[Task] Implement per-subquery permissions for GraphQL #1021

Closed
andrewazores opened this issue Jul 12, 2022 · 0 comments · Fixed by #1022
Labels
feat New feature or request

Comments

@andrewazores
Member

Currently, GraphQL permissions checking is all handled up front by the main GraphQLPostHandler, which is the API entrypoint. This endpoint simply defines the expected set union of permissions for all of our implemented Fetcher and Mutator classes.

  1. This is fragile, because adding a new Mutator might imply a new permission required for users executing this mutation. This requirement will not be captured by the GraphQLPostHandler and is very easy to miss during review.
  2. This doesn't allow for granular user permissions, ex. read-only user roles, when interacting via the GraphQL API. Our standard HTTP API does implement granular permissions per endpoint, so it would make sense for GraphQL's fetchers and mutations to also have granular permissions in the same way.

Related to #947
Related to #760 (granular permissions will be useful for namespace isolation)

@andrewazores andrewazores added the feat New feature or request label Jul 12, 2022
@andrewazores andrewazores moved this to Todo in 2.2.0 Release Jul 12, 2022
@andrewazores andrewazores moved this from Todo to In Progress in 2.2.0 Release Jul 12, 2022
Repository owner moved this from In Progress to Done in 2.2.0 Release Aug 4, 2022
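
The contrast the issue draws between one up-front union check and per-fetcher checks, as an added sketch that is not part of the original issue or the project's own code. The permission names, field names and the `Resolver` record are hypothetical and constructed for illustration; only the JDK is used.

```java
import java.util.*;
import java.util.function.Supplier;

public class PerFetcherPermissions {
    // Hypothetical permission names, constructed for this example.
    enum Permission { READ_TARGET, READ_RECORDING, CREATE_RECORDING }

    // Each fetcher or mutator declares its own requirements next to its logic,
    // so a new mutator cannot be added without stating what it needs.
    record Resolver(Set<Permission> required, Supplier<Object> body) {}

    // Hypothetical field names standing in for the real fetchers and mutators.
    static final Map<String, Resolver> RESOLVERS = Map.of(
        "listTargets", new Resolver(EnumSet.of(Permission.READ_TARGET), () -> List.of("target-a")),
        "listRecordings", new Resolver(EnumSet.of(Permission.READ_TARGET, Permission.READ_RECORDING), () -> List.of("rec-1")),
        "startRecording", new Resolver(EnumSet.of(Permission.READ_TARGET, Permission.CREATE_RECORDING), () -> "started"));

    // Up-front model: the entrypoint demands the union of every resolver's permissions.
    static Set<Permission> unionOfAll() {
        Set<Permission> all = EnumSet.noneOf(Permission.class);
        RESOLVERS.values().forEach(r -> all.addAll(r.required()));
        return all;
    }

    // Per-subquery model: check only the selected fields, and deny the whole
    // request before any resolver runs so a mutation never partially executes.
    static Map<String, Object> execute(Set<Permission> granted, List<String> fields) {
        for (String f : fields) {
            Resolver r = RESOLVERS.get(f);
            if (r == null) throw new IllegalArgumentException("unknown field: " + f);
            if (!granted.containsAll(r.required())) throw new SecurityException("forbidden: " + f);
        }
        Map<String, Object> out = new LinkedHashMap<>();
        for (String f : fields) out.put(f, RESOLVERS.get(f).body().get());
        return out;
    }

    public static void main(String[] args) {
        Set<Permission> readOnly = EnumSet.of(Permission.READ_TARGET, Permission.READ_RECORDING);
        // The union check rejects a read-only role even for pure queries.
        System.out.println("up-front check admits read-only role: " + readOnly.containsAll(unionOfAll()));
        // Per-field checks let the same role run queries...
        System.out.println(execute(readOnly, List.of("listTargets", "listRecordings")));
        // ...and still refuse a request that includes a mutation.
        try {
            execute(readOnly, List.of("listRecordings", "startRecording"));
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```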