I have an application which allows users to push Gremlin queries from the UI, and those queries are executed on a backend Gremlin Server.
I want to allow only select queries, i.e. any query which would update/modify the existing graph should not be allowed, while all queries which return something without changing the graph are fine.
Like:
g.V().label() //allowed
g.V(1).properties() //allowed
g.V(1).property('name', 'new name') // not allowed
How should I identify which query is allowed and which are not?
An easy way to protect from mutation on the server side is to configure "g" in Gremlin Server with ReadOnlyStrategy. An example of this approach can be found in the default Gremlin Server distribution in conf/gremlin-server-modern-readonly.yaml. The line of interest is the one that uses the initialization script scripts/generate-modern-readonly.groovy; the main point of it is:
def globals = [:]   // bindings that Gremlin Server exposes to submitted scripts
...
// "g" is built with ReadOnlyStrategy, so any traversal with a mutating step is rejected
globals << [g : graph.traversal().withStrategies(ReadOnlyStrategy.instance(), ReferenceElementStrategy.instance())]
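To see what that configuration enforces without standing up a server, here is an added example (not part of the original answer or of the TinkerPop distribution) that can be pasted into the Gremlin Console. It builds the same read-only traversal source on an in-memory TinkerGraph "modern" toy graph and runs the three queries from the question against it. It assumes the TinkerPop TinkerGraph and gremlin-core classes are on the classpath, as they are in the console.

```groovy
// Added example: exercising ReadOnlyStrategy on an in-memory TinkerGraph.
// Not code from the original answer; assumes TinkerPop classes are on the classpath.
import org.apache.tinkerpop.gremlin.tinkergraph.structure.TinkerFactory
import org.apache.tinkerpop.gremlin.process.traversal.strategy.verification.ReadOnlyStrategy
import org.apache.tinkerpop.gremlin.process.traversal.strategy.verification.VerificationException

// The "modern" toy graph that ships with TinkerPop (6 vertices, 6 edges, vertex 1 is "marko").
def graph = TinkerFactory.createModern()

// Same construction as the readonly init script: a traversal source that rejects mutations.
def g = graph.traversal().withStrategies(ReadOnlyStrategy.instance())

// The read-only queries from the question still run.
assert g.V().label().toList().size() == 6
assert g.V(1).properties().toList().size() == 2     // name, age
assert g.V(1).values('name').next() == 'marko'

// The mutating query from the question is rejected when the traversal is compiled
// (strategies are applied on first iteration), before anything is written.
try {
    g.V(1).property('name', 'new name').iterate()
    assert false : 'mutation should have been rejected'
} catch (VerificationException e) {
    println "rejected: ${e.message}"
}

// The graph is untouched.
assert g.V(1).values('name').next() == 'marko'

// Caveat: the strategy lives on this traversal source, not on the graph. A plain
// source built from the same graph object can still write.
def gw = graph.traversal()
gw.V(1).property('name', 'new name').iterate()
assert g.V(1).values('name').next() == 'new name'
```

The last few lines are the check a practitioner should keep in mind: ReadOnlyStrategy only guards the `g` you hand out. A user-submitted script that can reach the raw `graph` binding, or that calls `graph.traversal()` itself, is not covered, so the script bindings exposed to users should contain only the read-only `g` and the submitted scripts should be restricted accordingly (for example with a sandbox or by sending bytecode traversals rather than arbitrary scripts).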