Docker-compose authorization setup

I tried to run an example from "GraphQL: Using Postman with Examples - Dgraph Blog" with this docker-compose.yaml:

version: "3"
services:
  zero:
    image: dgraph/dgraph:latest
    volumes:
      - dgraph:/dgraph
    ports:
      - 5080:5080
      - 6080:6080
    restart: unless-stopped
    command: dgraph zero --my=zero:5080
  alpha:
    image: dgraph/dgraph:latest
    volumes:
      - dgraph:/dgraph
    ports:
      - 8080:8080
      - 9080:9080
    restart: unless-stopped
    command: dgraph alpha --my=alpha:7080 --lru_mb=1024 --zero=zero:5080  --auth_token=test
  ratel:
    image: dgraph/dgraph:latest
    ports:
      - 8000:8000
    command: dgraph-ratel

volumes:
  dgraph:

By requesting

curl -H "X-Dgraph-AccessToken: test" --data "query {getGQLSchema {schema}}" http://localhost:8080/admin

server responded with

{"errors":[{"message":"Request from IP: 172.28.0.1","extensions":{"code":"ErrorUnauthorized"}}]}

What is wrong in my config/query?
How can I set up auth access with docker-compose?

Hi @artemklv,

It seems that the docker container you are running needs to whitelist the IP of your machine, i.e. 172.28.0.1. So, when starting the docker container using docker run, you can whitelist your IP using --whitelist 172.28.0.1.
Something like:
docker run -it -p 8080:8080 -p 9080:9080 -p 8000:8000 dgraph/standalone:latest --whitelist 172.28.0.1

Hope this helps.

Hi, thanks, it doesn’t help. I thought that using --auth_token reduces the need for a whitelist.

Try this if you are using curl

curl -X POST -H "Content-Type: application/json" --data "{\"query\": \"query { getGQLSchema { schema } }\" }" http://localhost:8080/admin

I think you should not be setting the X-Dgraph-AccessToken header. Also, you need to set the Content-Type header to application/json and set the request body as mentioned above. Refer to this for how to send a query in a POST request in GraphQL.

Hope this helps.

Hi @artemklv,

auth_token is for securing alter operations so as to allow alter operations only from clients who provide auth_token.

You would need to additionally --whitelist the IP, and then the curl command suggested by @Rahul would work. Whitelisting is necessary because admin operations can only be done from the host machine where Dgraph is running (see whitelisting-admin-operations).

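The reply above applied to the compose file from the question, as an added example that is not part of the thread or of Dgraph's own documentation. It assumes the Dgraph release the thread uses (the `--lru_mb`, `--auth_token` and `--whitelist` flags on `dgraph alpha`); the network name `dgraph_net` and the pinned subnet are assumptions chosen to match the IP in the error message, and the ratel service is left out for brevity.

```yaml
# Added example, not from the thread. Token value "test" is the one
# used in the question; replace it outside of a throwaway setup.
version: "3"
services:
  zero:
    image: dgraph/dgraph:latest
    volumes:
      - dgraph:/dgraph
    ports:
      - 5080:5080
      - 6080:6080
    restart: unless-stopped
    command: dgraph zero --my=zero:5080
    networks:
      - dgraph_net          # hypothetical network name
  alpha:
    image: dgraph/dgraph:latest
    volumes:
      - dgraph:/dgraph
    ports:
      - 8080:8080
      - 9080:9080
    restart: unless-stopped
    # --whitelist: which source IPs may call /admin at all. Only the bridge
    #   gateway is listed; that is the address alpha reported in the
    #   "Request from IP: 172.28.0.1" error for curl run on the Docker host.
    # --auth_token: still needed for alter operations, as the reply explains.
    command: >
      dgraph alpha --my=alpha:7080 --lru_mb=1024 --zero=zero:5080
      --auth_token=test --whitelist=172.28.0.1
    networks:
      - dgraph_net

networks:
  dgraph_net:
    ipam:
      config:
        # Pin the subnet so the gateway stays 172.28.0.1 across
        # "docker-compose down" / "up"; otherwise Compose picks any free
        # range and the whitelist entry silently stops matching.
        - subnet: 172.28.0.0/16

volumes:
  dgraph:
```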

Thanks, it makes sense in production, but I have trouble setting up a dev environment (I run the dev server on a remote machine).
I can’t use Postman for the schema update. And ratel-ui doesn’t connect to the server. Maybe you have a useful example for this case?

CC: @michaelcompton @pawan

Hey @artemklv

As you have already figured out, if you have set up your dev environment on a remote machine and your local IP is not whitelisted, you can’t perform admin operations. We can see how this can be an issue while doing local development. Is it possible to whitelist the IP range of your local network? If not, then maybe we can provide a way to turn off the IP whitelisting so that you can do operations like updateGQLSchema from your local machine on a remote server.