Hello!
Is there an example of how I can configure field-based permissions in the Open-Source version of Tyk Gateway? Can I use security policies for this? Can this be done by adding some clauses to policies.json?
Hi @Andrey_Nado, welcome to the community.
We usually have some examples in our GitHub repo; however, I am not sure we have one for GraphQL. I have attached a snippet below that could be of help.
> Can I use security policies for this?
Yes, absolutely.
> Can this be done by adding some clauses to policies.json?
Yes, I have added a sample below. Hope it helps.
{
  "auth_type": "authToken",
  "auth_types": [
    "authToken"
  ],
  "state": "active",
  "graphql_enabled": true,
  "_id": "623dcd6a01f3630001282da8",
  "id": "",
  "name": "UDG Star Wars Policy",
  "org_id": "XXX",
  "rate": 1000,
  "per": 60,
  "quota_max": -1,
  "quota_renewal_rate": -1,
  "throttle_interval": -1,
  "throttle_retry_limit": -1,
  "max_query_depth": -1,
  "access_rights": {
    "d29ed49e7f724b766fd8caa69cf9832d": {
      "api_name": "API UDG Star Wars",
      "api_id": "d29ed49e7f724b766fd8caa69cf9832d",
      "versions": [
        "Default"
      ],
      "allowed_urls": [],
      "restricted_types": [
        {
          "name": "Query",
          "fields": [
            "person"
          ]
        },
        {
          "name": "Person",
          "fields": [
            "name",
            "mass"
          ]
        }
      ],
      "limit": null,
      "field_access_rights": [
        {
          "type_name": "Query",
          "field_name": "person",
          "limits": {
            "max_query_depth": -1
          }
        }
      ],
      "allowance_scope": ""
    }
  },
  "hmac_enabled": false,
  "active": true,
  "is_inactive": false,
  "tags": [],
  "key_expires_in": 86400,
  "partitions": {
    "quota": true,
    "rate_limit": true,
    "complexity": true,
    "acl": true,
    "per_api": false
  },
  "meta_data": {}
}
Thank you for the quick response!
> We usually have some examples in our GitHub repo
I checked out the tyk-demo repo but it has no example of field-based permissions.
> I have added a sample below.
The restricted_types configuration works like a charm, great!
Unfortunately I did not manage to make field_access_rights work. The gateway always returns a “depth limit exceeded” error regardless of the numeric value specified.
Thanks again!
Hey @Andrey_Nado,
The “field_access_rights” part of the policy is responsible for setting a depth limit for a query only. So if you have a schema like this:
type Query {
  getCountry(code: ID!): Country
  getContinent(code: ID!): Continent
  getLanguage(code: ID!): Language
}
type Country {
  code: ID!
  name: String!
  native: String!
  phone: String!
  continent: Continent!
}
type Continent {
  code: ID!
  name: String!
  countries: [Country!]!
}
type Language {
  code: ID!
  name: String
  native: String
}
You can do a few different things with your policy:
1. Restrict someone from seeing a whole type or just part of it. That is set in “restricted_types”, like @Olu showed above.
2. Set a global depth limit by using “max_query_depth”.
3. Set a depth limit per query. So assuming I do not want my users to go lower than depth 3 on my getContinent(code: ID!): Continent query, I can use “field_access_rights” this way:
"field_access_rights": [
  {
    "type_name": "Query",
    "field_name": "getContinent",
    "limits": {
      "max_query_depth": 3
    }
  }
]
You need to make sure that in “field_access_rights” you are referring to the query type and one of the queries you have there already.
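As an added illustration (this is not Tyk's code, and not a statement of how the gateway itself evaluates a policy), the following Python script assumes the schema from the reply above and a constructed access_rights fragment shaped like the policies shown in this thread. It lints each field_access_rights entry against the schema (the check the last sentence asks for, and the kind of mismatch that silently leaves a per-query limit unapplied), measures a query's selection-set depth against the per-query or global max_query_depth, and walks the query with the schema to list which selections fall under restricted_types. The depth-counting convention, the "empty fields list restricts the whole type" rule and all sample values are this example's own assumptions.

```python
import re

# Constructed input: the schema from the reply above, trimmed to the fields used here.
SCHEMA_SDL = """
type Query {
  getCountry(code: ID!): Country
  getContinent(code: ID!): Continent
}
type Country {
  code: ID!
  name: String!
  phone: String!
  continent: Continent!
}
type Continent {
  code: ID!
  name: String!
  countries: [Country!]!
}
"""

# Constructed access_rights fragment (hypothetical values, same shape as the policies above).
# The second field_access_rights entry deliberately names a query that is not in the schema.
ACCESS_RIGHTS = {
    "restricted_types": [{"name": "Country", "fields": ["phone"]}],
    "field_access_rights": [
        {"type_name": "Query", "field_name": "getContinent", "limits": {"max_query_depth": 3}},
        {"type_name": "Query", "field_name": "getContinents", "limits": {"max_query_depth": 3}},
    ],
}

def parse_schema(sdl):
    """Map each object type to {field_name: return_type}, stripping [] and ! markers."""
    types = {}
    for m in re.finditer(r"type\s+(\w+)\s*\{([^}]*)\}", sdl):
        fields = {}
        for line in filter(None, (l.strip() for l in m.group(2).splitlines())):
            name, _, ret = line.rpartition(":")  # last colon: argument lists contain colons too
            fields[name.split("(")[0].strip()] = re.sub(r"[\[\]!]", "", ret).strip()
        types[m.group(1)] = fields
    return types

def lint_field_access_rights(access, schema):
    """Each entry must name an existing type and one of its fields; returns the problems found."""
    problems = []
    for entry in access.get("field_access_rights", []):
        t, f = entry["type_name"], entry["field_name"]
        if t not in schema:
            problems.append(f"unknown type {t!r}")
        elif f not in schema[t]:
            problems.append(f"{t}.{f} is not a field of {t}")
    return problems

_TOKEN = re.compile(r'[{}()]|[A-Za-z_][A-Za-z0-9_]*|"[^"]*"|[^\s,(){}]+')

def parse_query(text):
    """Parse selection sets into nested (field, children) pairs; arguments and the operation header are skipped."""
    tokens, pos = _TOKEN.findall(text), 0
    def selection_set():
        nonlocal pos
        pos += 1  # consume "{"
        fields = []
        while tokens[pos] != "}":
            name, pos = tokens[pos], pos + 1
            if pos < len(tokens) and tokens[pos] == "(":  # skip "(args)"
                while tokens[pos] != ")":
                    pos += 1
                pos += 1
            children = selection_set() if pos < len(tokens) and tokens[pos] == "{" else []
            fields.append((name, children))
        pos += 1  # consume "}"
        return fields
    while tokens[pos] != "{":  # skip "query Name(...)" if present
        pos += 1
    return selection_set()

def query_depth(selections):
    """Nesting depth of selection sets: `{ a { b } }` is 2 (this example's convention, not the gateway's)."""
    return 1 + max(query_depth(c) for _, c in selections) if selections else 0

def effective_depth_limit(access, selections, global_limit=-1):
    """Strictest per-query limit among the top-level fields used, else the global one; -1 = unlimited."""
    rules = {(r["type_name"], r["field_name"]): r["limits"]["max_query_depth"]
             for r in access.get("field_access_rights", [])}
    limits = [rules[("Query", n)] for n, _ in selections if rules.get(("Query", n), -1) >= 0]
    return min(limits) if limits else global_limit

def restricted_fields_used(access, selections, schema, type_name="Query"):
    """Walk the query with the schema; collect type.field selections named in restricted_types.
    Assumption for this illustration only: an empty "fields" list restricts the whole type."""
    denied = {r["name"]: set(r["fields"]) for r in access.get("restricted_types", [])}
    hits = []
    for name, children in selections:
        if type_name in denied and (not denied[type_name] or name in denied[type_name]):
            hits.append(f"{type_name}.{name}")
        child_type = schema.get(type_name, {}).get(name)
        if children and child_type:
            hits.extend(restricted_fields_used(access, children, schema, child_type))
    return hits
```

Running lint_field_access_rights first reports the "getContinents" entry as not being a field of Query, which is exactly the situation the reply warns about; with the entry corrected, a getContinent query nested five selection sets deep exceeds the per-query limit of 3, while a getCountry query with no matching entry falls back to the global max_query_depth.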