Graph Server, User Authentication and Authorization for Database Authentication

September 12, 2025 admin Oracle AI Database 26ai, 0

In this demo, we will first install and configure the graph server

for reverences, refer to oracle documentation

You can run Oracle Graph Server in standalone mode or using a webserver like Oracle WebLogic Server or Apache Tomcat.
The installation steps for installing Oracle Graph Server in standalone mode are as shown:As a root user or using sudo, install the RPM file using the rpm command line utility
sudo rpm -i oracle-graph-<version>.rpm
sudo rpm -i oracle-graph-24.2.0.x86_64.rpm[oracle@localhost graphdl]$ sudo rpm -i oracle-graph-24.2.0.x86_64.rpm
[sudo] password for oracle:
Starting post-installation process …
1. Creating PGX temp directory /opt/oracle/graph/pgx/tmp_data
2. Creating log directory /var/log/oracle/graph
3. Generating demo server keystore …
changed ownership of ‘server_keystore.jks’ from root:root to oraclegraph:oraclegraph
Server keystore successfully generated in /etc/oracle/graph
Warning: server keystore generated using localhost
Post-installation process completed
[oracle@localhost graphdl]$

The .rpm file is the graph server.
The following post-installation steps are carried out at the time of the RPM file installation:Creation of a working directory in /opt/oracle/graph/pgx/tmp_data
Creation of a log directory in /var/log/oracle/graphAs a root user or using sudo, start the graph server (PGX) by executing the following command:

sudo systemctl start pgx

[root@localhost oracle]# systemctl status pgx
● pgx.service – Oracle Graph In-Memory Server
Loaded: loaded (/etc/systemd/system/pgx.service; disabled; preset: disabled)
Active: active (running) since Mon 2024-07-01 12:27:57 EDT; 1s ago
Main PID: 25661 (bash)
Tasks: 25 (limit: 21735)
Memory: 139.2M
CPU: 2.768s
CGroup: /system.slice/pgx.service
├─25661 /bin/bash start-server
└─25700 java –add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED –add-exports=jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED ->

The graph server is now ready to accept requests.
If the graph server has not started, then you must check the log files in /var/log/oracle/graph for errors. Additionally, you can also run the following command to view any systemd errors:

As <graphuser>, configure the server by modifying the files under /etc/oracle/graph by following the steps under Prepare the Graph Server for Database Authentication.

Basic Steps for Using an Oracle Database for Authentication
You can follow the steps explained in this section to authenticate users to the graph server (PGX).
Prepare the Graph Server for Database Authentication
Locate the pgx.conf file of your installation.
/etc/oracle/graph/pgx.conf

Check the server status

[oracle@localhost ~]$ systemctl status pgx
○ pgx.service – Oracle Graph In-Memory Server
Loaded: loaded (/etc/systemd/system/pgx.service; disabled; preset: disabled)
Active: inactive (dead)
[oracle@localhost ~]$ sudo systemctl start pgx
[sudo] password for oracle:
[oracle@localhost ~]$ systemctl status pgx
● pgx.service – Oracle Graph In-Memory Server
Loaded: loaded (/etc/systemd/system/pgx.service; disabled; preset: disabled)
Active: active (running) since Mon 2024-07-01 13:42:02 EDT; 7s ago
Main PID: 7269 (bash)
Tasks: 34 (limit: 21735)
Memory: 2.8G
CPU: 12.195s
CGroup: /system.slice/pgx.service
├─7269 /bin/bash start-server
└─7312 java –add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED –add-exports=j>

Jul 01 13:42:03 localhost.localdomain bash[7312]: Jul. 01, 2024 1:42:03 P.M. org.apache.tomcat.util.net>
Jul 01 13:42:03 localhost.localdomain bash[7312]: INFO: Connector [https-jsse-nio-7007], TLS virtual ho>
Jul 01 13:42:03 localhost.localdomain bash[7312]: Jul. 01, 2024 1:42:03 P.M. org.apache.catalina.core.S>
Jul 01 13:42:03 localhost.localdomain bash[7312]: INFO: Starting service [Tomcat]
Jul 01 13:42:03 localhost.localdomain bash[7312]: Jul. 01, 2024 1:42:03 P.M. org.apache.catalina.core.S>
Jul 01 13:42:03 localhost.localdomain bash[7312]: INFO: Starting Servlet engine: [Apache Tomcat/9.0.86]
Jul 01 13:42:06 localhost.localdomain bash[7312]: Jul. 01, 2024 1:42:06 P.M. org.apache.catalina.startu>
Jul 01 13:42:06 localhost.localdomain bash[7312]: INFO: No global web.xml found
Jul 01 13:42:09 localhost.localdomain bash[7312]: Jul. 01, 2024 1:42:09 P.M. org.apache.jasper.servlet.>
Jul 01 13:42:09 localhost.localdomain bash[7312]: INFO: At least one JAR was scanned for TLDs yet conta>
lines 1-21/21 (END)

User Authentication and AuthorizationThe Oracle Graph server (PGX) uses an Oracle Database as identity manager. Both username and password based as well as Kerberos based authentication is supported.The actions that you are allowed to do on the graph server are determined by the privileges enabled by roles that have been granted to you in the Oracle Database.

[graphuser@localhost ~]$ cd /opt/oracle/graph/scripts/
[graphuser@localhost scripts]$ ls -altr
total 8
-rwxr-xr-x. 1 root oraclegraph 417 Apr 17 03:00 patch-opg-oracle-home.sh
-rwxr-xr-x. 1 root oraclegraph 1087 Apr 17 03:00 create_graph_roles.sql
[graphuser@localhost scripts]$

Assign roles to all the database developers who should have access to the graph server (PGX).

GRANT graph_administrator to <administratoruser>

where <administratoruser> is a user in the database.
-- create graphuser
drop user if exists graphuser cascade;
create user graphuser identified by salem2020 quota unlimited on users;
grant graph_developer to graphuser;

-- Only used for tracing and execution plan examples.
grant alter session to graphuser;
grant select_catalog_role to graphuser;

Find all granted roles
select * --granted_role
from role_role_privs
where upper(granted_role) like '%PGX%';

User Authentication and Authorization

The Oracle Graph server (PGX) uses an Oracle Database as identity manager.
All database users that work with graphs require the CREATE SESSION privilege in the database.
The privileges enabled by roles that have been granted to the user in the Oracle Database define actions allowed on the graph server.
These roles are created when you install the PL/SQL package of the Oracle Graph Server and Client distribution on the target database.
Example of particular roles granted to graph users depending on their tasks

Role                                                                      Grantee
GX_SESSION_CREATE, PGX_SESSION_NEW_GRAPH, PGX_SESSION_GET_PUBLISHED_GRAPH Graph developers && users
PGX_SERVER_GET_INFO, PGX_SERVER_MANAGE                                    Users who administer PGX
PGX_SESSION_ADD_PUBLISHED_GRAPH, PGX_SESSION_COMPILE_ALGORITHM, PGX_SESSION_READ_MODEL, PGX_SESSION_MODIFY_MODEL                                                  Graph developers

If you install the PL/SQL packages of the Oracle Graph Server and Client distribution on the target Oracle Database, the following roles are automatically created and assigned the default permissions as shown in the following table:

Roles	Description	Permission
GRAPH_ADMINISTRATOR	Performs operations on the graph server (PGX) using the Java API.	PGX_SESSION_CREATE PGX_SERVER_GET_INFO PGX_SERVER_MANAGE
GRAPH_DEVELOPER	Creates/publishes/modifies/ queries/and views graphs using the Java API or SQLcl or the graph visualization application.	PGX_SESSION_CREATE PGX_SESSION_NEW_GRAPH PGX_SESSION_GET_PUBLISHED_GRAPH PGX_SESSION_MODIFY_MODEL PGX_SESSION_READ_MODEL
GRAPH_USER	Queries graphs and views graphs Java API or SQLcl or the graph visualization application	PGX_SESSION_CREATE PGX_SESSION_GET_PUBLISHED_GRAPH

1.2.3 Install the required Pl/Sql Packages.

Download the Oracle Graph PL/SQL patch component, which is a part of the Oracle Graph Server and Client download from Oracle Software Delivery Cloud.

Unzip the file oracle-graph-plsql-<ver>.zip into a directory of your choice.

<ver> denotes the version downloaded for the Oracle Graph PL/SQL Patch for PL/SQL.

Install the PL/SQL packages:

— plsql packages -rw-r–r–. 1 oracle oinstall 159188 Jan 20 09:46 V1033700-01.zip

— V1033700-01.zip
— Oracle Graph PL/SQL Patch 23.1.0 for (Linux x86-64), 155.5 KB

There are two directories, one for users with Oracle Database 18c or below, and one for users with Oracle Database 19c or above.

As a database user with DBA privilges, follow the instructions in the README.md file in the appropriate directory (that matches your database version).

This has to be done for every PDB you will use the graph feature in. For example:

[oracle@oel8 graph_dnlds]$ ls -altr
total 164
drwxr-xr-x. 4 oracle oinstall 48 Jan 19 00:55 optional_pg_schema
-rwxrwxrwx. 1 oracle oinstall 3145 Jan 19 00:55 create_graph_roles.sql
-rw-r–r–. 1 oracle oinstall 158980 Jan 20 09:11 oracle-graph-plsql-23.1.0.zip
[oracle@oel8 graph_dnlds]$

Before installing the packages, refer to the README.md – file for important recommendations

This patch upgrades the PL/SQL packages required by the Oracle Graph feature. If there are critical data involved, please make sure to perform a full database backup first.

To install this patch on top of an existing Oracle Database 12.2x, 18.x or 19.x, copy the files of this patch onto the machine which runs the Oracle Database.

1) Connect to the database server as the ORACLE user. Make sure ORACLE_HOME is correctly defined.

2) Change into the directory of the patch variant applicable for your database version

cd <directory-in-which-patch-was-unzipped>/optional_pg_schema/18c_and_below

cd <directory-in-which-patch-was-unzipped>/optional_pg_schema/19c_and_above

3) Re-install Oracle Spatial and Graph Property Graph schema PL/SQL packages.

You need to perform this step for each pluggable database (PDB) you use to hold graphs. If your database is not multi-tenant, then you can skip the “alter session” step.

Install the plsql-packages

/home/oracle/graph_dnlds/optional_pg_schema/19c_and_above
[oracle@oel8 19c_and_above]$
cd /home/oracle/graph_dnlds/optional_pg_schema/19c_and_above
sqlplus / as sysdba
alter session set container=pdb1;
@opgremov.sql
@catopg.sql
exit
Let's create graph - database users and grant them the roles defined in the previous table

graph_adm
graph-dev
graph_usr

GRAPH_ADM : Performs operations on the graph server (PGX) using the Java API
CREATE USER GRAPH_ADM IDENTIFIED BY ******
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
ACCOUNT UNLOCK ;

–– ROLES
GRANT RESOURCE, DBA TO GRAPH_ADM;
GRANT ALTER SESSION, CREATE PROCEDURE, CREATE SEQUENCE, CREATE SESSION, CREATE TABLE, CREATE TRIGGER, CREATE TYPE, CREATE VIEW TO GRAPH_ADM;
GRANT GRAPH_ADMINISTRATOR TO GRAPH_ADM;

GRAPH_DEV : Creates/publishes/modifies/ queries/and views graphs using the Java API or SQLcl or the graph visualization application.
CREATE USER GRAPH_DEV IDENTIFIED BY xxxxxxx
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
ACCOUNT UNLOCK ;

— ROLES
GRANT RESOURCE TO GRAPH_DEV;
GRANT ALTER SESSION, CREATE PROCEDURE, CREATE SEQUENCE, CREATE SESSION, CREATE TABLE, CREATE TRIGGER, CREATE TYPE, CREATE VIEW TO GRAPH_DEV;
GRANT GRAPH_DEVELOPER TO GRAPH_DEV;
/

GRAPH_USR : Queries graphs and views graphs Java API or SQLcl or the graph visualization application
CREATE USER GRAPH_USR IDENTIFIED BY xxxxxx
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
ACCOUNT UNLOCK ;

— ROLES
GRANT RESOURCE TO GRAPH_USR;
GRANT ALTER SESSION, CREATE PROCEDURE, CREATE SEQUENCE, CREATE SESSION, CREATE TABLE, CREATE TRIGGER, CREATE TYPE, CREATE VIEW TO GRAPH_USR;
GRANT GRAPH_USER TO GRAPH_USR;
/

Let’s run the following scripts to create the graph- database users
graph_adm.sql
grah_dev.sql
grah_usr.sql

[oracle@oel8 manage_graph_users]$ sqlplus / as sysdba
SQL*Plus: Release 21.0.0.0.0 - Production on Sat Mar 11 13:15:12 2023
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.
Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0
SQL> alter session set container=pdb1;
Session altered.
SQL> @graph_adm.sql;
User dropped.
User created.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
SQL> @graph_dev.sql;
User dropped.
User created.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
SQL> @graph_usr.sql;
DROP USER GRAPH_USR CASCADE
*
ERROR at line 1:
ORA-01918: user 'GRAPH_USR' does not exist
User created.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
SQL>

As a graph_adm user in the database, check that the PL/SQL update is successful:

[oracle@oel8 manage_graph_users]$ sqlplus graph_adm/xxxxxxxx@pdb1;

SQL*Plus: Release 21.0.0.0.0 - Production on Sat Mar 11 13:25:36 2023
Version 21.3.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.

Connected to:
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.3.0.0.0

SQL> show user;
USER is "GRAPH_ADM"
SQL> SELECT opg_apis.get_opg_version() FROM DUAL;

OPG_APIS.GET_OPG_VERSION()
--------------------------------------------------------------------------------
23.1

SQL>