How can I secure Ratel with Community Edition DGraph?

We have got a community DGraph cluster deployed in ECS. We also have Ratel in ECS, exposed over a load balancer. From what I can tell, we can only secure DGraph with the Enterprise edition, but I don’t want Ratel exposed to the internet without the possibility of securing data.

So for the Community edition, is it possible to either add a username/password to Ratel or add standard username/password access to the DGraph database (as you usually do with databases)?

Reading your comment, it seems to me that you expose Dgraph directly to the public. This is not recommended. You should create an API between your application and your cluster and create an Auth. Or use GraphQL with Auth(free).

With that in mind, you should put Dgraph behind a firewall or use options like a reverse proxy that is able to isolate and allow access via a simple login. But in general, a total barrier is the ideal. And then you create a VPN between your machine and your cluster. That way you can access the cluster directly. A simple ngrok shall fit the case.

PS. We have plans to support Poor man’s auth soon(in endpoints like query, mutate). That will be integrated with Ratel too.

1 Like

Dgraph Ratel UI is a client (ReactJS single-page-application) whose UI is served by a small web service. You can run this anywhere, such as docker container or directly on your laptop. In this scope, there’s no difference between Enterprise or Community Edition.

The part that does need to be secured are the public-endpoints with the Dgraph Alpha service. Below is a list of some ways you can secure the Dgraph Alpha service and the Dgraph Ratel UI web service:

  • Infrastructure (AWS) layer
    • Security Group: Add a security group for the endpoint to white list only allowed access, such as home office, and remote WFH addresses
    • TLS terminated on LB, such as ACM (AWS Certificate Manager).
    • Internal Facing LB so that it is only accessible to private networks. Then this can be accessed using bastion host or VPN. (ref. Internal Classic Load Balancers)
      • Setup bastion host (example quickstart guide) where you can setup SSH tunnel to access the private internal load balancer endpoint.
      • Setup at VPN (such as AWS Client VPN to get access to the private internal load balancer endpoint.
  • Dgraph Alpha layer
    • Mutual TLS (Community and Enterprise): You can use Mutual TLS, which requires you to submit a client certificate for access. For requiring a client certificate, Dgraph Alpha server must be configured with REQUIREANDVERIFY (ref. docs)
    • Access Control Lists (Enterprise only): Enabling this will requires logging into Dgraph Alpha to get an AccessJWT token that is then used to access Dgraph Alpha. (ref. docs)
  • Dgraph Ratel UI web service:
    • TLS can be added directly to the web service with -tls_crt and -tls_key arguments to dgraph_ratel.
2 Likes

@joaquin & @MichelDiz , thanks very much for your responses.

We are connected to the AWS account via our VPN; so looks like an internal load balancer is the way to go. Thanks @joaquin :slight_smile:

2 Likes