2021-01-07 12:04:22 +03:00
|
|
|
-- | The RQL metadata query ('/v1/metadata')
|
|
|
|
module Hasura.Server.API.Metadata where
|
|
|
|
|
2021-01-09 02:09:15 +03:00
|
|
|
import Hasura.Prelude
|
|
|
|
|
|
|
|
import qualified Data.Environment as Env
|
|
|
|
import qualified Network.HTTP.Client.Extended as HTTP
|
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
import Control.Monad.Trans.Control (MonadBaseControl)
|
|
|
|
import Control.Monad.Unique
|
|
|
|
import Data.Aeson
|
|
|
|
import Data.Aeson.Casing
|
|
|
|
import Data.Aeson.TH
|
|
|
|
|
2021-01-09 02:09:15 +03:00
|
|
|
import qualified Hasura.Tracing as Tracing
|
2021-01-07 12:04:22 +03:00
|
|
|
|
|
|
|
import Hasura.EncJSON
|
|
|
|
import Hasura.Metadata.Class
|
|
|
|
import Hasura.RQL.DDL.Action
|
2021-02-11 20:54:25 +03:00
|
|
|
import Hasura.RQL.DDL.ApiLimit
|
2021-01-07 12:04:22 +03:00
|
|
|
import Hasura.RQL.DDL.ComputedField
|
|
|
|
import Hasura.RQL.DDL.CustomTypes
|
2021-01-29 04:02:34 +03:00
|
|
|
import Hasura.RQL.DDL.Endpoint
|
2021-01-07 12:04:22 +03:00
|
|
|
import Hasura.RQL.DDL.EventTrigger
|
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
|
|
|
import Hasura.RQL.DDL.InheritedRoles
|
2021-01-07 12:04:22 +03:00
|
|
|
import Hasura.RQL.DDL.Metadata
|
|
|
|
import Hasura.RQL.DDL.Permission
|
|
|
|
import Hasura.RQL.DDL.QueryCollection
|
|
|
|
import Hasura.RQL.DDL.Relationship
|
|
|
|
import Hasura.RQL.DDL.Relationship.Rename
|
|
|
|
import Hasura.RQL.DDL.RemoteRelationship
|
|
|
|
import Hasura.RQL.DDL.RemoteSchema
|
|
|
|
import Hasura.RQL.DDL.ScheduledTrigger
|
|
|
|
import Hasura.RQL.DDL.Schema
|
|
|
|
import Hasura.RQL.DDL.Schema.Source
|
|
|
|
import Hasura.RQL.Types
|
|
|
|
import Hasura.RQL.Types.Run
|
2021-02-18 19:46:14 +03:00
|
|
|
import Hasura.Server.Types (InstanceId (..), MaintenanceMode (..))
|
2021-02-16 11:08:19 +03:00
|
|
|
import Hasura.Server.Utils (APIVersion (..))
|
2021-01-07 12:04:22 +03:00
|
|
|
import Hasura.Server.Version (HasVersion)
|
|
|
|
import Hasura.Session
|
|
|
|
|
|
|
|
|
2021-02-16 11:08:19 +03:00
|
|
|
data RQLMetadataV1
|
2021-04-22 00:44:37 +03:00
|
|
|
= RMPgAddSource !(AddSource ('Postgres 'Vanilla))
|
2021-02-23 20:37:27 +03:00
|
|
|
| RMPgDropSource !DropSource
|
2021-01-07 12:04:22 +03:00
|
|
|
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgTrackTable !(TrackTableV2 ('Postgres 'Vanilla))
|
|
|
|
| RMPgUntrackTable !(UntrackTable ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
| RMPgSetTableIsEnum !SetTableIsEnum
|
2021-01-08 10:41:50 +03:00
|
|
|
| RMPgSetTableCustomization !SetTableCustomization
|
2021-01-07 12:04:22 +03:00
|
|
|
|
|
|
|
-- Postgres functions
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgTrackFunction !(TrackFunctionV2 ('Postgres 'Vanilla))
|
|
|
|
| RMPgUntrackFunction !(UnTrackFunction ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
|
2021-01-29 08:48:17 +03:00
|
|
|
-- Postgres function permissions
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgCreateFunctionPermission !(CreateFunctionPermission ('Postgres 'Vanilla))
|
|
|
|
| RMPgDropFunctionPermission !(DropFunctionPermission ('Postgres 'Vanilla))
|
2021-01-29 08:48:17 +03:00
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
-- Postgres table relationships
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgCreateObjectRelationship !(CreateObjRel ('Postgres 'Vanilla))
|
|
|
|
| RMPgCreateArrayRelationship !(CreateArrRel ('Postgres 'Vanilla))
|
|
|
|
| RMPgDropRelationship !(DropRel ('Postgres 'Vanilla))
|
|
|
|
| RMPgSetRelationshipComment !(SetRelComment ('Postgres 'Vanilla))
|
|
|
|
| RMPgRenameRelationship !(RenameRel ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
|
|
|
|
-- Postgres computed fields
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgAddComputedField !(AddComputedField ('Postgres 'Vanilla))
|
|
|
|
| RMPgDropComputedField !(DropComputedField ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
|
|
|
|
-- Postgres tables remote relationships
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgCreateRemoteRelationship !(RemoteRelationship ('Postgres 'Vanilla))
|
|
|
|
| RMPgUpdateRemoteRelationship !(RemoteRelationship ('Postgres 'Vanilla))
|
|
|
|
| RMPgDeleteRemoteRelationship !(DeleteRemoteRelationship ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
|
|
|
|
-- Postgres tables permissions
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgCreateInsertPermission !(CreateInsPerm ('Postgres 'Vanilla))
|
|
|
|
| RMPgCreateSelectPermission !(CreateSelPerm ('Postgres 'Vanilla))
|
|
|
|
| RMPgCreateUpdatePermission !(CreateUpdPerm ('Postgres 'Vanilla))
|
|
|
|
| RMPgCreateDeletePermission !(CreateDelPerm ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgDropInsertPermission !(DropPerm ('Postgres 'Vanilla) (InsPerm ('Postgres 'Vanilla)))
|
|
|
|
| RMPgDropSelectPermission !(DropPerm ('Postgres 'Vanilla) (SelPerm ('Postgres 'Vanilla)))
|
|
|
|
| RMPgDropUpdatePermission !(DropPerm ('Postgres 'Vanilla) (UpdPerm ('Postgres 'Vanilla)))
|
|
|
|
| RMPgDropDeletePermission !(DropPerm ('Postgres 'Vanilla) (DelPerm ('Postgres 'Vanilla)))
|
|
|
|
| RMPgSetPermissionComment !(SetPermComment ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
|
|
|
|
-- Postgres tables event triggers
|
2021-04-22 00:44:37 +03:00
|
|
|
| RMPgCreateEventTrigger !(CreateEventTriggerQuery ('Postgres 'Vanilla))
|
|
|
|
| RMPgDeleteEventTrigger !(DeleteEventTriggerQuery ('Postgres 'Vanilla))
|
|
|
|
| RMPgRedeliverEvent !(RedeliverEventQuery ('Postgres 'Vanilla))
|
|
|
|
| RMPgInvokeEventTrigger !(InvokeEventTriggerQuery ('Postgres 'Vanilla))
|
2021-01-07 12:04:22 +03:00
|
|
|
|
2021-02-23 20:37:27 +03:00
|
|
|
-- MSSQL sources
|
|
|
|
| RMMssqlAddSource !(AddSource 'MSSQL)
|
|
|
|
| RMMssqlDropSource !DropSource
|
|
|
|
| RMMssqlTrackTable !(TrackTableV2 'MSSQL)
|
|
|
|
| RMMssqlUntrackTable !(UntrackTable 'MSSQL)
|
|
|
|
|
|
|
|
| RMMssqlCreateObjectRelationship !(CreateObjRel 'MSSQL)
|
|
|
|
| RMMssqlCreateArrayRelationship !(CreateArrRel 'MSSQL)
|
|
|
|
| RMMssqlDropRelationship !(DropRel 'MSSQL)
|
|
|
|
| RMMssqlSetRelationshipComment !(SetRelComment 'MSSQL)
|
|
|
|
| RMMssqlRenameRelationship !(RenameRel 'MSSQL)
|
|
|
|
|
|
|
|
| RMMssqlCreateInsertPermission !(CreateInsPerm 'MSSQL)
|
|
|
|
| RMMssqlCreateSelectPermission !(CreateSelPerm 'MSSQL)
|
|
|
|
| RMMssqlCreateUpdatePermission !(CreateUpdPerm 'MSSQL)
|
|
|
|
| RMMssqlCreateDeletePermission !(CreateDelPerm 'MSSQL)
|
|
|
|
|
|
|
|
| RMMssqlDropInsertPermission !(DropPerm 'MSSQL (InsPerm 'MSSQL))
|
|
|
|
| RMMssqlDropSelectPermission !(DropPerm 'MSSQL (SelPerm 'MSSQL))
|
|
|
|
| RMMssqlDropUpdatePermission !(DropPerm 'MSSQL (UpdPerm 'MSSQL))
|
|
|
|
| RMMssqlDropDeletePermission !(DropPerm 'MSSQL (DelPerm 'MSSQL))
|
|
|
|
| RMMssqlSetPermissionComment !(SetPermComment 'MSSQL)
|
|
|
|
|
2021-04-12 13:18:29 +03:00
|
|
|
-- BigQuery sources
|
|
|
|
| RMBigqueryAddSource !(AddSource 'BigQuery)
|
|
|
|
| RMBigqueryDropSource !DropSource
|
|
|
|
| RMBigqueryTrackTable !(TrackTableV2 'BigQuery)
|
|
|
|
| RMBigqueryUntrackTable !(UntrackTable 'BigQuery)
|
|
|
|
| RMBigqueryCreateObjectRelationship !(CreateObjRel 'BigQuery)
|
|
|
|
| RMBigqueryCreateArrayRelationship !(CreateArrRel 'BigQuery)
|
|
|
|
| RMBigqueryDropRelationship !(DropRel 'BigQuery)
|
|
|
|
| RMBigquerySetRelationshipComment !(SetRelComment 'BigQuery)
|
|
|
|
| RMBigqueryRenameRelationship !(RenameRel 'BigQuery)
|
|
|
|
|
|
|
|
| RMBigqueryCreateInsertPermission !(CreateInsPerm 'BigQuery)
|
|
|
|
| RMBigqueryCreateSelectPermission !(CreateSelPerm 'BigQuery)
|
|
|
|
| RMBigqueryCreateUpdatePermission !(CreateUpdPerm 'BigQuery)
|
|
|
|
| RMBigqueryCreateDeletePermission !(CreateDelPerm 'BigQuery)
|
|
|
|
|
|
|
|
| RMBigqueryDropInsertPermission !(DropPerm 'BigQuery (InsPerm 'BigQuery))
|
|
|
|
| RMBigqueryDropSelectPermission !(DropPerm 'BigQuery (SelPerm 'BigQuery))
|
|
|
|
| RMBigqueryDropUpdatePermission !(DropPerm 'BigQuery (UpdPerm 'BigQuery))
|
|
|
|
| RMBigqueryDropDeletePermission !(DropPerm 'BigQuery (DelPerm 'BigQuery))
|
|
|
|
| RMBigquerySetPermissionComment !(SetPermComment 'BigQuery)
|
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
-- Inconsistent metadata
|
|
|
|
| RMGetInconsistentMetadata !GetInconsistentMetadata
|
|
|
|
| RMDropInconsistentMetadata !DropInconsistentMetadata
|
|
|
|
|
|
|
|
-- Remote schemas
|
|
|
|
| RMAddRemoteSchema !AddRemoteSchemaQuery
|
|
|
|
| RMRemoveRemoteSchema !RemoteSchemaNameQuery
|
|
|
|
| RMReloadRemoteSchema !RemoteSchemaNameQuery
|
|
|
|
| RMIntrospectRemoteSchema !RemoteSchemaNameQuery
|
|
|
|
|
2021-01-18 13:38:34 +03:00
|
|
|
-- remote-schema permissions
|
|
|
|
| RMAddRemoteSchemaPermissions !AddRemoteSchemaPermissions
|
|
|
|
| RMDropRemoteSchemaPermissions !DropRemoteSchemaPermissions
|
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
-- scheduled triggers
|
|
|
|
| RMCreateCronTrigger !CreateCronTrigger
|
|
|
|
| RMDeleteCronTrigger !ScheduledTriggerName
|
|
|
|
| RMCreateScheduledEvent !CreateScheduledEvent
|
|
|
|
| RMDeleteScheduledEvent !DeleteScheduledEvent
|
|
|
|
| RMGetScheduledEvents !GetScheduledEvents
|
|
|
|
| RMGetEventInvocations !GetEventInvocations
|
|
|
|
|
|
|
|
-- query collections, allow list related
|
|
|
|
| RMCreateQueryCollection !CreateCollection
|
|
|
|
| RMDropQueryCollection !DropCollection
|
|
|
|
| RMAddQueryToCollection !AddQueryToCollection
|
|
|
|
| RMDropQueryFromCollection !DropQueryFromCollection
|
|
|
|
| RMAddCollectionToAllowlist !CollectionReq
|
|
|
|
| RMDropCollectionFromAllowlist !CollectionReq
|
|
|
|
|
|
|
|
-- basic metadata management
|
|
|
|
| RMReplaceMetadata !ReplaceMetadata
|
|
|
|
| RMExportMetadata !ExportMetadata
|
|
|
|
| RMClearMetadata !ClearMetadata
|
|
|
|
| RMReloadMetadata !ReloadMetadata
|
|
|
|
|
|
|
|
-- actions
|
|
|
|
| RMCreateAction !CreateAction
|
|
|
|
| RMDropAction !DropAction
|
|
|
|
| RMUpdateAction !UpdateAction
|
|
|
|
| RMCreateActionPermission !CreateActionPermission
|
|
|
|
| RMDropActionPermission !DropActionPermission
|
|
|
|
|
2021-01-29 04:02:34 +03:00
|
|
|
| RMCreateRestEndpoint !CreateEndpoint
|
|
|
|
| RMDropRestEndpoint !DropEndpoint
|
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
| RMSetCustomTypes !CustomTypes
|
|
|
|
|
|
|
|
| RMDumpInternalState !DumpInternalState
|
|
|
|
|
|
|
|
| RMGetCatalogState !GetCatalogState
|
|
|
|
| RMSetCatalogState !SetCatalogState
|
|
|
|
|
2021-02-11 20:54:25 +03:00
|
|
|
-- 'ApiLimit' related
|
|
|
|
| RMSetApiLimits !ApiLimit
|
|
|
|
| RMRemoveApiLimits
|
|
|
|
|
|
|
|
-- 'MetricsConfig' related
|
|
|
|
| RMSetMetricsConfig !MetricsConfig
|
|
|
|
| RMRemoveMetricsConfig
|
|
|
|
|
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
|
|
|
-- inherited roles
|
|
|
|
| RMAddInheritedRole !AddInheritedRole
|
|
|
|
| RMDropInheritedRole !DropInheritedRole
|
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
-- bulk metadata queries
|
2021-02-19 05:39:30 +03:00
|
|
|
| RMBulk [RQLMetadataRequest]
|
2021-02-14 09:07:52 +03:00
|
|
|
deriving (Eq)
|
2021-01-07 12:04:22 +03:00
|
|
|
|
2021-02-16 11:08:19 +03:00
|
|
|
data RQLMetadataV2
|
|
|
|
= RMV2ReplaceMetadata !ReplaceMetadataV2
|
2021-02-19 05:39:30 +03:00
|
|
|
| RMV2ExportMetadata !ExportMetadata
|
2021-02-16 11:08:19 +03:00
|
|
|
deriving (Eq)
|
|
|
|
|
2021-02-19 05:39:30 +03:00
|
|
|
data RQLMetadataRequest
|
2021-02-16 11:08:19 +03:00
|
|
|
= RMV1 !RQLMetadataV1
|
|
|
|
| RMV2 !RQLMetadataV2
|
|
|
|
deriving (Eq)
|
|
|
|
|
2021-02-19 05:39:30 +03:00
|
|
|
instance FromJSON RQLMetadataRequest where
|
|
|
|
parseJSON = withObject "RQLMetadataRequest" $ \o -> do
|
2021-02-16 11:08:19 +03:00
|
|
|
version <- o .:? "version" .!= VIVersion1
|
|
|
|
let val = Object o
|
|
|
|
case version of
|
|
|
|
VIVersion1 -> RMV1 <$> parseJSON val
|
|
|
|
VIVersion2 -> RMV2 <$> parseJSON val
|
|
|
|
|
2021-02-19 05:39:30 +03:00
|
|
|
instance ToJSON RQLMetadataRequest where
|
2021-02-16 11:08:19 +03:00
|
|
|
toJSON = \case
|
|
|
|
RMV1 q -> embedVersion VIVersion1 $ toJSON q
|
|
|
|
RMV2 q -> embedVersion VIVersion2 $ toJSON q
|
|
|
|
where
|
|
|
|
embedVersion version (Object o) =
|
2021-02-19 05:39:30 +03:00
|
|
|
Object $ o <> "version" .= version
|
2021-02-16 11:08:19 +03:00
|
|
|
-- never happens since JSON value of RQL queries are always objects
|
2021-02-19 05:39:30 +03:00
|
|
|
embedVersion _ _ = error "Unexpected: toJSON of RQLMetadtaV is not an object"
|
|
|
|
|
|
|
|
data RQLMetadata
|
|
|
|
= RQLMetadata
|
|
|
|
{ _rqlMetadataResourceVersion :: !(Maybe MetadataResourceVersion)
|
|
|
|
, _rqlMetadata :: !RQLMetadataRequest
|
|
|
|
} deriving (Eq)
|
|
|
|
|
|
|
|
instance FromJSON RQLMetadata where
|
|
|
|
parseJSON = withObject "RQLMetadata" $ \o -> do
|
|
|
|
_rqlMetadataResourceVersion <- o .:? "resource_version"
|
|
|
|
_rqlMetadata <- parseJSON $ Object o
|
|
|
|
pure RQLMetadata{..}
|
|
|
|
|
|
|
|
instance ToJSON RQLMetadata where
|
|
|
|
toJSON RQLMetadata{..} =
|
|
|
|
embedResourceVersion $ toJSON _rqlMetadata
|
|
|
|
where
|
|
|
|
embedResourceVersion (Object o) =
|
|
|
|
Object $ o <> "resource_version" .= _rqlMetadataResourceVersion
|
|
|
|
-- never happens since JSON value of RQL queries are always objects
|
|
|
|
embedResourceVersion _ = error "Unexpected: toJSON of RQLMetadata is not an object"
|
2021-02-16 11:08:19 +03:00
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
$(deriveJSON
|
|
|
|
defaultOptions { constructorTagModifier = snakeCase . drop 2
|
|
|
|
, sumEncoding = TaggedObject "type" "args"
|
|
|
|
}
|
2021-02-16 11:08:19 +03:00
|
|
|
''RQLMetadataV1)
|
|
|
|
|
|
|
|
$(deriveJSON
|
|
|
|
defaultOptions { constructorTagModifier = snakeCase . drop 4
|
|
|
|
, sumEncoding = TaggedObject "type" "args"
|
|
|
|
}
|
|
|
|
''RQLMetadataV2)
|
2021-01-07 12:04:22 +03:00
|
|
|
|
|
|
|
runMetadataQuery
|
|
|
|
:: ( HasVersion
|
|
|
|
, MonadIO m
|
|
|
|
, MonadBaseControl IO m
|
|
|
|
, Tracing.MonadTrace m
|
|
|
|
, MonadMetadataStorage m
|
|
|
|
, MonadResolveSource m
|
|
|
|
)
|
|
|
|
=> Env.Environment
|
|
|
|
-> InstanceId
|
|
|
|
-> UserInfo
|
|
|
|
-> HTTP.Manager
|
2021-01-29 08:48:17 +03:00
|
|
|
-> ServerConfigCtx
|
2021-01-07 12:04:22 +03:00
|
|
|
-> RebuildableSchemaCache
|
|
|
|
-> RQLMetadata
|
|
|
|
-> m (EncJSON, RebuildableSchemaCache)
|
2021-02-19 05:39:30 +03:00
|
|
|
runMetadataQuery env instanceId userInfo httpManager serverConfigCtx schemaCache RQLMetadata{..} = do
|
|
|
|
(metadata, currentResourceVersion) <- fetchMetadata
|
2021-01-07 12:04:22 +03:00
|
|
|
((r, modMetadata), modSchemaCache, cacheInvalidations) <-
|
2021-02-19 05:39:30 +03:00
|
|
|
runMetadataQueryM env currentResourceVersion _rqlMetadata
|
2021-01-07 12:04:22 +03:00
|
|
|
& runMetadataT metadata
|
|
|
|
& runCacheRWT schemaCache
|
2021-01-29 08:48:17 +03:00
|
|
|
& peelRun (RunCtx userInfo httpManager serverConfigCtx)
|
2021-01-07 12:04:22 +03:00
|
|
|
& runExceptT
|
|
|
|
& liftEitherM
|
|
|
|
-- set modified metadata in storage
|
2021-04-06 06:25:02 +03:00
|
|
|
if (queryModifiesMetadata _rqlMetadata)
|
|
|
|
then
|
|
|
|
case (_sccMaintenanceMode serverConfigCtx) of
|
|
|
|
MaintenanceModeDisabled -> do
|
|
|
|
-- set modified metadata in storage
|
|
|
|
newResourceVersion <- setMetadata (fromMaybe currentResourceVersion _rqlMetadataResourceVersion) modMetadata
|
|
|
|
-- notify schema cache sync
|
|
|
|
notifySchemaCacheSync newResourceVersion instanceId cacheInvalidations
|
|
|
|
(_, modSchemaCache', _) <- setMetadataResourceVersionInSchemaCache newResourceVersion
|
|
|
|
& runCacheRWT modSchemaCache
|
|
|
|
& peelRun (RunCtx userInfo httpManager serverConfigCtx)
|
|
|
|
& runExceptT
|
|
|
|
& liftEitherM
|
|
|
|
pure (r, modSchemaCache')
|
|
|
|
MaintenanceModeEnabled ->
|
|
|
|
throw500 "metadata cannot be modified in maintenance mode"
|
|
|
|
else
|
|
|
|
pure (r, modSchemaCache)
|
2021-01-07 12:04:22 +03:00
|
|
|
|
2021-02-19 05:39:30 +03:00
|
|
|
queryModifiesMetadata :: RQLMetadataRequest -> Bool
|
2021-02-18 19:46:14 +03:00
|
|
|
queryModifiesMetadata = \case
|
|
|
|
RMV1 q ->
|
|
|
|
case q of
|
2021-04-27 07:22:32 +03:00
|
|
|
RMPgRedeliverEvent _ -> False
|
|
|
|
RMPgInvokeEventTrigger _ -> False
|
|
|
|
RMGetInconsistentMetadata _ -> False
|
|
|
|
RMIntrospectRemoteSchema _ -> False
|
|
|
|
RMDumpInternalState _ -> False
|
|
|
|
RMSetCatalogState _ -> False
|
|
|
|
RMGetCatalogState _ -> False
|
|
|
|
RMExportMetadata _ -> False
|
|
|
|
RMGetEventInvocations _ -> False
|
|
|
|
RMGetScheduledEvents _ -> False
|
|
|
|
RMCreateScheduledEvent _ -> False
|
|
|
|
RMDeleteScheduledEvent _ -> False
|
|
|
|
RMBulk qs -> any queryModifiesMetadata qs
|
|
|
|
_ -> True
|
2021-02-19 05:39:30 +03:00
|
|
|
RMV2 q ->
|
|
|
|
case q of
|
2021-04-27 07:22:32 +03:00
|
|
|
RMV2ExportMetadata _ -> False
|
|
|
|
_ -> True
|
2021-02-18 19:46:14 +03:00
|
|
|
|
2021-01-07 12:04:22 +03:00
|
|
|
runMetadataQueryM
|
|
|
|
:: ( HasVersion
|
|
|
|
, MonadIO m
|
|
|
|
, MonadBaseControl IO m
|
|
|
|
, CacheRWM m
|
|
|
|
, Tracing.MonadTrace m
|
|
|
|
, UserInfoM m
|
|
|
|
, MonadUnique m
|
2021-01-09 02:09:15 +03:00
|
|
|
, HTTP.HasHttpManagerM m
|
2021-01-07 12:04:22 +03:00
|
|
|
, MetadataM m
|
|
|
|
, MonadMetadataStorageQueryAPI m
|
2021-01-29 08:48:17 +03:00
|
|
|
, HasServerConfigCtx m
|
2021-01-07 12:04:22 +03:00
|
|
|
)
|
|
|
|
=> Env.Environment
|
2021-02-19 05:39:30 +03:00
|
|
|
-> MetadataResourceVersion
|
|
|
|
-> RQLMetadataRequest
|
2021-01-07 12:04:22 +03:00
|
|
|
-> m EncJSON
|
2021-02-19 05:39:30 +03:00
|
|
|
runMetadataQueryM env currentResourceVersion = withPathK "args" . \case
|
|
|
|
RMV1 q -> runMetadataQueryV1M env currentResourceVersion q
|
|
|
|
RMV2 q -> runMetadataQueryV2M currentResourceVersion q
|
2021-02-16 11:08:19 +03:00
|
|
|
|
|
|
|
runMetadataQueryV1M
|
|
|
|
:: ( HasVersion
|
|
|
|
, MonadIO m
|
|
|
|
, MonadBaseControl IO m
|
|
|
|
, CacheRWM m
|
|
|
|
, Tracing.MonadTrace m
|
|
|
|
, UserInfoM m
|
|
|
|
, MonadUnique m
|
|
|
|
, HTTP.HasHttpManagerM m
|
|
|
|
, MetadataM m
|
|
|
|
, MonadMetadataStorageQueryAPI m
|
|
|
|
, HasServerConfigCtx m
|
|
|
|
)
|
|
|
|
=> Env.Environment
|
2021-02-19 05:39:30 +03:00
|
|
|
-> MetadataResourceVersion
|
2021-02-16 11:08:19 +03:00
|
|
|
-> RQLMetadataV1
|
|
|
|
-> m EncJSON
|
2021-02-19 05:39:30 +03:00
|
|
|
runMetadataQueryV1M env currentResourceVersion = \case
|
2021-02-23 20:37:27 +03:00
|
|
|
RMPgAddSource q -> runAddSource q
|
|
|
|
RMPgDropSource q -> runDropSource q
|
|
|
|
|
|
|
|
RMPgTrackTable q -> runTrackTableV2Q q
|
|
|
|
RMPgUntrackTable q -> runUntrackTableQ q
|
|
|
|
RMPgSetTableIsEnum q -> runSetExistingTableIsEnumQ q
|
|
|
|
RMPgSetTableCustomization q -> runSetTableCustomization q
|
|
|
|
|
|
|
|
RMPgTrackFunction q -> runTrackFunctionV2 q
|
|
|
|
RMPgUntrackFunction q -> runUntrackFunc q
|
|
|
|
|
|
|
|
RMPgCreateFunctionPermission q -> runCreateFunctionPermission q
|
|
|
|
RMPgDropFunctionPermission q -> runDropFunctionPermission q
|
|
|
|
|
|
|
|
RMPgCreateObjectRelationship q -> runCreateRelationship ObjRel q
|
|
|
|
RMPgCreateArrayRelationship q -> runCreateRelationship ArrRel q
|
|
|
|
RMPgDropRelationship q -> runDropRel q
|
|
|
|
RMPgSetRelationshipComment q -> runSetRelComment q
|
|
|
|
RMPgRenameRelationship q -> runRenameRel q
|
|
|
|
|
|
|
|
RMPgAddComputedField q -> runAddComputedField q
|
|
|
|
RMPgDropComputedField q -> runDropComputedField q
|
|
|
|
|
|
|
|
RMPgCreateRemoteRelationship q -> runCreateRemoteRelationship q
|
|
|
|
RMPgUpdateRemoteRelationship q -> runUpdateRemoteRelationship q
|
|
|
|
RMPgDeleteRemoteRelationship q -> runDeleteRemoteRelationship q
|
|
|
|
|
|
|
|
RMPgCreateInsertPermission q -> runCreatePerm q
|
|
|
|
RMPgCreateSelectPermission q -> runCreatePerm q
|
|
|
|
RMPgCreateUpdatePermission q -> runCreatePerm q
|
|
|
|
RMPgCreateDeletePermission q -> runCreatePerm q
|
|
|
|
|
|
|
|
RMPgDropInsertPermission q -> runDropPerm q
|
|
|
|
RMPgDropSelectPermission q -> runDropPerm q
|
|
|
|
RMPgDropUpdatePermission q -> runDropPerm q
|
|
|
|
RMPgDropDeletePermission q -> runDropPerm q
|
|
|
|
RMPgSetPermissionComment q -> runSetPermComment q
|
|
|
|
|
|
|
|
RMPgCreateEventTrigger q -> runCreateEventTriggerQuery q
|
|
|
|
RMPgDeleteEventTrigger q -> runDeleteEventTriggerQuery q
|
|
|
|
RMPgRedeliverEvent q -> runRedeliverEvent q
|
|
|
|
RMPgInvokeEventTrigger q -> runInvokeEventTrigger q
|
|
|
|
|
2021-04-12 13:18:29 +03:00
|
|
|
RMBigqueryAddSource q -> runAddSource q
|
|
|
|
RMBigqueryDropSource q -> runDropSource q
|
|
|
|
RMBigqueryTrackTable q -> runTrackTableV2Q q
|
|
|
|
RMBigqueryUntrackTable q -> runUntrackTableQ q
|
|
|
|
|
|
|
|
RMBigqueryCreateObjectRelationship q -> runCreateRelationship ObjRel q
|
|
|
|
RMBigqueryCreateArrayRelationship q -> runCreateRelationship ArrRel q
|
|
|
|
RMBigqueryDropRelationship q -> runDropRel q
|
|
|
|
RMBigquerySetRelationshipComment q -> runSetRelComment q
|
|
|
|
RMBigqueryRenameRelationship q -> runRenameRel q
|
|
|
|
|
|
|
|
RMBigqueryCreateInsertPermission q -> runCreatePerm q
|
|
|
|
RMBigqueryCreateSelectPermission q -> runCreatePerm q
|
|
|
|
RMBigqueryCreateUpdatePermission q -> runCreatePerm q
|
|
|
|
RMBigqueryCreateDeletePermission q -> runCreatePerm q
|
|
|
|
|
|
|
|
RMBigqueryDropInsertPermission q -> runDropPerm q
|
|
|
|
RMBigqueryDropSelectPermission q -> runDropPerm q
|
|
|
|
RMBigqueryDropUpdatePermission q -> runDropPerm q
|
|
|
|
RMBigqueryDropDeletePermission q -> runDropPerm q
|
|
|
|
RMBigquerySetPermissionComment q -> runSetPermComment q
|
|
|
|
|
2021-02-23 20:37:27 +03:00
|
|
|
RMMssqlAddSource q -> runAddSource q
|
|
|
|
RMMssqlDropSource q -> runDropSource q
|
|
|
|
RMMssqlTrackTable q -> runTrackTableV2Q q
|
|
|
|
RMMssqlUntrackTable q -> runUntrackTableQ q
|
|
|
|
|
|
|
|
RMMssqlCreateObjectRelationship q -> runCreateRelationship ObjRel q
|
|
|
|
RMMssqlCreateArrayRelationship q -> runCreateRelationship ArrRel q
|
|
|
|
RMMssqlDropRelationship q -> runDropRel q
|
|
|
|
RMMssqlSetRelationshipComment q -> runSetRelComment q
|
|
|
|
RMMssqlRenameRelationship q -> runRenameRel q
|
|
|
|
|
|
|
|
RMMssqlCreateInsertPermission q -> runCreatePerm q
|
|
|
|
RMMssqlCreateSelectPermission q -> runCreatePerm q
|
|
|
|
RMMssqlCreateUpdatePermission q -> runCreatePerm q
|
|
|
|
RMMssqlCreateDeletePermission q -> runCreatePerm q
|
|
|
|
|
|
|
|
RMMssqlDropInsertPermission q -> runDropPerm q
|
|
|
|
RMMssqlDropSelectPermission q -> runDropPerm q
|
|
|
|
RMMssqlDropUpdatePermission q -> runDropPerm q
|
|
|
|
RMMssqlDropDeletePermission q -> runDropPerm q
|
|
|
|
RMMssqlSetPermissionComment q -> runSetPermComment q
|
|
|
|
|
|
|
|
RMGetInconsistentMetadata q -> runGetInconsistentMetadata q
|
|
|
|
RMDropInconsistentMetadata q -> runDropInconsistentMetadata q
|
|
|
|
|
|
|
|
RMAddRemoteSchema q -> runAddRemoteSchema env q
|
|
|
|
RMRemoveRemoteSchema q -> runRemoveRemoteSchema q
|
|
|
|
RMReloadRemoteSchema q -> runReloadRemoteSchema q
|
|
|
|
RMIntrospectRemoteSchema q -> runIntrospectRemoteSchema q
|
|
|
|
|
|
|
|
RMAddRemoteSchemaPermissions q -> runAddRemoteSchemaPermissions q
|
|
|
|
RMDropRemoteSchemaPermissions q -> runDropRemoteSchemaPermissions q
|
|
|
|
|
|
|
|
RMCreateCronTrigger q -> runCreateCronTrigger q
|
|
|
|
RMDeleteCronTrigger q -> runDeleteCronTrigger q
|
|
|
|
RMCreateScheduledEvent q -> runCreateScheduledEvent q
|
|
|
|
RMDeleteScheduledEvent q -> runDeleteScheduledEvent q
|
|
|
|
RMGetScheduledEvents q -> runGetScheduledEvents q
|
|
|
|
RMGetEventInvocations q -> runGetEventInvocations q
|
|
|
|
|
|
|
|
RMCreateQueryCollection q -> runCreateCollection q
|
|
|
|
RMDropQueryCollection q -> runDropCollection q
|
|
|
|
RMAddQueryToCollection q -> runAddQueryToCollection q
|
|
|
|
RMDropQueryFromCollection q -> runDropQueryFromCollection q
|
|
|
|
RMAddCollectionToAllowlist q -> runAddCollectionToAllowlist q
|
|
|
|
RMDropCollectionFromAllowlist q -> runDropCollectionFromAllowlist q
|
|
|
|
|
|
|
|
RMReplaceMetadata q -> runReplaceMetadata q
|
|
|
|
RMExportMetadata q -> runExportMetadata q
|
|
|
|
RMClearMetadata q -> runClearMetadata q
|
|
|
|
RMReloadMetadata q -> runReloadMetadata q
|
|
|
|
|
|
|
|
RMCreateAction q -> runCreateAction q
|
|
|
|
RMDropAction q -> runDropAction q
|
|
|
|
RMUpdateAction q -> runUpdateAction q
|
|
|
|
RMCreateActionPermission q -> runCreateActionPermission q
|
|
|
|
RMDropActionPermission q -> runDropActionPermission q
|
|
|
|
|
|
|
|
RMCreateRestEndpoint q -> runCreateEndpoint q
|
|
|
|
RMDropRestEndpoint q -> runDropEndpoint q
|
|
|
|
|
|
|
|
RMSetCustomTypes q -> runSetCustomTypes q
|
|
|
|
|
|
|
|
RMDumpInternalState q -> runDumpInternalState q
|
|
|
|
|
|
|
|
RMGetCatalogState q -> runGetCatalogState q
|
|
|
|
RMSetCatalogState q -> runSetCatalogState q
|
|
|
|
|
|
|
|
RMSetApiLimits q -> runSetApiLimits q
|
|
|
|
RMRemoveApiLimits -> runRemoveApiLimits
|
|
|
|
|
|
|
|
RMSetMetricsConfig q -> runSetMetricsConfig q
|
|
|
|
RMRemoveMetricsConfig -> runRemoveMetricsConfig
|
|
|
|
|
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
|
|
|
RMAddInheritedRole q -> runAddInheritedRole q
|
|
|
|
RMDropInheritedRole q -> runDropInheritedRole q
|
|
|
|
|
2021-02-23 20:37:27 +03:00
|
|
|
RMBulk q -> encJFromList <$> indexedMapM (runMetadataQueryM env currentResourceVersion) q
|
2021-02-16 11:08:19 +03:00
|
|
|
|
|
|
|
runMetadataQueryV2M
|
|
|
|
:: ( MonadIO m
|
|
|
|
, CacheRWM m
|
|
|
|
, MetadataM m
|
|
|
|
, MonadMetadataStorageQueryAPI m
|
[Preview] Inherited roles for postgres read queries
fixes #3868
docker image - `hasura/graphql-engine:inherited-roles-preview-48b73a2de`
Note:
To be able to use the inherited roles feature, the graphql-engine should be started with the env variable `HASURA_GRAPHQL_EXPERIMENTAL_FEATURES` set to `inherited_roles`.
Introduction
------------
This PR implements the idea of multiple roles as presented in this [paper](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/FGALanguageICDE07.pdf). The multiple roles feature in this PR can be used via inherited roles. An inherited role is a role which can be created by combining multiple singular roles. For example, if there are two roles `author` and `editor` configured in the graphql-engine, then we can create a inherited role with the name of `combined_author_editor` role which will combine the select permissions of the `author` and `editor` roles and then make GraphQL queries using the `combined_author_editor`.
How are select permissions of different roles are combined?
------------------------------------------------------------
A select permission includes 5 things:
1. Columns accessible to the role
2. Row selection filter
3. Limit
4. Allow aggregation
5. Scalar computed fields accessible to the role
Suppose there are two roles, `role1` gives access to the `address` column with row filter `P1` and `role2` gives access to both the `address` and the `phone` column with row filter `P2` and we create a new role `combined_roles` which combines `role1` and `role2`.
Let's say the following GraphQL query is queried with the `combined_roles` role.
```graphql
query {
employees {
address
phone
}
}
```
This will translate to the following SQL query:
```sql
select
(case when (P1 or P2) then address else null end) as address,
(case when P2 then phone else null end) as phone
from employee
where (P1 or P2)
```
The other parameters of the select permission will be combined in the following manner:
1. Limit - Minimum of the limits will be the limit of the inherited role
2. Allow aggregations - If any of the role allows aggregation, then the inherited role will allow aggregation
3. Scalar computed fields - same as table column fields, as in the above example
APIs for inherited roles:
----------------------
1. `add_inherited_role`
`add_inherited_role` is the [metadata API](https://hasura.io/docs/1.0/graphql/core/api-reference/index.html#schema-metadata-api) to create a new inherited role. It accepts two arguments
`role_name`: the name of the inherited role to be added (String)
`role_set`: list of roles that need to be combined (Array of Strings)
Example:
```json
{
"type": "add_inherited_role",
"args": {
"role_name":"combined_user",
"role_set":[
"user",
"user1"
]
}
}
```
After adding the inherited role, the inherited role can be used like single roles like earlier
Note:
An inherited role can only be created with non-inherited/singular roles.
2. `drop_inherited_role`
The `drop_inherited_role` API accepts the name of the inherited role and drops it from the metadata. It accepts a single argument:
`role_name`: name of the inherited role to be dropped
Example:
```json
{
"type": "drop_inherited_role",
"args": {
"role_name":"combined_user"
}
}
```
Metadata
---------
The derived roles metadata will be included under the `experimental_features` key while exporting the metadata.
```json
{
"experimental_features": {
"derived_roles": [
{
"role_name": "manager_is_employee_too",
"role_set": [
"employee",
"manager"
]
}
]
}
}
```
Scope
------
Only postgres queries and subscriptions are supported in this PR.
Important points:
-----------------
1. All columns exposed to an inherited role will be marked as `nullable`, this is done so that cell value nullification can be done.
TODOs
-------
- [ ] Tests
- [ ] Test a GraphQL query running with a inherited role without enabling inherited roles in experimental features
- [] Tests for aggregate queries, limit, computed fields, functions, subscriptions (?)
- [ ] Introspection test with a inherited role (nullability changes in a inherited role)
- [ ] Docs
- [ ] Changelog
Co-authored-by: Vamshi Surabhi <6562944+0x777@users.noreply.github.com>
GitOrigin-RevId: 3b8ee1e11f5ceca80fe294f8c074d42fbccfec63
2021-03-08 14:14:13 +03:00
|
|
|
, HasServerConfigCtx m
|
2021-02-16 11:08:19 +03:00
|
|
|
)
|
2021-02-19 05:39:30 +03:00
|
|
|
=> MetadataResourceVersion
|
|
|
|
-> RQLMetadataV2
|
2021-02-16 11:08:19 +03:00
|
|
|
-> m EncJSON
|
2021-02-19 05:39:30 +03:00
|
|
|
runMetadataQueryV2M currentResourceVersion = \case
|
2021-02-16 11:08:19 +03:00
|
|
|
RMV2ReplaceMetadata q -> runReplaceMetadataV2 q
|
2021-02-19 05:39:30 +03:00
|
|
|
RMV2ExportMetadata q -> runExportMetadataV2 currentResourceVersion q
|