Good day graph enthusiasts,
This topic's goal is to tap into collective intelligence to point me in the right direction of solving access control given a very particular technology stack.
My solution runs on Amazon AWS and implements a relatively classic GRAND stack. At the heart of it is a knowledge graph powered by Neo4j. I deploy everything using Serverless Framework.
Currently I have two things that access my knowledge graph:
Apollo GraphQL server running inside a Lambda function and a bunch of Docker containers writing through Bolt on a regular basis using Python's official Neo4j driver. All of these things are running inside a private subnet which allows them to communicate freely. However, the only way to invoke the Lambda is to call a particular AWS API Gateway endpoint which has an AWS Cognito authoriser associated with it (Serverless Framework makes it very easy to set up). This means that only registered users (those inside a Cognito user pool) are able to use GraphQL to communicate with my database.
I want my GraphQL endpoint to become a single point of contact with my Neo4j database (and, in future, my database causal cluster). Both services (ECS containers, scrapers, ETL pipelines, etc.) and front-end users should transact through Apollo GraphQL server.
On top of that, I should be able to, later, implement access management for real users to limit certain parts of the application (I was envisioning doing this with neo4j-graphql-js' access management).
I've thus stumbled upon a little impedance mismatch: AWS Cognito works fine for registered front-end users but doesn't really play well with all the rest (services and such).
How would you address it?
- Would you use neo4j-graphql-js' access control for all things user ACL?
- Would you leave Cognito as authoriser of the API Gateway access and let services identify themselves as if they were users through AWS SDK (Cognito client)?
- Would you get rid of Cognito altogether and use something else (custom Lambda functions maybe)?
- Would you let services invoke Lambda through AWS SDK (Lambda client) while completely bypassing Cognito?
All ideas are welcome. I'll have to make a move soon but would like to make a smart one.
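As an added illustration of the "custom Lambda function" option in the list above (this is example code written for this thread, not code from the poster or from the Serverless Framework or neo4j-graphql-js projects), here is a REQUEST-type API Gateway Lambda authorizer that accepts two kinds of bearer token on the same GraphQL endpoint: a user id token and a machine-to-machine access token, and hands the GraphQL layer a `principalType` it can authorise on. Assumptions: a real Cognito user pool signs tokens with RS256 and publishes its keys at `<issuer>/.well-known/jwks.json`, which you would verify with a JWT library; this example substitutes an HS256 HMAC check with a constructed secret so it runs offline. The claim names (`token_use`, `cognito:username`, `cognito:groups`, `client_id`, `scope`), the `graph/write` service scope and the issuer URL are assumed for the example, not taken from the post.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for this example. A real user pool uses RS256 + JWKS;
# the HMAC secret below only exists so the example runs without network access.
ISSUER = "https://cognito-idp.REGION.amazonaws.com/POOL_ID"   # placeholder issuer
SERVICE_SCOPE = "graph/write"                                  # hypothetical service scope
SIGNING_SECRET = b"demo-secret-not-for-production"             # HS256 stand-in for JWKS


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Mint an HS256 JWT. Only used to build inputs for this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return verified claims or raise ValueError.
    The signature is checked before any claim is trusted; exp and iss after."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject alg=none or any unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    return claims


def classify_principal(claims: dict) -> dict:
    """Map verified claims to a principal the GraphQL resolvers can authorise on.
    A user id token carries cognito:username; a client-credentials access token
    carries client_id and scope but no username (claim layout assumed here)."""
    token_use = claims.get("token_use")
    if token_use == "id" and "cognito:username" in claims:
        return {"principalType": "user",
                "principalId": claims["cognito:username"],
                "groups": ",".join(claims.get("cognito:groups", []))}
    if token_use == "access" and "username" not in claims:
        scopes = claims.get("scope", "").split()
        client = claims.get("client_id")
        if SERVICE_SCOPE in scopes and client:
            return {"principalType": "service", "principalId": client, "groups": ""}
    raise ValueError("token is neither a user id token nor a service access token")


def build_policy(principal_id, effect, method_arn, context=None):
    """API Gateway Lambda authorizer response. Context values must be strings."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event, _context, now=None):
    """Lambda entry point. Deny on every failure path; Allow only with a
    verified, classified principal whose details are passed on as context."""
    method_arn = event["methodArn"]
    auth = (event.get("headers") or {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return build_policy("anonymous", "Deny", method_arn)
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
        principal = classify_principal(claims)
    except ValueError as exc:
        return build_policy("anonymous", "Deny", method_arn, {"reason": str(exc)})
    return build_policy(principal["principalId"], "Allow", method_arn, principal)
```

The context map returned on Allow reaches the Apollo Lambda as `event.requestContext.authorizer`, so the resolvers (or neo4j-graphql-js' access management) can branch on `principalType` and `groups` without re-validating the token. Returning a Deny policy produces a 403 from API Gateway; raising an error whose message is `Unauthorized` produces a 401 instead, which is the usual choice for a missing or malformed token.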