If the database is dropped, Hasura becomes unavailable.


https://hasura.io/docs/latest/graphql/core/deployment/deployment-guides/docker.html#deployment-docker

Deploying Hasura with an external DB (Docker + environment variables)

docker run -d --net=host \
  -e HASURA_GRAPHQL_DATABASE_URL=postgres://<username>:<password>@hostname:<port>/<dbname> \
  -e HASURA_GRAPHQL_ENABLE_CONSOLE=true \
  hasura/graphql-engine:latest

https://hasura.io/docs/latest/graphql/core/auth/authentication/jwt.html

https://github.com/httpsOmkar/keycloak-hasura-connector

https://gist.github.com/webdeb/d8a99df9023f01b78e3e8ff580abe10b


Authenticating with Keycloak:

You need to create a client for Hasura and add 3 new mappers in the “Mappers” menu.

Settings for each mapper:

    =================================================
    Protocol: openid-connect
    Name: hasura-claim-user-id
    Mapper Type: User Property
    Property: id
    Token Claim Name: https://hasura\.io/jwt/claims.x-hasura-user-id
    =================================================
    Protocol: openid-connect
    Name: hasura-claim-default-role
    Mapper Type: Hardcoded claim
    Token Claim Name: https://hasura\.io/jwt/claims.x-hasura-default-role
    Claim value: [Your Single Client Role]
    =================================================
    Protocol: openid-connect
    Name: hasura-claim-allowed-roles
    Client ID: [Your Hasura Client ID]
    Mapper Type: User Client Role
    Multivalued: On
    Token Claim Name: https://hasura\.io/jwt/claims.x-hasura-allowed-roles
    =================================================

Before bringing Hasura up, you need to obtain the JWT secret:

  1. REALM > “Realm Settings” > “Keys”
  2. In the row where the “algorithm” column is RS256 there should be another column called “Public Keys”, with a “Public Keys” button that displays the key when clicked.

#!/bin/bash
docker run -d -p 8080:8080 \
  -e HASURA_GRAPHQL_DATABASE_URL=postgres://postgres:<senha>@<host>:5432/<database> \
  -e HASURA_GRAPHQL_ENABLE_CONSOLE=true \
  -e HASURA_GRAPHQL_ADMIN_SECRET=zYZVX4oteW \
  -e HASURA_GRAPHQL_JWT_SECRET='{"type":"RS256", "key":"-----BEGIN PUBLIC KEY-----
<public-key>
-----END PUBLIC KEY-----"}' \
  hasura/graphql-engine:latest

The formatting looks odd, but it has to be this way: the final format of the string must be as follows (including the newline character):

-----BEGIN PUBLIC KEY-----
<public-key>
-----END PUBLIC KEY-----

HASURA JWT role workflow:

1. The token is decoded, and checked whether both x-hasura-default-role and x-hasura-allowed-roles are included
2. If both headers exist, it is checked whether the x-hasura-default-role is part of the roles defined in x-hasura-allowed-roles
3. If the x-hasura-role header is present, then this value is checked against the x-hasura-allowed-roles and it overrides x-hasura-default-role as the role to use
4. The role (either x-hasura-default-role or x-hasura-role) is then checked against the role defined on the permissions on the table(s) in the graphql query.

src: https://github.com/hasura/graphql-engine/issues/877

TL;DR:

The request to Hasura's GraphQL endpoint must carry a header called “x-hasura-role” with the role needed to perform the request. The value of this header is compared with the values (roles) present in the JWT's “x-hasura-allowed-roles” field (filled in by the backend): if the role given in “x-hasura-role” is present in “x-hasura-allowed-roles” the request goes through, otherwise 401 :/
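As an added example (not Hasura's code and not from the issue linked above), the four workflow steps and the TL;DR written out as a small Python check over a claims object shaped the way the three Keycloak mappers above emit it. The sample token payload, the issuer and the per-table permission map are constructed placeholders.

```python
from typing import Optional

HASURA_NS = "https://hasura.io/jwt/claims"  # namespace the Keycloak mappers write into

# Constructed sample: a decoded Keycloak access token after the three mappers ran.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.com/auth/realms/demo",  # placeholder issuer
    HASURA_NS: {
        "x-hasura-user-id": "7f3c2a9e-0000-4000-8000-000000000001",  # made-up id
        "x-hasura-default-role": "user",
        "x-hasura-allowed-roles": ["user", "editor"],
    },
}

# Hypothetical per-table permissions, standing in for what is set up in the console.
TABLE_PERMISSIONS = {
    "articles": {"user": {"select"}, "editor": {"select", "insert", "update"}},
}

class RoleError(Exception):
    """Token/header combination that Hasura would reject."""

def resolve_role(claims: dict, x_hasura_role: Optional[str] = None) -> str:
    """Steps 1-3 of the workflow: return the effective role or raise RoleError."""
    ns = claims.get(HASURA_NS)
    if not isinstance(ns, dict):
        raise RoleError(f"missing {HASURA_NS} claim")
    default_role = ns.get("x-hasura-default-role")
    allowed = ns.get("x-hasura-allowed-roles")
    # step 1: both claims must be present
    if not isinstance(default_role, str) or not isinstance(allowed, list):
        raise RoleError("x-hasura-default-role and x-hasura-allowed-roles are required")
    # step 2: the default role must itself be one of the allowed roles
    if default_role not in allowed:
        raise RoleError(f"default role {default_role!r} not in allowed roles")
    # step 3: an explicit x-hasura-role header overrides the default, if allowed
    if x_hasura_role is None:
        return default_role
    if x_hasura_role not in allowed:
        raise RoleError(f"requested role {x_hasura_role!r} not in allowed roles")
    return x_hasura_role

def authorize(claims: dict, x_hasura_role: Optional[str], table: str, op: str) -> bool:
    """Step 4: may the resolved role run `op` on `table`? False where Hasura refuses."""
    try:
        role = resolve_role(claims, x_hasura_role)
    except RoleError:
        return False
    return op in TABLE_PERMISSIONS.get(table, {}).get(role, set())
```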


Deploying on Kubernetes:

deploy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hasura
    hasuraService: custom
  name: hasura
  namespace: hasura
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hasura
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: hasura
    spec:
      containers:
      - image: hasura/graphql-engine:v1.3.3
        imagePullPolicy: IfNotPresent
        name: hasura
        env:
        - name: HASURA_GRAPHQL_DATABASE_URL
          value: postgres://postgres:<SENHA>@<HOST>:<PORT>/<DB>
        ## enable the console served by server
        - name: HASURA_GRAPHQL_ENABLE_CONSOLE
          value: "true"
        ## enable debugging mode. It is recommended to disable this in production
        - name: HASURA_GRAPHQL_DEV_MODE
          value: "true"
        - name: HASURA_GRAPHQL_ADMIN_SECRET
          value: <ADMIN_SECRET>
        - name: HASURA_GRAPHQL_JWT_SECRET
          value: '{"type":"RS256", "key":"-----BEGIN PUBLIC KEY-----\n<CHAVE_PUBLICA>\n-----END PUBLIC KEY-----"}'
        ports:
        - containerPort: 8080
          protocol: TCP
        resources: {}

service.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    app: hasura
  name: hasura
  namespace: hasura
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  selector:
    app: hasura
  type: LoadBalancer

https://hasura.io/docs/latest/graphql/core/auth/authorization/roles-variables.html

