feat(c/v3-engine) add possibility for namespacing when adding multiple data sources. Add possibility for permissions on namespaces and prefixes. #10642
Labels
Comments
|
Thanks for sharing this detailed and thoughtful feature request @Relaxe111 — it’s clear you’ve put a lot of effort into outlining the current challenges, proposed solutions, and potential benefits of reintroducing namespaces in Hasura DDN. I can see how this would help with managing multi-source projects, improving schema organization, and enhancing permissions for multi-tenant systems. I’ve passed your feedback along to the product and engineering teams for review, and while I can’t promise immediate changes, it’s precisely this kind of input that helps shape our roadmap. Someone will be in touch soon. Thanks again for contributing! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Feature Request for Hasura v3: Namespacing for Multiple Data Sources
Current Behavior (Hasura v2)
In Hasura v2, when multiple databases are added as data sources, a namespace can be defined for each database. This enables GraphQL queries to group all tables and models from a database under a single, hierarchical namespace. Example:
Limitation in Hasura v3
In Hasura v3, the namespacing feature has been replaced with prefixes at the root level. While prefixes serve a similar purpose, they do not provide the hierarchical structure or flexibility that namespaces offered. Instead of:
You get:
This flat structure can be harder to manage and less intuitive, especially when working with a large number of data sources that share the same schema.
Proposed Feature: Reintroduce Namespaces for Data Sources in Hasura v3
1. Namespace Support
Allow users to define a namespace for each data source. All tables and models from the data source would be grouped under the namespace in the GraphQL schema.
Example configuration in metadata.yaml:
Resulting GraphQL structure:
2. Namespace-Specific Permissions
To enhance the security and usability of namespaces, introduce namespace-level permissions that can restrict access to certain namespaces based on headers or JWT claims.
Example Permission Definition
In the metadata.yaml file, permissions could be defined for namespaces similarly to table-level permissions. For instance:
Behavior in Queries
If a request contains the header X-Hasura-Allowed-Namespace: customer1, the user would only be able to query the customer1 namespace:
graphql
Any attempt to query other namespaces (e.g., customer2) would be denied.
Wildcard or Multi-Namespace Support
If the header contains multiple allowed namespaces (e.g., X-Hasura-Allowed-Namespaces: customer1,customer2), users can query any of the specified namespaces.
3. Optional Namespace Filtering Based on Dynamic Conditions
Enhance flexibility by allowing permissions to reference dynamic conditions like JWT claims or external data sources. For example:
JWT Claim-Based Filtering
Namespace access could be determined by a claim in the JWT token, such as allowed_namespaces.
Header-Based Filtering
Benefits of This Feature
Improved Organization
Namespaces keep the GraphQL schema structured, making it easier to manage large projects with multiple data sources.
Enhanced Security
Namespace-level permissions allow granular control over access, ensuring that users or roles can only access the data sources they are authorized for.
Compatibility with Multi-Tenant Systems
This feature is especially useful for multi-tenant applications where each tenant has its own database but a shared schema.
Backward Compatibility
By reintroducing namespaces, developers familiar with Hasura v2 can seamlessly migrate to v3 without losing the benefits of hierarchical grouping.
Scalability
Supports large-scale applications with dozens or hundreds of customers, databases, or shared logic layers.
The text was updated successfully, but these errors were encountered: