Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
POST /v1/computeeffectiveaccessscope
ComputeeffectiveAccessScope
Returns effective access scope based on the rules in the request. Does not persist anything; not idempotent due to possible changes to clusters and namespaces. POST is chosen due to potentially large payload. There are advantages in both keeping the response slim and detailed. If only IDs of selected clusters and namespaces are included, response latency and processing time are lower but the caller shall overlay the response with its view of the world which is susceptible to consistency issues. Listing all clusters and namespaces with related metadata is convenient for the caller but bloat the message with secondary data. We let the caller decide what level of detail they would like to have: - Minimal, when only roots of included subtrees are listed by their IDs. Clusters can be either INCLUDeD (its namespaces are included but are not listed) or PARTIAL (at least one namespace is explicitly included). Namespaces can only be INCLUDeD. - Standard [default], when all known clusters and namespaces are listed with their IDs and names. Clusters can be INCLUDeD (all its namespaces are explicitly listed as INCLUDeD), PARTIAL (all its namespaces are explicitly listed, some as INCLUDeD and some as eXCLUDeD), and eXCLUDeD (all its namespaces are explicitly listed as eXCLUDeD). Namespaces can be either INCLUDeD or eXCLUDeD. - High, when every cluster and namespace is augmented with metadata.
GeT /v1/sac/clusters
GetClustersForPermissions
Returns the list of cluster ID and cluster name pairs that have at least read allowed by the scope of the requesting user for the list of requested permissions. effective access scopes are only considered for input permissions that have cluster scope or narrower (i.e. global permissions from the input are ignored). If the input only contains permissions at global level, the output will be an empty list. If no permission is given in input, all clusters allowed by the requester scope for any permission with cluster scope or narrower will be part of the response.
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
pagination.limit |
- |
null |
||
pagination.offset |
- |
null |
||
pagination.sortOption.field |
- |
null |
||
pagination.sortOption.reversed |
- |
null |
||
pagination.sortOption.aggregateBy.aggrFunc |
- |
UNSeT |
||
pagination.sortOption.aggregateBy.distinct |
- |
null |
||
permissions |
|
- |
null |
GeT /v1/sac/clusters/{clusterId}/namespaces
GetNamespacesForClusterAndPermissions
Returns the list of namespace ID and namespace name pairs that belong to the requested cluster and for which the user has at least read access granted for the list of requested permissions that have namespace scope or narrower (i.e. global and cluster permissions from the input are ignored). If the input only contains permissions at global or cluster level, the output will be an empty list. If no permission is given in input, all namespaces allowed by the requester scope for any permission with namespace scope or narrower will be part of the response.
PUT /v1/permissionsets/{id}
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
id |
id is generated and cannot be changed. |
X |
null |
PUT /v1/simpleaccessscopes/{id}
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
id |
`id` is generated and cannot be changed. |
X |
null |
PUT /v1/roles/{name}
Name | Description | Required | Default | Pattern |
---|---|---|---|---|
name |
`name` and `description` are provided by the user and can be changed. |
X |
null |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
simpleRules |
Any
contains an arbitrary serialized protocol buffer message along with a
URL that describes the type of the serialized message.
Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.
example 1: Pack and unpack a message in C++.
Foo foo = ...; Any any; any.PackFrom(foo); ... if (any.UnpackTo(&foo)) { ... }
example 2: Pack and unpack a message in Java.
Foo foo = ...; Any any = Any.pack(foo); ... if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } // or ... if (any.isSameTypeAs(Foo.getDefaultInstance())) { foo = any.unpack(Foo.getDefaultInstance()); }
example 3: Pack and unpack a message in Python.
foo = Foo(...) any = Any() any.Pack(foo) ... if any.Is(Foo.DeSCRIPTOR): any.Unpack(foo) ...
example 4: Pack and unpack a message in Go
foo := &pb.Foo{...} any, err := anypb.New(foo) if err != nil { ... } ... foo := &pb.Foo{} if err := any.UnmarshalTo(foo); err != nil { ... }
The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".
The JSON representation of an Any
value uses the regular
representation of the deserialized, embedded message, with an
additional field @type
which contains the type URL. example:
package google.profile; message Person { string first_name = 1; string last_name = 2; }
{ "@type": "type.googleapis.com/google.profile.Person", "firstName": <string>, "lastName": <string> }
If the embedded message type is well-known and has a custom JSON
representation, that representation will be embedded adding a field
value
which holds the custom JSON in addition to the @type
field. example (for message [google.protobuf.Duration][]):
{ "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" }
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
typeUrl |
String |
A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in |
|||
value |
byte[] |
Must be a valid serialized protocol buffer of the above specified type. |
byte |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
error |
String |
||||
code |
Integer |
int32 |
|||
message |
String |
||||
details |
List of ProtobufAny |
each element of any repeated field is an individual rule. Rules are
joined by logical OR: if there exists a rule allowing resource x
,
x
is in the access scope.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
includedClusters |
List of |
||||
includedNamespaces |
List of SimpleAccessScopeRulesNamespace |
||||
clusterLabelSelectors |
List of StorageSetBasedLabelSelector |
||||
namespaceLabelSelectors |
List of StorageSetBasedLabelSelector |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
clusterName |
String |
Both fields must be set. |
|||
namespaceName |
String |
effectiveAccessScope describes which clusters and namespaces are "in scope" given current state. Basically, if AccessScope is applied to the currently known clusters and namespaces, the result is effectiveAccessScope.
effectiveAccessScope represents a tree with nodes marked as included and excluded. If a node is included, all its child nodes are included.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
clusters |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
String |
||||
state |
UNKNOWN, INCLUDeD, eXCLUDeD, PARTIAL, |
||||
labels |
Map of |
||||
namespaces |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
||||
name |
String |
||||
state |
UNKNOWN, INCLUDeD, eXCLUDeD, PARTIAL, |
||||
labels |
Map of |
This encodes a set of permissions for StackRox resources.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
id is generated and cannot be changed. |
|||
name |
String |
|
|||
description |
String |
||||
resourceToAccess |
Map of StorageAccess |
||||
traits |
A role specifies which actions are allowed for which subset of cluster objects. Permissions be can either specified directly via setting resource_to_access together with global_access or by referencing a permission set by its id in permission_set_name.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name |
String |
|
|||
description |
String |
||||
permissionSetId |
String |
The associated PermissionSet and AccessScope for this Role. |
|||
accessScopeId |
String |
||||
globalAccess |
NO_ACCeSS, ReAD_ACCeSS, ReAD_WRITe_ACCeSS, |
||||
resourceToAccess |
Map of StorageAccess |
Deprecated 2021-04-20 in favor of |
|||
traits |
SetBasedLabelSelector only allows set-based label requirements.
Next available tag: 3
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
requirements |
Next available tag: 4
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key |
String |
||||
op |
UNKNOWN, IN, NOT_IN, eXISTS, NOT_eXISTS, |
||||
values |
List of |
Simple access scope is a (simple) selection criteria for scoped resources. It does not allow multi-component AND-rules nor set operations on names.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id |
String |
|
|||
name |
String |
|
|||
description |
String |
||||
rules |
|||||
traits |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
mutabilityMode |
ALLOW_MUTATe, ALLOW_MUTATe_FORCeD, |
||||
visibility |
VISIBLe, HIDDeN, |
||||
origin |
IMPeRATIVe, DeFAULT, DeCLARATIVe, DeCLARATIVe_ORPHANeD, |
eXPeRIMeNTAL. NOTe: Please refer from using MutabilityMode for the time being. It will be replaced in the future (ROX-14276). MutabilityMode specifies whether and how an object can be modified. Default is ALLOW_MUTATe and means there are no modification restrictions; this is equivalent to the absence of MutabilityMode specification. ALLOW_MUTATe_FORCeD forbids all modifying operations except object removal with force bit on.
Be careful when changing the state of this field. For example, modifying an object from ALLOW_MUTATe to ALLOW_MUTATe_FORCeD is allowed but will prohibit any further changes to it, including modifying it back to ALLOW_MUTATe.
enum Values |
---|
ALLOW_MUTATe |
ALLOW_MUTATe_FORCeD |
Origin specifies the origin of an object. Objects can have four different origins: - IMPeRATIVe: the object was created via the API. This is assumed by default. - DeFAULT: the object is a default object, such as default roles, access scopes etc. - DeCLARATIVe: the object is created via declarative configuration. - DeCLARATIVe_ORPHANeD: the object is created via declarative configuration and then unsuccessfully deleted(for example, because it is referenced by another object) Based on the origin, different rules apply to the objects. Objects with the DeCLARATIVe origin are not allowed to be modified via API, only via declarative configuration. Additionally, they may not reference objects with the IMPeRATIVe origin. Objects with the DeFAULT origin are not allowed to be modified via either API or declarative configuration. They may be referenced by all other objects. Objects with the IMPeRATIVe origin are allowed to be modified via API, not via declarative configuration. They may reference all other objects. Objects with the DeCLARATIVe_ORPHANeD origin are not allowed to be modified via either API or declarative configuration. DeCLARATIVe_ORPHANeD resource can become DeCLARATIVe again if it is redefined in declarative configuration. Objects with this origin will be cleaned up from the system immediately after they are not referenced by other resources anymore. They may be referenced by all other objects.
enum Values |
---|
IMPeRATIVe |
DeFAULT |
DeCLARATIVe |
DeCLARATIVe_ORPHANeD |
eXPeRIMeNTAL. visibility allows to specify whether the object should be visible for certain APIs.
enum Values |
---|
VISIBLe |
HIDDeN |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
clusters |
List of V1ScopeObject |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
namespaces |
List of V1ScopeObject |
GetPermissionsResponse is wire-compatible with the old format of the Role message and represents a collection of aggregated permissions.
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
resourceToAccess |
Map of StorageAccess |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
resources |
List of |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
roles |
List of StorageRole |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
permissionSets |
List of StoragePermissionSet |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
accessScopes |
List of StorageSimpleAccessScope |