Starting with this PR, all the admin endpoints now require three kinds of auth:
- IP White-listing, if
--whitelistflag is passed to alpha.
- Poor-man’s auth, if
--auth_tokenflag is passed to alpha (means you will need to pass the
X-Dgraph-AuthTokenheader while making the HTTP request if this is enabled).
- Guardian only access, if ACL is enabled (means you need to pass the ACL JWT of a Guardian user as
X-Dgraph-AccessTokenheader while making the HTTP request if this is enabled).
Admin endpoint means any http endpoint which provides admin functionalities. Normally, the path starts with
/admin for such endpoints, except a few. So, at present this list includes:
There are a few exceptions to the general rule described above:
/admin: This endpoint provides GraphQL queries/mutations for administration purposes. All the queries/mutations on
/adminhave all the 3 auth checks, except for the following one:
login (mutation): This mutation logs-in an ACL user, and provides them with JWT. Only IP Whitelisting and Poor-man’s auth checks are performed for this. As one won’t be able to login using ACL if we mandate Guardian only access on this.
/login: The same behavior as the above GraphQL admin
Apart from the above-mentioned points, when ACL is enabled, querying dgraph schema now returns only those predicates for which the ACL user has read access.
cc: @pawan, @michaelcompton, @gja, @mrjn