repl/mt database

Author: andrejtonev

pages/clustering/replication.mdx

@@ -145,6 +145,42 @@ When dropping a database used on a REPLICA, the REPLICA will receive the command
 and will partially drop the database. It will hide the database and prevent any new
 usage. Once all clients have released the database, it will be deleted entirely.
 
+## Replication queries and the memgraph database
+
+Recent changes to Memgraph have modified how replication queries are executed. Replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, `DROP REPLICA`, etc.) now target the default "memgraph" database and require access to it.
+
+### Requirements for replication queries
+
+To execute replication queries, users must have:
+1. The `REPLICATION` privilege
+2. Access to the default "memgraph" database
+
+### Impact on multi-tenant environments
+
+In multi-tenant environments where users might not have access to the "memgraph" database, replication management operations will fail. This reinforces the recommendation to treat the "memgraph" database as an administrative/system database.
+
+#### Example: Admin user with replication privileges
+
+```cypher
+-- Create admin role with replication privileges
+CREATE ROLE replication_admin;
+GRANT REPLICATION TO replication_admin;
+GRANT DATABASE memgraph TO replication_admin;
+
+-- Create user with replication admin role
+CREATE USER repl_admin IDENTIFIED BY 'admin_password';
+SET ROLE FOR repl_admin TO replication_admin;
+```
+
+In this setup, `repl_admin` can:
+- Execute all replication queries (`REGISTER REPLICA`, `SHOW REPLICAS`, etc.)
+- Access the "memgraph" database for administrative operations
+- Manage the replication cluster configuration
+
+### Best practice
+
+For replication management, ensure that users who need to perform replication operations have both the `REPLICATION` privilege and access to the "memgraph" database. This aligns with the overall recommendation to treat the "memgraph" database as an administrative database in multi-tenant environments.
+
 ## Running multiple instances
 
 When running multiple instances, each on its own machine, run Memgraph as you

pages/database-management/authentication-and-authorization.mdx

@@ -21,15 +21,19 @@ Authentication and authorization queries (such as `CREATE USER`, `CREATE ROLE`,
 
 In addition to the `AUTH` privilege, users must also have access to the default "memgraph" database to execute authentication and authorization queries. This requirement applies even when the user is working in other databases within a multi-tenant environment.
 
+### Replication and multi-database queries
+
+Replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, `DROP REPLICA`, etc.) and multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) also now target the "memgraph" database and require access to it.
+
 ### Multi-tenant recommendations
 
 For multi-tenant environments, we recommend:
 - Treating the default "memgraph" database as an administrative/system database
 - Restricting access to the "memgraph" database to privileged users only
 - Storing application data in tenant-specific databases
-- Ensuring users who need to perform authentication operations have appropriate access
+- Ensuring users who need to perform authentication, replication, or multi-database operations have appropriate access
 
-For detailed information about these requirements and best practices, see the [Role-based access control](/database-management/authentication-and-authorization/role-based-access-control#authentication-and-authorization-requirements) and [Multi-tenancy](/database-management/multi-tenancy#default-database-best-practices) documentation.
+For detailed information about these requirements and best practices, see the [Role-based access control](/database-management/authentication-and-authorization/role-based-access-control#authentication-and-authorization-requirements), [Multi-tenancy](/database-management/multi-tenancy#default-database-best-practices), and [Replication](/clustering/replication#replication-queries-and-the-memgraph-database) documentation.
 
 ## [Users](/database-management/authentication-and-authorization/users)
 

pages/database-management/authentication-and-authorization/multiple-roles.mdx

@@ -29,14 +29,18 @@ Authentication and authorization queries (such as `CREATE USER`, `CREATE ROLE`,
 
 In addition to the `AUTH` privilege, users must also have access to the default "memgraph" database to execute authentication and authorization queries. This requirement applies even when the user is working in other databases within a multi-tenant environment.
 
+### Replication and multi-database queries
+
+Replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, `DROP REPLICA`, etc.) and multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) also now target the "memgraph" database and require access to it.
+
 <Callout type="warning">
-**Multi-tenant environments**: This requirement is only a concern in multi-tenant environments where users have access to databases other than the default "memgraph" database. In single-database deployments, this requirement is automatically satisfied.
+**Multi-tenant environments**: These requirements are only a concern in multi-tenant environments where users have access to databases other than the default "memgraph" database. In single-database deployments, these requirements are automatically satisfied.
 </Callout>
 
 ### Impact on multi-tenant role management
 
-When using multi-tenant roles, ensure that users who need to perform authentication and authorization operations have:
-1. The `AUTH` privilege granted to their roles
+When using multi-tenant roles, ensure that users who need to perform authentication, authorization, replication, or multi-database operations have:
+1. The appropriate privileges (`AUTH`, `REPLICATION`, `MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`)
 2. Access to the default "memgraph" database
 3. Appropriate role assignments for the "memgraph" database
 
@@ -67,6 +71,7 @@ SET ROLE FOR admin_user TO tenant2_admin ON tenant2_db;
 
 In this setup, `admin_user` can:
 - Perform authentication/authorization operations when connected to the "memgraph" database
+- Execute replication and multi-database queries when connected to the "memgraph" database
 - Manage tenant1_db data when connected to tenant1_db
 - Manage tenant2_db data when connected to tenant2_db
 
@@ -342,5 +347,7 @@ SET ROLE multi_db_role FOR user1 ON db2;
 6. **Use deny sparingly**: Remember that deny takes precedence over grant across all databases
 7. **Treat memgraph database as admin database**: In multi-tenant environments, restrict access to the default "memgraph" database to privileged users only
 8. **Ensure AUTH privilege access**: Users who need to perform authentication/authorization operations must have both the `AUTH` privilege and access to the "memgraph" database
-9. **Separate application data**: Store all application data in tenant-specific databases, not in the default "memgraph" database
-10. **Plan for authentication operations**: Design your role structure to ensure that users who need to manage users and roles have appropriate access to the "memgraph" database
+9. **Ensure replication privilege access**: Users who need to perform replication operations must have both the `REPLICATION` privilege and access to the "memgraph" database
+10. **Ensure multi-database privilege access**: Users who need to perform multi-database operations must have the appropriate privileges (`MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`) and access to the "memgraph" database
+11. **Separate application data**: Store all application data in tenant-specific databases, not in the default "memgraph" database
+12. **Plan for administrative operations**: Design your role structure to ensure that users who need to manage users, roles, replication, or multi-database operations have appropriate access to the "memgraph" database

pages/database-management/authentication-and-authorization/role-based-access-control.mdx

@@ -133,17 +133,25 @@ Authentication and authorization queries (such as `CREATE USER`, `CREATE ROLE`,
 
 In addition to the `AUTH` privilege, users must also have access to the default "memgraph" database to execute authentication and authorization queries. This requirement applies even when the user is working in other databases within a multi-tenant environment.
 
+### Replication and multi-database queries
+
+Replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, `DROP REPLICA`, etc.) and multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) also now target the "memgraph" database and require access to it.
+
+To execute these queries, users must have:
+- The appropriate privileges (`REPLICATION`, `MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`)
+- Access to the default "memgraph" database
+
 <Callout type="warning">
-**Multi-tenant environments**: This requirement is only a concern in multi-tenant environments where users have access to databases other than the default "memgraph" database. In single-database deployments, this requirement is automatically satisfied.
+**Multi-tenant environments**: These requirements are only a concern in multi-tenant environments where users have access to databases other than the default "memgraph" database. In single-database deployments, these requirements are automatically satisfied.
 </Callout>
 
 ### Recommended approach for multi-tenant environments
 
 In multi-tenant environments, we recommend treating the default "memgraph" database as an administrative/system database rather than storing application data in it. This approach provides better security and isolation:
 
-1. **Restrict access to the memgraph database**: Only grant access to privileged users who need to perform authentication and authorization operations
+1. **Restrict access to the memgraph database**: Only grant access to privileged users who need to perform authentication, authorization, replication, or multi-database management operations
 2. **Use tenant-specific databases**: Store application data in dedicated tenant databases rather than the default database
-3. **Separate administrative functions**: Keep user management and system administration separate from application data
+3. **Separate administrative functions**: Keep user management, system administration, replication management, and multi-database management separate from application data
 
 #### Example setup for multi-tenant environments
 
@@ -177,7 +185,7 @@ SET ROLE FOR tenant2_user_account TO tenant2_user;
 ```
 
 In this setup:
-- `admin_user` has access to the "memgraph" database and can perform all authentication/authorization operations
+- `admin_user` has access to the "memgraph" database and can perform all authentication/authorization, replication, and multi-database operations
 - `tenant1_user_account` and `tenant2_user_account` can only access their respective tenant databases
 - Application data is stored in tenant-specific databases, not in the default "memgraph" database
 

pages/database-management/multi-tenancy.md

@@ -26,13 +26,13 @@ In multi-tenant environments, we recommend treating the default "memgraph" datab
 
 #### Why treat memgraph as an admin database?
 
-Recent changes to Memgraph require that users have both the `AUTH` privilege and access to the default "memgraph" database to execute authentication and authorization queries. This requirement affects multi-tenant environments where users might have access to other databases but not the default one.
+Recent changes to Memgraph require that users have both the `AUTH` privilege and access to the default "memgraph" database to execute authentication and authorization queries. Additionally, replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, etc.) and multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, etc.) also now target the "memgraph" database and require access to it. This requirement affects multi-tenant environments where users might have access to other databases but not the default one.
 
 #### Recommended setup
 
 1. **Restrict memgraph database access**: Only grant access to the "memgraph" database to privileged users who need to perform system administration tasks
 2. **Use tenant-specific databases**: Store all application data in dedicated tenant databases
-3. **Separate concerns**: Keep user management, role management, and system administration separate from application data
+3. **Separate concerns**: Keep user management, role management, system administration, replication management, and multi-database management separate from application data
 
 #### Example configuration
 
@@ -74,7 +74,7 @@ SET ROLE FOR tenant2_regular_user TO tenant2_user;
 ```
 
 In this configuration:
-- `system_admin_user` can perform all authentication/authorization operations and has access to the "memgraph" database
+- `system_admin_user` can perform all authentication/authorization, replication, and multi-database operations and has access to the "memgraph" database
 - Tenant users can only access their respective tenant databases
 - Application data is completely isolated in tenant-specific databases
 - The "memgraph" database serves purely as an administrative database
@@ -140,6 +140,42 @@ Access to all databases can be granted or revoked using wildcards:
 `GRANT DATABASE * TO user;`, `DENY DATABASE * TO user;` or 
 `REVOKE DATABASE * FROM user;`.
 
+### Multi-database queries and the memgraph database
+
+Recent changes to Memgraph have modified how multi-database queries are executed. Multi-database queries (such as `SHOW DATABASES`, `CREATE DATABASE`, `DROP DATABASE`, etc.) now target the default "memgraph" database and require access to it.
+
+#### Requirements for multi-database queries
+
+To execute multi-database queries, users must have:
+1. The appropriate multi-database privileges (`MULTI_DATABASE_USE`, `MULTI_DATABASE_EDIT`)
+2. Access to the default "memgraph" database
+
+#### Impact on multi-tenant environments
+
+In multi-tenant environments where users might not have access to the "memgraph" database, multi-database management operations will fail. This reinforces the recommendation to treat the "memgraph" database as an administrative/system database.
+
+#### Example: Admin user with multi-database privileges
+
+```cypher
+-- Create admin role with multi-database privileges
+CREATE ROLE multi_db_admin;
+GRANT MULTI_DATABASE_USE, MULTI_DATABASE_EDIT TO multi_db_admin;
+GRANT DATABASE memgraph TO multi_db_admin;
+
+-- Create user with multi-database admin role
+CREATE USER db_admin IDENTIFIED BY 'admin_password';
+SET ROLE FOR db_admin TO multi_db_admin;
+```
+
+In this setup, `db_admin` can:
+- Execute all multi-database queries (`SHOW DATABASES`, `CREATE DATABASE`, etc.)
+- Access the "memgraph" database for administrative operations
+- Manage the multi-tenant database configuration
+
+#### Best practice
+
+For multi-database management, ensure that users who need to perform multi-database operations have both the appropriate multi-database privileges and access to the "memgraph" database. This aligns with the overall recommendation to treat the "memgraph" database as an administrative database in multi-tenant environments.
+
 ### Additional multi-tenant privileges
 
 Administrators manage multi-tenant privileges with:

pages/help-center/errors/auth.mdx

@@ -73,5 +73,65 @@ GRANT DATABASE memgraph TO role_name;
 
 In multi-tenant environments, we recommend treating the "memgraph" database as an administrative/system database and restricting access to privileged users only. See the [multi-tenancy documentation](/database-management/multi-tenancy#default-database-best-practices) for recommended setup patterns.
 
+## User doesn't have REPLICATION privilege
+
+This error occurs when a user attempts to execute replication queries (such as `REGISTER REPLICA`, `SHOW REPLICAS`, `DROP REPLICA`, etc.) without the required `REPLICATION` privilege.
+
+### Solution
+
+Grant the `REPLICATION` privilege to the user or their role:
+
+```cypher
+-- Grant REPLICATION privilege to a user
+GRANT REPLICATION TO username;
+
+-- Grant REPLICATION privilege to a role
+GRANT REPLICATION TO role_name;
+```
+
+### Multi-tenant environments
+
+In multi-tenant environments, users must also have access to the default "memgraph" database to execute replication queries. See the [replication documentation](/clustering/replication#replication-queries-and-the-memgraph-database) for more details.
+
+## User doesn't have MULTI_DATABASE_USE privilege [#error-6]
+
+This error occurs when a user attempts to execute multi-database queries (such as `SHOW DATABASES`, `USE DATABASE`) without the required `MULTI_DATABASE_USE` privilege.
+
+### Solution
+
+Grant the `MULTI_DATABASE_USE` privilege to the user or their role:
+
+```cypher
+-- Grant MULTI_DATABASE_USE privilege to a user
+GRANT MULTI_DATABASE_USE TO username;
+
+-- Grant MULTI_DATABASE_USE privilege to a role
+GRANT MULTI_DATABASE_USE TO role_name;
+```
+
+### Multi-tenant environments
+
+In multi-tenant environments, users must also have access to the default "memgraph" database to execute multi-database queries. See the [multi-tenancy documentation](/database-management/multi-tenancy#multi-database-queries-and-the-memgraph-database) for more details.
+
+## User doesn't have MULTI_DATABASE_EDIT privilege [#error-7]
+
+This error occurs when a user attempts to execute multi-database management queries (such as `CREATE DATABASE`, `DROP DATABASE`) without the required `MULTI_DATABASE_EDIT` privilege.
+
+### Solution
+
+Grant the `MULTI_DATABASE_EDIT` privilege to the user or their role:
+
+```cypher
+-- Grant MULTI_DATABASE_EDIT privilege to a user
+GRANT MULTI_DATABASE_EDIT TO username;
+
+-- Grant MULTI_DATABASE_EDIT privilege to a role
+GRANT MULTI_DATABASE_EDIT TO role_name;
+```
+
+### Multi-tenant environments
+
+In multi-tenant environments, users must also have access to the default "memgraph" database to execute multi-database management queries. See the [multi-tenancy documentation](/database-management/multi-tenancy#multi-database-queries-and-the-memgraph-database) for more details.
+
 
 <CommunityLinks/>