You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have two hasura instances, one acts as the gateway and has a remote schema to the other.
The remote schema has multiple roles of permissions. Some are very small slices of permissions and don't inherit from a larger body of permissions.
This setup has worked fine until we added a new role that just has insert permissions into a table and no update permissions. This left us first with an issue where the remote schema permission validation was erroring because the role we were using for that check didn't have access to those resolvers.
I then tried to use the 'admin' role for the validation query. This started failing for a different reason. On the role specific schemas the on_conflict argument creates empty enums with _PLACEHOLDER as the only value. Again, this validated fine until I tried using admin, and now since admin can see all the values that the enum could have, I get a _PLACEHOLDER not in enum type validation error.
I should be able to leverage remote schema permissions in this context. To do this I can see two possible paths forward:
Update the schema permission logic to be more permissive by determining if something is a logical subset versus a pure subset, in the case of the enum validation, I believe that could be accomplished by tweaking the logic slightly. While I'm not fluent in haskell, I think this would roughly be the 'fix' by replacing lines 651 and 652 with this:
There could be more spots that would need to be addressed like this, but I'm not aware of them.
Allow for each remote schema permission role to define additional headers that get defined and if they're present do a per-role schema query to get the remote schema for just that query. This would provide a more 'perfect' solution in some ways since the schema would be validated against the exact role that you're testing.
Have a remote schema role with only insert permissions and no update permissions
Try to validate that remote schema permission set when the introspection query uses the admin role.
Any possible solutions/workarounds you're aware of?
Not so far. I've tried:
Using an inherited role that would only be used for schema validation, but due to the way inherited roles merge permissions this results in type mismatches.
Removing _PLACEHOLDER from the enum definitions, but then the remote schema definition is rejected with a syntax error despite being, I think, technically valid.
Version Information
Server Version: v2.34.0
What is the current behaviour?
I have two hasura instances, one acts as the gateway and has a remote schema to the other.
The remote schema has multiple roles of permissions. Some are very small slices of permissions and don't inherit from a larger body of permissions.
This setup has worked fine until we added a new role that just has insert permissions into a table and no update permissions. This left us first with an issue where the remote schema permission validation was erroring because the role we were using for that check didn't have access to those resolvers.
I then tried to use the 'admin' role for the validation query. This started failing for a different reason. On the role specific schemas the
on_conflict
argument creates empty enums with_PLACEHOLDER
as the only value. Again, this validated fine until I tried usingadmin
, and now since admin can see all the values that the enum could have, I get a_PLACEHOLDER not in enum
type validation error.I've traced this back to this snippet:
graphql-engine/server/src-lib/Hasura/RemoteSchema/SchemaCache/Permission.hs
Lines 628 to 663 in e891998
What is the expected behaviour?
I should be able to leverage remote schema permissions in this context. To do this I can see two possible paths forward:
There could be more spots that would need to be addressed like this, but I'm not aware of them.
A rough example of what this could look like:
How to reproduce the issue?
Any possible solutions/workarounds you're aware of?
Not so far. I've tried:
_PLACEHOLDER
from the enum definitions, but then the remote schema definition is rejected with a syntax error despite being, I think, technically valid.Keywords
remote schema, permissions, validation, _PLACEHOLDER
The text was updated successfully, but these errors were encountered: