</span><span class="o">=</span><span class="n">password</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">mfa_code</span><span class="o">=</span><span class="n">mfa_code</span>
</span></span><span class="line"><span class="cl"> <span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">client</span>
</span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="n">MFARequired</span><span class="p">:</span>
</span></span><span class="line"><span class="cl"> <span class="c1"># Prompt user for MFA code</span>
</span></span><span class="line"><span class="cl"> <span class="n">mfa_code</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">"Enter MFA code: "</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="k">await</span> <span class="n">login_with_mfa</span><span class="p">(</span><span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">mfa_code</span><span class="p">)</span>
</span></span></code></pre></div>
<h4 id="sso-integration-with-saml" class="position-relative d-flex align-items-center group">
<span>SSO Integration with SAML</span>
</h4><p>Configure SAML 2.0 for enterprise single sign-on:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="c"><!-- geode-saml-config.xml --></span>
</span></span><span class="line"><span class="cl"><span class="nt"><EntityDescriptor</span> <span class="na">entityID=</span><span class="s">"https://geode.example.com/saml/metadata"</span>
</span></span><span class="line"><span class="cl"> <span class="na">xmlns=</span><span class="s">"urn:oasis:names:tc:SAML:2.0:metadata"</span><span class="nt">></span>
</span></span><span class="line"><span class="cl"> <span class="nt"><SPSSODescriptor</span> <span class="na">protocolSupportEnumeration=</span><span class="s">"urn:oasis:names:tc:SAML:2.0:protocol"</span><span class="nt">></span>
</span></span><span class="line"><span class="cl"> <span class="nt"><KeyDescriptor</span> <span class="na">use=</span><span class="s">"signing"</span><span class="nt">></span>
</span></span><span class="line"><span class="cl"> <span class="nt"><ds:KeyInfo</span> <span class="na">xmlns:ds=</span><span class="s">"http://www.w3.org/2000/09/xmldsig#"</span><span class="nt">></span>
</span></span><span class="line"><span class="cl"> <span class="nt"><ds:X509Data></span>
</span></span><span class="line"><span class="cl"> <span class="nt"><ds:X509Certificate></span>MIIDXTCCAkWgAwIBAgIJ...<span class="nt"></ds:X509Certificate></span>
</span></span><span class="line"><span class="cl"> <span class="nt"></ds:X509Data></span>
</span></span><span class="line"><span class="cl"> <span class="nt"></ds:KeyInfo></span>
</span></span><span class="line"><span class="cl"> <span class="nt"></KeyDescriptor></span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"> <span class="nt"><SingleLogoutService</span>
</span></span><span class="line"><span class="cl"> <span class="na">Binding=</span><span class="s">"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"</span>
</span></span><span class="line"><span class="cl"> <span class="na">Location=</span><span class="s">"https://geode.example.com/saml/slo"</span><span class="nt">/></span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"> <span class="nt"><AssertionConsumerService</span>
</span></span><span class="line"><span class="cl"> <span class="na">Binding=</span><span class="s">"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"</span>
</span></span><span class="line"><span class="cl"> <span class="na">Location=</span><span class="s">"https://geode.example.com/saml/acs"</span>
</span></span><span class="line"><span class="cl"> <span class="na">index=</span><span class="s">"1"</span><span class="nt">/></span>
</span></span><span class="line"><span class="cl"> <span class="nt"></SPSSODescriptor></span>
</span></span><span class="line"><span class="cl"><span class="nt"></EntityDescriptor></span>
</span></span></code></pre></div>
<h4 id="oauth-20-authorization-code-flow" class="position-relative d-flex align-items-center group">
<span>OAuth 2.0 Authorization Code Flow</span>
</h4><p>Integrate with OAuth providers:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">auth</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">oauth2</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"> </span><span class="l">okta</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">client_id</span><span class="p">:</span><span class="w"> </span><span class="l">${OAUTH_CLIENT_ID}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">client_secret_file</span><span class="p">:</span><span class="w"> </span><span class="l">/secure/oauth_secret</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authorization_endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">https://dev-123.okta.com/oauth2/v1/authorize</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">token_endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">https://dev-123.okta.com/oauth2/v1/token</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">userinfo_endpoint</span><span class="p">:</span><span class="w"> </span><span class="l">https://dev-123.okta.com/oauth2/v1/userinfo</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scopes</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">openid</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">profile</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">email</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">redirect_url</span><span class="p">:</span><span class="w"> </span><span class="l">https://geode.example.com/oauth/callback</span><span class="w">
</span></span></span></code></pre></div><p>Implement the OAuth flow in a web application:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">secrets</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">urllib.parse</span> <span class="kn">import</span> <span class="n">urlencode</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">abort</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">session</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">app</span> <span class="o">=</span> <span class="n">Flask</span><span class="p">(</span><span class="vm">__name__</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="n">app</span><span class="o">.</span><span class="n">secret_key</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'FLASK_SECRET_KEY'</span><span class="p">]</span>  <span class="c1"># signs the session cookie</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Same values as the oauth2 section of geode.yaml, supplied via the environment</span>
</span></span><span class="line"><span class="cl"><span class="n">OAUTH_AUTH_ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'OAUTH_AUTH_ENDPOINT'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="n">OAUTH_TOKEN_ENDPOINT</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'OAUTH_TOKEN_ENDPOINT'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="n">CLIENT_ID</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'OAUTH_CLIENT_ID'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'/secure/oauth_secret'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>   <span class="c1"># same file as client_secret_file</span>
</span></span><span class="line"><span class="cl">    <span class="n">CLIENT_SECRET</span> <span class="o">=</span> <span class="n">f</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span>
</span></span><span class="line"><span class="cl"><span class="n">REDIRECT_URL</span> <span class="o">=</span> <span class="s1">'https://geode.example.com/oauth/callback'</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">'/login'</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">login</span><span class="p">():</span>
</span></span><span class="line"><span class="cl">    <span class="c1"># Single-use state ties the callback to this browser session (CSRF protection)</span>
</span></span><span class="line"><span class="cl">    <span class="n">state</span> <span class="o">=</span> <span class="n">secrets</span><span class="o">.</span><span class="n">token_urlsafe</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="n">session</span><span class="p">[</span><span class="s1">'oauth_state'</span><span class="p">]</span> <span class="o">=</span> <span class="n">state</span>
</span></span><span class="line"><span class="cl">    <span class="c1"># Redirect to OAuth provider; urlencode percent-escapes redirect_uri and scope</span>
</span></span><span class="line"><span class="cl">    <span class="n">auth_url</span> <span class="o">=</span> <span class="n">OAUTH_AUTH_ENDPOINT</span> <span class="o">+</span> <span class="s1">'?'</span> <span class="o">+</span> <span class="n">urlencode</span><span class="p">({</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'client_id'</span><span class="p">:</span> <span class="n">CLIENT_ID</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'redirect_uri'</span><span class="p">:</span> <span class="n">REDIRECT_URL</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'response_type'</span><span class="p">:</span> <span class="s1">'code'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'scope'</span><span class="p">:</span> <span class="s1">'openid profile email'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'state'</span><span class="p">:</span> <span class="n">state</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">    <span class="p">})</span>
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">auth_url</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">'/oauth/callback'</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">oauth_callback</span><span class="p">():</span>
</span></span><span class="line"><span class="cl">    <span class="c1"># Reject callbacks that do not carry the state issued in /login</span>
</span></span><span class="line"><span class="cl">    <span class="n">expected_state</span> <span class="o">=</span> <span class="n">session</span><span class="o">.</span><span class="n">pop</span><span class="p">(</span><span class="s1">'oauth_state'</span><span class="p">,</span> <span class="kc">None</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="ow">not</span> <span class="n">expected_state</span> <span class="ow">or</span> <span class="n">request</span><span class="o">.</span><span class="n">args</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'state'</span><span class="p">)</span> <span class="o">!=</span> <span class="n">expected_state</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">abort</span><span class="p">(</span><span class="mi">400</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="n">code</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">args</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'code'</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">if</span> <span class="ow">not</span> <span class="n">code</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="n">abort</span><span class="p">(</span><span class="mi">400</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">    <span class="c1"># Exchange code for token</span>
</span></span><span class="line"><span class="cl">    <span class="n">token_response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">OAUTH_TOKEN_ENDPOINT</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'grant_type'</span><span class="p">:</span> <span class="s1">'authorization_code'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'code'</span><span class="p">:</span> <span class="n">code</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'redirect_uri'</span><span class="p">:</span> <span class="n">REDIRECT_URL</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'client_id'</span><span class="p">:</span> <span class="n">CLIENT_ID</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">        <span class="s1">'client_secret'</span><span class="p">:</span> <span class="n">CLIENT_SECRET</span>
</span></span><span class="line"><span class="cl">    <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="n">token_response</span><span class="o">.</span><span class="n">raise_for_status</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">    <span class="n">access_token</span> <span class="o">=</span> <span class="n">token_response</span><span class="o">.</span><span class="n">json</span><span class="p">()[</span><span class="s1">'access_token'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">    <span class="c1"># The Flask session is a signed (not encrypted) cookie, so it cannot hold a Client</span>
</span></span><span class="line"><span class="cl">    <span class="c1"># object; keep only the token and build the client per request</span>
</span></span><span class="line"><span class="cl">    <span class="n">session</span><span class="p">[</span><span class="s1">'geode_token'</span><span class="p">]</span> <span class="o">=</span> <span class="n">access_token</span>
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="s1">'/dashboard'</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">geode_client</span><span class="p">():</span>
</span></span><span class="line"><span class="cl">    <span class="c1"># Create Geode client with the OAuth token from the session</span>
</span></span><span class="line"><span class="cl">    <span class="k">return</span> <span class="n">Client</span><span class="p">(</span><span class="s1">'localhost:3141'</span><span class="p">,</span> <span class="n">oauth_token</span><span class="o">=</span><span class="n">session</span><span class="p">[</span><span class="s1">'geode_token'</span><span class="p">])</span>
</span></span></code></pre></div>
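<p>The state and PKCE checks that the Flask sketch above leaves to the reader, as an added example that is not part of the Geode documentation or client library. It builds the authorize URL with <code>urlencode</code>, binds a single-use <code>state</code> and a PKCE verifier to the session, and refuses any callback whose state is missing, replayed or different. The endpoint, client id, session dictionary and authorization code are constructed placeholders, and the token exchange is returned as the form body to POST rather than sent, so the whole flow runs offline.</p>

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders standing in for the oauth2 block of geode.yaml (constructed, not real endpoints)
AUTH_ENDPOINT = "https://idp.example.test/oauth2/v1/authorize"
CLIENT_ID = "geode-web-app"
REDIRECT_URL = "https://geode.example.com/oauth/callback"
SCOPES = ("openid", "profile", "email")


def challenge_for(verifier):
    """S256 code_challenge of RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """Return a fresh (code_verifier, code_challenge) pair."""
    verifier = secrets.token_urlsafe(64)        # 86 URL-safe chars, inside the 43..128 limit
    return verifier, challenge_for(verifier)


def begin_login(session):
    """Step 1 (/login): bind state and PKCE verifier to the session, build the redirect URL."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URL,       # urlencode percent-escapes ':' and '/'
        "response_type": "code",
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTH_ENDPOINT}?{query}"


def handle_callback(session, callback_args):
    """Step 2 (/oauth/callback): validate the redirect and return the token-request body.

    Raises ValueError on a missing, replayed or mismatched state, or on a
    provider error, so no forged callback ever reaches the token exchange.
    """
    expected = session.pop("oauth_state", None)     # pop first: state is single use
    verifier = session.pop("pkce_verifier", None)
    received = callback_args.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: possible login CSRF or replay")
    if "error" in callback_args:
        raise ValueError(f"provider returned error {callback_args['error']!r}")
    code = callback_args.get("code")
    if not code:
        raise ValueError("authorization code missing from callback")
    # Form body for the token endpoint; the server side adds client_secret, and
    # code_verifier lets the provider check that this is the party that started the login
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URL,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def demo():
    """Drive both steps offline: one honest round trip, one replay, one mismatched state."""
    session = {}
    url = begin_login(session)
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    honest = {"state": params["state"], "code": "constructed-code-123"}
    outcomes = {"params": params, "body": handle_callback(session, honest)}
    try:                                    # the same callback again: state already consumed
        handle_callback(session, honest)
        outcomes["replay_rejected"] = False
    except ValueError:
        outcomes["replay_rejected"] = True
    other_session = {}
    begin_login(other_session)
    try:                                    # a state that was not issued to this session
        handle_callback(other_session, {"state": "not-the-session-state", "code": "constructed-code-999"})
        outcomes["mismatch_rejected"] = False
    except ValueError:
        outcomes["mismatch_rejected"] = True
    return outcomes
```

<p>The session dictionary stands in for Flask's <code>session</code>; the same two functions plug into the <code>/login</code> and <code>/oauth/callback</code> routes above, with <code>abort(400)</code> in place of the <code>ValueError</code>.</p>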
<h4 id="dynamic-permission-management" class="position-relative d-flex align-items-center group">
<span>Dynamic Permission Management</span>
</h4><p>Implement runtime permission checks:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">user</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">current</span><span class="w"> </span><span class="py">permissions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">security</span><span class="err">.</span><span class="py">showUserPermissions</span><span class="p">(</span><span class="err">'</span><span class="py">analyst</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">YIELD</span><span class="w"> </span><span class="py">role</span><span class="p">,</span><span class="w"> </span><span class="py">permission</span><span class="p">,</span><span class="w"> </span><span class="py">resource</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">role</span><span class="p">,</span><span class="w"> </span><span class="py">permission</span><span class="p">,</span><span class="w"> </span><span class="py">resource</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Temporarily</span><span class="w"> </span><span class="py">elevate</span><span class="w"> </span><span class="py">privileges</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">BEGIN</span><span class="w"> </span><span class="py">TRANSACTION</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">AUTHORIZATION</span><span class="w"> </span><span class="py">admin</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Perform</span><span class="w"> </span><span class="py">privileged</span><span class="w"> </span><span class="py">operation</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">GRAPH</span><span class="w"> </span><span class="py">sensitive_data</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Restore</span><span class="w"> </span><span class="py">normal</span><span class="w"> </span><span class="py">privileges</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RESET</span><span class="w"> </span><span class="py">SESSION</span><span class="w"> </span><span class="py">AUTHORIZATION</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">COMMIT</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
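<p>A scoped-elevation helper built around the statement sequence above, as an added example that is not Geode client code. The <code>RecordingConnection</code> stand-in and its <code>run()</code> method are hypothetical; the point it demonstrates is that <code>RESET SESSION AUTHORIZATION</code> runs on every exit path, including an exception thrown inside the privileged block, and that the role name is validated before it is interpolated into the statement.</p>

```python
import re
from contextlib import contextmanager

# Role names are interpolated into SET SESSION AUTHORIZATION, so allow plain identifiers only
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class RecordingConnection:
    """Constructed stand-in for a Geode connection: records every statement it is given."""

    def __init__(self):
        self.executed = []

    def run(self, statement):
        # Hypothetical execute method; a real client would send the statement to the server
        self.executed.append(statement)
        if statement.startswith("CREATE GRAPH forbidden"):
            raise RuntimeError("simulated server-side failure inside the privileged block")


@contextmanager
def elevated(conn, role):
    """Run the enclosed block as `role`, restoring the caller's authorization on every exit path."""
    if not _IDENTIFIER.match(role):
        raise ValueError(f"refusing to interpolate role name {role!r}")
    conn.run("BEGIN TRANSACTION;")
    conn.run(f"SET SESSION AUTHORIZATION {role};")
    committed = False
    try:
        yield conn
        committed = True
    finally:
        # Runs after a normal exit and after an exception alike, so the session
        # never stays elevated beyond the block
        conn.run("RESET SESSION AUTHORIZATION;")
        conn.run("COMMIT;" if committed else "ROLLBACK;")


def demo_success():
    """Happy path: the privileged operation commits, and the role is reset before the commit."""
    conn = RecordingConnection()
    with elevated(conn, "admin"):
        conn.run("CREATE GRAPH sensitive_data;")
    return conn.executed


def demo_failure():
    """The privileged operation fails: the role is still reset and the transaction rolled back."""
    conn = RecordingConnection()
    try:
        with elevated(conn, "admin"):
            conn.run("CREATE GRAPH forbidden;")
    except RuntimeError:
        pass
    return conn.executed


def demo_bad_role():
    """A role name that is not a plain identifier never reaches the server."""
    conn = RecordingConnection()
    try:
        with elevated(conn, "admin; DROP GRAPH sensitive_data"):
            pass
    except ValueError:
        return conn.executed == []
    return False
```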
<h4 id="audit-logging-for-compliance" class="position-relative d-flex align-items-center group">
<span>Audit Logging for Compliance</span>
</h4><p>Track all authentication events:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">View</span><span class="w"> </span><span class="py">recent</span><span class="w"> </span><span class="py">authentication</span><span class="w"> </span><span class="py">attempts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SELECT</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">timestamp</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">username</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">client_ip</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">user_agent</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">auth_method</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">success</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">failure_reason</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">auth_audit</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">24</span><span class="w"> </span><span class="py">hours</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Alert</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">suspicious</span><span class="w"> </span><span class="py">patterns</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">ALERT</span><span class="w"> </span><span class="py">brute_force_detection</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHEN</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SELECT</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">failed_attempts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">FROM</span><span class="w"> </span><span class="py">system</span><span class="err">.</span><span class="py">auth_audit</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">success</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">false</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">username</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nv">$username</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">current_timestamp</span><span class="p">()</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">INTERVAL</span><span class="w"> </span><span class="err">'</span><span class="py">5</span><span class="w"> </span><span class="py">minutes</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ACTION</span><span class="w"> </span><span class="py">notify_security_team</span><span class="p">(</span><span class="nv">$username</span><span class="p">,</span><span class="w"> </span><span class="nv">$client_ip</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p>Export audit logs for SIEM integration:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># export_audit_logs.py</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">asyncio</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span>
</span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span>
</span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Secrets come from the environment (variable names are illustrative), never from source</span>
</span></span><span class="line"><span class="cl"><span class="n">ADMIN_TOKEN</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'GEODE_ADMIN_TOKEN'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="n">SPLUNK_HEC_URL</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'SPLUNK_HEC_URL'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl"><span class="n">SPLUNK_TOKEN</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">environ</span><span class="p">[</span><span class="s1">'SPLUNK_HEC_TOKEN'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="k">async</span> <span class="k">def</span> <span class="nf">export_audit_logs_to_splunk</span><span class="p">():</span>
</span></span><span class="line"><span class="cl">    <span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span><span class="s1">'localhost:3141'</span><span class="p">,</span> <span class="n">token</span><span class="o">=</span><span class="n">ADMIN_TOKEN</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">    <span class="k">async</span> <span class="k">with</span> <span class="n">client</span><span class="o">.</span><span class="n">connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">        <span class="c1"># Fetch recent audit events</span>
</span></span><span class="line"><span class="cl">        <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="s2">"""
</span></span></span><span class="line"><span class="cl"><span class="s2">            SELECT * FROM system.auth_audit
</span></span></span><span class="line"><span class="cl"><span class="s2">            WHERE timestamp &gt; current_timestamp() - INTERVAL '1 hour'
</span></span></span><span class="line"><span class="cl"><span class="s2">        """</span><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">        <span class="c1"># Send to Splunk HTTP Event Collector</span>
</span></span><span class="line"><span class="cl">        <span class="k">for</span> <span class="n">event</span> <span class="ow">in</span> <span class="n">result</span><span class="o">.</span><span class="n">rows</span><span class="p">:</span>
</span></span><span class="line"><span class="cl">            <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">                <span class="c1"># HEC's 'time' field is epoch seconds, not an ISO-8601 string</span>
</span></span><span class="line"><span class="cl">                <span class="s1">'time'</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="s1">'timestamp'</span><span class="p">]</span><span class="o">.</span><span class="n">timestamp</span><span class="p">(),</span>
</span></span><span class="line"><span class="cl">                <span class="s1">'source'</span><span class="p">:</span> <span class="s1">'geode-auth'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">                <span class="s1">'sourcetype'</span><span class="p">:</span> <span class="s1">'geode:auth:audit'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">                <span class="s1">'event'</span><span class="p">:</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl">                    <span class="s1">'username'</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="s1">'username'</span><span class="p">],</span>
</span></span><span class="line"><span class="cl">                    <span class="s1">'success'</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="s1">'success'</span><span class="p">],</span>
</span></span><span class="line"><span class="cl">                    <span class="s1">'client_ip'</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="s1">'client_ip'</span><span class="p">],</span>
</span></span><span class="line"><span class="cl">                    <span class="s1">'auth_method'</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="s1">'auth_method'</span><span class="p">]</span>
</span></span><span class="line"><span class="cl">                <span class="p">}</span>
</span></span><span class="line"><span class="cl">            <span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">            <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span>
</span></span><span class="line"><span class="cl">                <span class="n">SPLUNK_HEC_URL</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">                <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="s1">'Authorization'</span><span class="p">:</span> <span class="sa">f</span><span class="s1">'Splunk </span><span class="si">{</span><span class="n">SPLUNK_TOKEN</span><span class="si">}</span><span class="s1">'</span><span class="p">},</span>
</span></span><span class="line"><span class="cl">                <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span>
</span></span><span class="line"><span class="cl">                <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span>
</span></span><span class="line"><span class="cl">            <span class="p">)</span>
</span></span><span class="line"><span class="cl">            <span class="c1"># Fail loudly: a silently dropped audit event is a gap in the SIEM</span>
</span></span><span class="line"><span class="cl">            <span class="n">response</span><span class="o">.</span><span class="n">raise_for_status</span><span class="p">()</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">asyncio</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">export_audit_logs_to_splunk</span><span class="p">())</span>
</span></span></code></pre></div>
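<p>The rule behind the <code>brute_force_detection</code> alert, evaluated in Python over constructed <code>system.auth_audit</code> rows, as an added example rather than Geode's alert engine. It keeps a sliding five-minute window per key and fires when the count of failures exceeds five, exactly as the alert does for <code>username</code>; it goes beyond the alert by also keying on <code>client_ip</code>, so one address failing once against many accounts is caught even though no single username crosses the threshold. The sample rows are constructed, not real log data.</p>

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # same window as the alert's INTERVAL '5 minutes'
THRESHOLD = 5                   # alert when failures in the window exceed this count


def _row(ts, user, ip, ok):
    """One constructed system.auth_audit row (ISO-8601 timestamp, no timezone)."""
    return {"timestamp": ts, "username": user, "client_ip": ip,
            "auth_method": "password", "success": ok}


BURST = ("00:00", "00:30", "01:00", "01:30", "02:00", "02:30")   # six events in 2.5 minutes
SAMPLE_ROWS = (
    [_row("2026-01-15T08:59:00", "analyst", "203.0.113.7", True)]
    # six failures for one account from one address: trips both keys
    + [_row(f"2026-01-15T09:{t}", "analyst", "203.0.113.7", False) for t in BURST]
    # seven failures 90 s apart: never more than four fall inside any 5-minute window
    + [_row(f"2026-01-15T10:{t}", "carol", "192.0.2.44", False)
       for t in ("00:00", "01:30", "03:00", "04:30", "06:00", "07:30", "09:00")]
    # one address, one failure against each of six accounts: only the client_ip key trips
    + [_row(f"2026-01-15T11:{t}", u, "198.51.100.9", False)
       for t, u in zip(BURST, ("dave", "erin", "frank", "grace", "heidi", "ivan"))]
)


def detect(rows, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per key the first time its failures in `window` exceed `threshold`.

    Keys are ("username", value) and ("client_ip", value); successes are ignored
    and failures older than the window are evicted before counting.
    """
    recent = defaultdict(deque)     # key -> timestamps of failures still inside the window
    fired = set()                   # keys already alerted on, to avoid one alert per extra failure
    alerts = []
    for row in sorted(rows, key=lambda r: r["timestamp"]):
        if row["success"]:
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        for key_type in ("username", "client_ip"):
            key = (key_type, row[key_type])
            window_hits = recent[key]
            window_hits.append(ts)
            while window_hits and ts - window_hits[0] > window:
                window_hits.popleft()
            if len(window_hits) > threshold and key not in fired:
                fired.add(key)
                alerts.append({"key_type": key_type, "key": row[key_type],
                               "failed_attempts": len(window_hits), "at": row["timestamp"]})
    return alerts
```

<p>On the sample rows this yields three alerts: <code>analyst</code> and <code>203.0.113.7</code> at 09:02:30, and <code>198.51.100.9</code> at 11:02:30; <code>carol</code>'s slow, spaced failures never exceed the threshold, which is the gap a per-user threshold alone leaves and a reason to watch the source address as well.</p>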
<h4 id="certificate-based-authentication" class="position-relative d-flex align-items-center group">
<span>Certificate-Based Authentication</span>
</h4><p>Use X.509 certificates for strong authentication:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate client certificate (self-signed for this demo; the server only accepts it if it chains to the CA given as --tls-client-ca below, so issue production client certs from that CA)</span>
</span></span><span class="line"><span class="cl">openssl req -new -newkey rsa:4096 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -days <span class="m">365</span> -nodes -x509 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -subj <span class="s2">"/CN=analyst/O=Example Corp"</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -keyout client-key.pem <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -out client-cert.pem
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Configure Geode to require client certificates</span>
</span></span><span class="line"><span class="cl">geode serve <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-cert server.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key server.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-client-ca ca.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-client-auth required
</span></span></code></pre></div><p>Map certificates to users:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Map</span><span class="w"> </span><span class="py">certificate</span><span class="w"> </span><span class="py">subject</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">account</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CREATE</span><span class="w"> </span><span class="py">CERTIFICATE_MAPPING</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">FOR</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">analyst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">SUBJECT</span><span class="w"> </span><span class="err">'/</span><span class="py">CN</span><span class="p">=</span><span class="py">analyst</span><span class="err">/</span><span class="py">O</span><span class="p">=</span><span class="py">Example</span><span class="w"> </span><span class="py">Corp</span><span class="err">';</span><span class="w">
</span></span></span></code></pre></div><p>Connect with the certificate:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># The client cert/key are presented for mutual TLS; ca.crt verifies the server's certificate</span>
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="s1">'geode.example.com:3141'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">tls_cert</span><span class="o">=</span><span class="s1">'client-cert.pem'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">tls_key</span><span class="o">=</span><span class="s1">'client-key.pem'</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">tls_ca</span><span class="o">=</span><span class="s1">'ca.crt'</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span></code></pre></div>
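<p>A parser for the OpenSSL one-line subject format used in the <code>CREATE CERTIFICATE_MAPPING</code> statement above, as an added example that is not Geode's mapping implementation. The mapping table and the <code>resolve_user</code> helper are constructed here; the check they demonstrate is that a match requires the full, ordered list of RDNs to be identical, so a certificate whose subject merely contains <code>CN=analyst</code>, carries extra RDNs, or reorders them never resolves to <code>analyst</code>.</p>

```python
import re

# Constructed mapping table mirroring CREATE CERTIFICATE_MAPPING ... WITH SUBJECT
CERTIFICATE_MAPPINGS = {
    "analyst": "/CN=analyst/O=Example Corp",
    "svc-etl": "/CN=svc-etl/OU=Data Platform/O=Example Corp",
}

# One RDN: everything up to the next unescaped '/'; '\/' and '\\' stay inside the value
_RDN = re.compile(r"/((?:[^/\\]|\\.)+)")


def parse_subject(subject):
    """Parse an OpenSSL one-line subject into an ordered tuple of (attribute, value) pairs.

    Raises ValueError for anything that is not a sequence of '/attr=value' RDNs
    covering the whole string (empty RDNs, trailing slashes, RFC 2253 commas).
    """
    if not subject.startswith("/"):
        raise ValueError("expected an OpenSSL one-line subject beginning with '/'")
    rdns = []
    consumed = 0
    for raw in _RDN.findall(subject):
        consumed += len(raw) + 1                    # the RDN text plus its leading '/'
        if "=" not in raw:
            raise ValueError(f"RDN without '=': {raw!r}")
        attr, value = raw.split("=", 1)
        rdns.append((attr.strip(), re.sub(r"\\(.)", r"\1", value)))   # drop escape backslashes
    if consumed != len(subject) or not rdns:
        raise ValueError(f"malformed subject: {subject!r}")
    return tuple(rdns)


def is_valid_subject(subject):
    """True when parse_subject accepts the string."""
    try:
        parse_subject(subject)
        return True
    except ValueError:
        return False


def resolve_user(subject, mappings=CERTIFICATE_MAPPINGS):
    """Return the user whose mapped subject equals the presented one, else None.

    Comparison is on the parsed, ordered RDN tuples: a distinguished name is a
    sequence, so '/O=Example Corp/CN=analyst' is a different subject, and any
    extra or missing RDN is a mismatch rather than a partial match.
    """
    presented = parse_subject(subject)
    for user, mapped in mappings.items():
        if parse_subject(mapped) == presented:
            return user
    return None
```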
<h4 id="password-policy-enforcement" class="position-relative d-flex align-items-center group">
<span>Password Policy Enforcement</span>
</h4><p>Configure strong password requirements:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">auth</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password_policy</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">min_length</span><span class="p">:</span><span class="w"> </span><span class="m">14</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_uppercase</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_lowercase</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_numbers</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_special_chars</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">special_chars</span><span class="p">:</span><span class="w"> </span><span class="s2">"!@#$%^&*()_+-=[]{}|;:,.<>?"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_age_days</span><span class="p">:</span><span class="w"> </span><span class="m">90</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">prevent_reuse_count</span><span class="p">:</span><span class="w"> </span><span class="m">10</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lockout_threshold</span><span class="p">:</span><span class="w"> </span><span class="m">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">lockout_duration_minutes</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password_history_count</span><span class="p">:</span><span class="w"> </span><span class="m">24</span><span class="w">
</span></span></span></code></pre></div><p>Enforce password changes:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Force</span><span class="w"> </span><span class="py">password</span><span class="w"> </span><span class="py">change</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">next</span><span class="w"> </span><span class="py">login</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">REQUIRE</span><span class="w"> </span><span class="py">PASSWORD_CHANGE</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Set</span><span class="w"> </span><span class="py">password</span><span class="w"> </span><span class="py">expiration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ALTER</span><span class="w"> </span><span class="py">USER</span><span class="w"> </span><span class="py">analyst</span><span class="w"> </span><span class="py">PASSWORD_EXPIRES</span><span class="w"> </span><span class="err">'</span><span class="py">90</span><span class="w"> </span><span class="py">days</span><span class="err">';</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">password</span><span class="w"> </span><span class="py">compliance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="py">dbms</span><span class="err">.</span><span class="py">security</span><span class="err">.</span><span class="py">validatePassword</span><span class="p">(</span><span class="err">'</span><span class="py">proposed_password</span><span class="err">'</span><span class="p">)</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
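<p>The YAML policy above and the <code>validatePassword</code> / <code>PASSWORD_EXPIRES</code> statements describe rules the server enforces; the following is an added, self-contained Python illustration of what those rules amount to, not Geode's own code. It models the complexity, reuse, expiry and lockout settings from the <code>password_policy</code> block with a plain dictionary, uses PBKDF2-SHA256 from the standard library as a stand-in for the production password hash, and assumes (assumption, not documented on this page) that <code>prevent_reuse_count</code> is how many of the most recent stored hashes a new password is compared against, while <code>password_history_count</code> is how many hashes are retained at all.</p>

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed policy mirroring the geode.yaml password_policy fragment above.
# Illustration only; Geode's own config loader is not used here.
POLICY = {
    "min_length": 14,
    "require_uppercase": True,
    "require_lowercase": True,
    "require_numbers": True,
    "require_special_chars": True,
    "special_chars": "!@#$%^&*()_+-=[]{}|;:,.<>?",
    "max_age_days": 90,
    "prevent_reuse_count": 10,       # assumed: hashes compared on change
    "lockout_threshold": 5,
    "lockout_duration_minutes": 30,
    "password_history_count": 24,    # assumed: hashes retained per user
}

PBKDF2_ITERATIONS = 100_000  # stand-in KDF for the example only


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored 'salt_hex$digest_hex' value."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def validate_password(candidate: str, history: List[str], policy: dict = POLICY) -> List[str]:
    """Return the list of violated policy rules; an empty list means compliant."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_uppercase"] and not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if policy["require_lowercase"] and not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if policy["require_numbers"] and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy["require_special_chars"] and not any(c in policy["special_chars"] for c in candidate):
        problems.append("no special character from the allowed set")
    # Reuse check: only the most recent prevent_reuse_count hashes are consulted.
    recent = history[-policy["prevent_reuse_count"]:]
    if any(verify_password(candidate, h) for h in recent):
        problems.append(f"matches one of the last {policy['prevent_reuse_count']} passwords")
    return problems


def record_password_change(history: List[str], new_hash: str, policy: dict = POLICY) -> List[str]:
    """Append the new hash and trim the history to password_history_count entries."""
    return (history + [new_hash])[-policy["password_history_count"]:]


def password_expired(age_days: float, policy: dict = POLICY) -> bool:
    """True once a password is older than max_age_days (the '90 days' in PASSWORD_EXPIRES)."""
    return age_days > policy["max_age_days"]


@dataclass
class LoginState:
    failures: int = 0
    locked_until: Optional[datetime] = None


def record_login_attempt(state: LoginState, success: bool, now: datetime,
                         policy: dict = POLICY) -> str:
    """Apply lockout_threshold / lockout_duration_minutes; returns 'ok', 'failed' or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"          # still inside the lockout window
        state.locked_until = None    # window elapsed: clear the lock and the counter
        state.failures = 0
    if success:
        state.failures = 0
        return "ok"
    state.failures += 1
    if state.failures >= policy["lockout_threshold"]:
        state.locked_until = now + timedelta(minutes=policy["lockout_duration_minutes"])
        return "locked"
    return "failed"


def lockout_timeline(attempts: List[Tuple[int, bool]], policy: dict = POLICY) -> List[str]:
    """Replay (minute_offset, success) pairs from a constructed epoch; returns each outcome."""
    epoch = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    state = LoginState()
    return [record_login_attempt(state, ok, epoch + timedelta(minutes=m), policy)
            for m, ok in attempts]
```

<p>Two points worth noting when reading this against the configuration: the reuse window (<code>prevent_reuse_count</code>) is narrower than the retained history (<code>password_history_count</code>), so a hash can be kept for audit purposes without still blocking reuse; and a fixed lockout window means repeated wrong guesses can keep a legitimate account locked, which is why the summary below pairs lockout with monitoring of failed attempts rather than relying on lockout alone.</p>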
<h3 id="authentication-best-practices-summary">Authentication Best Practices Summary</h3><ol>
<li><strong>Always use TLS</strong> in production to protect credentials in transit</li>
<li><strong>Implement the principle of least privilege</strong> - grant only the minimum permissions each user or service requires</li>
<li><strong>Enable audit logging</strong> for compliance and security monitoring</li>
<li><strong>Use strong authentication</strong> - require multi-factor authentication for admin accounts</li>
<li><strong>Rotate credentials regularly</strong> - passwords, API keys, certificates</li>
<li><strong>Monitor failed login attempts</strong> - detect and respond to attacks</li>
<li><strong>Separate user types</strong> - different auth methods for users, services, admins</li>
<li><strong>Integrate with enterprise identity</strong> - LDAP, OAuth, SAML for centralized management</li>
<li><strong>Encrypt sensitive auth data</strong> - passwords, tokens, secrets</li>
<li><strong>Test disaster recovery</strong> - ensure you can restore access after failures</li>
</ol>