Running UDF in ABAC Predicate results in Permission Denied

siame · December 21, 2021, 2:55pm

Hi,

I’m trying to combine the logging function as declared here: Logging Function, with a predicate check on write for a collection.

As a base case, the predicate of:

Lambda(["oldData", "newData"], true)

works fine, and all write operations are allowed.

When I change this to:

Lambda(["oldData", "newData"], Call("log", { message: "hello", value: true }))

to attempt to log a basic message and return a true value to allow the write, neither the log document is created nor the action allowed, resulting in a

{
    "errors": [
        {
            "message": "Permission denied"
        }
    ]
}

on the graphql request.

I should also add that running the log UDF from the shell performs as expected, and the log document is created, as well as true being returned:

> Call('log', {message: 'hello', value: true})
true

I’ve given the role in question the permissions to access the function, as well as to write to the log collection. Am I missing some other permissions? Are UDFs allowed in predicate calls?

Thanks!

ewan · December 21, 2021, 5:48pm

Role predicates must be read-only functions. They are used solely to determine privileges, and cannot otherwise influence the execution of, or response from, the current query. What you are attempting cannot work.

siame · December 21, 2021, 7:15pm

Thanks for the answer @ewan

My endgame here was to log oldData and newData, to see what they contained when making partialUpdates as allowed through:

X-Schema-Preview: partial-update-mutation

Is there any other way to inspect/log these values at runtime?

Thanks!

ewan · December 21, 2021, 10:37pm

When I’ve tried to debug predicates, I’ve written a UDF that implements the same logic as the predicate, and then call it with an existing document and a new document.

It’s not ideal, because the UDF and predicate cannot share the same implementation; you have to manually ensure that the implementations match. But it is better than nothing.

If anyone reading this thread has tips or solutions that work for you, please share!

siame · December 21, 2021, 11:02pm

For reference, when using the partialUpdate methods through the partial-update-mutation schemas, in the write predicate lambda, do oldData and newData contain all of the fields that are on the document, or just those partial fields that are sent through in the request?

ewan · December 22, 2021, 5:56pm

Whether you use partial-update-mutation or not, the newData document contains the fields and values that you have specified in your query.

siame · December 22, 2021, 6:14pm

Does that mean that the oldData will contain all of the fields of the document regardless of which fields are sent across in the case of a partial-update-mutation?

ewan · December 23, 2021, 6:09pm

Yes. oldData contains the document as it appears in storage at the time of the transaction. That incurs at least one read operation, but might incur more depending on the size of the document.

Topic		Replies	Views
ABAC lambda functions hard to debug when using GraphQL - permissions error Help graphql	5	830	July 22, 2020
Restricting Write to currentIdentity in Role for User Help graphql , authentication	6	426	August 17, 2021
Permission denied when predicate set for collection, but works when boolean true Help fql , authentication	5	1388	May 4, 2021
Role for User vs. Role for UDF called by User Help	5	580	May 18, 2021
ABAC Write Lambda Function Not Working Help fql	4	458	May 4, 2021

Running UDF in ABAC Predicate results in Permission Denied

Related topics