Authentication for admin endpoints

Starting with this PR, all the admin endpoints now require three kinds of auth:

  1. IP whitelisting, if the --whitelist flag is passed to alpha.
  2. Poor-man's auth, if the --auth_token flag is passed to alpha (meaning you will need to pass the auth token as the X-Dgraph-AuthToken header while making the HTTP request if this is enabled).
  3. Guardian-only access, if ACL is enabled (meaning you need to pass the ACL JWT of a Guardian user as the X-Dgraph-AccessToken header while making the HTTP request if this is enabled).

An admin endpoint is any HTTP endpoint that provides admin functionality. Normally the path starts with /admin for such endpoints, with a few exceptions. So, at present, this list includes:

  • /admin
  • /admin/backup
  • /admin/config/lru_mb
  • /admin/draining
  • /admin/export
  • /admin/shutdown
  • /admin/schema
  • /alter
  • /login

There are a few exceptions to the general rule described above:

  1. /admin: This endpoint provides GraphQL queries/mutations for administration purposes. All the queries/mutations on /admin have all 3 auth checks, except for the following one:
    • login (mutation): This mutation logs in an ACL user and provides them with a JWT. Only the IP whitelisting and poor-man's auth checks are performed for this, as one won't be able to log in using ACL if we mandate Guardian-only access on it.
  2. /login: The same behavior as the GraphQL admin login mutation above.

Apart from the above-mentioned points, when ACL is enabled, querying the Dgraph schema now returns only those predicates for which the ACL user has read access.

cc: @pawan, @michaelcompton, @gja, @mrjn

Related PRs:

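A minimal implementation of the three-stage check described in the post, added here as an illustration; it is not code from the PR or from Dgraph itself. It assumes an AdminAuth struct and a StatusFor helper invented for the example, a hand-rolled HS256 JWT whose "groups" claim lists the user's groups (the post does not give the real ACL token layout, so that is an assumption), and treats the /login path as the only Guardian-exempt endpoint; the GraphQL login mutation on /admin would have to pass skipGuardian=true from its own resolver, since recognising it needs the parsed query.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AdminAuth bundles the three independently switchable checks from the post
// (field names and the JWT claim layout are assumptions made for this example).
type AdminAuth struct {
	Whitelist  []*net.IPNet // from --whitelist; empty means the check is off
	AuthToken  string       // from --auth_token; empty means the check is off
	ACLEnabled bool         // ACL on: a Guardian JWT is required
	HMACSecret []byte       // key the ACL JWT is assumed to be signed with (HS256)
}

func (a *AdminAuth) ipAllowed(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // RemoteAddr without a port
	}
	ip := net.ParseIP(host)
	for _, n := range a.Whitelist {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// SignToken mints an HS256 JWT carrying a "groups" claim (assumed layout),
// standing in for the token the login mutation hands back to an ACL user.
func SignToken(secret []byte, groups []string) string {
	enc := base64.RawURLEncoding
	body, _ := json.Marshal(map[string][]string{"groups": groups})
	signing := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signing))
	return signing + "." + enc.EncodeToString(mac.Sum(nil))
}

// isGuardian checks the signature before trusting any claim, then requires membership in "guardians".
func (a *AdminAuth) isGuardian(token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	mac := hmac.New(sha256.New, a.HMACSecret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errBody := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Groups []string `json:"groups"` }
	if errSig != nil || errBody != nil || !hmac.Equal(sig, mac.Sum(nil)) || json.Unmarshal(payload, &claims) != nil {
		return false
	}
	for _, g := range claims.Groups {
		if g == "guardians" {
			return true
		}
	}
	return false
}

// Check runs the enabled checks in order. skipGuardian is true only for login,
// which must stay reachable so an ACL user can obtain the JWT in the first place.
func (a *AdminAuth) Check(r *http.Request, skipGuardian bool) (int, string) {
	if len(a.Whitelist) > 0 && !a.ipAllowed(r.RemoteAddr) {
		return http.StatusForbidden, "client IP is not whitelisted"
	}
	got := []byte(r.Header.Get("X-Dgraph-AuthToken"))
	if a.AuthToken != "" && subtle.ConstantTimeCompare(got, []byte(a.AuthToken)) != 1 {
		return http.StatusUnauthorized, "invalid or missing X-Dgraph-AuthToken"
	}
	if a.ACLEnabled && !skipGuardian && !a.isGuardian(r.Header.Get("X-Dgraph-AccessToken")) {
		return http.StatusUnauthorized, "X-Dgraph-AccessToken of a Guardian user required"
	}
	return http.StatusOK, ""
}

// StatusFor builds an in-memory request and returns the status Check assigns it.
// Only the /login path is exempted from the Guardian check here; the GraphQL
// login mutation on /admin would pass skipGuardian=true from its own resolver.
func StatusFor(a *AdminAuth, path, remote, authToken, accessToken string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.RemoteAddr = remote
	req.Header.Set("X-Dgraph-AuthToken", authToken)
	req.Header.Set("X-Dgraph-AccessToken", accessToken)
	code, _ := a.Check(req, path == "/login")
	return code
}

func main() {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8")
	a := &AdminAuth{Whitelist: []*net.IPNet{lan}, AuthToken: "s3cret", ACLEnabled: true, HMACSecret: []byte("jwt-key")}
	guardian := SignToken(a.HMACSecret, []string{"guardians"})
	fmt.Println(StatusFor(a, "/alter", "10.1.2.3:5000", "s3cret", guardian)) // 200
	fmt.Println(StatusFor(a, "/alter", "10.1.2.3:5000", "s3cret", ""))       // 401
	fmt.Println(StatusFor(a, "/login", "10.1.2.3:5000", "s3cret", ""))       // 200
}
```

Two practitioner notes on the shape of this. The checks are cumulative, not alternative: a request to /login from a whitelisted IP still fails if the --auth_token value is missing, and the token is compared in constant time so that a probing client cannot measure how much of it matched. The IP check is keyed on RemoteAddr, which is only meaningful when alpha sees the client's real source address; behind a reverse proxy it would see the proxy, and substituting X-Forwarded-For is safe only when every hop that can set that header is trusted.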

I think we should consider what their behavior “should be”, not what it has been. We can make breaking changes in major releases. So, let’s think about that and apply the checks accordingly.

I’d think that GQL schema retrievals and updates would require all 3 checks, just based on a cursory look.

IP whitelisting was introduced for Admin operations and updating and fetching the schema are Admin operations. So it should apply to Alter and updateGQLSchema. We can also apply it to getGQLSchema but then we should probably also apply it to the schema {} query within Dgraph.