Open stephendeyoung opened 4 years ago
Currently, Remote Schemas don't have integrated role-based permission management like regular tables and Actions do.
There's an RFC being worked on for this, and it's a feature that we should hopefully see in the next coming releases:
https://github.com/hasura/graphql-engine/pull/5675
For now, the approach you can use is to check the authorization token from Hasura and use an auth middleware or auth guards in your resolver. You can use the X-Hasura-Default-Role and X-Hasura-Allowed-Roles claims for example.
Does this answer your question/is it useful? Don't have enough background context to know whether this implementation is feasible for your scenario or not.
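The guard suggested in the comment above, sketched for a custom remote schema server that receives the client's JWT. This is an added example, not code from the thread or from Hasura; the HS256 shared secret, the `ROOT_FIELDS` policy, the role names and all function names are assumptions.

```javascript
const crypto = require("crypto");

// Hasura's default JWT claims namespace, which carries the role claims.
const NS = "https://hasura.io/jwt/claims";

// Assumed policy (hypothetical roles): root fields each role may query directly.
// A Map avoids prototype lookups for role names such as "constructor".
const ROOT_FIELDS = new Map([["backend", ["people"]], ["user", []]]);

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const mac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Builds a constructed HS256 token so the example runs offline.
function signSample(payload, secret) {
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  return `${body}.${mac(body, secret).toString("base64url")}`;
}

// Returns the verified payload, or null for a malformed, forged or expired token.
function verifyHs256(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (!header || header.alg !== "HS256") return null; // pin the algorithm, reject "none"
  const expected = mac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!payload || (typeof payload.exp === "number" && payload.exp * 1000 <= Date.now())) return null;
  return payload;
}

// Guard: the requested role (or x-hasura-default-role when none is requested)
// must appear in x-hasura-allowed-roles and be permitted the root field.
function mayQuery(token, secret, requestedRole, rootField) {
  const payload = verifyHs256(token, secret);
  const claims = payload && payload[NS];
  if (!claims || !Array.isArray(claims["x-hasura-allowed-roles"])) return false;
  const role = requestedRole || claims["x-hasura-default-role"];
  if (typeof role !== "string" || !claims["x-hasura-allowed-roles"].includes(role)) return false;
  return (ROOT_FIELDS.get(role) || []).includes(rootField);
}
```

A resolver or middleware would call `mayQuery` with the bearer token and the root field being resolved, and reject the request when it returns false.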
@GavinRay97 thank you for getting back to me!
It's not clear to me how we can achieve what we want with auth middleware or guards. The remote schema we're using is another hasura instance so we don't have the ability to define a custom resolver if that's what you were getting at. We only want the tables exposed by the remote schema to be available in a join. We don't want these tables to be directly queryable through our hasura service.
This RFC is also related: https://github.com/hasura/graphql-engine/pull/4110 (particularly this part) but I guess you don't want to hide the select fields from the original hasura instance but only when it's added via remote schema?
@tirumaraiselvan We want the field to be available in our original hasura instance's schema but the table provided by the remote schema should not be queryable. Not sure if that's what you meant. For clarity's sake let's say person is the field we want in our schema and this is available in a people table in the remote schema. This query should be allowed:
query MyQuery {
  live_event {
    person
  }
}
But this should be disallowed:
query MyQuery {
  people {
    person
  }
}
@stephendeyoung Sorry for the delay. With the introduction of Remote Schema permissions, you can customize what parts of the remote schema you want to expose while keeping the remote relationships accessible. Hope that will solve your problem.
@tirumaraiselvan that's great thank you!
It seems that when you add a remote schema provided by another hasura instance, all the tables in that schema can be queried. For our use case we have an events table that contains the id of the person who sent that event. We want to get the name of this person by joining onto a table in the remote schema. But when we enable the remote schema it's then possible to query the entire table.
Is there a way of only allowing access to the table if it's part of a join?