ComputeEffectiveAccessScope - RoleService | API reference | Red Hat Advanced Cluster Security for Kubernetes 4.5

POST /v1/computeeffectiveaccessscope

ComputeEffectiveAccessScope

Description

Returns the effective access scope based on the rules in the request. Does not persist anything; not idempotent due to possible changes to clusters and namespaces. POST is chosen due to the potentially large payload.

There are advantages both in keeping the response slim and in making it detailed. If only the IDs of selected clusters and namespaces are included, response latency and processing time are lower, but the caller must overlay the response with its own view of the world, which is susceptible to consistency issues. Listing all clusters and namespaces with related metadata is convenient for the caller but bloats the message with secondary data. We let the caller decide what level of detail they would like to have:

  • Minimal, when only roots of included subtrees are listed by their IDs. Clusters can be either INCLUDED (its namespaces are included but are not listed) or PARTIAL (at least one namespace is explicitly included). Namespaces can only be INCLUDED.
  • Standard [default], when all known clusters and namespaces are listed with their IDs and names. Clusters can be INCLUDED (all its namespaces are explicitly listed as INCLUDED), PARTIAL (all its namespaces are explicitly listed, some as INCLUDED and some as EXCLUDED), and EXCLUDED (all its namespaces are explicitly listed as EXCLUDED). Namespaces can be either INCLUDED or EXCLUDED.
  • High, when every cluster and namespace is augmented with metadata.

Parameters

Body Parameter

| Name | Description | Required | Default | Pattern |
|------|-------------|----------|---------|---------|
| body | ComputeEffectiveAccessScopeRequestPayload | X | | |

Query Parameters

| Name | Description | Required | Default | Pattern |
|------|-------------|----------|---------|---------|
| detail | | - | STANDARD | |

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes

| Code | Message | Datatype |
|------|---------|----------|
| 200 | A successful response. | StorageEffectiveAccessScope |
| 0 | An unexpected error response. | RuntimeError |

Samples

Common object reference

ComputeEffectiveAccessScopeRequestPayload

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| simpleRules | | | SimpleAccessScopeRules | | |

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}

Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go.

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message google.protobuf.Duration):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| typeUrl | | | String | A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading "." is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: If no scheme is provided, https is assumed. An HTTP GET on the URL must yield a google.protobuf.Type value in binary format, or produce an error. Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics. | |
| value | | | byte[] | Must be a valid serialized protocol buffer of the above specified type. | byte |

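RuntimeError

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| error | | | String | | |
| code | | | Integer | | int32 |
| message | | | String | | |
| details | | | List of ProtobufAny | | |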

SimpleAccessScopeRules

Each element of any repeated field is an individual rule. Rules are joined by logical OR: if there exists a rule allowing resource x, x is in the access scope.

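| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| includedClusters | | | List of string | | |
| includedNamespaces | | | List of SimpleAccessScopeRulesNamespace | | |
| clusterLabelSelectors | | | List of StorageSetBasedLabelSelector | | |
| namespaceLabelSelectors | | | List of StorageSetBasedLabelSelector | | |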

SimpleAccessScopeRulesNamespace

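| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| clusterName | | | String | Both fields must be set. | |
| namespaceName | | | String | | |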

StorageEffectiveAccessScope

EffectiveAccessScope describes which clusters and namespaces are "in scope" given current state. Basically, if AccessScope is applied to the currently known clusters and namespaces, the result is EffectiveAccessScope.

EffectiveAccessScope represents a tree with nodes marked as included and excluded. If a node is included, all its child nodes are included.

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| clusters | | | List of StorageEffectiveAccessScopeCluster | | |

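StorageEffectiveAccessScopeCluster

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| id | | | String | | |
| name | | | String | | |
| state | | | StorageEffectiveAccessScopeState | | UNKNOWN, INCLUDED, EXCLUDED, PARTIAL |
| labels | | | Map of string | | |
| namespaces | | | List of StorageEffectiveAccessScopeNamespace | | |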

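StorageEffectiveAccessScopeNamespace

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| id | | | String | | |
| name | | | String | | |
| state | | | StorageEffectiveAccessScopeState | | UNKNOWN, INCLUDED, EXCLUDED, PARTIAL |
| labels | | | Map of string | | |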

StorageEffectiveAccessScopeState

Enum Values

  • UNKNOWN
  • INCLUDED
  • EXCLUDED
  • PARTIAL

StorageSetBasedLabelSelector

SetBasedLabelSelector only allows set-based label requirements.

Next available tag: 3

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| requirements | | | List of StorageSetBasedLabelSelectorRequirement | | |

StorageSetBasedLabelSelectorOperator

Enum Values

  • UNKNOWN
  • IN
  • NOT_IN
  • EXISTS
  • NOT_EXISTS

StorageSetBasedLabelSelectorRequirement

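Next available tag: 4

| Field Name | Required | Nullable | Type | Description | Format |
|------------|----------|----------|------|-------------|--------|
| key | | | String | | |
| op | | | StorageSetBasedLabelSelectorOperator | | UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS |
| values | | | List of string | | |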
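
A simplified local model of the semantics described above (rules joined by OR, cluster states as defined for the Standard detail level), added here as an example; it is not Red Hat's implementation or code from the original page. It assumes that includedClusters holds cluster names, that selectors are ORed while the requirements inside one selector are ANDed, and that NOT_IN and NOT_EXISTS match when the key is absent; the inventory and rules are constructed sample data.

```python
# Simplified local model (added example, not Red Hat's code); sample data is constructed.
def req_matches(req, labels):
    """Evaluate one set-based requirement against a label map."""
    key, vals, present = req["key"], req.get("values", []), req["key"] in labels
    return {
        "IN": present and labels.get(key) in vals,
        "NOT_IN": not present or labels.get(key) not in vals,  # assumed: absent key matches
        "EXISTS": present,
        "NOT_EXISTS": not present,
    }.get(req["op"], False)  # UNKNOWN never matches

def selectors_match(selectors, labels):
    """Assumed: selectors are ORed, requirements inside one selector are ANDed."""
    return any(s.get("requirements") and
               all(req_matches(r, labels) for r in s["requirements"])
               for s in selectors)  # an empty selector matches nothing

def effective_scope(rules, inventory):
    """Build a STANDARD-detail style tree: every cluster and namespace gets a state."""
    named = {(n["clusterName"], n["namespaceName"]) for n in rules.get("includedNamespaces", [])}
    tree = []
    for c in inventory:
        whole = (c["name"] in rules.get("includedClusters", []) or
                 selectors_match(rules.get("clusterLabelSelectors", []), c["labels"]))
        nss = [{"name": n["name"], "state": "INCLUDED" if (
                    whole or (c["name"], n["name"]) in named or
                    selectors_match(rules.get("namespaceLabelSelectors", []), n["labels"])
                ) else "EXCLUDED"} for n in c["namespaces"]]
        states = {n["state"] for n in nss}
        state = ("INCLUDED" if whole or states == {"INCLUDED"}
                 else "PARTIAL" if "INCLUDED" in states else "EXCLUDED")
        tree.append({"name": c["name"], "state": state, "namespaces": nss})
    return tree

INVENTORY = [
    {"name": "prod", "labels": {"env": "prod"}, "namespaces": [
        {"name": "payments", "labels": {"team": "pay"}},
        {"name": "kube-system", "labels": {}}]},
    {"name": "staging", "labels": {"env": "staging"}, "namespaces": [
        {"name": "payments", "labels": {"team": "pay"}},
        {"name": "sandbox", "labels": {"team": "qa"}}]},
    {"name": "dev", "labels": {}, "namespaces": [{"name": "scratch", "labels": {}}]},
]
RULES = {  # two rules joined by OR: one named namespace, one cluster label selector
    "includedNamespaces": [{"clusterName": "staging", "namespaceName": "sandbox"}],
    "clusterLabelSelectors": [{"requirements": [{"key": "env", "op": "IN", "values": ["prod"]}]}],
}
if __name__ == "__main__":
    for c in effective_scope(RULES, INVENTORY):
        print(c["name"], c["state"], [(n["name"], n["state"]) for n in c["namespaces"]])
```

Under the stated assumption, a NOT_IN requirement on a label that some namespaces lack places those unlabeled namespaces in scope, which is worth checking against the real endpoint's response before attaching a scope to a role.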