Access
Access configuration allows Inigo's users to apply fine-grained authorization and access controls. Not all clients are the same; you may have authenticated and unauthenticated clients using your application. Using the access control capabilities of Inigo, you can enforce strong authorization controls depending on the context of your clients.
Sample Config
kind: Access
name: demo
label: starwars
spec:
roles:
- name: viewer
config_files:
- access/viewer.inigo
allowed_operations:
- access/viewer.graphql
- name: director
config_files:
- access/director.inigo
- name: actor
config_files:
- access/actor.inigo
- name: producer
config_files:
- access/producer.inigo
profiles:
- name: guest
introspection_mode: partial
- name: user
introspection_mode: full
- name: admin
introspection_mode: full
query {
login
logout
films {
director
title
characters {
name
appearedIn
}
}
people
}
type Film {
title
director
characters
}
type Person {
name
birthYear
height
ssn
}
query Planets {
planets {
name
appearedIn {
title
}
}
}
query {
login
logout
version {
version
date
commit
}
}
mutation {
userAdd
userRemove
}
query {
login
logout
films {
title
director
episodeId
openingCrawl
producer
characters {
name
height
}
planets {
name
climate
}
species {
name
skinColor
}
starships {
name
crew
}
vehicles {
name
model
}
}
people {
name
}
}
query {
login
logout
films {
title
director
episodeId
openingCrawl
producer
characters {
name
height
}
planets {
name
climate
}
species {
name
skinColor
}
starships {
name
crew
}
vehicles {
name
model
}
}
people {
name
}
}
@access
Directive
Inigo also provides the ability to configure access directly in graphql schema via @access
directive.
Let's take a look at the access
directive usage in this simple example:
scalar Int
scalar String
schema {
query : Query
}
type Query {
user: User @access(role: ["user", "admin"])
}
type User {
id: Int!
fullname: String
email: String! @access(role: ["admin"])
}
directive @access(role: [String] = ["allowed role"]) on FIELD_DEFINITION
Such schema will create access configuration for user
role that will look like this:
query {
user: User
}
type User {
id
fullname
}
and for the admin
role:
query {
user: User
}
type User {
id
fullname
email
}
Note that User.email
field is only accesible for admin
role, according to the directive configuration.
If the field has non-primitive type, the acces
directvie will grant access to all of the nested fieds and types, excluding those that have another access
direcive without given role.
You can also combine access configuration files with access
directive.
Spec
This section defines the format of Inigo's Access
type configuration files. Fields marked as required
must be specified if the parent is defined.
Field | Type | Description |
---|---|---|
access_mode | string default:block | One of: - block - partial |
operation_registry | OperationRegistry | |
schema_directive_path_scope | string default:"@access.role" | Path to access scope on schema. Example: @auth.scope. Directive argument 'scope' must be of type [String] or compatible. |
schema_directive_path_state | string | Path to access state on schema. Example: @auth.state. Directive argument 'state' must be of type [Enum] or compatible. |
profile_default_values | AccessProfileDefaultValues | |
profiles | [AccessProfile] | |
role_default_values | AccessRoleDefaultValues | |
roles | [AccessRole] |
OperationRegistry
Field | Type | Description |
---|---|---|
enabled | boolean | |
operation_id_path | string | |
security_mode | string default:audit | Operation registry security mode. You can specify the registry behaviour based on provided operation id / query string. One of: - allow_operation_id : allow using persisted operation id. it is optional, regular requests are also working.- audit : operation id is optional but unregistered queries are being logged as warnings- safelist : only persisted queries are allowed, by operation id or by query string- operation_id_only : persisted operation id is mandatory, query strings are considered unrecognized |
operations_files | [string] | Relative path to the filesystem location of your operations graphql files. For example: access_files/operations.graphql |
operations_map_files | [string] | Relative path to the filesystem location of your operations json map files. For example: access_files/operations.json |
AccessProfileDefaultValues
Field | Type | Description |
---|---|---|
introspection_mode | string default:none | Introspection mode policy for the given profile. One of: - none - full - partial - block |
AccessProfile
Field | Type | Description |
---|---|---|
Name | string required | Name of the profile. |
introspection_mode | string default:none | Introspection mode policy for the given profile. One of: - none - full - partial - block |
AccessRoleDefaultValues
Field | Type | Description |
---|---|---|
full_access | boolean | Grants full schema access to the role. This setting takes presedence and over any access configuration files. |
allowed_operations | [string] | Relative path to the filesystem location of your files containing allowed operations. For example: allowed_operations/viewer.graphql |
config_files | [string] | Relative path to the filesystem location of your access files. For example: access_files/viewer.inigo. |
operation_files | [string] |
AccessRole
Field | Type | Description |
---|---|---|
Name | string required | Name of the role. |
full_access | boolean | Grants full schema access to the role. This setting takes presedence and over any access configuration files. |
allowed_operations | [string] | Relative path to the filesystem location of your files containing allowed operations. For example: allowed_operations/viewer.graphql |
config_files | [string] | Relative path to the filesystem location of your access files. For example: access_files/viewer.inigo. |
operation_files | [string] |