Howdy!
I'm starting to work on a graphql endpoint for a web ui where I want to differentiate access control based on the following:
- whether or not the session is authenticated (i.e. some resources will be public, others private)
- who the authenticated user is (i.e. they should only be able to see resources belonging to themselves or their organizations)
- whether the user is an admin (i.e. admins should see admin-only fields for resources and have access to all resources)
Pretty much all of the resources I intend to provide access for are defined using sea-orm and I am aware that it is possible with the latest 1.0.0-rc2 release of the seaography crate to easily dynamically build a more or less complete async-graphql schema.
The broad strokes of what I would like is to be able to do something like the following:
- add axum middleware to a /graphql/ endpoint route that authenticates requests
- somehow pass authenticated user information (e.g. user uuid, organization uuids, role id/enum/something) on to the async-graphql request context
- create an async-graphql extension from the Oso instance (this is probably the bulk of the work I want to do)
- register the extension with the schema builder
This is where it gets a bit fuzzy for me. What I want is for the Oso policy to determine whether a given query can be returned to the user, but because of the dynamic nature of graphql queries it's not clear to me how to do this without simply writing my own custom graphql endpoints integrating the Oso policy engine directly, whereas my preference would be some way to do this that can be simply applied to a schema built from sea-orm types.
Anyway, maybe I am overthinking this. Would definitely appreciate any thoughts/pointers as to whether something like this exists or whether it sounds doable.
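The three access rules the post lists (public vs. private, owner or organization membership, admin-only fields), written out as a plain-Rust stand-in for the Oso policy; this is an added example, not code from the discussion, seaography or Oso, and the `Principal`, `Resource` and `FIELDS` names are assumptions standing in for whatever the middleware would place in the request context.

```rust
// Added example: a std-only model of the access-control decisions the post
// describes. Principal/Resource/FIELDS are illustrative assumptions, not
// async-graphql, seaography or Oso types.
use std::collections::HashSet;

/// What the authenticating axum middleware would hand to the request context.
#[derive(Debug, Clone)]
pub enum Principal {
    Anonymous,
    User { id: u64, orgs: HashSet<u64>, admin: bool },
}

/// A resource as the policy sees it: owner, owning org, public flag.
#[derive(Debug, Clone)]
pub struct Resource {
    pub id: u64,
    pub owner: u64,
    pub org: u64,
    pub public: bool,
}

/// Fields of the graphql type, each tagged with whether it is admin-only.
pub const FIELDS: &[(&str, bool)] =
    &[("id", false), ("name", false), ("audit_log", true)];

/// Rule 1 + 2 + 3: may this principal read the resource at all?
pub fn can_read(p: &Principal, r: &Resource) -> bool {
    match p {
        Principal::Anonymous => r.public,
        Principal::User { admin: true, .. } => true,
        Principal::User { id, orgs, .. } => {
            r.public || r.owner == *id || orgs.contains(&r.org)
        }
    }
}

/// Field-level decision: None if the resource is hidden, otherwise the
/// field names this principal may see (admin-only ones only for admins).
pub fn visible_fields(p: &Principal, r: &Resource) -> Option<Vec<&'static str>> {
    if !can_read(p, r) {
        return None;
    }
    let is_admin = matches!(p, Principal::User { admin: true, .. });
    Some(FIELDS.iter()
        .filter(|(_, admin_only)| is_admin || !admin_only)
        .map(|(name, _)| *name)
        .collect())
}

/// List results: drop denied rows instead of failing the whole query.
pub fn filter_list<'a>(p: &Principal, rows: &'a [Resource]) -> Vec<&'a Resource> {
    rows.iter().filter(|r| can_read(p, r)).collect()
}
```

An extension or resolver wrapper would call `visible_fields` per selected field and `filter_list` on list results with the `Principal` read from the request context.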