Federation, API Key gated Mutations

Users GraphQL
#1

I’m looking to use DGraph as part of my Apollo Federation. I’m currently running DGraph on GKE, not using Cloud.

What I’d like is to be able to hide to add/update/delete mutations from the outside, perhaps authenticating them with an API key so they can be accessible to my backend services.

I saw this, but it seems to be only referring to cloud: https://dgraph.io/docs/cloud/admin/authentication/

What is the best way to accomplish what I’m looking for?

#2

Update - So I didn’t read your entire post when I responded, but I am assuming if you’re not using the dgraph graphql which is part of dgraph cloud, you’re going to have to create your own graphql endpoints, which gets complicated to use with Apollo Federation. Basically, you start from scratch with just dql, someone who knows this subject better than me can respond here…

You could create an @auth directive for each node like this:

type User @auth(
    add: { rule:  "{$DENIED: { eq: \"DENIED\" } }"},
    update: { rule:  "{$DENIED: { eq: \"DENIED\" } }"}
    delete: { rule:  "{$DENIED: { eq: \"DENIED\" } }"}
) {

but that could get redundant with a bunch of nodes.

The other way of course is to go to SchemaAccessEdit Permissions and uncheck all writes. I believe that covers everything but queries.

J

Is it possible to allow certain graphql mutations to only be executed by a lambda?
#3

Thanks for the response.

Sounds like your second suggestion might be what I’ll look at first. I don’t want to add nodes later and forget to add the auth rules. Would this configuration be found in Ratel? I couldn’t find much about permissions in there.

Additionally, how would I go about accessing the writes from my backend in this scenario? I’d still like to be able to run the mutations but only from my backend, they should not be visible to any external clients.

To respond to your edit: I’m not sure exactly. I do have a graphql endpoint though from my GKE instance, and I was able to use curl -X POST localhost:8080/admin/schema --data-binary '@dgraph/schema.graphql' (after forwarding those ports) to upload my GraphQL schema just fine.

#4

Someone else is going to have to chime in here.

I believe that doesn’t block any admin from doing any mutations, just regular users.

As far as any server questions, that is out of my depth, hence, why I use Dgraph Cloud in the first place :slight_smile:

J

1 Like