Support PostgreSQL Database Roles and Row Security Policies

Any updates on this? I find it incredible how far this project has come, specially the built in permissions system, but without supporting the built in authentication and authorization system, which IMO should be the primary system since the project itself proposes to be a frontend to PostgreSQL. RLS and built in authentication could be as flexible as the database itself. There should be minimum configuration on hasura whenever possible. I’d contribute this, but I know no haskell…

Thanks

+1 on this.

Not sure if I should be writing this here or starting a new thread, but there should be a way to pass webhook/auth server variables into the session, so that we could use them in queries or RLS rules. Currently, if I get it right, to use permissions one must use the hasura permissions system since the connections run under a single role. Although the permissions system is nice, I’d rather use PostgreSQL’s built-in permissions system, keeping it all in the database, since more manageable and portable. An example:

<Incoming request > => <Hasura Server> => <Webhook server/JWT auth> => {"postgresql_current_user: "howe"}

For that webhook reply, it’s my understanding that hasura should emit a command (keeping the same connection from the pool):

howe=# SET SESSION AUTHORIZATION howe;
SET

… then continue processing the request normally as role “howe”.

That alone would allow using everything RLS needs.

Another nice adding would be defining arbitrary settings coming from webhook/JWT other then just the user name as shown above. Examples:

<Incoming request > => <Hasura Server> => <Webhook server/JWT auth> => {"hasura_postgresql_mysetting_1: "xxx", "hasura_postgresql_mysetting_1": "yyy"}

Hasura should emit these SQL commands before starting any queries:

howe=# SET hasura_settings.my_setting_1 =  'xxx';
SET
howe=# SET hasura_settings.my_setting_2 =  'yyy';
SET

That way we could easily retrieve those settings coming from webhook/jwt token in any query or RLS check constraint:

howe=# select current_setting('hasura_settings.my_setting');
howe=# select current_setting('hasura_settings.my_setting_1');
 current_setting 
-----------------
 xxx
(1 row)

This is nice enough that we could import and use arbitrary json values coming from the webhook; just convert the string into json type and use as wished. Of course, sending all those settings in a single sql string would make it faster then sending each one in rounds.

As someone posted in another thread, simple built-in authentication is missing. Hasura could easily check a user login is valid by reconnecting with the given credentials and store the current_user in session information, and send a “SET SESSION AUTHORIZATION”… as above. That would be great for those who want a hasura-only authentication solution.

Finally, a great and simple way of authenticating and setting vars would be calling a function: howe=# create function

Thanks Howe