Permissions endpoints

Example curl request:

curl GET 'https://$(puppet config print server):4433/rbac-api/v1/types' \
-H "X-Authentication: 0RrYy80wuJZLNDcOwxnl19DJAe7LAkpPZtCbx8Jh3NxQ"Copied!

Returns 200 OK with a listing of types and actions for each type. For example:

[{ "object_type": "node_groups",
   "display_name": "Node Groups",
   "description": "Groups that nodes can be assigned to."
   "actions": [{ "name": "view",
                 "display_name": "View",
                 "description": "View the node groups",
                 "has_instances": true
                },{
                 "name":"modify",
                 "display_name": "Configure",
                 "description": "Modify description, variables and classes",
                 "has_instances": true
                }, ...]
 },...]Copied!

In the following example, the first permission queries whether the subject specified by the token is permitted to perform the edit_rules action on the instance of node_groups identified by the given UUID.

{"token": "<subject uuid>",
 "permissions": [{"object_type": "node_groups",
                  "action": "edit_rules",
                  "instance": "<node group UUID"},
                 {"object_type": "users",
                  "action": "disable",
                  "instance": "<UUID or *>"}]
}Copied!

Not all permissions require instance specification. Use * to indicate all instances or provide a UUID to identify a specific instance.

Example curl request:

curl POST 'https://$(puppet config print server):4433/rbac-api/v1/permitted' \
-H "X-Authentication: 0RrYy80wuJZLNDcOwxnl19DJAe7LAkpPZtCbx8Jh3NxQ"  \
-H "Content-type:   application/json" \
-d '{"token": "42bf351c-f9ec-40af-84ad-e976fec7f4bd",
     "permissions": [{"object_type": "node_groups",
                      "action": "edit_rules",
                      "instance": "4"}]}'Copied!

Returns 200 OK with an array of Boolean values representing whether each submitted action on a specific object type and instance is permitted for the subject. The array always has the same length as the submitted array, and each returned Boolean value corresponds to the submitted permission query at the same index. For example, if you query two permissions, the array contains two values:

[true, false]Copied!

Example request using the node_groups object type and the view action:

GET /permitted/node_groups/viewCopied!

Example curl request using the node_groups object type and the edit_child_rules action:

curl GET 'https://$(puppet config print server):4433/rbac-api/v1/permitted/node_groups/edit_child_rules' \
-H "X-Authentication: 0RrYy80wuJZLNDcOwxnl19DJAe7LAkpPZtCbx8Jh3NxQ"Copied!

Returns 200 OK with a list of instances that the current user is permitted to use with the specified action. For example, this response has one instance:

["00000000-0000-4000-8000-000000000000"]Copied!

Returns 404 Not Found if:

• The object-type does not map to a known object-type.
• The action does not exist for the given object-type.

Example request using the node_groups object type and the view action:

GET /permitted/node_groups/view/fe62d770-5886-11e4-8ed6-0800200c9a66Copied!

Example curl request using the node_groups object type and the edit_child_rules action:

curl GET 'https://$(puppet config print server):4433/rbac-api/v1/permitted/node_groups/edit_child_rules/42bf351c-f9ec-40af-84ad-e976fec7f4bd' \
-H "X-Authentication: 0RrYy80wuJZLNDcOwxnl19DJAe7LAkpPZtCbx8Jh3NxQ"Copied!

Returns 200 OK with a list of instances that the specified user is permitted to use with the specified action. For example, this response has one instance:

["00000000-0000-4000-8000-000000000000"]Copied!

The endpoint returns 404 Not Found if:

• The object-type does not map to a known object-type.
• The action does not exist for the given object-type.
• The uuid does not map to a known user.