hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-09-21 07:28:26 +03:00
Code Issues Projects Releases Wiki Activity

docs: add multiple admin secrets and multiple jwt secrets pages

Browse Source 
PR-URL: https://github.com/hasura/graphql-engine-mono/pull/4164
Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com>
GitOrigin-RevId: 50d1e404f013024e845fb60bb2bda6594e8bcb50
This commit is contained in:
Tirumarai Selvan 2022-04-20 15:44:18 +05:30 committed by hasura-bot
parent 7f4565fad2
commit 7dce0a0782
5 changed files with 104 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/docs/graphql/cloud/security/index.mdx
View File

@ -26,3 +26,5 @@ All API security-related features can be found under the `Security` tab in the A
- [Allow Lists](/graphql/cloud/security/allow-lists.mdx)
- [API Limits](/graphql/cloud/security/api-limits.mdx)
- [Disable GraphQL Introspection](/graphql/cloud/security/disable-graphql-introspection.mdx)
- [Multiple Admin Secrets](/graphql/cloud/security/multiple-admin-secrets.mdx)
- [Multiple JWT Secrets](/graphql/cloud/security/multiple-jwt-secrets.mdx)

52
docs/docs/graphql/cloud/security/multiple-admin-secrets.mdx Normal file
View File

@ -0,0 +1,52 @@
---
description: Hasura Cloud multiple admin secrets
keywords:
- hasura
- docs
- cloud
- security
- allow
- rotating
- multiple
- admin
- secrets
sidebar_position: 4
---
# Multiple Admin Secrets
## Introduction
You can specify a list of admin secrets in GraphQL Engine which can be used to :
1. Implement security mechanisms like rotating secrets
2. Have different lifecycles for individual admin secrets e.g. temporarily give admin access to an operator
## How to use
Multiple admin secrets can be provided in the env var `HASURA_GRAPHQL_ADMIN_SECRETS` which takes a list of admin secrets,
For example:
```json
["secret-1", "secret-2"]
```
When you launch the console from the Hasura Cloud dashboard, you can use any secret from the admin secrets list to authenticate yourself as an admin.
If you want to make API calls as an admin from outside the console, you need to pass any one of the admin secrets as the `x-hasura-admin-secret` request header.
:::info Note
If both `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ADMIN_SECRETS` are set, then only `HASURA_GRAPHQL_ADMIN_SECRETS` will be used.
:::
## Rotating admin secrets (Self-hosted environments)
When you have a self-hosted Hasura EE setup, you can use this feature to implement a secret rotation mechanism without downtime as outlined below:
1. Add a new secret to the list of admin secrets (and perform a rolling deploy)
2. Update applications/services using the old admin secret to use the new secret
3. Remove the old secret from the admin secret list (and perform a rolling deploy)
Note that a rolling deploy ensures that there is atleast one service which is active.

50
docs/docs/graphql/cloud/security/multiple-jwt-secrets.mdx Normal file
View File

@ -0,0 +1,50 @@
---
description: Hasura Cloud multiple JWT Secrets
keywords:
- hasura
- docs
- cloud
- security
- allow
- multiple
- JWT
- secrets
sidebar_position: 5
---
# Multiple JWT Secrets
## Introduction
You can configure GraphQL Engine with a list of JWT secrets. This enables you to authenticate with different JWT issuers.
## How to use
Multiple JWT secrets can be provided in the env var `HASURA_GRAPHQL_JWT_SECRETS` which takes a list of JWT secret objects.
For example:
```json
[
{ "jwk_url": "https://...", "issuer": "myapp" },
{ "type":"HS256", "key": "3EK6FD...", "issuer": "test" }
]
```
The structure of an individual JWT secret is described [here](/graphql/core/auth/authentication/jwt.mdx#configuring-jwt-mode).
:::info Note
If both `HASURA_GRAPHQL_JWT_SECRET` and `HASURA_GRAPHQL_JWT_SECRETS` are set, then `HASURA_GRAPHQL_JWT_SECRETS` will be used.
:::
## Resolution logic
The authentication is resolved as follows:
1. Bearer tokens are extracted from headers or cookie locations (as configured by each JWT secret)
2. Tokens are filtered to ensure that the **issuer** field matches the configuration, or that the issuer is absent either from the configuration or the token.
3. If no matching tokens are found then the unauthenticated flow is performed (depends on [HASURA_GRAPHQL_UNAUTHORIZED_ROLE](/graphql/core/auth/authentication/unauthenticated-access.mdx)).
4. If multiple matching tokens are found then an error is raised as the desired token is ambiguous.
5. If only one matching token is found then it is verified against the corresponding configured secret.

49
docs/docs/graphql/cloud/security/mutiple-jwt-secrets.mdx.wip
View File

@ -1,49 +0,0 @@
---
description: Hasura Cloud multiple JWT Secrets
keywords:
- hasura
- docs
- cloud
- security
- allow
- multiple
- JWT
- secrets
sidebar_position: 5
---
# Multiple JWT Secrets
## Introduction
You can configure Hasura with a list of JWT Secrets so that you can integrate with different JWT issuers.
This is useful when you have different authentication providers using the same Hasura infrastructure.
## How to use multiple jwt secrets
Multiple JWT secrets can be provided in the env var `HASURA_GRAPHQL_JWT_SECRETS` which takes a JSON array of JWT secret objects.
Bearer Tokens are authenticated against the secret with a matching or absent <em>issuer</em>.
The authentication is resolved as follows:
1. Raw token values matched with configurations by looking in locations configured in HASURA_GRAPHQL_JWT_SECRETS under the "header" field (Authorization Header if missing).
2. Tokens are filtered to ensure that the <em>issuer</em> field matches, or that the issuer is absent either from the configuration, or the token.
3. If no candidate tokens are found then the unauthorized flow is performed (depends on `HASURA_GRAPHQL_UNAUTHORIZED_ROLE`).
4. If multiple candidate tokens are found then an error is raised as the desired token is ambiguous.
5. If one candidate token is found then it is verified against the corresponding configured secret.
:::info Note
Authentication resolution is identical when using `HASURA_GRAPHQL_JWT_SECRET` or a single `HASURA_GRAPHQL_JWT_SECRETS` configuration.
:::
:::info Note
If both `HASURA_GRAPHQL_JWT_SECRET` and `HASURA_GRAPHQL_JWT_SECRETS` are set, then `HASURA_GRAPHQL_JWT_SECRETS` will be used.
:::

41
docs/docs/graphql/cloud/security/rotating-admin-secrets.mdx.wip
View File

@ -1,41 +0,0 @@
---
description: Hasura Cloud multiple admin secrets
keywords:
- hasura
- docs
- cloud
- security
- allow
- rotating
- multiple
- admin
- secrets
sidebar_position: 4
---
# Rotating Admin Secrets
## Introduction
You can specify a list of admin secrets which can be used to implement security mechanisms like rotating admin secrets.
## How to use multiple admin secrets
Multiple admin secrets can be provided in the env var `HASURA_GRAPHQL_ADMIN_SECRETS` which takes a JSON array of admin secrets (strings).
When you launch the console from the Hasura Cloud dashboard, you can use any secret from the admin secrets list to authenticate yourself as an admin.
If you want to make API calls from outside the console, you need to pass any one of the admin secrets as the `x-hasura-admin-secret` request header.
:::info Note
If both `HASURA_GRAPHQL_ADMIN_SECRET` and `HASURA_GRAPHQL_ADMIN_SECRETS` are set, then only `HASURA_GRAPH_ADMIN_SECRETS` will be used.
:::
## How to rotate an admin secret
To implement a secret rotation mechanism, the following can be done:
1. Add a new secret to the list of admin secrets (and perform a rolling deploy)
2. Update applications/services using the old admin secret to use the new secret
3. Remove the old secret from the admin secret list (and perform a rolling deploy)