Federation, API Key gated Mutations

Fizzi · July 30, 2021, 12:01am

I’m looking to use DGraph as part of my Apollo Federation. I’m currently running DGraph on GKE, not using Cloud.

What I’d like is to be able to hide to add/update/delete mutations from the outside, perhaps authenticating them with an API key so they can be accessible to my backend services.

I saw this, but it seems to be only referring to cloud: https://dgraph.io/docs/cloud/admin/authentication/

What is the best way to accomplish what I’m looking for?

jdgamble555 · July 30, 2021, 12:10am

Update - So I didn’t read your entire post when I responded, but I am assuming if you’re not using the dgraph graphql which is part of dgraph cloud, you’re going to have to create your own graphql endpoints, which gets complicated to use with Apollo Federation. Basically, you start from scratch with just dql, someone who knows this subject better than me can respond here…

You could create an @auth directive for each node like this:

type User @auth(
    add: { rule:  "{$DENIED: { eq: \"DENIED\" } }"},
    update: { rule:  "{$DENIED: { eq: \"DENIED\" } }"}
    delete: { rule:  "{$DENIED: { eq: \"DENIED\" } }"}
) {

but that could get redundant with a bunch of nodes.

The other way of course is to go to Schema → Access → Edit Permissions and uncheck all writes. I believe that covers everything but queries.

J

Fizzi · July 30, 2021, 12:27am

Thanks for the response.

Sounds like your second suggestion might be what I’ll look at first. I don’t want to add nodes later and forget to add the auth rules. Would this configuration be found in Ratel? I couldn’t find much about permissions in there.

Additionally, how would I go about accessing the writes from my backend in this scenario? I’d still like to be able to run the mutations but only from my backend, they should not be visible to any external clients.

To respond to your edit: I’m not sure exactly. I do have a graphql endpoint though from my GKE instance, and I was able to use curl -X POST localhost:8080/admin/schema --data-binary '@dgraph/schema.graphql' (after forwarding those ports) to upload my GraphQL schema just fine.

jdgamble555 · July 30, 2021, 12:33am

Someone else is going to have to chime in here.

I believe that doesn’t block any admin from doing any mutations, just regular users.

As far as any server questions, that is out of my depth, hence, why I use Dgraph Cloud in the first place

J

Topic		Replies	Views
Dgraph graphql query integration wtih custom grapql server GraphQL kind:question , dgraph	9	667	September 22, 2020
Can I perform queries / mutations to /admin endpoint ignoring the auth rule? Dgraph Cloud kind:question	6	483	July 27, 2021
Using Dgraph GraphQL with attribute-based access control GraphQL example , graphql	2	1336	April 29, 2020
Putting it All Together - Dgraph Authentication, Authorization, and Granular Access Control (PART 4) - Dgraph Blog Blog	5	872	January 28, 2021
Dgraph v21.03: Resilient Rocket Release - Dgraph Blog Blog	8	1358	May 24, 2021

Federation, API Key gated Mutations

Related topics