edgraph: add AlterNoAuth for trusted in-process schema callers#9748
Open
matthewmcneely wants to merge 1 commit into
Alter routes every caller through validateAlterOperation, which calls hasAdminAuth -> x.HasWhitelistedIP. That extracts the source IP from the gRPC peer, so a caller running with a context.Background() (no peer) is always rejected with "unable to find source ip" — regardless of the --security whitelist setting.

Split Alter into Alter (NeedAuthorize) and AlterNoAuth (NoAuthorize) over a shared alter(), mirroring Query/QueryNoAuth. validateAlterOperation now takes an AuthMode: the structural checks always run, while the IP-whitelist and ACL checks run only under NeedAuthorize.

AlterNoAuth is restricted to schema operations via isDropOperation — drop requests are refused so bypassing auth can never remove data. It must not be exposed to network clients.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
amalistari reviewed Jun 18, 2026
What

Adds `AlterNoAuth` — `Alter` without the admin-IP-whitelist and ACL authorization checks — mirroring the existing `Query`/`QueryNoAuth` pair, for trusted in-process callers. `validateAlterOperation` gains an `AuthMode`: the structural checks (field set, health, mutations-allowed, reserved-namespace) always run; the IP-whitelist and ACL checks run only under `NeedAuthorize`. `Alter` and `AlterNoAuth` share a private `alter()`. `AlterNoAuth` is restricted to schema operations — `isDropOperation` refuses every drop form — so bypassing auth can never be used to remove data. It must not be exposed to network clients.

Why

An in-process caller using `context.Background()` carries no gRPC peer, so `x.HasWhitelistedIP` fails with `"unable to find source ip"` on every config — not only under `--security whitelist`. `QueryNoAuth` already solves this for queries; `AlterNoAuth` is its schema-write counterpart.

Tests

`edgraph/alter_noauth_test.go` (white-box) exercises the `validateAlterOperation` auth gate — a background context is rejected under `NeedAuthorize`, accepted under `NoAuthorize`, and the structural/health checks still fire — plus `AlterNoAuth`'s drop refusal. No cluster needed.
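The NeedAuthorize/NoAuthorize gate described in this PR, as an added Go example that is not the PR's or Dgraph's own code: it assumes a constructed stand-in where the gRPC peer is a context value under `PeerKey`, `Operation` carries only a schema string and two drop forms, and the whitelist is a constructed 10.0.0.0/8. It shows a background context failing under NeedAuthorize with the "unable to find source ip" error, the same operation passing under NoAuthorize, and `AlterNoAuth` refusing drops while the structural field-set check still fires.

```go
package main // added example; a stand-in for, not a copy of, Dgraph's edgraph

import (
	"context"
	"errors"
	"net"
)

type AuthMode int // mirrors the PR's NeedAuthorize/NoAuthorize split
const NeedAuthorize, NoAuthorize AuthMode = 0, 1

// Operation is a constructed stand-in for api.Operation: a schema string
// plus the drop forms that isDropOperation refuses.
type Operation struct{ Schema, DropAttr string; DropAll bool }

// PeerKey stands in for the gRPC peer; context.Background() carries none.
type PeerKey struct{}

var _, whitelist, _ = net.ParseCIDR("10.0.0.0/8") // constructed --security whitelist

// hasWhitelistedIP fails closed: no peer means no source IP, so deny.
func hasWhitelistedIP(ctx context.Context) error {
	ip, _ := ctx.Value(PeerKey{}).(net.IP)
	if ip == nil {
		return errors.New("unable to find source ip")
	}
	if !whitelist.Contains(ip) {
		return errors.New("source ip not whitelisted")
	}
	return nil
}

func isDropOperation(op *Operation) bool { return op.DropAll || op.DropAttr != "" }

// Structural checks always run; the whitelist check only under NeedAuthorize.
func validateAlterOperation(ctx context.Context, op *Operation, mode AuthMode) error {
	if op.Schema == "" && !isDropOperation(op) {
		return errors.New("operation must have at least one field set")
	}
	if mode == NeedAuthorize {
		return hasWhitelistedIP(ctx)
	}
	return nil
}

// AlterNoAuth: in-process only; skips auth but refuses every drop form, so bypassing auth never removes data.
func AlterNoAuth(ctx context.Context, op *Operation) error {
	if isDropOperation(op) {
		return errors.New("AlterNoAuth: drop operations are refused")
	}
	return validateAlterOperation(ctx, op, NoAuthorize)
}

func main() { _ = AlterNoAuth(context.Background(), &Operation{Schema: "name: string ."}) }
```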