This is a cache of https://docs.openshift.com/acs/4.5/api/RoleService.html. It is a snapshot of the page at 2024-11-25T18:12:46.236+0000.
Rol<strong>e</strong>S<strong>e</strong>rvic<strong>e</strong> | API r<strong>e</strong>f<strong>e</strong>r<strong>e</strong>nc<strong>e</strong> | R<strong>e</strong>d Hat Advanc<strong>e</strong>d Clust<strong>e</strong>r S<strong>e</strong>curity for Kub<strong>e</strong>rn<strong>e</strong>t<strong>e</strong>s 4.5
&times;

ComputeeffectiveAccessScope

POST /v1/computeeffectiveaccessscope

ComputeeffectiveAccessScope

Description

Returns effective access scope based on the rules in the request. Does not persist anything; not idempotent due to possible changes to clusters and namespaces. POST is chosen due to potentially large payload. There are advantages in both keeping the response slim and detailed. If only IDs of selected clusters and namespaces are included, response latency and processing time are lower but the caller shall overlay the response with its view of the world which is susceptible to consistency issues. Listing all clusters and namespaces with related metadata is convenient for the caller but bloat the message with secondary data. We let the caller decide what level of detail they would like to have: - Minimal, when only roots of included subtrees are listed by their IDs. Clusters can be either INCLUDeD (its namespaces are included but are not listed) or PARTIAL (at least one namespace is explicitly included). Namespaces can only be INCLUDeD. - Standard [default], when all known clusters and namespaces are listed with their IDs and names. Clusters can be INCLUDeD (all its namespaces are explicitly listed as INCLUDeD), PARTIAL (all its namespaces are explicitly listed, some as INCLUDeD and some as eXCLUDeD), and eXCLUDeD (all its namespaces are explicitly listed as eXCLUDeD). Namespaces can be either INCLUDeD or eXCLUDeD. - High, when every cluster and namespace is augmented with metadata.

Parameters

Body Parameter

Name Description Required Default Pattern

body

ComputeeffectiveAccessScopeRequestPayload

X

Query Parameters

Name Description Required Default Pattern

detail

-

STANDARD

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageeffectiveAccessScope

0

An unexpected error response.

Runtimeerror

Samples

CreateRole

POST /v1/roles/{name}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

name

X

null

Body Parameter

Name Description Required Default Pattern

body

StorageRole

X

Return Type

Object

Content Type

  • application/json

Responses

Table 2. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

DeletePermissionSet

DeLeTe /v1/permissionsets/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Return Type

Object

Content Type

  • application/json

Responses

Table 3. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

DeleteRole

DeLeTe /v1/roles/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Return Type

Object

Content Type

  • application/json

Responses

Table 4. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

DeleteSimpleAccessScope

DeLeTe /v1/simpleaccessscopes/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Return Type

Object

Content Type

  • application/json

Responses

Table 5. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

GetClustersForPermissions

GeT /v1/sac/clusters

GetClustersForPermissions

Description

Returns the list of cluster ID and cluster name pairs that have at least read allowed by the scope of the requesting user for the list of requested permissions. effective access scopes are only considered for input permissions that have cluster scope or narrower (i.e. global permissions from the input are ignored). If the input only contains permissions at global level, the output will be an empty list. If no permission is given in input, all clusters allowed by the requester scope for any permission with cluster scope or narrower will be part of the response.

Parameters

Query Parameters

Name Description Required Default Pattern

pagination.limit

-

null

pagination.offset

-

null

pagination.sortOption.field

-

null

pagination.sortOption.reversed

-

null

pagination.sortOption.aggregateBy.aggrFunc

-

UNSeT

pagination.sortOption.aggregateBy.distinct

-

null

permissions

String

-

null

Content Type

  • application/json

Responses

Table 6. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1GetClustersForPermissionsResponse

0

An unexpected error response.

Runtimeerror

Samples

GetMyPermissions

GeT /v1/mypermissions

Description

Parameters

Content Type

  • application/json

Responses

Table 7. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1GetPermissionsResponse

0

An unexpected error response.

Runtimeerror

Samples

GetNamespacesForClusterAndPermissions

GeT /v1/sac/clusters/{clusterId}/namespaces

GetNamespacesForClusterAndPermissions

Description

Returns the list of namespace ID and namespace name pairs that belong to the requested cluster and for which the user has at least read access granted for the list of requested permissions that have namespace scope or narrower (i.e. global and cluster permissions from the input are ignored). If the input only contains permissions at global or cluster level, the output will be an empty list. If no permission is given in input, all namespaces allowed by the requester scope for any permission with namespace scope or narrower will be part of the response.

Parameters

Path Parameters

Name Description Required Default Pattern

clusterId

X

null

Query Parameters

Name Description Required Default Pattern

permissions

String

-

null

Content Type

  • application/json

Responses

Table 8. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1GetNamespacesForClusterAndPermissionsResponse

0

An unexpected error response.

Runtimeerror

Samples

GetPermissionSet

GeT /v1/permissionsets/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Return Type

Content Type

  • application/json

Responses

Table 9. HTTP Response Codes
Code Message Datatype

200

A successful response.

StoragePermissionSet

0

An unexpected error response.

Runtimeerror

Samples

GetResources

GeT /v1/resources

Description

Parameters

Content Type

  • application/json

Responses

Table 10. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1GetResourcesResponse

0

An unexpected error response.

Runtimeerror

Samples

GetRole

GeT /v1/roles/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Return Type

Content Type

  • application/json

Responses

Table 11. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageRole

0

An unexpected error response.

Runtimeerror

Samples

GetRoles

GeT /v1/roles

Description

Parameters

Return Type

Content Type

  • application/json

Responses

Table 12. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1GetRolesResponse

0

An unexpected error response.

Runtimeerror

Samples

GetSimpleAccessScope

GeT /v1/simpleaccessscopes/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

X

null

Content Type

  • application/json

Responses

Table 13. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageSimpleAccessScope

0

An unexpected error response.

Runtimeerror

Samples

ListPermissionSets

GeT /v1/permissionsets

Description

Parameters

Content Type

  • application/json

Responses

Table 14. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1ListPermissionSetsResponse

0

An unexpected error response.

Runtimeerror

Samples

ListSimpleAccessScopes

GeT /v1/simpleaccessscopes

Description

Parameters

Content Type

  • application/json

Responses

Table 15. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1ListSimpleAccessScopesResponse

0

An unexpected error response.

Runtimeerror

Samples

PostPermissionSet

POST /v1/permissionsets

PostPermissionSet

Description

PermissionSet.id is disallowed in request and set in response.

Parameters

Body Parameter

Name Description Required Default Pattern

body

StoragePermissionSet

X

Return Type

Content Type

  • application/json

Responses

Table 16. HTTP Response Codes
Code Message Datatype

200

A successful response.

StoragePermissionSet

0

An unexpected error response.

Runtimeerror

Samples

PostSimpleAccessScope

POST /v1/simpleaccessscopes

PostSimpleAccessScope

Description

SimpleAccessScope.id is disallowed in request and set in response.

Parameters

Body Parameter

Name Description Required Default Pattern

body

StorageSimpleAccessScope

X

Content Type

  • application/json

Responses

Table 17. HTTP Response Codes
Code Message Datatype

200

A successful response.

StorageSimpleAccessScope

0

An unexpected error response.

Runtimeerror

Samples

PutPermissionSet

PUT /v1/permissionsets/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

id is generated and cannot be changed.

X

null

Body Parameter

Name Description Required Default Pattern

body

StoragePermissionSet

X

Return Type

Object

Content Type

  • application/json

Responses

Table 18. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

PutSimpleAccessScope

PUT /v1/simpleaccessscopes/{id}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

id

`id` is generated and cannot be changed.

X

null

Body Parameter

Name Description Required Default Pattern

body

StorageSimpleAccessScope

X

Return Type

Object

Content Type

  • application/json

Responses

Table 19. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

UpdateRole

PUT /v1/roles/{name}

Description

Parameters

Path Parameters

Name Description Required Default Pattern

name

`name` and `description` are provided by the user and can be changed.

X

null

Body Parameter

Name Description Required Default Pattern

body

StorageRole

X

Return Type

Object

Content Type

  • application/json

Responses

Table 20. HTTP Response Codes
Code Message Datatype

200

A successful response.

Object

0

An unexpected error response.

Runtimeerror

Samples

Common object reference

ComputeeffectiveAccessScopeRequestPayload

Field Name Required Nullable Type Description Format

simpleRules

SimpleAccessScopeRules

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DeSCRIPTOR):
  any.Unpack(foo)
  ...
example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. example (for message [google.protobuf.Duration][]):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Field Name Required Nullable Type Description Format

typeUrl

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GeT on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

value

byte[]

Must be a valid serialized protocol buffer of the above specified type.

byte

Runtimeerror

Field Name Required Nullable Type Description Format

error

String

code

Integer

int32

message

String

details

List of ProtobufAny

SimpleAccessScopeRules

each element of any repeated field is an individual rule. Rules are joined by logical OR: if there exists a rule allowing resource x, x is in the access scope.

Field Name Required Nullable Type Description Format

includedClusters

List of string

includedNamespaces

List of SimpleAccessScopeRulesNamespace

clusterLabelSelectors

List of StorageSetBasedLabelSelector

namespaceLabelSelectors

List of StorageSetBasedLabelSelector

SimpleAccessScopeRulesNamespace

Field Name Required Nullable Type Description Format

clusterName

String

Both fields must be set.

namespaceName

String

StorageAccess

enum Values

NO_ACCeSS

ReAD_ACCeSS

ReAD_WRITe_ACCeSS

StorageeffectiveAccessScope

effectiveAccessScope describes which clusters and namespaces are "in scope" given current state. Basically, if AccessScope is applied to the currently known clusters and namespaces, the result is effectiveAccessScope.

effectiveAccessScope represents a tree with nodes marked as included and excluded. If a node is included, all its child nodes are included.

Field Name Required Nullable Type Description Format

clusters

List of StorageeffectiveAccessScopeCluster

StorageeffectiveAccessScopeCluster

Field Name Required Nullable Type Description Format

id

String

name

String

state

StorageeffectiveAccessScopeState

UNKNOWN, INCLUDeD, eXCLUDeD, PARTIAL,

labels

Map of string

namespaces

List of StorageeffectiveAccessScopeNamespace

StorageeffectiveAccessScopeNamespace

Field Name Required Nullable Type Description Format

id

String

name

String

state

StorageeffectiveAccessScopeState

UNKNOWN, INCLUDeD, eXCLUDeD, PARTIAL,

labels

Map of string

StorageeffectiveAccessScopeState

enum Values

UNKNOWN

INCLUDeD

eXCLUDeD

PARTIAL

StoragePermissionSet

This encodes a set of permissions for StackRox resources.

Field Name Required Nullable Type Description Format

id

String

id is generated and cannot be changed.

name

String

name and description are provided by the user and can be changed.

description

String

resourceToAccess

Map of StorageAccess

traits

StorageTraits

StorageRole

A role specifies which actions are allowed for which subset of cluster objects. Permissions be can either specified directly via setting resource_to_access together with global_access or by referencing a permission set by its id in permission_set_name.

Field Name Required Nullable Type Description Format

name

String

name and description are provided by the user and can be changed.

description

String

permissionSetId

String

The associated PermissionSet and AccessScope for this Role.

accessScopeId

String

globalAccess

StorageAccess

NO_ACCeSS, ReAD_ACCeSS, ReAD_WRITe_ACCeSS,

resourceToAccess

Map of StorageAccess

Deprecated 2021-04-20 in favor of permission_set_id.

traits

StorageTraits

StorageSetBasedLabelSelector

SetBasedLabelSelector only allows set-based label requirements.

Next available tag: 3

Field Name Required Nullable Type Description Format

requirements

List of StorageSetBasedLabelSelectorRequirement

StorageSetBasedLabelSelectorOperator

enum Values

UNKNOWN

IN

NOT_IN

eXISTS

NOT_eXISTS

StorageSetBasedLabelSelectorRequirement

Next available tag: 4
Field Name Required Nullable Type Description Format

key

String

op

StorageSetBasedLabelSelectorOperator

UNKNOWN, IN, NOT_IN, eXISTS, NOT_eXISTS,

values

List of string

StorageSimpleAccessScope

Simple access scope is a (simple) selection criteria for scoped resources. It does not allow multi-component AND-rules nor set operations on names.

Field Name Required Nullable Type Description Format

id

String

id is generated and cannot be changed.

name

String

name and description are provided by the user and can be changed.

description

String

rules

SimpleAccessScopeRules

traits

StorageTraits

StorageTraits

Field Name Required Nullable Type Description Format

mutabilityMode

TraitsMutabilityMode

ALLOW_MUTATe, ALLOW_MUTATe_FORCeD,

visibility

TraitsVisibility

VISIBLe, HIDDeN,

origin

TraitsOrigin

IMPeRATIVe, DeFAULT, DeCLARATIVe, DeCLARATIVe_ORPHANeD,

TraitsMutabilityMode

eXPeRIMeNTAL. NOTe: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATe and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATe_FORCeD forbids all modifying operations except object removal with force bit on.

Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATe to ALLOW_MUTATe_FORCeD is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATe.

enum Values

ALLOW_MUTATe

ALLOW_MUTATe_FORCeD

TraitsOrigin

Origin specifies the origin of an object. Objects can have four different origins: - IMPeRATIVe: the object was created via the API. This is assumed by default. - DeFAULT: the object is a default object, such as default roles, access scopes etc. - DeCLARATIVe: the object is created via declarative configuration. - DeCLARATIVe_ORPHANeD: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DeCLARATIVe origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPeRATIVe origin. Objects with the DeFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPeRATIVe origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DeCLARATIVe_ORPHANeD origin are not allowed to be modified via either API or declarative configuration. DeCLARATIVe_ORPHANeD resource can become DeCLARATIVe again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.

enum Values

IMPeRATIVe

DeFAULT

DeCLARATIVe

DeCLARATIVe_ORPHANeD

TraitsVisibility

eXPeRIMeNTAL. visibility allows to specify whether the object should be visible for certain APIs.

enum Values

VISIBLe

HIDDeN

V1GetClustersForPermissionsResponse

Field Name Required Nullable Type Description Format

clusters

List of V1ScopeObject

V1GetNamespacesForClusterAndPermissionsResponse

Field Name Required Nullable Type Description Format

namespaces

List of V1ScopeObject

V1GetPermissionsResponse

GetPermissionsResponse is wire-compatible with the old format of the Role message and represents a collection of aggregated permissions.

Field Name Required Nullable Type Description Format

resourceToAccess

Map of StorageAccess

V1GetResourcesResponse

Field Name Required Nullable Type Description Format

resources

List of string

V1GetRolesResponse

Field Name Required Nullable Type Description Format

roles

List of StorageRole

V1ListPermissionSetsResponse

Field Name Required Nullable Type Description Format

permissionSets

List of StoragePermissionSet

V1ListSimpleAccessScopesResponse

Field Name Required Nullable Type Description Format

accessScopes

List of StorageSimpleAccessScope

V1ScopeObject

ScopeObject represents an ID, name pair, which can apply to any entity that takes part in an access scope (so far Cluster and Namespace).

Field Name Required Nullable Type Description Format

id

String

name

String