Reputation: 3751
I am trying to define two roles in Hasura:

role_1: In my_table, can update: column_A and column_B
role_2: In my_table, can update: column_C

I want an end user to be able to update column_A, column_B or column_C without specifying a role, so I combine these into an inherited role: user.
I receive the following error when uploading the metadata to Hasura:

{
  "internal": [
    {
      "reason": "Could not inherit permission for the role 'user' for the entity: 'update permission, table: my_table, source: 'my_source''",
      "name": "user",
      "type": "inherited role permission inconsistency",
      "entity": {
        "permission_type": "update",
        "source": "my_source",
        "table": "my_table"
      }
    }
  ],
  "path": "$.args",
  "error": "cannot continue due to inconsistent metadata",
  "code": "unexpected"
}
The my_table permissions in my metadata:

"update_permissions": [
  {
    "role": "role_1",
    "permission": {
      "filter": ...(check if I can update column_A and column_B)
      },
      "columns": [
        "column_A",
        "column_B"
      ]
    }
  },
  {
    "role": "role_2",
    "permission": {
      "filter": ...(a different check if I can update column_C)
      },
      "columns": [
        "column_C"
      ]
    }
  }
],
Inherited roles config:

"inherited_roles": [
  {
    "role_name": "user",
    "role_set": [
      "role_1",
      "role_2"
    ]
  }
]
If I include all three columns in update permissions / roles, it works fine. However, this isn't what I want 🙁
Upvotes: 3
Views: 526
Reputation: 3751
(Thanks to jmart on Hasura Discord for the answer):
As far as I understand the feature, it's a cascade of checks, not a combination of checks.
So it looks to see if the user has permission to select columns ABC from the first role it has access to, and if not, checks if it has access via any of the other roles.
If none of the roles are inclusive of all requested columns, it will be considered a clash because they are conflicting permission rules.
Upvotes: 2
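A pre-upload check for the situation in this thread, added here as an example (it is not from the original posts or from Hasura): it flags every table where the parent roles of an inherited role grant update on different column sets, which is the configuration that produced the error in the question. The `tables` wrapper, the empty `filter` placeholders and the function name `find_update_clashes` are assumptions, and only column sets are compared, not filters.

```python
import json

# Constructed sample mirroring the fragments in the question. The "filter"
# bodies are empty placeholders and the outer "tables" wrapper is an
# assumption about how the fragments sit in the full metadata.
METADATA = json.loads("""
{
  "tables": [
    {
      "table": "my_table",
      "update_permissions": [
        {"role": "role_1",
         "permission": {"filter": {}, "columns": ["column_A", "column_B"]}},
        {"role": "role_2",
         "permission": {"filter": {}, "columns": ["column_C"]}}
      ]
    }
  ],
  "inherited_roles": [
    {"role_name": "user", "role_set": ["role_1", "role_2"]}
  ]
}
""")


def find_update_clashes(metadata):
    """Return (inherited_role, table, {parent: columns}) for every table where
    the parents of an inherited role grant update on different column sets."""
    clashes = []
    for inherited in metadata.get("inherited_roles", []):
        parents = set(inherited["role_set"])
        for table in metadata.get("tables", []):
            # Column set granted by each parent role that has an update rule here.
            cols = {p["role"]: frozenset(p["permission"].get("columns", []))
                    for p in table.get("update_permissions", [])
                    if p["role"] in parents}
            if len(set(cols.values())) > 1:
                clashes.append((inherited["role_name"], table["table"],
                                {r: sorted(c) for r, c in cols.items()}))
    return clashes


if __name__ == "__main__":
    for role, table, cols in find_update_clashes(METADATA):
        print(f"{role}: update on {table} differs across parents: {cols}")
```

Run against the question's configuration it reports `user` on `my_table`; with the same three columns listed for both parent roles (the variant the question says works) it reports nothing.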