Upload File

graphqlapi management through static analysis · 2019-01-03 · § in graphql, rates, prices, or...

  • Home
  • Documents
  • GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql
12
© 2018 IBM Corporation GraphQL API Management Through Static Analysis Erik Wittern, Alan Cha, Jim Laredo, Louis Mandel, and Guillaume Baudart IBM Research

Upload: others

Post on 23-May-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

© 2018 IBM Corporation

GraphQL API Management Through Static Analysis

Erik Wittern, Alan Cha, Jim Laredo, Louis Mandel, and Guillaume BaudartIBM Research

Page 2: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

2Page© 2018 IBM Corporation

GraphQL is a query language and implementation paradigm for data-centric web APIs

{user (id: “123”) {nameaddress: { street }

}}

GraphQL query (sent via HTTP POST);adheres to server’s schema

{“data”: {“user”: {

“name”: ”Erik”,“address”: { “street”: “E 10th St.” }

}}

}

Response with requested data

ServerClient

Page 3: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

3Page© 2018 IBM Corporation

A challenge for managing GraphQL backends is to

understand what requests intend to do

§ API Management provides threat prevention, rate limiting, pricing, access control etc.

§ In GraphQL, rates, prices, or access

rules depend on the query:

POST ../graphqlquery { me { name, age }}

POST ../graphqlmutation {

createK8Cluster (name: "c1"){clusterId

}}

vs.

GET …/profiles/me

vs.POST …/resources/k8cluster

§ In REST APIs, rates, prices, or access

rules are defined for endpoints:

Page 4: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

4Page© 2018 IBM Corporation

Demo

Page 5: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

5Page© 2018 IBM Corporation

Static analysis provides basis for defining higher-level policies

{"maxNesting": 2,"operationType": "query","resolveCounts": {

"Query:users": 1,"User:employerCompany": 5

},"typeCounts": {

"User": 5,"Company": 5

},"typeComplexity": 10,"resolveComplexity": 6

}

Think threat prevention…

Think rates…

Think access control or pricing…

{users (limit: 5) {

nameemployerCompany {

name}

}}

Page 6: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

6Page© 2018 IBM Corporation

We decouple GraphQL management from GraphQLserver implementations

GraphQLManagement

Runtime gateway

Initiali-zation

introspection

query(if allowed)

Server

Policy definition & configuration

policy, config.

Policy enforcementquery

inspection

Query inspection

Static analysis

schema

GraphQL client

Page 7: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

7Page© 2018 IBM Corporation

We find our static analysis succeeds to determine complexity upper bounds

Evaluation based on 3040 randomly generated queries against the GitHub GraphQL API v4

Page 8: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

Thank you!

Page 9: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

9Page© 2018 IBM Corporation

(Some) advantages of GraphQL§ Developer experience

• Exploring API with tools like GraphiQL• Documentation is always in sync with the

implementation• Aliases allow bridging of syntactic gaps• Typed interface helps avoid errors• API evolution

– Extending schema does not break (even strongly typed) clients

– Deprecation messages built-in

§ Optimized payload-size (think mobile apps)§ Reduced roundtrips (clients) and unneeded

data-lookups (providers)§ Resource composition (APIs, DBs, cloud

functions…)

query result

docs

Page 10: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

10Page© 2018 IBM Corporation

Processing times – JavaScript implementation, GitHub experiments, on 2014 15” MacBook Pro

Query processing percentiles:0.90 0.9 ms0.95 22.68 ms0.99 262 ms

Response processing percentiles:0.90 2.28 ms0.95 24.2 ms0.99 176.46 ms

Page 11: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

12Page© 2018 IBM Corporation

GraphQL trade-offs

+ Query related data in single request (àless roundtrips)

+ Fine-grained control over what data to return (à smaller responses)

+ Typed schema helps avoid bugs+ Great client tooling (especially GraphiQL)+ Documentation built-in & always in sync+ Great insights into customers’ data-needs

- No HTTP caching (GraphQL uses POST) à caching in frontend required

- GraphQL API management is (still) challenging:• What are the implications of a query?• How to control / react to them?

- File uploads not natively supported- Response structure determined by query

structure- GraphQL may be overkill in certain cases

Page 12: GraphQLAPI Management Through Static Analysis · 2019-01-03 · § In GraphQL, rates, prices, or access rules depend on the query: POST ../graphql query{ me{ name, age}} POST ../graphql

13Page© 2018 IBM Corporation

When is GraphQL a good fit?

§ APIs for interacting with data – not APIs used to control functionalities or resources

§ APIs offering nested data, where GraphQL can avoid multiple roundtrips

§ APIs offering small or preprocessed data – data in GraphQL is normalized, so large

volumes are a bad fit – GraphQL is not a data-analysis tool

§ APIs being used by multiple clients, with diverse and/or changing requirements§ APIs that compose multiple systems / backends, whose data is related to another

§ APIs that evolve over time§ Up-to-date, correct documentation matters

§ Exemplary bad fit: APIs for…

• Executing functionalities (e.g., managing

resources, controlling/configuring systems,

payment systems etc.)

• Flat data

§ Exemplary good fit: APIs for…

• Fetching data for UIs

• Social networks, news feeds

• Connected, graph (-like) data


Introduction to GraphQL

AWS AppSync - blog.webgate.biz · AWS AppSync AWS IoT Hub Sensor Dashboard CRUD/Collaboration Apps . AWS AppSync Serverless GraphQL Service GraphQL query APIs (HTTP POST) WebSockets

Navigating your transition to GraphQL with GraphQL first development

GRAPHQL SUMMIT Summit Sponsorship...GraphQL Summit is a two day conference that celebrates all things GraphQL. We're thrilled to welcome the GraphQL community back again this year

Pacio€¢ GraphQL, described as a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description

GraphQL & Relay

GraphQL, das bessere REST?...GraphQL? "GraphQL is a query language for APIs and a runtime for ful lling those queries with your existing data." gedacht als d unner API Layer zwischen

GRAPHQL APPLICATIONS SECURITY TESTING …• GraphQL clients (like Altair) – editor, run query • GraphQL Raider Burp plugin – insertion point, editor, run query • GraphQL voyager

WITH UX-DRIVEN DESIGNcdn01.x-plarium.com/browser/content/developers/udev/... · 2018-08-07 · GraphQL Query Relay Store Components Actions Props Server GraphQL Response GraphQL Write

Introduction to GraphQL - Evan Huus · Challenge: Learn about the third type of GraphQL query - a subscription - and try to recreate the 3rd GraphQL call in queries.js from scratch,

Into to GraphQL

GraphQL 101

Data Fetching with GraphQL and ActionCable · DeckType = GraphQL::ObjectType.define do name "Deck" description "A group of magic cards" field end ColorEnum = GraphQL::EnumType.define

Build federated GraphQL schemas in Java using OSGi and Jahia · OSGi modules with support for GraphQL federation make it possible to evolve a GraphQL schema at runtime. 18. GraphQL

GraphQL or Bust - dotfmp€¦ · Preface:Introductionto GraphQL Withinthelastcoupleofyears,therehasbeenaresur-genceofdiscussionaroundAPIdesignstandardssuch as REST, gRPC, GraphQL,

GraphQL or Bust · Preface:Introductionto GraphQL Withinthelastcoupleofyears,therehasbeenaresur-genceofdiscussionaroundAPIdesignstandardssuch as REST, gRPC, GraphQL, and many others

The Evolution of the Node.js Ecosystem€¦ · GraphQL - GraphQL is a data query language initially developed internally by ... - Same UI building blocks as regular iOS and Android

GRAPHQL - Amazon Web Services · GraphQL is a query language & alternative to REST + graphs-> nodes-> edges. query language SELECT * FROM . type House {edge: Person} type Person {

GraphQL + relay

GraphQL Story: Intro To GraphQL

arXiv:1907.13012v1 [cs.SE] 30 Jul 20191 Introduction GraphQL is a query language for web APIs, and a corresponding runtime for executing queries. To o er a GraphQL API, providers de

A Principled Approach to GraphQL Query Cost Analysis...query in the context of the data graph on which it will be executed. Through lightweight query resolution, it steps through a

CAWS CONTINUOUS SECURITY VALIDATION PLATFORM API GUIDE · 2019-09-05 · INTRODUCTION TO GRAPHQL GraphQL is a query language for your API, and a server-side runtime for executing

A DATA QUERY LANGUAGE AND RUNTIME - GitHub Pages · GraphQL • Graph Query Language -“A data query language and runtime” • Facebook open sourced the specification in mid 2015

Serverless GraphQL - QCon San Francisco · Serverless GraphQL. Howdy! I’m Jared Short Director of Innovation @ @shortjared. GraphQL A query language for your API, and a runtime

On Graph Query Optimization in Large Networks · graph query method, GraphQL [12]. Moreover, SPath exhibits excellent scalability and practicability in large networks (Section 6)

LiveQueries via LiveServer - YOW Australia 2017 · What is a Live Query? • Extended GraphQLAPI • get-and-subscribe semantic • Updated on state changes

Intro to GraphQL

BootifulGraphQLwith Kotlin · Query language for your APIs GraphQL. 5 Query language for your APIs GraphQL. 6 Why Kotlin? Kotlin •Strong types •Null-safety •Data classes •Interop

GraphQL Relay Introduction

Mobile Day - GraphQL

Swift + GraphQL

An Introduction to GraphQL and Rubrik...ECNICA IE PAPE AN INTRODUCTION TO GRAPHQL AND RUBRIK 5 HISTORY OF GRAPHQL The first draft of GraphQL, known then as SuperGraph, was created

Apresentação do PowerPoint - Agência Curitiba · GraphQL GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides

Trilha – Python · GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. graphql.org