Hasura's declarative RBAC is powerful — but dangerously quiet when misconfigured.
You might think guest has no write access… until a policy-less table says otherwise.
This guide walks you through building a CLI tool that parses Hasura metadata and verifies RBAC rules statically, before deployment.
1. Why Static Validation?
Hasura permissions live in metadata/ as YAML or JSON.
You can validate them without running the server — ideal for CI pipelines.
Use cases:
- Detect tables with no
selectrestrictions - Ensure
publicrole can’t write - Enforce field-level allowlists
- Audit policy completeness per role
2. Directory Structure (exported via Hasura CLI)
metadata/
├── tables/
│ ├── user.yaml
│ ├── invoice.yaml
├── actions/
├── sources.yaml
├── version.yaml
Each *.yaml under tables/ contains permissions by role:
select_permissions:
- role: user
permission:
columns: [id, email]
filter:
id: { _eq: X-Hasura-User-Id }
3. CLI Tool Overview
We'll build a Node.js script that:
- Loads all
tables/*.yaml - Parses permissions per role
- Applies validation rules
- Outputs audit results or fails with nonzero exit code
4. Install Dependencies
npm init -y
npm install yaml fs glob chalk
5. Example CLI Logic
import fs from 'fs';
import path from 'path';
import yaml from 'yaml';
import glob from 'glob';
import chalk from 'chalk';
const PERMIT_ROLES = ['admin', 'user'];
const metadataPath = './metadata/tables';
const files = glob.sync(`${metadataPath}/*.yaml`);
for (const file of files) {
const content = fs.readFileSync(file, 'utf8');
const doc = yaml.parse(content);
const table = `${doc.table.schema}.${doc.table.name}`;
// Check for public access
const publicInsert = doc.insert_permissions?.find(p => p.role === 'public');
if (publicInsert) {
console.log(chalk.red(`❌ PUBLIC role has insert access on ${table}`));
process.exitCode = 1;
}
// Check for missing filters
for (const role of PERMIT_ROLES) {
const sel = doc.select_permissions?.find(p => p.role === role);
if (sel && (!sel.permission.filter || Object.keys(sel.permission.filter).length === 0)) {
console.log(chalk.yellow(`⚠️ Role ${role} has unfiltered SELECT on ${table}`));
}
}
}
6. Run It in CI
"scripts": {
"validate:rbac": "node rbac-check.js"
}
Then add to .github/workflows/ci.yml or GitLab CI pipeline:
- name: Validate Hasura RBAC
run: npm run validate:rbac
7. Extending the Ruleset
- 🔒 Block full-field exposure (
columns: '*') - 🧪 Verify insert/update/delete have field filters
- 📊 Export role × table permission matrix
- 🧬 Compare across environments (dev vs prod metadata)
Final Thoughts
Hasura metadata is auditable. You just need to look.
By statically verifying your RBAC before deployment,
you eliminate entire classes of silent misconfiguration bugs — before they hit production.
Next:
- Generate HTML or CSV access matrix
- Integrate with Slack alerting
- Build a VSCode plugin for live feedback on permission diffs
Fail fast. Trust static. Secure declaratively.
Top comments (0)