How to set up auth key and slash key on Dgraph Community Edition

Is there a way to set up an auth key and slash key on Dgraph Community Edition?

Can you give more context? By Auth, do you mean the GraphQL Auth feature?
As for "Slash key", we have not used this name for a long time. Slash was the old name of our Cloud Service.

Hi @MichelDiz. Thank you for your quick response.
Here is some background on what I am trying to achieve:
I want to run Dgraph Community Edition on a Kubernetes cluster, connect to it from my app service running on the same cluster, create the schema, and query the data.
Until now, we have been using Dgraph Cloud, which provided us with the Slash API admin key.

However, Dgraph Community Edition does not seem to provide any option to generate the secret keys that we might need to connect to and run queries on the Dgraph instance.

Any idea if any such authentication keys are provided or required to be generated for the community edition?

This specific feature is part of the Cloud. You can have something similar using ACL (which is Enterprise). It’s not native to the Dgraph binary. Dgraph does have a “Poor man’s auth” option. However, you’ll need to generate your own token and use a different header for it.

Generally, those who opt for the Community Edition must address security concerns on their own. This means placing Dgraph behind a firewall and managing it all manually. With the Community Edition, we only provide the core database functionalities. We don’t recommend exposing Dgraph directly to end-users.

Cheers!

OK, thanks. Also, we are exposing Dgraph to the application service since the service needs to perform queries on Dgraph, so it has to communicate with Dgraph securely by means of some tokens. Is there a process for manually generating the auth token for Dgraph, and an example of using it in a query?

It’s not advisable to expose Dgraph directly. Individuals could reverse-engineer your application, potentially discovering things like tokens, and try to access it directly. What we recommend is implementing an API. The API acts as an intermediary, communicating between Dgraph and your application, thus offering better control. The Dgraph cluster should only be accessible to this API and nothing else.

Regarding the custom token, there isn’t a standardized approach. You’ll need to develop one yourself. And any time you want to change the token, you’ll have to restart the cluster. The ideal setup is to have an API, and let this API manage access control using JWT.

There’s no Auth Token for Community Edition, unless you use GraphQL Auth, which is another step.

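The access-control decision an intermediary API could make before forwarding a request to Dgraph, as an added example that is not part of the original thread and is not Dgraph's own code. It assumes HS256 tokens issued by your own service, a `role` claim, and a hypothetical role-to-endpoint policy over Dgraph's HTTP endpoints `/query`, `/mutate` and `/alter`.

```python
import base64, hashlib, hmac, json, time

# Assumed policy (not from the thread): Dgraph HTTP endpoints each role may reach.
ROLE_ENDPOINTS = {
    "reader": {"/query"},
    "writer": {"/query", "/mutate"},
    "admin": {"/query", "/mutate", "/alter"},
}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(secret, head, body):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_jwt(claims, secret):
    """Issue an HS256 JWT; used here to build constructed sample tokens."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac(secret, head, body))}"

def verify_jwt(token, secret, now=None):
    """Return the claims dict, or raise ValueError if the token is rejected."""
    try:
        head, body, sig = token.split(".")
        header, claims, got = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: the token must not be able to select "none".
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(got, mac(secret, head, body)):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

def authorize(token, endpoint, secret, now=None):
    """True only when a valid token's role may call this Dgraph endpoint."""
    try:
        role = verify_jwt(token, secret, now).get("role")
    except ValueError:
        return False
    return isinstance(role, str) and endpoint in ROLE_ENDPOINTS.get(role, set())
```

The API forwards a request to the cluster only when `authorize` returns `True`; the signing secret lives in the API, never in the client application.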

Are you saying that there is no way for an API to securely communicate with Dgraph Community Edition using DQL queries?

In other words, if we have a Dgraph Community Edition server running behind a firewall, any client also running behind that firewall has full read/write access to that server (without using any kind of client secret or password)?

I’m not saying that. What I’m saying is that the Auth Token option isn’t available in the Dgraph Community version. But you need to shield your cluster from the public. However, if you have the expertise, there are other strategies you can employ. You can utilize TLS (free) if you wish, among other more intricate approaches. But none of these are available out of the box. You have to configure them.

Yes. That is how it has been since 2016. You have this feature by activating ACL. But as I said, you can mitigate this by employing several strategies. Some individuals, whether they are engineers, CTOs, or other professionals, might not have the knowledge or patience to implement common market strategies or understand that they need them. This is why many choose to use the Cloud. With the Cloud, everything is handed to you on a silver platter, and you have access to Dgraph database engineers at your disposal.
