Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: Hasura – A Postgres BaaS and Kubernetes PaaS on Your Own Infrastructure (hasura.io)
259 points by ecthiender on Feb 24, 2017 | hide | past | favorite | 69 comments

We built Hasura over the last few years to help us build products fast. We didn't know what it would look like when we started, but we've ended up with something like a Parse + Heroku but on your own infra so that you can mess around with the internals when required.

Key features:

1. Data APIs on a Postgres database

2. Deploy with git-push, or any docker image

3. Expose HTTP services on the API gateway over subdomains/paths

4. Automatic LetsEncrypt SSL cert generation for exposed http services

5. SSH service to get tunnelled access to TCP services on your cluster

6. Auth middleware built into the API gateway, so that upstream services don't have to resolve sessions

7. Out of the box auth APIs for password, email, recaptcha, social login. mobile-OTP stuff

If you can launch this with a tutorial on using it with Digital Ocean and build in VPC/VPN around your VM orchestration I imagine you'll see a pretty significant response.

Aside: ran through the demo and got a "bad gateway" at the very end trying to access the todomvc-jquery app. Guessing HNs'd.

First impressions: very little magics/transparent, reasonable pieces, reasonable architecture, well packaged, nicely automated, descriptive UI, no glaring wtfs, all the bases are covered, looks easy enough to customize at any layer with skills I already have — all very sensible.


Thanks for the feedback! Can you elaborate what you mean by little magics/transparent?

Magics: no new DSLs. The JSON to SQL thing seems more on the level of a convenience mapping than a DSL. And it can be skipped.

Transparency: I felt like it wouldn't be hard to figure out what was going on behind each step. First guess easy vs black box not-so-fun.

Overall easy to grok created app plus Hasura meta data associations and transformation points.

I like that you took time to consider ACLs out of the box, that's something that most general-purpose tools leave too much to the developer, despite them being crucial for every app

In the comparison page, it would be great to see how Hasura compares to other PAAS offerings, such as Deis, Flynn, Tsuru, etc.

Agreed that built in ACLs and Baas is really fantastic.

Thanks! The BaaS components and the session middleware are precisely what differentiates Hasura from the above platforms.

You should compare with Parse. And with Google App Engine / AppScale as well.

Fun fact: hasura in Greek stands for "loss/ lost".

Hahaha! The H in Hasura comes from Haskell, while Asura is the Sanskrit word for demon ('daemon').

It also rhymes with "Basura" which means "Trash" in Spanish. ;-)

Then I guess it was fortunate that it it was written in Haskell and not in Basic

Interesting, a couple quick questions:

* for the host-your-own version are there any HA features for Postgres?

* what language is it written in? GitHub link?

> for the host-your-own version are there any HA features for Postgres?

Not right now. This is definitely on our roadmap though.

> what language is it written in? GitHub link?

It's mostly in Haskell, with smatterings of Python. Planning to open source it soon!

What is your monetisation strategy?

We do a lot of work with large enterprises.

Haskell -- cool!

This seems like working on a similar space as loopback.io, is this correct? if not, how would you compare the two?

I ask because I'm currently using LB for a project and while I actually like it a lot I always like to be aware of alternatives and similar tools that I might need in the future.

The motivation is quite similar, especially with the out of the box APIs. The architecture/implementation is significantly different.

Key value-prop differences are that out-of-box APIs are just one part of Hasura. The idea is to make it easy to integrate with community services (containerised) or deploy your own services in whatever language/stack.

Some other specific differences:

1. Hasura Data API is a graphql like query language to Postgres.

2. Deployment is similar to Heroku. So you deploy code in any language/framework

3. Nginx based API gateway behaves like a session middleware, so that any upstrea service can re-use auth

great! seems like a nice tool to have in the toolbox :)

Nice, and you've really polished that onboarding experience. Smooth and no head-scratching moments.

One minor nit: It is quite nice that you provide links to jump to the right place for each step, but I would suggest adding images of the equivalent spot to click in the UI.

So, what's the registration code?

> Nice, and you've really polished that onboarding experience.

Thanks ! Alas, Tanmai (our CTO) will quote this at us for the foreseeable future, this being his idea.

> So, what's the registration code?

This is just something that is used with the startups and incubators we partner with. You can ignore this.

Off the cuff it looks great. Going to have to set aside some time to try it out.

This looks really cool, going to check it out this weekend. Thanks!

I like the cartoons too! Who drew them?

We have an in-house illustrator. This comment will make her very happy!

Well, you can tell her the illustrations alone would've made the visit to the site a great experience. I particularly love the ringmaster.

Thanks! We've been lucky enough to have a couple of kickass graphic designers help us with our wackiest ideas!

The logo is by https://twitter.com/shmunday Cartoons by http://www.sandhyaprabhat.com/

Looks kinda like Dokku + PostgREST + a fancy UI, is that mostly right? Not trying to disparage it, just trying to relate figure out what Hasura is, there's a lot going on.

One thing that concerns me is the "Don't make changes to your Postgres schema outside of the UI, it'll mess things up" warning. If I already have a tool to manage database migrations, it sounds like using it with this would be a bad idea?

Edit: Also, what accounts for the speed increase over a bare VM? I'm assuming something Hasura does for you, but it would be nice to know what that is.

Hasura engg. here. No offence taken! :)

Hasura is indeed kind of what you described.

The warning on the UI is mostly for non power-users who probably don't have a good db migration kind of practice. Underneath, the Hasura data API stores its minimal metadata within Postgres itself.

That means that you can always use Postgres directly, and your migration tool works exactly the way it should. Whenever your schema migrations affect a data API, you need to ensure a metadata update for the Data API as well. We're going to be publishing examples of how DB migrations look using just a raw SQL setup, and an alembic setup!

The speed increase for the Data APIs is because of a few reasons:

1) Efficient serialization/deserialization of the JSON queries and responses (https://hackage.haskell.org/package/aeson)

2) Prepared statements

3) JSON aggregations done within Postgres (not generating the JSON)

4) Every client API call needs to be authenticated. The authentication is done by a efficient middleware written inside nginx with redis as the session store. The data API layer, then just does the authorization (this user-id can access this row).

Actually Hasura is something that might be the only thing out there that is anything close to touching postgrest in this space (respect :)). The only thing that worries me a bit is that the client can generate any type of query, meaning it's easy to generate an unoptimized join that will kill the db (did i get it wrong? how do you protect against that?). The other thing i do not understand is why are you not relying on "reading" the schema and require to go through a gui to define the schema. Why did you not copy the queries from postgrest that introspect the database schema and the relations? If you guys want i can send you a single query that you run and get the structure of the database and all the relations and use that as your "metadata" :)

(I'm from postgrest core team, probably competing with hasura in the future here https://graphqlapi.com)

Hey there! Thanks for your comment.

Well actually we do infer directly from the Postgres schema. Only for users not familiar with Postgres directly, we recommend going through the UI so that not only is the table created, but the Data API is also asked to track it and provide an API for it.

There is other metadata that we do need the user to specify, via the UI or the API, and that's for stuff like permissions and relationships.

Regarding, the unrestricted querying, we address it in one of the following ways:

1. Timing out queries running for longer than a specified interval.

2. Cursors and streaming data if the dataset requested is large.

3. Query templates: We allow the developer to create a RESTful API endpoint that has a limited pre-defined surface area (eg: GET data.mysite.com/v1/template/article?limit=10) which internally maps to a pre-defined query.

Our docs are still lagging behind on these unfortunately!

What do you guys do to restrict access? Any suggestions?

about metadata: in Postgrest - you tell it which schema to expose and that means that anything inside it needs "tracking" and exposing, want it exposed, put it in that schema. Relations between entities ... that can be queried from the database itself, no need to ask the user for it.

timing out - it works up to a point, if you for example set a hard limit to 1s then to an attacker it just means he needs to do a few parallel requests and he still kills your db.

what postgrest does for protection: a - no fancy joins, joins are only done by a thing we call "embedding" and those are joins between tables that FKs defined between them so they are fast, if you need fancy joins then the user has to define the view doing the join and expose it to the api.

b - no functions applied to the return columns, like you cant generate something like "select md5(bigtextcolumn) ..."

c - the only way to "kill" the database under postgrest is to use a filter on a column that has no index ( name like "hello"), out of the box postgrest does not have protection build in for that, but it's easy to put a proxy in front and whenever there is a url parameter called "name" you just reply with "you are not allowed to filter by this column"

I'm one of the engineers who work on the data service

> about metadata: in Postgrest ..

We don't want to restrict the data service to a particular schema. You can add a table from any schema to be tracked, say information_schema or pg_catalog. In fact, that is how introspection works (you can look at the queries made by the console). This means that the schema cache in memory would be quite large because of the number of tables in information_schema/pg_catalog if we were to auto load all these. There is also the issue that you may not want to expose some tables. We can definitely have a console button which will let you import all the tables in public schema.

Sure, you can infer relationships from the foreign key constraints. But, how would you come up with names that do not conflict with the existing columns? What if you add a new column with the same name as an inferred relationship? With the data service, you can also define relationships on/to views across schemas (1). Making metadata explicit goes with one of our core principles, 'no magic'.

> what postgrest does for protection: a - no fancy joins,

explicit joins are not allowed even with our data service. The joins that happen are the implicit ones because of the relationships. We do the same thing if we need any custom joins/aggregations. Define a view and expose it.

> b - you can't do anything other than selecting columns and relationships with the api.

> c - the permission layer can be used to prevent these to some extent (like not allowing an anonymous user to filter on a particular column).

1. https://hasura.io/_docs/platform/0.6/getting-started/5-data-...

all the things i explained about metadata are implemented in postgrest and they work, and there is no loss of flexibility sinceyou can expose any table you want from any schema by explicitly creating a "mirror" view in the exposed schema. and relations are detected across tables and views and there is a way to deal with collisions. I am not saying that your way is bad (having a metadata file), just saying there is a way to automatically create it.

- b,c that's good that you don't expose the entire SQL

I guess we'll need to have 'auto generate relationships' tooling. Just curious, how do you infer the relationships between a table and a view?

can't reply to your question so doing it here. the code is OS so you can look it up :) the idea is this - detect table relations based on FK - for each view check where each column comes from (view column usage) based on the info above you know all the relations in the system, even view to view

also there is a way to do it in a single query but that is not yet implemented in postgrest

While we can get the information on the columns used in a view, we can't infer if the uniqueness properties propagate to the view which guarantee the semantics of relationships.

I guess it might be convenient to do this (determine relationships across views), but the users should be aware of the guarantees offered in this scenario.

I am not sure i understand what you are saying about guarantees. If there is a FK, there is a relation. It's the user that is driving the relations by specifying what columns are FK, it's the same thing as defining relations in a GUI, only you do it at the database level

anyway, good luck with your product. As i mentioned, it's the only thing out there close to the concept of postgrest, and that's a good thing :)

Thanks ! If I remember correctly, postgrest was started about the same time we started work on the data service. In fact, both these projects were pushing the limits of the then hasql library with the whole dynamic query generation.

and also permission, between views/stored procedures/roles/grants/rls postgresql has all the features needed to implement any ACL needed.

> and also permission, between

True. That would also mean creating a database user for every application user. The auth service needs to attach more metadata to the users and since postgres does not allow you to reference system catalogs, the two user systems have to be kept in sync. We were not quite certain how this idea of mapping users would pan out when we started building the auth service.

You don't have to have a database user for each application user. Database roles are mapped to groups and application users are defined in tables as always and their ids can be used in RLS policies. It's hard to explain in a few words but the main point is that you don't need a database role to map to each application user

This is super useful. I'd wager 80% of API's are single data API's and Hasura would speed up development time by a significant factor while still allowing for more flexibility than just building on top of something like Parse. I think eventually most API's will use managed frameworks like this or go serverless so that a lot of the repetitive wiring code is abstracted out.

:) Thanks. This is one of the key thoughts that inspired Hasura! We kept refining these data APIs on Postgres over the various products that we helped our clients build.

Looks great. How does it handle networking? E.g. if you are on AWS or Google you are fine with your VPC. But as far as I understood on Digital Ocean the private subnet is shared across all customers in this region. Do you employ an overlay network with encryption, e.g. Weave.net? Or do you deploy a VPN (tinc, peervpn) and Kubernetes on top?

You're right! On AWS and Google we use VPC. But on Digital Ocean we create single-node clusters only. We do not encourage multi-node clusters on Digital Ocean. Hopefully DO will address this soon!

It would be great if the events info have links to the events. I am based out off Chennai and use Kubernetes in production and would like to hear more about what you guys do at Hasura.

Edit - realized that only the IIT talk wasn't a link. On mobile.

One of the features, that I know how to do in MongoDB quickly but not in Postgres, is creating permissions not on the the role level (user, admin, etc) but on the id level like users with unique id blah234 and blah546 can access this table/row. I can figure it out in sql with time but it is not a tradeoff worth taking in my certain situation. I always look for this feature when I see a baas/paas tool show up on hacker news.

This is quite possible with the permission layer of the data service in Hasura. Why not add a new role that only 'blah234' and 'blah546' can be part of? All you have to do is to define permissions on this role.

Also, creating permissions and roles are all exposed via API calls, in case you have a requirement where you need to create these dynamically.

I looked into an api, I don't see how can leverage it in the way I want, yes these roles will have to be created dynamically, pretend a user makes a post and only wants certain users to see the post, a new dynamic role will have to be created every time a user creates a new post?

You could do that, but you don't need to. The ACL constraint can be any arbitrary SQLish expression that is a boolean.

In this case, say select is allowed if: req_user_id is in article.viewers.user_id. This means, if the request's user_id is in the viewers list of the article.

It depends on the fact, that you have a relationship called viewers which comes from a table that contains article_id, user_id.

The idea is to allow any ACL rule that can be represented as a constraint in your data model.

If you know the multiple id's, why not make a role for them?

I don't know them

Looks great... may be just what I have been looking for. PS: The illustrations are awesome !

Illustrations: They are indeed. These are the colorful demigods of Hinduism. More: https://www.google.com/search?q=mahishasura

How do I change some part of controller function of a DB table ? i.e can I change generated code (what language is the code?) or is it like hook functions available in cloud ?

The Data APIs are not actually generated. The Data API service exposes a JSON query language on any Postgres table.

So if you want to customise the controller, the easiest thing to do is to write a custom API endpoint (which you can deploy to your server using a heroku style git-push or a docker image) which in turn can contact the data APIs or even the Postgres database directly.

I may be wrong but I think the username lookup on your login page is case sensitive.

Couldn't find docs for installing Hasura on own infrastructure?

Currently installation on cloud providers (that you own) happens through hasura.io. Register at https://beta.hasura.io and you can create a project.

If you want to install on your own, we will be releasing docs over the next 2 weeks.

Okay. I am more interested in testing this on Openshift running on our infrastructure. Thanks!

We've never tried on OpenShift, but it works on vanilla Kubernetes cluster.

Is it open source ?

Χασούρα! (so funny Hasura in Greek)

Asura's are indian vedic (vague) group who are primary opponents to gods.


Asura is a demon (daemon - aka a background process). We love our puns.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact