Taz Singh - Moderator
Panelists:
Tanmai Gopal
Ankita Masand
Jonny Green
Sam Scott
The 90-90 rule mentioned by Taz Singh in software development refers to spending the first 90% of the time building the server and the last 10% on writing authorization rules, which paradoxically takes up another 90% of the time.
Guild.IO approaches GraphQL authorization by implementing role-based and attribute-based access checks. They ensure that users are authenticated and have the appropriate roles before accessing sensitive data, like hotel bookings or financial information.
Role-based access control (RBAC) assigns permissions based on user roles within an organization, allowing access to resources based on those roles. Attribute-based access control (ABAC) grants permissions based on policies that combine multiple attributes of users and resources, offering more granular access control.
Common challenges include managing the complexity of permissions as schemas evolve, ensuring data security while maintaining efficient data access and handling, and integrating authorization seamlessly with existing data systems without impacting performance.
Hasura handles GraphQL authorization using a built-in policy engine inspired by database systems with Row Level Security (RLS). This model allows specifying authorization policies at the model level, ensuring consistent application of security rules across all queries that touch the model.
The panel discusses several strategies including returning null for unauthorized fields, using GraphQL errors to indicate unauthorized access, and implementing role-based schema visibility where users only see parts of the schema they are authorized to access.
Organizations ensure consistency by using centralized roles and privilege management systems to define what actions a user can perform, which are validated both on the frontend for user experience and on the backend for security.
Hey, everyone! I'm Taz Singh, the founder of Guild IO, and I'm excited to be joined by a group of experts for this authorization panel. Building a GraphQL server involves spending 90% of the time on the server itself and the remaining 10% on writing the authorization rules. Today, we will deep dive into this topic and have a discussion with Ankita, Johnny, Sam, and Tanmay. Join us in the discussion room for more interaction.
Awesome. Hey, everyone! I'm Taz Singh, and I'm the founder of Guild IO. I'm happy that you're joining us today for this authorization panel. It's probably one of my favorite parts of building a GraphQL server. I feel like it's one of those parts where it kind of follows the 90-90 rule of software development, which if you aren't familiar with that, it's where you spend the first 90% of your time building a GraphQL server. And the last 10% is spent writing the authorization rules, which counts for the other 90% of the time writing a GraphQL server. Therefore, I couldn't be more thrilled to deep dive on this topic with you today, and I couldn't be happier to be joined by this group of experts on this topic. I'd like to start with Ankita from Treebo, Johnny from Unity Technologies, Sam, the co-founder at Oso, and Tanmay, the CEO of Azura. After this, we're going to have a discussion room on this topic, so if you have any questions for today's panelists or just want to chat or hang out, feel free to join us in the discussion room and we'd love to talk to you more there.
Founder introduces GraphQL server authorization panel with experts. Ankita details role-based, attribute-based, and data-based access checks in GraphQL authorization.
Awesome. Hey, everyone. I'm Taz Singh and I'm the founder of Guild.IO. I'm happy that you're joining us today for this authorization panel. It's probably one of my favorite parts of building a GraphQL server. I feel like it's one of those parts where it kind of follows a 90-90 rule of software development, which if you aren't familiar with that is where you spent the first 90% of your time building a GraphQL server. And the last 10% is spent writing the authorization rules, which counts for the other 90% of the time writing a GraphQL server. Therefore, I couldn't be more thrilled to deep dive in this topic with you today. And I couldn't be happier to be joined by this group of experts on this topic.
I'd like to start with Ankita from Tribo, Jonny from Unity Technologies, Sam, the co-founder at Osso, and Tanmay, the CEO of Hasura. After this, we're going to have a discussion room on this topic. So if you have any questions for today's panelists, or just want to chat or hang out, feel free to join us in the discussion room and we'd love to talk to you more there. But without further ado, let's dive into our first question, because I'm sure you'd love to hear from the panelists instead of hearing from me. So let's go around and talk about how each of you have worked with GraphQL authorization, just to kind of set the stage and provide some ideas for the panel, some topics of discussion we can talk about. So let's start with Ankita.
So Ankita, can you describe how you work with GraphQL authorization? Yeah, sure. Hi. Hi, everyone. So to start with, we have two kinds of data, one that is publicly accessible. For example, hotel name, location, email, contact. This is just a small piece of graph and you can access this even if you're not authenticated. This other piece of data like bookings done on a hotel or you creating a booking, finance rated information of a hotel. To view this information, you should be authenticated and you should have a required role on this particular hotel, right? So we first check all these role-based access, they are on the GraphQL layer. We check if you have a valid role in the system and then we allow you to go to the GraphQL layer. Otherwise, we'll error out the entire operation in the context object itself saying that you're not authorized.
Also, to solve for insecure direct object reference, which means that you are a valid authenticated user and you are authorized to access the details of Hotel A, but you are not authorized to access details of Hotel B, which means that you have to check role this user on a resource, right? These are all role based access. And next comes is attribute based access, which means a user has certain permissions to, let's say, you know, take an example of, like we say, you don't have access to create a booking on a hotel. These kinds of checks we have on GraphQL fields. The third type of authorization checks that we have in our system is data based access checks, which means that you can refund an amount, but how much you can refund it depends on some particular business logic. Now this business logic is in the backend services.
We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career
Comments