Access

Access configuration allows Inigo's users to apply fine-grained authorization and access controls. Not all clients are the same; you may have authenticated and unauthenticated clients using your application. Using the access control capabilities of Inigo, you can enforce strong authorization controls depending on the context of your clients.


Sample Config

access.yaml

kind: Access
name: demo
label: starwars
spec:
  roles:
    - name: viewer
      config_files:
        - access/viewer.inigo
      allowed_operations:
        - access/viewer.graphql
    - name: director
      config_files:
        - access/director.inigo
    - name: actor
      config_files:
        - access/actor.inigo
    - name: producer
      config_files:
        - access/producer.inigo

  profiles:
    - name: guest
      introspection_mode: partial
    - name: user
      introspection_mode: full
    - name: admin
      introspection_mode: full

viewer.inigo

query {
  login
  logout

  films {
    director
    title
    characters {
      name
      appearedIn
    }
  }
  people
}

type Film {
  title
  director
  characters
}

type Person {
  name
  birthYear
  height
  ssn
}

viewer.graphql

query Planets {
  planets {
    name
    appearedIn {
      title
    }
  }
}

actor.inigo

query {
  login
  logout
  version {
    version
    date
    commit
  }
}

mutation {
  userAdd
  userRemove
}

director.inigo

query {
  login
  logout

  films {
    title
    director
    episodeId
    openingCrawl
    producer
    characters {
      name
      height
    }
    planets {
      name
      climate
    }
    species {
      name
      skinColor
    }
    starships {
      name
      crew
    }
    vehicles {
      name
      model
    }
  }

  people {
    name
  }
}

producer.inigo

query {
  login
  logout

  films {
    title
    director
    episodeId
    openingCrawl
    producer
    characters {
      name
      height
    }
    planets {
      name
      climate
    }
    species {
      name
      skinColor
    }
    starships {
      name
      crew
    }
    vehicles {
      name
      model
    }
  }

  people {
    name
  }
}

Spec

This section defines the format of Inigo's Access type configuration files. Fields marked as required must be specified if the parent is defined.

| Field | Type | Description |
| --- | --- | --- |
| profile_default_values | AccessProfileDefaultValues | |
| profiles | [AccessProfile] | |
| role_default_values | AccessRoleDefaultValues | |
| roles | [AccessRole] | |

AccessProfileDefaultValues

| Field | Type | Description |
| --- | --- | --- |
| introspection_mode | string, default: none | Introspection mode policy for the given profile. One of: none, full, partial, block. |

AccessProfile

| Field | Type | Description |
| --- | --- | --- |
| Name | string, required | Name of the profile. |
| introspection_mode | string, default: none | Introspection mode policy for the given profile. One of: none, full, partial, block. |

AccessRoleDefaultValues

| Field | Type | Description |
| --- | --- | --- |
| full_access | boolean | Grants full schema access to the role. This setting takes precedence over any access configuration files. |
| allowed_operations | [string] | Relative path to the filesystem location of your files containing allowed operations. For example: allowed_operations/viewer.graphql |
| config_files | [string] | Relative path to the filesystem location of your access files. For example: access_files/viewer.inigo. |
| operation_files | [string] | |

AccessRole

| Field | Type | Description |
| --- | --- | --- |
| Name | string, required | Name of the role. |
| full_access | boolean | Grants full schema access to the role. This setting takes precedence over any access configuration files. |
| allowed_operations | [string] | Relative path to the filesystem location of your files containing allowed operations. For example: allowed_operations/viewer.graphql |
| config_files | [string] | Relative path to the filesystem location of your access files. For example: access_files/viewer.inigo. |
| operation_files | [string] | |
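
The following is an added example, not part of Inigo's documentation or tooling: a small pre-deployment lint that checks a parsed Access document against the rules stated in the spec above (required names, the four introspection_mode values, relative file paths, and full_access taking precedence over access configuration files). It assumes the YAML has already been loaded into a dict and that the name key is lowercase as in the sample config; audit_access and SAMPLE are hypothetical names.

```python
from pathlib import PurePosixPath

MODES = {"none", "full", "partial", "block"}  # introspection_mode values from the spec
PATH_FIELDS = ("config_files", "allowed_operations", "operation_files")

def audit_access(doc):
    """Lint one parsed Access document; return (severity, message) findings."""
    if doc.get("kind") != "Access":
        return [("error", f"kind is {doc.get('kind')!r}, expected 'Access'")]
    spec, findings = doc.get("spec") or {}, []
    for i, profile in enumerate(spec.get("profiles") or []):
        label = profile.get("name") or f"profiles[{i}]"
        if not profile.get("name"):
            findings.append(("error", f"{label}: name is required"))
        mode = profile.get("introspection_mode", "none")  # spec default is none
        if mode not in MODES:
            findings.append(("error", f"{label}: unknown introspection_mode {mode!r}"))
    for i, role in enumerate(spec.get("roles") or []):
        label = role.get("name") or f"roles[{i}]"
        if not role.get("name"):
            findings.append(("error", f"{label}: name is required"))
        for field in PATH_FIELDS:
            for path in role.get(field) or []:
                if PurePosixPath(path).is_absolute():
                    findings.append(("error", f"{label}: {field} entry {path} is not relative"))
        if role.get("full_access") is True:
            # Per the spec, full_access takes precedence over access config files.
            note = "; config_files are overridden" if role.get("config_files") else ""
            findings.append(("warn", f"{label}: full_access grants the whole schema{note}"))
    return findings

# Constructed sample: roles from the page's access.yaml plus deliberately faulty entries.
SAMPLE = {
    "kind": "Access", "name": "demo", "label": "starwars",
    "spec": {
        "roles": [
            {"name": "viewer", "config_files": ["access/viewer.inigo"],
             "allowed_operations": ["access/viewer.graphql"]},
            {"name": "producer", "full_access": True,
             "config_files": ["access/producer.inigo"]},
            {"config_files": ["/etc/inigo/actor.inigo"]},  # no name, absolute path
        ],
        "profiles": [{"name": "guest", "introspection_mode": "partial"},
                     {"name": "user", "introspection_mode": "ful"}],  # typo for full
    },
}
if __name__ == "__main__":
    for severity, message in audit_access(SAMPLE):
        print(f"{severity}: {message}")
```

Running it in review or CI surfaces a role whose restrictive access file is silently overridden by full_access before the configuration is applied.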