Use the graphql endpoint for lineage queries

[rokroskar]

SwissDataScienceCenter/renku#587 introduces the graphql endpoint - the gateway should forward lineage requests to this endpoint instead of submitting sparql queries itself.

[jachro]

Do you think UI should be going through the gateway? I was thinking if UI can maybe call the knowledge-graph service directly...

[rokroskar]

Eventually we'll want authentication on those requests - then going through the gateway will make sense.

[jachro]

Yes, I'll put some auth to the Knowledge Graph endpoint soon, I hope. Shouldn't we then do a similar solution on the Gateway as we do for other services like GitLab or Keycloack? I mean so there's no single purpose lineage endpoint on the Gateway but something more general which would be more like a proxy with auth? Then anyone can use it for all the calls on the Knowledge Graph?

[ableuler]

Absolutely, the current lineage endpoint in the GW will go away, instead I would just like to define a forwarding rule in the traefik part of the gateway together with a rule for swapping the cookie for a token.

[jachro]

👍

[rokroskar]

But the gateway doesn't do the authentication. You'll want to put the KG endpoint behind something like a keycloak-proxy, won't you?

[ableuler]

We have agreed that the GW will forward requests to /api/graphql/... to the graphQL endpoint and swap the cookie for a keycloak oAuth token. I don't know if the keycloak-proxy is easier than just validating the oAuth token directly in the graph service. But I agree that one or the other should happen.

[rokroskar]

Yes but the /graphql endpoint has to be exposed if the browser is to access it - that means that going there directly won't require any tokens to be present in the request, hence it should probably be protected.

[jachro]

Am I right that we have two choices:

• add a forwarding rule to the Gateway so it will swap UI cookie for an OAuth token and then knowledge-graph service validates the OAuth token with Keycloak - I think that's what we agreed with Andreas the other day;
• don't add any forwarding rules to the Gateway and then knowledge-graph service has to validate the cookie with the Gateway (or extracts the OAuth token from the cookie and validates that with Keycloak but I'm guessing we don't encrypt any tokens into our cookies).
  For me adding the authorization to the graphql endpoint on the knowledge-graph service is a must and I simply haven't done it yet as the data is public anyway (we have the consent from the users) and simply I didn't want to blow up the story with some functionality.