Authorization / Access control
==============================

.. contents:: Table of contents
  :backlinks: none
  :depth: 1
  :local:

Overview
--------

Hasura supports **role-based** authorization where access control is done by creating rules for each role,
table and operation (*insert*, *update*, etc.). These access control rules use dynamic session
variables that are passed to the GraphQL engine from your :doc:`authentication service <../authentication/index>`
with every request. Role information is inferred from the ``X-Hasura-Role`` and ``X-Hasura-Allowed-Roles``
session variables. Other session variables can be passed by your auth service as per your requirements.

**For example:**

.. thumbnail:: ../../../../img/graphql/manual/auth/hasura-perms.png
  :width: 80 %

Trying out access control
-------------------------

If you just want to see role-based access control in action, you need not set up or integrate your
auth service with the GraphQL engine. You can just:

* Define permission rules for a table for a role.

* Use the GraphiQL interface in the console to make a request and send the session variables as
  request headers (*send an* ``X-Hasura-Role`` *key, with its value as the name of the role you've
  defined rules for*). The data in the response will be restricted as per your configuration.

Follow the example at :doc:`access control basics <basics>`.

**See:**

.. toctree::
  :maxdepth: 1

  basics
  roles-variables
  permission-rules
  common-roles-auth-examples