hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0
31.2k stars 2.77k forks

A way to use third-party authorization systems with Hasura permissions #9298

Open osdiab opened 1 year ago

osdiab commented 1 year ago

Is your proposal related to a problem?

Yes, building a flexible permissions system in Hasura can be difficult because it has a specific RBAC model that has limitations in how you can express permissions.

Simultaneously there are a number of external authorization systems that appear really nice and flexible to use, but to use them would basically mean to let go of the row-level filtering that Hasura does. Doesn't really seem like there's a good way to combine these exciting technologies.

I'm not building with Hasura any more, sorry! We never managed to satisfyingly solve the authz problem. This was one of the contributing factors to our product's demise - far too much time spent trying to hack custom, performant authz solutions around Hasura, reducing the amount of time spent building the actual product.

Until Hasura make it possible to really hook into/call out from the authz system I think this problem would stop me using it for another customer-facing product.

There are a few interesting options emerging: Auth0 Fine Grained Authorization, Authzed, Ory Keto, Oso. But adopting any of these basically means you will have to drop Hasura and use something like Prisma instead.

Originally posted by @rossng in https://github.com/hasura/graphql-engine/issues/2575#issuecomment-1344067312

Describe the solution you'd like

If there were some kind of middleware such that results could be processed and passed to a third party API for permissions checking, that would be super cool.

Describe alternatives you've considered

My company has just spent a lot of time and energy figuring out how to get Hasura to cooperate with our business needs - it was tough but we managed to hack something together. Unsure how it will scale, though.

coco98 commented 1 year ago

@osdiab Thanks for the detailed comment here!

We're working on a set of enhancements to make authorization much easier to handle including things to make external entitlements possible to integrate as well:

Would love to get on a quick chat with you if you're open to it to:
a) discuss your current authz system you've built around Hasura and help review it
b) review what we're planning and see how that might be of immediate help to you

My email is tanmaig@hasura.io - please do reach out!

osdiab commented 1 year ago

Reached out, looking forward to it!

tuanalumi commented 1 year ago

Any updates on this? We're in need of this feature.

sgtsquiggs commented 1 month ago

Any updates? Those of us already using authzed, spicedb, casbin need options!