Add GraphQL API endpoint access from primary to secondary Geo nodes
What does this MR do and why?
Related to #345420 (closed).
This adds an `api/v4/geo/node_proxy/:id/graphql` endpoint that forwards the request to another Geo secondary node (the one with `:id`) and returns the GraphQL response back.
This includes an authentication method that sends a Geo signed token from the primary using the current session's user ID, that is then authenticated on the secondary.
The flow should be:
- The `api/v4/geo/node_proxy/:id/graphql` route uses the API input as-is (`env['api.request.input']`) and generates a token with `authenticating_user_id` in the data (based on the same BaseRequestService we're using the opposite way), which then sends to `GeoNode.find(secondary_id).graphql_url` which is basically `"#{node.internal_url}/api/v4/geo/graphql"`
- On the secondary, we also alias `api/v4/geo/graphql` to `api/graphql` (`GraphqlController`), and add to the Workhorse Geo routes so it doesn't get proxied (plus fix the readonly middleware to take it into account too, since it's a POST)
- There's a new `find_user_from_geo_token` auth finder which tries to decode the Authorization Geo token, if present, and the path starts with `/api/v4/geo/`, so also for security reasons it's limited to these routes. Was thinking to also put it under a feature flag since it touches the place handling all auth finders (overriding in EE, wasn't there before)
- The GraphQL controller uses the sessionless authentication which uses the finder above, logs in as the user sent by the primary (`current_user` on the primary so there needs to be a session in the first place), then fulfills the request and sends the data back
How to set up and validate locally
- Have GDK with Geo setup, or patch this MR on a GET env.
- Enable the feature flag `Feature.enable(:geo_token_user_authentication)`
- Get a private token and set it in your env vars, like `export TOK="glpat-test"`
- This assumes your primary is at URL https://gdk.test:3443 and your secondary node has id `2`. Run

  ```shell
  curl -H "PRIVATE-TOKEN: $TOK" https://gdk.test:3443/api/v4/geo/node_proxy/2/graphql -X POST -i -H 'Content-Type: application/json' --data "{\"query\": \"query {currentUser {name}}\"}"
  ```

You should receive a `{"data":{"currentUser":{"name":"Administrator"}}}` response back (or the user name of the user you created a PAT as).
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Michael Kozono
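
The route-scoped token check described in the flow above, sketched as an added example (not code from this MR or from GitLab). It assumes an HMAC-SHA256 token as a stand-in for the Geo signed token, whose real format is not shown on this page; `GeoTokenSketch`, `issue`, `find_user_id`, and the 60-second TTL are hypothetical.

```ruby
require 'openssl'
require 'json'

# Hypothetical stand-in for the Geo signed token: HMAC-SHA256 over a
# base64-encoded JSON payload. Not GitLab's actual token format.
module GeoTokenSketch
  ALLOWED_PREFIX = '/api/v4/geo/' # route scope named in the MR description
  TTL = 60                        # assumed validity window, in seconds

  module_function

  # Primary side: sign the current session user's ID for the secondary.
  def issue(secret, user_id, now: Time.now.to_i)
    json = JSON.generate('authenticating_user_id' => user_id, 'exp' => now + TTL)
    payload = [json].pack('m0') # strict base64, never contains '.'
    "#{payload}.#{sign(secret, payload)}"
  end

  # Secondary side: return the user ID, or nil so other auth finders can run.
  def find_user_id(secret, path, authorization, now: Time.now.to_i)
    # Check the route before touching the token: the finder sits in the
    # shared auth chain, so it must be inert everywhere else.
    return nil unless path.start_with?(ALLOWED_PREFIX)
    return nil if authorization.nil?

    payload, mac = authorization.split('.', 2)
    return nil if payload.nil? || mac.nil?
    # Verify the MAC (constant-time) before parsing any payload bytes.
    return nil unless OpenSSL.secure_compare(mac, sign(secret, payload))

    data = JSON.parse(payload.unpack1('m0'))
    return nil unless data.is_a?(Hash)
    return nil if data['exp'].to_i < now # reject expired tokens

    data['authenticating_user_id']
  rescue JSON::ParserError, ArgumentError
    nil # malformed base64 or JSON is treated as "no Geo token"
  end

  def sign(secret, payload)
    OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  end
end
```
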