Auth And RBAC
Configure authentication, role queries, table permissions, row filters, and column blocking.
Auth providers
GraphJin supports JWT/OIDC-style config, JWKS refresh, static public keys, and header authentication.

auth:
  type: jwt
  jwt:
    jwks_url: https://issuer.example.com/.well-known/jwks.json
    audience: graphjin

Identity mapping in source mode
Source mode centralizes common identity claims and then generates the lower-level filters and presets GraphJin already enforces in the compiler:

identity:
  user_id_claim: sub
  role_claims: [role, roles]
  namespace_claim: account_id
  admin_roles: [admin]
sources:
  - name: app
    kind: database
    type: postgres
    access:
      read: account
      write: blocked
      delete: blocked
      namespace_column: account_id
      public_tables: [countries, plans]
      admin_tables: [audit_logs]
      blocked_tables: [internal_events]

TestApplySourceAccessRulesGeneratesAccountFiltersAndClassifications
core/source_access_test.go:14

Role query
Roles can come from SQL or GraphQL role queries. GraphQL role queries return fields that role predicates match against.
TestGraphQLRoleQueryMatchesConfiguredRole
core/role_query_graphql_test.go:14

Table permissions
Per-table role rules control query, insert, update, upsert, and delete operations. Rules can set limits, filters, column allow/block lists, presets, and operation blocks.

roles:
  - name: user
    tables:
      - name: products
        query:
          filters:
            - "{ owner_id: { eq: $user_id } }"
          columns: ["id", "name", "price"]
        insert:
          columns: ["name", "price"]
          presets:
            owner_id: "$user_id"
        delete:
          block: true

In source mode, do not mix user-written roles[].tables rules with sources:. Migrate repeated account filters to sources[].access and keep legacy role table rules for database-only legacy configs.

Column and aggregate enforcement
Column allow-lists also apply inside expressions and aggregate metrics. If a role cannot read price, sum(of: price) and expression aggregates that reference price should fail the same way a direct price field would.
Example_queryWithExprRoleAllowlist
tests/query_test.go:2468
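
The enforcement rule above, as an added example in Go (a simplified model, not GraphJin's own code): the `Expr` type and the `collect` and `DeniedColumns` functions are hypothetical, and the role's allow-list is a constructed sample. The allow-list is checked against every column reference found by walking the expression tree, so a blocked column is rejected inside an aggregate exactly as it is when selected directly.

```go
package main

import (
	"fmt"
	"sort"
)

// Expr is a hypothetical, simplified query node: a column reference (Col set)
// or an aggregate/operator call (Op set) over nested arguments.
type Expr struct {
	Col  string
	Op   string
	Args []Expr
}

// collect records every column an expression touches, at any depth.
func collect(e Expr, seen map[string]bool) {
	if e.Col != "" {
		seen[e.Col] = true
	}
	for _, a := range e.Args {
		collect(a, seen)
	}
}

// DeniedColumns returns, sorted, every referenced column missing from the allow-list.
func DeniedColumns(allow []string, selection []Expr) []string {
	allowed := make(map[string]bool, len(allow))
	for _, c := range allow {
		allowed[c] = true
	}
	seen := map[string]bool{}
	for _, e := range selection {
		collect(e, seen)
	}
	denied := []string{}
	for c := range seen {
		if !allowed[c] {
			denied = append(denied, c)
		}
	}
	sort.Strings(denied)
	return denied
}

func main() {
	allow := []string{"id", "name"} // constructed allow-list: price is not readable
	agg := []Expr{{Col: "id"}, {Op: "sum", Args: []Expr{{Col: "price"}}}}
	fmt.Println(DeniedColumns(allow, agg))
}
```

A checker that inspected only top-level `Col` values would pass the `sum` selection, which is the gap the allow-list rule closes.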