Using ratel with secured backend (google oauth)

My alpha installation is secured by Google IAP (OAuth provider).

It works fine, i.e. only a logged-in user with a token can access the alpha endpoints.

How can I provide a JWT token for the connection from Ratel?

You can try OpenResty.

Sorry, I don't really understand.

OpenResty for what?

My problem is that I don't know how to make Ratel use a JWT token, or how to make it redirect the browser for authentication.

OpenResty can do it.

Okay, where should I place OpenResty in my schema?

In my application, OpenResty is similar to nginx. I use it to protect all my APIs and static resources (using lua-resty-openidc).

Okay, good.
But my API (alpha) is already secured with OAuth2.

My problem now is how to make Ratel connect to it.

I use Ratel to connect to the alpha connection after the OpenResty reverse proxy, and the authentication tasks are all handled by OpenResty.

So, for Ratel it's already authenticated, right?

Do you store your permanent token in OpenResty, or how is it done?

Yes.

I haven't stored the token; lua-resty-openidc will help me manage the sessions.

Sorry, I still don't understand.

Could you please share the configuration?

Sorry, I can't. You can visit its wiki to get some examples.

I still think there is some misunderstanding of my task.

I don't see what OpenResty adds to my schema.

My GCE-backed ingress for alpha already does all the things to get a JWT token if I go there by browser.

The difference with Ratel is that it's not a browser, and doesn't follow the redirect to the auth endpoint.

Google OAuth? As far as I remember, Dgraph doesn't support it in its binaries. Are you using Dgraph Cloud or something?

In Ratel’s connection modal you have the option to add Slash API Key or Auth Token. If you are using TLS, you have to load the certificate in the browser. That’s it, there’s no other auth or token feature in Ratel.

Also, Ratel doesn't need an Auth logic. Only if you're going to provide it for third parties. So it is up to you to add such a mechanism. Even tho, it doesn't make sense, as the Auth doesn't manage the connection between Ratel and the cluster.

Yes, Google OAuth.

I started my cluster in my gcloud project, and I want to secure it.

So, I decided to close it with the IAP proxy = OAuth provider from Google.

All I need is to get the JWT and pass it with my requests as a header.

I'd like to have such an ability in Ratel.

As far as I understand, I can use it for the gRPC entrypoint with

	// dial with TLS transport credentials (ce) plus per-RPC credentials
	// (rpcCreds) that attach the token to every call
	conn, err = grpc.Dial(*address,
		grpc.WithTransportCredentials(ce),
		grpc.WithPerRPCCredentials(rpcCreds))
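An added example (not code from this thread or from Dgraph) of what a non-browser client has to do against an IAP-fronted alpha HTTP endpoint: attach the IAP-issued ID token as an Authorization bearer header and stop following the login redirect, so an unauthenticated call is reported as a 302 instead of a sign-in page. The IAP stand-in below is constructed and accepts one hard-coded token; it assumes IAP checks an `Authorization: Bearer <ID token>` header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bearerTransport adds the IAP-issued JWT (an OIDC ID token) to every request.
type bearerTransport struct {
	token string
	base  http.RoundTripper
}

func (t bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	if t.token != "" {
		r.Header.Set("Authorization", "Bearer "+t.token)
	}
	return t.base.RoundTrip(r)
}

// newIAPClient never follows the proxy's login redirect (unlike a browser),
// so a missing or rejected token surfaces as the raw 302 response.
func newIAPClient(token string) *http.Client {
	return &http.Client{
		Transport: bearerTransport{token: token, base: http.DefaultTransport},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// fakeIAP is a constructed stand-in for the IAP proxy in front of alpha:
// one hard-coded token is accepted, everyone else is sent to a login URL.
func fakeIAP(validToken string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Redirect(w, r, "https://accounts.google.com/PLACEHOLDER-login", http.StatusFound)
			return
		}
		fmt.Fprint(w, `{"status":"OK"}`) // what alpha would answer behind the proxy
	})
}

// probeAlpha returns the HTTP status a client presenting `token` gets from the proxy.
func probeAlpha(token, validToken string) int {
	srv := httptest.NewServer(fakeIAP(validToken))
	defer srv.Close()
	resp, err := newIAPClient(token).Get(srv.URL + "/health")
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}
```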

It still doesn’t make sense to me. Any Auth implementation is treated outside Dgraph’s binaries. Which means any use of WithTransportCredentials is useless. Cuz the Auth implementation isn’t native in Dgraph’s code, but your code. Which also means that you can have Auth in front of your application, but you can put Ratel to access the cluster directly via a proxy or even expose a secure endpoint.

Okay, let me elaborate more.

Could be that I explain it badly, or I chose the wrong solution.

Situation:
I have a dgraph installation inside my google cloud project, with some personal data.

I use Google IAM for authenticating operators who can access this data.

For other web services I use Google IAP to protect/secure them from the external world.

Only users who passed Google OAuth (i.e. logged in to their Google account and have access) can reach these services.

I want to do the same for my Dgraph installation.

I am not going to secure the Ratel endpoint - it's accessible for everyone.
But I protected my alpha endpoint with Google IAP. Thus now only authorized people can see this message

Dgraph browser is available for running separately using the dgraph-ratel binary

when they open the alpha endpoint in their browser.

Those who are unauthorized see - access disabled.

There is no support from the Dgraph binary needed. We can look at all this as a reverse proxy with authorization.

Now, I want to connect to this endpoint from Ratel.

For this I need to add a JWT token somewhere on the connection tab. Or I want Ratel to show me this "login" screen to which my IAP proxy redirects all the requests.

How to manage this?

You have to clone Ratel and implement it yourself. We don’t support this implementation you have. Our solution is ACL for cases like yours.

If I were you, I would create my own access control over the DB too. Cuz giving direct access to the whole DB isn't safe at all.

Okay, thank you.

What about this TLS/Cert solution, is it accessible in open-source version?

Can I give/revoke access by giving or revoking SSL certs?

Yes.

Not sure, you have to generate them using an internal tool. So I don't think it is easy to revoke. Cuz you need to restart the cluster, I think.