X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/172496748cb0a149426e8a10cb4fd1c64e20dbe7..aa49b45a4d25cb1e4282e242a2502c8a591f8615:/doc/api/methods/api_client_authorizations.html.textile.liquid diff --git a/doc/api/methods/api_client_authorizations.html.textile.liquid b/doc/api/methods/api_client_authorizations.html.textile.liquid index 01cda81bd0..660e5ddf30 100644 --- a/doc/api/methods/api_client_authorizations.html.textile.liquid +++ b/doc/api/methods/api_client_authorizations.html.textile.liquid 
@@ -6,22 +6,71 @@ title: "api_client_authorizations" ... +See "REST methods for working with Arvados resources":{{site.baseurl}}/api/methods.html +API endpoint base: @https://{{ site.arvados_api_host }}/arvados/v1/api_client_authorizations@ Required arguments are displayed in %{background:#ccffcc}green%. +h2. Resource -h2. create +The @api_client_authorizations@ resource stores the API tokens that have been issued to permit access the API server. + +An ApiClientAuthorization is *not* a generic Arvados resource. The full list of properties that belong to an ApiClientAuthorization is: + +table(table table-bordered table-condensed). +|_. Attribute|_. Type|_. Description|_. Example| +|uuid|string|An identifier used to refer to the token without exposing the actual token.|| +|api_token|string|The actual token string that is expected in the Authorization header.|| +|api_client_id|integer|-|| +|user_id|integer|-|| +|created_by_ip_address|string|-|| +|last_used_by_ip_address|string|The network address of the most recent client using this token.|| +|last_used_at|datetime|Timestamp of the most recent request using this token.|| +|expires_at|datetime|Time at which the token is no longer valid. May be set to a time in the past in order to immediately expire a token.|| +|owner_uuid|string|The user associated with the token. All operations using this token are checked against the permissions of this user.|| +|scopes|array|A list of resources this token is allowed to access. A scope of ["all"] allows all resources. See below.|| + +h3(#scope). Scopes + +Scopes can restrict a token so it may only access certain resources. This is in addition to normal permission checks for the user associated with the token. + +Each entry in scopes consists of a @request_method@ and @request_path@, where the @request_method@ is a HTTP method (one of @GET@, @POST@, @PUT@ or @DELETE@) and @request_path@ is the request URI. 
A given request is permitted if it matches a scopes exactly, or the scope ends with @/@ and the request string is a prefix of the scope. + +As a special case, a scope of ["all"] allows all resources. + +h4. Examples + +A scope of @GET /arvados/v1/collections@ permits listing collections. + +* Requests with different methods, such as creating a new collection using @POST /arvados/v1/collections@, will be rejected. +* Requests to access other resources, such as @GET /arvados/v1/groups@, will be rejected. +* Be aware that requests for specific records, such as @GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km@ will also be rejected. This is because the scope @GET /arvados/v1/collections@ does not end in @/@ + +A scope of @GET /arvados/v1/collections/@ (with @/@ suffix) will permit access to individual collections. + +* The request @GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km@ will succeed +* Be aware that requests for listing @GET /arvados/v1/collections@ (no @/@ suffix) will be rejected, because it is not an exact match with @GET /arvados/v1/collections/@ + +To allow both listing objects and requesting individual objects, include both in the scope: @["GET /arvados/v1/collections", "GET /arvados/v1/collections/"]@ + +A narrow scope such as @GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km@ will disallow listing objects as well as disallow requesting any object other than those in the scope. + +h2. Methods + +h3(#create). create Create a new ApiClientAuthorization. +Regular users may only create self-owned API tokens, but may provide a restricted "scope"#scope . Administrators may create API tokens corresponding to any user. + Arguments: table(table table-bordered table-condensed). |_. Argument |_. Type |_. Description |_. Location |_. Example | |api_client_authorization|object||query|| -h2. create_system_auth +h3. create_system_auth create_system_auth api_client_authorizations 
@@ -32,7 +81,7 @@ table(table table-bordered table-condensed). |api_client_id|integer||query|| |scopes|array||query|| -h2. delete +h3. delete Delete an existing ApiClientAuthorization. @@ -42,17 +91,7 @@ table(table table-bordered table-condensed). |_. Argument |_. Type |_. Description |_. Location |_. Example | {background:#ccffcc}.|uuid|string|The UUID of the ApiClientAuthorization in question.|path|| -h2. destroy - -destroy api_client_authorizations - -Arguments: - -table(table table-bordered table-condensed). -|_. Argument |_. Type |_. Description |_. Location |_. Example | -{background:#ccffcc}.|uuid|string||path|| - -h2. get +h3. get Gets a ApiClientAuthorization's metadata by UUID. @@ -62,7 +101,7 @@ table(table table-bordered table-condensed). |_. Argument |_. Type |_. Description |_. Location |_. Example | {background:#ccffcc}.|uuid|string|The UUID of the ApiClientAuthorization in question.|path|| -h2. list +h3. list List api_client_authorizations. @@ -74,7 +113,7 @@ table(table table-bordered table-condensed). |order|string|Order in which to return matching api_client_authorizations.|query|| |filters|array|Conditions for filtering api_client_authorizations.|query|| -h2. update +h3. update Update attributes of an existing ApiClientAuthorization.
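Review bot: In the Scopes section added by the first hunk (@@ -6,22 +6,71 @@), the prefix rule is stated backwards. The text says a request is permitted if "the scope ends with @/@ and the request string is a prefix of the scope", but the examples that follow have the scope "GET /arvados/v1/collections/" permitting "GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km", which means the scope is the prefix of the request. Suggest "or the scope ends with @/@ and the scope is a prefix of the request string". This sentence is the definition of what a restricted token can reach, so anyone auditing a token's scopes against the text as written would reach the wrong conclusion. Smaller wording points in the same hunk: "permit access the API server" is missing "to", "matches a scopes exactly" should read "matches a scope exactly", "a HTTP method" should be "an HTTP method", and the link in the create section is written "scope"#scope with a stray space before the period. In the attribute table, api_client_id, user_id and created_by_ip_address have only "-" as their description, and the scopes row says "See below." where a link to the #scope anchor would survive later reordering.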
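Review bot: Missing documentation for create_system_auth, visible at the end of the first hunk and in the context lines of the @@ -32,7 +81,7 @@ hunk: the section keeps its placeholder description "create_system_auth api_client_authorizations", and the rows "|api_client_id|integer||query||" and "|scopes|array||query||" have empty descriptions. Since this patch introduces the Scopes section and states for create that regular users may only create self-owned tokens while administrators may create tokens for any user, create_system_auth should get the same treatment: say what the method does and who may call it, and point the scopes argument at the #scope anchor so the prefix and exact-match rules are not left implicit for this method.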