
Show HN: Hasura – A Postgres BaaS and Kubernetes PaaS on Your Own Infrastructure - ecthiender
https://hasura.io
======
ecthiender
We built Hasura over the last few years to help us build products fast. We
didn't know what it would look like when we started, but we've ended up with
something like Parse + Heroku, but on your own infra so that you can mess
around with the internals when required.

Key features:

1. Data APIs on a Postgres database

2. Deploy with git-push, or any Docker image

3. Expose HTTP services on the API gateway over subdomains/paths

4. Automatic Let's Encrypt SSL cert generation for exposed HTTP services

5. SSH service to get tunnelled access to TCP services on your cluster

6. Auth middleware built into the API gateway, so that upstream services
don't have to resolve sessions

7. Out-of-the-box auth APIs for password, email, recaptcha, social login,
and mobile OTP

~~~
splitrocket
On the comparison page, it would be great to see how Hasura compares to other
PaaS offerings, such as Deis, Flynn, Tsuru, etc.

Agreed that the built-in ACLs and BaaS are really fantastic.

~~~
ecthiender
Thanks! The BaaS components and the session middleware are precisely what
differentiates Hasura from the above platforms.

~~~
webmaven
You should compare with Parse. And with Google App Engine / AppScale as well.

------
Arcsech
Looks kinda like Dokku + PostgREST + a fancy UI, is that mostly right? Not
trying to disparage it, just trying to figure out what Hasura is; there's a
lot going on.

One thing that concerns me is the "Don't make changes to your Postgres schema
outside of the UI, it'll mess things up" warning. If I already have a tool to
manage database migrations, it sounds like using it with this would be a bad
idea?

Edit: Also, what accounts for the speed increase over a bare VM? I'm assuming
something Hasura does for you, but it would be nice to know what that is.

~~~
ruslan_talpa
Actually, Hasura might be the only thing out there that comes anywhere close
to PostgREST in this space (respect :)). The only thing that worries me a bit
is that the client can generate any type of query, meaning it's easy to
generate an unoptimized join that will kill the db (did I get it wrong? how do
you protect against that?). The other thing I do not understand is why you are
not relying on "reading" the schema, and instead require users to go through a
GUI to define it. Why did you not copy the queries from PostgREST that
introspect the database schema and the relations? If you guys want, I can send
you a single query that you can run to get the structure of the database and
all the relations, and use that as your "metadata" :)

(I'm from the PostgREST core team, probably competing with Hasura in the
future here: [https://graphqlapi.com](https://graphqlapi.com))

~~~
tango12
Hey there! Thanks for your comment.

Well, actually, we do infer directly from the Postgres schema. It's only for
users not familiar with Postgres that we recommend going through the UI, so
that not only is the table created, but the Data API is also asked to track it
and provide an API for it.

There is other metadata that we do need the user to specify, via the UI or the
API, for things like permissions and relationships.

Regarding the unrestricted querying, we address it in one of the following
ways:

1. Timing out queries running for longer than a specified interval.

2. Cursors and streaming data if the dataset requested is large.

3. Query templates: we allow the developer to create a RESTful API endpoint
that has a limited pre-defined surface area (e.g. GET
data.mysite.com/v1/template/article?limit=10) which internally maps to a
pre-defined query.

Our docs are still lagging behind on these unfortunately!

What do you guys do to restrict access? Any suggestions?

~~~
ruslan_talpa
About metadata: in PostgREST, you tell it which schema to expose, and that
means anything inside it is "tracked" and exposed. Want it exposed? Put it in
that schema. Relations between entities can be queried from the database
itself; no need to ask the user for them.

Timing out works up to a point: if you, for example, set a hard limit of 1s,
then an attacker just needs to make a few parallel requests and he can still
kill your db.

What PostgREST does for protection:

a - no fancy joins. Joins are only done by a thing we call "embedding", and
those are joins between tables that have FKs defined between them, so they are
fast. If you need fancy joins, then the user has to define a view doing the
join and expose it to the API.

b - no functions applied to the returned columns; you can't generate
something like "select md5(bigtextcolumn) ..."

c - the only way to "kill" the database under PostgREST is to use a filter on
a column that has no index (name like " _hello_ "). Out of the box PostgREST
does not have protection built in for that, but it's easy to put a proxy in
front, and whenever there is a URL parameter called "name" you just reply with
"you are not allowed to filter by this column"
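A toy Python sketch of that proxy check (the table and column names are made up for illustration):

```python
# Before forwarding a request to the API, reject any filter that touches a
# column known to have no index. The UNINDEXED map is a hand-maintained
# assumption here; a real deployment would derive it from pg_indexes.

UNINDEXED = {"article": {"name", "body"}}

def check_filters(table, query_params):
    """Return an error message if any filter touches an unindexed column,
    or None if the request may be forwarded upstream."""
    for column in query_params:
        if column in UNINDEXED.get(table, set()):
            return f"you are not allowed to filter by '{column}'"
    return None
```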

~~~
0x777
I'm one of the engineers who work on the data service.

> about metadata: in Postgrest ..

We don't want to restrict the data service to a particular schema. You can add
a table from any schema to be tracked, say information_schema or pg_catalog.
In fact, that is how introspection works (you can look at the queries made by
the console). This means the schema cache in memory would be quite large
because of the number of tables in information_schema/pg_catalog if we were to
auto-load all of these. There is also the issue that you may not want to
expose some tables. We can definitely have a console button which will let you
import all the tables in the public schema.

Sure, you can infer relationships from the foreign key constraints. But how
would you come up with names that do not conflict with the existing columns?
What if you add a new column with the same name as an inferred relationship?
With the data service, you can also define relationships on/to views across
schemas [1]. Making metadata explicit goes with one of our core principles:
'no magic'.

> what postgrest does for protection: a - no fancy joins,

Explicit joins are not allowed with our data service either. The only joins
that happen are the implicit ones arising from relationships. We do the same
thing if we need any custom joins/aggregations: define a view and expose it.

b - you can't do anything other than selecting columns and relationships
with the API.

c - the permission layer can be used to prevent these to some extent (like
not allowing an anonymous user to filter on a particular column).

1. [https://hasura.io/_docs/platform/0.6/getting-started/5-data-aggregations-views.html](https://hasura.io/_docs/platform/0.6/getting-started/5-data-aggregations-views.html)

~~~
ruslan_talpa
All the things I explained about metadata are implemented in PostgREST and
they work, and there is no loss of flexibility, since you can expose any table
you want from any schema by explicitly creating a "mirror" view in the exposed
schema. Relations are detected across tables and views, and there is a way to
deal with collisions. I am not saying that your way is bad (having a metadata
file), just saying there is a way to automatically create it.

- b, c: that's good that you don't expose the entire SQL

~~~
ruslan_talpa
Can't reply to your question, so doing it here. The code is open source so you
can look it up :) The idea is this:

- detect table relations based on FKs

- for each view, check where each column comes from (view column usage)

Based on the info above you know all the relations in the system, even view to
view.

Also, there is a way to do it in a single query, but that is not yet
implemented in PostgREST.
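A Python sketch of that idea; the data shapes below are illustrative, with the raw facts in Postgres coming from information_schema (foreign keys from table_constraints/key_column_usage, and view_column_usage for views):

```python
# Start from foreign-key relations between base tables, then use view
# column usage (which base column each view column comes from) to lift
# those relations onto views, including view-to-view.

def detect_relations(fk_relations, view_usage):
    """
    fk_relations: list of (src_table, src_col, dst_table, dst_col)
    view_usage:   {(view, view_col): (base_table, base_col)}
    Returns the full set of relations, with views substituted for base
    tables wherever a view exposes the relevant column.
    """
    # Invert the usage map: which (view, col) pairs expose each base column?
    exposes = {}
    for (view, vcol), (table, col) in view_usage.items():
        exposes.setdefault((table, col), []).append((view, vcol))

    relations = set(fk_relations)
    for src_t, src_c, dst_t, dst_c in fk_relations:
        srcs = [(src_t, src_c)] + exposes.get((src_t, src_c), [])
        dsts = [(dst_t, dst_c)] + exposes.get((dst_t, dst_c), [])
        for s_t, s_c in srcs:
            for d_t, d_c in dsts:
                relations.add((s_t, s_c, d_t, d_c))
    return relations
```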

~~~
0x777
While we can get the information on the columns used in a view, we can't infer
whether the uniqueness properties which guarantee the semantics of
relationships propagate to the view.

I guess it might be convenient to do this (determine relationships across
views), but users should be aware of the guarantees offered in this scenario.

~~~
ruslan_talpa
I am not sure I understand what you are saying about guarantees. If there is
an FK, there is a relation. It's the user that is driving the relations by
specifying which columns are FKs; it's the same thing as defining relations in
a GUI, only you do it at the database level.

------
Zaheer
This is super useful. I'd wager 80% of APIs are simple data APIs, and Hasura
would speed up development time by a significant factor while still allowing
for more flexibility than just building on top of something like Parse. I
think eventually most APIs will use managed frameworks like this or go
serverless, so that a lot of the repetitive wiring code is abstracted out.

~~~
tango12
:) Thanks. This is one of the key thoughts that inspired Hasura! We kept
refining these data APIs on Postgres over the various products that we helped
our clients build.

------
weitzj
Looks great. How does it handle networking? E.g. if you are on AWS or Google
you are fine with your VPC, but as far as I understand, on DigitalOcean the
private subnet is shared across all customers in the region. Do you employ an
overlay network with encryption, e.g. Weave Net? Or do you deploy a VPN (tinc,
PeerVPN) and Kubernetes on top?

~~~
ecthiender
You're right! On AWS and Google we use a VPC. But on DigitalOcean we create
single-node clusters only; we do not encourage multi-node clusters there.
Hopefully DO will address this soon!

------
manojlds
It would be great if the events info had links to the events. I am based out
of Chennai and use Kubernetes in production, and would like to hear more about
what you guys do at Hasura.

Edit - realized that only the IIT talk isn't a link. On mobile.

------
ojr
One of the features that I know how to do in MongoDB quickly, but not in
Postgres, is creating permissions not at the role level (user, admin, etc.)
but at the id level, like users with unique ids blah234 and blah546 can access
this table/row. I can figure it out in SQL with time, but it is not a tradeoff
worth taking in my particular situation. I always look for this feature when I
see a BaaS/PaaS tool show up on Hacker News.

~~~
ecthiender
This is quite possible with the permission layer of the data service in
Hasura. Why not add a new role that only 'blah234' and 'blah546' can be part
of? All you have to do is define permissions on this role.

Also, creating permissions and roles is all exposed via API calls, in case you
have a requirement where you need to create these dynamically.

~~~
ojr
I looked into an api, I don't see how can leverage it in the way I want, yes
these roles will have to be created dynamically, pretend a user makes a post
and only wants certain users to see the post, a new dynamic role will have to
be created every time a user creates a new post?

~~~
tango12
You could do that, but you don't need to. The ACL constraint can be any
arbitrary SQL-ish expression that evaluates to a boolean.

In this case, say select is allowed if req_user_id is in
article.viewers.user_id. This means the request's user_id must be in the
viewers list of the article.

It depends on the fact that you have a relationship called viewers, which
comes from a table that contains article_id, user_id.

The idea is to allow any ACL rule that can be represented as a constraint in
your data model.
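A rough Python sketch of how such a rule might translate to SQL; the `article_viewers` table and its column names are assumptions for illustration, not Hasura's actual schema or generated query:

```python
# Enforce "req_user_id is in article.viewers.user_id" by attaching a
# boolean EXISTS predicate to every select on `article`. The viewers
# relationship is modeled as a join table article_viewers(article_id, user_id).

def select_with_acl(requested_columns, req_user_id):
    """Build a select on article restricted to rows the user may view."""
    cols = ", ".join(requested_columns)
    sql = (
        f"SELECT {cols} FROM article "
        "WHERE EXISTS ("
        "SELECT 1 FROM article_viewers v "
        "WHERE v.article_id = article.id AND v.user_id = %(req_user_id)s"
        ")"
    )
    return sql, {"req_user_id": req_user_id}
```

No per-post role is needed: the join table carries the per-user grants, and the ACL expression checks it at query time.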

------
searchfaster
Looks great... may be just what I have been looking for. PS: The illustrations
are awesome!

~~~
guruparan18
Illustrations: They are indeed. These are the colorful demigods of Hinduism.
More:
[https://www.google.com/search?q=mahishasura](https://www.google.com/search?q=mahishasura)

------
samblr
How do I change some part of the controller function for a DB table? I.e.,
can I change the generated code (what language is the code?), or is it like
the hook functions available in the cloud?

~~~
tango12
The Data APIs are not actually generated. The Data API service exposes a JSON
query language on any Postgres table.

So if you want to customise the controller, the easiest thing to do is to
write a custom API endpoint (which you can deploy to your server using a
Heroku-style git-push or a Docker image), which in turn can contact the Data
APIs or even the Postgres database directly.
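To make that architecture concrete, here's a rough Python sketch of such a custom endpoint. The JSON query shape below is purely hypothetical (not Hasura's actual wire format; consult the Hasura docs for that), and the function names are invented for illustration:

```python
# A small service of your own sits in front of the Data API (or Postgres
# itself), applies custom controller logic, then forwards a query.

def build_data_api_request(table, columns, where):
    """Assemble a hypothetical JSON query for the data service."""
    return {
        "type": "select",
        "args": {"table": table, "columns": columns, "where": where},
    }

def custom_endpoint(article_id):
    # Custom controller logic would go here (validation, enrichment, etc.)
    payload = build_data_api_request(
        "article", ["id", "title"], {"id": article_id}
    )
    # In a real deployment this payload would be POSTed to the data
    # service over HTTP; here we just return it.
    return payload
```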

------
Just1689
I may be wrong but I think the username lookup on your login page is case
sensitive.

------
infinitebyte
Couldn't find docs for installing Hasura on our own infrastructure?

~~~
ecthiender
Currently installation on cloud providers (that you own) happens through
hasura.io. Register at [https://beta.hasura.io](https://beta.hasura.io) and
you can create a project.

If you want to install on your own, we will be releasing docs over the next 2
weeks.

~~~
infinitebyte
Okay. I am more interested in testing this on Openshift running on our
infrastructure. Thanks!

~~~
ecthiender
We've never tried it on OpenShift, but it works on a vanilla Kubernetes
cluster.

------
HugoDaniel
Is it open source ?

------
kensai
Χασούρα! (so funny Hasura in Greek)

~~~
dominotw
Asuras are an Indian Vedic (loosely defined) group who are the primary
opponents of the gods.

[https://en.wikipedia.org/wiki/Asura](https://en.wikipedia.org/wiki/Asura)

~~~
ecthiender
Asura is a demon (daemon - aka a background process). We love our puns.

