[Feature request] Multiple admin-secret keys and secret key management #1995
Comments
@revskill10 I love your idea. Or, more generally, if Hasura can support simple user/password authentication and merge that with JWT or webhook, then admin users can use the built-in authentication feature. (I think this approach is more dynamic than the key/role approach, and we can still use one specific user/password rather than key/password for a specific client app.) In that case we also need some new permissions, for example called:

To restrict access to each part of the console app.

@mnlbox I think user management is a different issue.

@revskill10 are you thinking more along the lines of allowing multiple admins specific keys to hit the API or console? I think that would be really useful: as people leave teams/companies you only need to remove that user's admin key.

@jasonmccallister My main motivation for this feature is that I need to integrate a 3rd client to access Hasura as a specific role. So the simplest solution is to grant an access_key for it.

Ok perfect, we have a huge need for this feature as well! Thanks @revskill10!

Also, I would say this falls into two buckets:

We have a separate function that returns a JWT for a predefined role for the 3rd party client. That works well, but of course it does not allow them to use the console in stage.

I don't think any work was done on this, but we're about to do something of our own. We'll roll out two Hasuras talking to the same DB. One is "maintenance" and the other is "developer". Maintenance will be used to manage metadata and permissions. "developer" will be restricted to the API panel. They'll both have different admin secrets, but "developer" will have a specific
Is this really the only/easiest way to achieve this right now? @coco98 and @tirumaraiselvan?

@jflambert Not sure if this is related, but in the latest community call they are talking about multiple JWTs for complex auth flows: https://hasura.io/community/community-call/2022/march/

Hey folks, multiple admin secrets is available in our Cloud/EE offering: https://hasura.io/docs/latest/graphql/cloud/security/multiple-admin-secrets/ We understand this may not be the most ideal thing for open-source users, but there is an easy workaround to achieve the same in OSS: create JWT tokens with

Thank you @tirumaraiselvan, that is what I have done in the meantime; although it does not provide access to the console, it does work with the OSS version. Keep up the great work!!!
Currently, Hasura only allows 1 secret key, as the `admin` role. This feature request suggests a `tab` on the console for the admin to add/edit/revoke more `key-role` pairs. So, this will allow bypassing JWT authentication for a specific client.

The default `admin-secret` should be immutable and showable for the first admin only.

API usage:

Client needs to send the header `x-hasura-secret-key` to access Hasura.

Use case:

`key` to access Hasura.

Related issue: #587

With this feature, Hasura will eventually support console access for all roles.

Alternative solution:

We need a table `secret_keys` with the three columns above and a join table between `secret_keys` and the table you want to grant access to. And use `secret_keys` in `permissions` settings.
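One way to wire up the two ideas in this thread, the `secret_keys` lookup from the alternative solution above and the "JWT for a predefined role" workaround mentioned in the comments, as a single added example. This is constructed example code, not Hasura's code and not anything posted in this issue: the `secret_keys` column names, the sample keys and roles, the signing secret, and the `exchange_key_for_jwt` helper are all assumptions for illustration. The JWT claims follow Hasura's documented `https://hasura.io/jwt/claims` namespace with `x-hasura-allowed-roles` and `x-hasura-default-role`.

```python
"""Constructed example (not Hasura's code): map per-client secret keys to a
Hasura role, as the `secret_keys` table in this issue proposes, and mint a
short-lived HS256 JWT carrying Hasura's claims namespace, as the OSS
workaround in the thread describes. Standard library only."""
import base64
import hashlib
import hmac
import json
import time

# Hasura's documented JWT claims namespace.
HASURA_CLAIMS_NS = "https://hasura.io/jwt/claims"

# Constructed signing secret (assumption). Hasura's HASURA_GRAPHQL_JWT_SECRET
# for HS256 needs a key of at least 32 characters; this one is only for the demo.
JWT_SECRET = b"constructed-demo-secret-please-replace-32-bytes-min"


def _hash_key(key: str) -> str:
    # Client keys are meant to be high-entropy random strings, so a plain
    # SHA-256 is enough to keep the stored form from being a usable credential.
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed stand-in for the proposed `secret_keys` table: hashed key,
# bound role, revoked flag. Column names are assumptions for this example.
SECRET_KEYS = [
    {"key_hash": _hash_key("partner-app-key-1"), "role": "partner", "revoked": False},
    {"key_hash": _hash_key("old-vendor-key"), "role": "vendor", "revoked": True},
]


def role_for_key(presented_key: str):
    """Return the role bound to presented_key, or None if unknown or revoked."""
    digest = _hash_key(presented_key)
    role = None
    for row in SECRET_KEYS:
        # Constant-time compare, and keep scanning every row so response
        # time does not reveal which row matched.
        if hmac.compare_digest(digest, row["key_hash"]) and not row["revoked"]:
            role = row["role"]
    return role


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_hasura_jwt(role: str, ttl_seconds: int = 300, now=None) -> str:
    """Mint an HS256 JWT whose Hasura claims allow exactly one role."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iat": now,
        "exp": now + ttl_seconds,
        HASURA_CLAIMS_NS: {
            "x-hasura-allowed-roles": [role],
            "x-hasura-default-role": role,
        },
    }
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(payload))
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hasura_jwt(token: str, now=None):
    """Return the payload if signature and expiry check out, else None.
    The alg header is deliberately ignored: HS256 is always enforced."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload


def exchange_key_for_jwt(headers: dict, now=None):
    """Read x-hasura-secret-key (the header this issue proposes) and return a
    JWT for the bound role, or None so the caller can answer 401."""
    lowered = {k.lower(): v for k, v in headers.items()}
    key = lowered.get("x-hasura-secret-key")
    if not key:
        return None
    role = role_for_key(key)
    if role is None:
        return None
    return mint_hasura_jwt(role, now=now)


if __name__ == "__main__":
    token = exchange_key_for_jwt({"X-Hasura-Secret-Key": "partner-app-key-1"})
    print(token)
    print(verify_hasura_jwt(token))
```

Hasura would run in JWT mode with `HASURA_GRAPHQL_JWT_SECRET` set to an HS256 secret matching `JWT_SECRET`, and the client would present the minted token as `Authorization: Bearer <token>`; a revoked or departed client is handled by flipping one row's `revoked` flag, which is the operational win the thread asks for. As the comments note, this gives the third-party client API access as its role but not console access.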