swagger: '2.0'
info:
  title: Authzed
  version: '1.0'
  contact:
    name: Authzed, Inc.
    url: https://github.com/authzed/api
    email: support@authzed.com
  license:
    name: Apache 2.0 License
    url: https://github.com/authzed/api/blob/main/LICENSE
  termsOfService: https://authzed.com/terms-conditions
  description: "More details: https://docs.authzed.com/reference/api"
host: gateway-alpha.authzed.com
tags:
  - name: WatchService
  - name: PermissionsService
  - name: SchemaService
  - name: WatchResourcesService
schemes:
  - http
  - https
  - wss
consumes:
  - application/json
produces:
  - application/json
security:
  - ApiKeyAuth: []
paths:
  /v1/permissions/check:
    post:
      summary: >-
        CheckPermission checks whether a subject has a particular permission or
        is a member of a particular relation, on a given resource.
      operationId: PermissionsService_CheckPermission
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1CheckPermissionResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1CheckPermissionRequest'
      tags:
        - PermissionsService
  /v1/permissions/expand:
    post:
      summary: >-
        ExpandPermissionTree expands the relationships reachable from a
        particular permission or relation of a given resource.
      operationId: PermissionsService_ExpandPermissionTree
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1ExpandPermissionTreeResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1ExpandPermissionTreeRequest'
      tags:
        - PermissionsService
  /v1/permissions/resources:
    post:
      summary: >-
        LookupResources returns the IDs of all resources on which the specified
        subject has permission or on which the specified subject is a member of
        the relation.
      operationId: PermissionsService_LookupResources
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/v1LookupResourcesResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of v1LookupResourcesResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1LookupResourcesRequest'
      tags:
        - PermissionsService
  /v1/relationships/delete:
    post:
      summary: >-
        DeleteRelationships deletes relationships matching one or more filters,
        in bulk.
      operationId: PermissionsService_DeleteRelationships
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1DeleteRelationshipsResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1DeleteRelationshipsRequest'
      tags:
        - PermissionsService
  /v1/relationships/read:
    post:
      summary: |-
        ReadRelationships reads a set of the relationships matching one or more
        filters.
      operationId: PermissionsService_ReadRelationships
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/v1ReadRelationshipsResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of v1ReadRelationshipsResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1ReadRelationshipsRequest'
      tags:
        - PermissionsService
  /v1/relationships/write:
    post:
      summary: >-
        WriteRelationships writes and/or deletes a set of specified
        relationships, with an optional set of precondition relationships that
        must exist before the operation can commit.
      operationId: PermissionsService_WriteRelationships
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1WriteRelationshipsResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1WriteRelationshipsRequest'
      tags:
        - PermissionsService
  /v1/schema/read:
    post:
      summary: Read returns the current Object Definitions for a Permissions System.
      description: |-
        Errors include:
        - INVALID_ARGUMENT: a provided value has failed to semantically validate
        - NOT_FOUND: no schema has been defined
      operationId: SchemaService_ReadSchema
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/apiv1ReadSchemaResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/apiv1ReadSchemaRequest'
      tags:
        - SchemaService
  /v1/schema/write:
    post:
      summary: >-
        Write overwrites the current Object Definitions for a Permissions
        System.
      operationId: SchemaService_WriteSchema
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/apiv1WriteSchemaResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/apiv1WriteSchemaRequest'
      tags:
        - SchemaService
  /v1/watch:
    post:
      operationId: WatchService_Watch
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/apiv1WatchResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of apiv1WatchResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/apiv1WatchRequest'
      tags:
        - WatchService
  /v1alpha1/lookupwatch:
    post:
      summary: |-
        WatchResources initiates a watch for permission changes for the provided
        (resource type, permission, subject) pair.
      operationId: WatchResourcesService_WatchResources
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/v1alpha1WatchResourcesResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of v1alpha1WatchResourcesResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1alpha1WatchResourcesRequest'
      tags:
        - WatchResourcesService
definitions:
  AllowedRelationPublicWildcard:
    type: object
  CheckResponseMembership:
    type: string
    enum:
      - UNKNOWN
      - NOT_MEMBER
      - MEMBER
    default: UNKNOWN
  ChildThis:
    type: object
  ComputedUsersetObject:
    type: string
    enum:
      - TUPLE_OBJECT
      - TUPLE_USERSET_OBJECT
    default: TUPLE_OBJECT
  DeveloperErrorErrorKind:
    type: string
    enum:
      - UNKNOWN_KIND
      - PARSE_ERROR
      - SCHEMA_ISSUE
      - DUPLICATE_RELATIONSHIP
      - MISSING_EXPECTED_RELATIONSHIP
      - EXTRA_RELATIONSHIP_FOUND
      - UNKNOWN_OBJECT_TYPE
      - UNKNOWN_RELATION
      - MAXIMUM_RECURSION
      - ASSERTION_FAILED
    default: UNKNOWN_KIND
  DeveloperErrorSource:
    type: string
    enum:
      - UNKNOWN_SOURCE
      - SCHEMA
      - RELATIONSHIP
      - VALIDATION_YAML
      - CHECK_WATCH
      - ASSERTION
    default: UNKNOWN_SOURCE
  LookupShareResponseLookupStatus:
    type: string
    enum:
      - UNKNOWN_REFERENCE
      - FAILED_TO_LOOKUP
      - VALID_REFERENCE
      - UPGRADED_REFERENCE
    default: UNKNOWN_REFERENCE
  RelationTupleFilterFilter:
    type: string
    enum:
      - UNKNOWN
      - OBJECT_ID
      - RELATION
      - USERSET
    default: UNKNOWN
  SetOperationChild:
    type: object
    properties:
      This:
        $ref: '#/definitions/ChildThis'
      computedUserset:
        $ref: '#/definitions/v0ComputedUserset'
      tupleToUserset:
        $ref: '#/definitions/v0TupleToUserset'
      usersetRewrite:
        $ref: '#/definitions/v0UsersetRewrite'
  SubjectFilterRelationFilter:
    type: object
    properties:
      relation:
        type: string
  apiv0WatchResponse:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v0RelationTupleUpdate'
        description: >-
          A watch response contains all tuple modification events in ascending
          timestamp order, from the requested start timestamp to a timestamp
          encoded in a heartbeat zookie included in the watch response. The
          client can use the heartbeat zookie to resume watching where the
          previous watch response left off.
      endRevision:
        $ref: '#/definitions/v0Zookie'
  apiv1ReadSchemaRequest:
    type: object
    description: ReadSchemaRequest returns the schema from the database.
  apiv1ReadSchemaResponse:
    type: object
    properties:
      schemaText:
        type: string
        title: schema_text is the textual form of the current schema in the system
    description: |-
      ReadSchemaResponse is the resulting data after having read the Object
      Definitions from a Schema.
  apiv1WatchRequest:
    type: object
    properties:
      optionalObjectTypes:
        type: array
        items:
          type: string
      optionalStartCursor:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchRequest specifies the object definitions for which we want to start
      watching mutations, and an optional start snapshot for when to start
      watching.
  apiv1WatchResponse:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v1RelationshipUpdate'
      changesThrough:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchResponse contains all tuple modification events in ascending
      timestamp order, from the requested start snapshot to a snapshot
      encoded in the watch response. The client can use the snapshot to resume
      watching where the previous watch response left off.
  apiv1WriteSchemaRequest:
    type: object
    properties:
      schema:
        type: string
        description: >-
          The Schema containing one or more Object Definitions that will be
          written to the Permissions System.
    description: |-
      WriteSchemaRequest is the required data used to "upsert" the Schema of a
      Permissions System.
  apiv1WriteSchemaResponse:
    type: object
    description: |-
      WriteSchemaResponse is the resulting data after having written a Schema to
      a Permissions System.
  apiv1alpha1ReadSchemaResponse:
    type: object
    properties:
      objectDefinitions:
        type: array
        items:
          type: string
        description: The Object Definitions that were requested.
      computedDefinitionsRevision:
        type: string
        description: The computed revision of the returned object definitions.
    description: |-
      ReadSchemaResponse is the resulting data after having read the Object
      Definitions from a Schema.
  apiv1alpha1WriteSchemaResponse:
    type: object
    properties:
      objectDefinitionsNames:
        type: array
        items:
          type: string
        description: The names of the Object Definitions that were written.
      computedDefinitionsRevision:
        type: string
        description: The computed revision of the written object definitions.
    description: |-
      WriteSchemaResponse is the resulting data after having written a Schema to
      a Permissions System.
  protobufAny:
    type: object
    properties:
      '@type':
        type: string
        description: >-
          A URL/resource name that uniquely identifies the type of the
          serialized protocol buffer message. This string must contain at least
          one "/" character. The last segment of the URL's path must represent
          the fully qualified name of the type (as in
          `path/google.protobuf.Duration`). The name should be in a canonical
          form (e.g., leading "." is not accepted).

          In practice, teams usually precompile into the binary all types that
          they expect it to use in the context of Any. However, for URLs which
          use the scheme `http`, `https`, or no scheme, one can optionally set
          up a type server that maps type URLs to message definitions as
          follows:

          * If no scheme is provided, `https` is assumed.

          * An HTTP GET on the URL must yield a [google.protobuf.Type][]
            value in binary format, or produce an error.

          * Applications are allowed to cache lookup results based on the
            URL, or have them precompiled into a binary to avoid any
            lookup. Therefore, binary compatibility needs to be preserved
            on changes to types. (Use versioned type names to manage
            breaking changes.)

          Note: this functionality is not currently available in the official
          protobuf release, and it is not used for type URLs beginning with
          type.googleapis.com.

          Schemes other than `http`, `https` (or the empty scheme) might be
          used with implementation specific semantics.
    additionalProperties: {}
    description: >-
      `Any` contains an arbitrary serialized protocol buffer message along with
      a URL that describes the type of the serialized message.

      Protobuf library provides support to pack/unpack Any values in the form
      of utility functions or additional generated methods of the Any type.

      Example 1: Pack and unpack a message in C++.

          Foo foo = ...;
          Any any;
          any.PackFrom(foo);
          ...
          if (any.UnpackTo(&foo)) {
            ...
          }

      Example 2: Pack and unpack a message in Java.

          Foo foo = ...;
          Any any = Any.pack(foo);
          ...
          if (any.is(Foo.class)) {
            foo = any.unpack(Foo.class);
          }

      Example 3: Pack and unpack a message in Python.

          foo = Foo(...)
          any = Any()
          any.Pack(foo)
          ...
          if any.Is(Foo.DESCRIPTOR):
            any.Unpack(foo)
            ...

      Example 4: Pack and unpack a message in Go

          foo := &pb.Foo{...}
          any, err := anypb.New(foo)
          if err != nil {
            ...
          }
          ...
          foo := &pb.Foo{}
          if err := any.UnmarshalTo(foo); err != nil {
            ...
          }

      The pack methods provided by protobuf library will by default use
      'type.googleapis.com/full.type.name' as the type URL and the unpack
      methods only use the fully qualified type name after the last '/'
      in the type URL, for example "foo.bar.com/x/y.z" will yield type
      name "y.z".

      JSON

      ====

      The JSON representation of an `Any` value uses the regular
      representation of the deserialized, embedded message, with an
      additional field `@type` which contains the type URL. Example:

          package google.profile;
          message Person {
            string first_name = 1;
            string last_name = 2;
          }

          {
            "@type": "type.googleapis.com/google.profile.Person",
            "firstName": <string>,
            "lastName": <string>
          }

      If the embedded message type is well-known and has a custom JSON
      representation, that representation will be embedded adding a field
      `value` which holds the custom JSON in addition to the `@type`
      field. Example (for message [google.protobuf.Duration][]):

          {
            "@type": "type.googleapis.com/google.protobuf.Duration",
            "value": "1.212s"
          }
  rpcStatus:
    type: object
    properties:
      code:
        type: integer
        format: int32
      message:
        type: string
      details:
        type: array
        items:
          $ref: '#/definitions/protobufAny'
  v1AlgebraicSubjectSet:
    type: object
    properties:
      operation:
        $ref: '#/definitions/v1AlgebraicSubjectSetOperation'
      children:
        type: array
        items:
          $ref: '#/definitions/v1PermissionRelationshipTree'
    description: >-
      AlgebraicSubjectSet is a subject set which is computed based on applying
      the specified operation to the operands according to the algebra of sets.

      UNION is a logical set containing the subject members from all operands.

      INTERSECTION is a logical set containing only the subject members which
      are present in all operands.

      EXCLUSION is a logical set containing only the subject members which are
      present in the first operand, and none of the other operands.
  v1AlgebraicSubjectSetOperation:
    type: string
    enum:
      - OPERATION_UNSPECIFIED
      - OPERATION_UNION
      - OPERATION_INTERSECTION
      - OPERATION_EXCLUSION
    default: OPERATION_UNSPECIFIED
  v1CheckPermissionRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      resource:
        $ref: '#/definitions/v1ObjectReference'
        description: resource is the resource on which to check the permission or relation.
      permission:
        type: string
        description: >-
          permission is the name of the permission (or relation) on which to
          execute the check.
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: >-
          subject is the subject that will be checked for the permission or
          relation.
    description: >-
      CheckPermissionRequest issues a check on whether a subject has a
      permission or is a member of a relation, on a specific resource.
  v1CheckPermissionResponse:
    type: object
    properties:
      checkedAt:
        $ref: '#/definitions/v1ZedToken'
      permissionship:
        $ref: '#/definitions/v1CheckPermissionResponsePermissionship'
        description: >-
          Permissionship communicates whether or not the subject has the
          requested permission or has a relationship with the given resource,
          over the given relation.

          This value will be authzed.api.v1.PERMISSIONSHIP_HAS_PERMISSION if the
          requested subject is a member of the computed permission set or there
          exists a relationship with the requested relation from the given
          resource to the given subject.
  v1CheckPermissionResponsePermissionship:
    type: string
    enum:
      - PERMISSIONSHIP_UNSPECIFIED
      - PERMISSIONSHIP_NO_PERMISSION
      - PERMISSIONSHIP_HAS_PERMISSION
    default: PERMISSIONSHIP_UNSPECIFIED
  v1Consistency:
    type: object
    properties:
      minimizeLatency:
        type: boolean
        description: |-
          minimize_latency indicates that the latency for the call should be
          minimized by having the system select the fastest snapshot available.
      atLeastAsFresh:
        $ref: '#/definitions/v1ZedToken'
        description: >-
          at_least_as_fresh indicates that all data used in the API call must be
          *at least as fresh* as that found in the ZedToken; more recent data
          might be used if available or faster.
      atExactSnapshot:
        $ref: '#/definitions/v1ZedToken'
        description: >-
          at_exact_snapshot indicates that all data used in the API call must be
          *at the given* snapshot in time; if the snapshot is no longer
          available, an error will be returned to the caller.
      fullyConsistent:
        type: boolean
        description: >-
          fully_consistent indicates that all data used in the API call *must*
          be at the most recent snapshot found.

          NOTE: using this method can be *quite slow*, so unless there is a need
          to do so, it is recommended to use `at_least_as_fresh` with a stored
          ZedToken.
    description: |-
      Consistency will define how a request is handled by the backend.
      By defining a consistency requirement, and a token at which those
      requirements should be applied, where applicable.
  v1DeleteRelationshipsRequest:
    type: object
    properties:
      relationshipFilter:
        $ref: '#/definitions/v1RelationshipFilter'
      optionalPreconditions:
        type: array
        items:
          $ref: '#/definitions/v1Precondition'
    description: >-
      DeleteRelationshipsRequest specifies which Relationships should be
      deleted, requesting the delete of *ALL* relationships that match the
      specified filters. If the optional_preconditions parameter is included,
      all of the specified preconditions must also be satisfied before the
      delete will be executed.
  v1DeleteRelationshipsResponse:
    type: object
    properties:
      deletedAt:
        $ref: '#/definitions/v1ZedToken'
  v1DirectSubjectSet:
    type: object
    properties:
      subjects:
        type: array
        items:
          $ref: '#/definitions/v1SubjectReference'
    description: >-
      DirectSubjectSet is a subject set which is simply a collection of
      subjects.
  v1ExpandPermissionTreeRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      resource:
        $ref: '#/definitions/v1ObjectReference'
        description: resource is the resource over which to run the expansion.
      permission:
        type: string
        description: >-
          permission is the name of the permission or relation over which to run
          the expansion for the resource.
    description: >-
      ExpandPermissionTreeRequest returns a tree representing the expansion of
      all relationships found accessible from a permission or relation on a
      particular resource.

      ExpandPermissionTreeRequest is typically used to determine the full set of
      subjects with a permission, along with the relationships that grant said
      access.
  v1ExpandPermissionTreeResponse:
    type: object
    properties:
      expandedAt:
        $ref: '#/definitions/v1ZedToken'
      treeRoot:
        $ref: '#/definitions/v1PermissionRelationshipTree'
        description: >-
          tree_root is a tree structure whose leaf nodes are subjects, and
          intermediate nodes represent the various operations (union,
          intersection, exclusion) to reach those subjects.
  v1LookupResourcesRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      resourceObjectType:
        type: string
        description: >-
          resource_object_type is the type of resource object for which the IDs
          will be returned.
      permission:
        type: string
        description: >-
          permission is the name of the permission or relation for which the
          subject must Check.
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: subject is the subject with access to the resources.
    description: |-
      LookupResourcesRequest performs a lookup of all resources of a particular
      kind on which the subject has the specified permission or the relation in
      which the subject exists, streaming back the IDs of those resources.
  v1LookupResourcesResponse:
    type: object
    properties:
      lookedUpAt:
        $ref: '#/definitions/v1ZedToken'
      resourceObjectId:
        type: string
    description: >-
      LookupResourcesResponse contains a single matching resource object ID for
      the requested object type, permission, and subject.
  v1ObjectReference:
    type: object
    properties:
      objectType:
        type: string
      objectId:
        type: string
    description: ObjectReference is used to refer to a specific object in the system.
  v1PermissionRelationshipTree:
    type: object
    properties:
      intermediate:
        $ref: '#/definitions/v1AlgebraicSubjectSet'
      leaf:
        $ref: '#/definitions/v1DirectSubjectSet'
      expandedObject:
        $ref: '#/definitions/v1ObjectReference'
      expandedRelation:
        type: string
    description: >-
      PermissionRelationshipTree is used for representing a tree of a resource
      and its permission relationships with other objects.
  v1Precondition:
    type: object
    properties:
      operation:
        $ref: '#/definitions/v1PreconditionOperation'
      filter:
        $ref: '#/definitions/v1RelationshipFilter'
    description: |-
      Precondition specifies how the existence or absence of certain
      relationships as expressed through the accompanying filter should affect
      whether or not the operation proceeds.
      MUST_NOT_MATCH will fail the parent request if any relationships match the
      relationships filter.
      MUST_MATCH will fail the parent request if there are no
      relationships that match the filter.
  v1PreconditionOperation:
    type: string
    enum:
      - OPERATION_UNSPECIFIED
      - OPERATION_MUST_NOT_MATCH
      - OPERATION_MUST_MATCH
    default: OPERATION_UNSPECIFIED
  v1ReadRelationshipsRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      relationshipFilter:
        $ref: '#/definitions/v1RelationshipFilter'
    description: >-
      ReadRelationshipsRequest specifies one or more filters used to read
      matching relationships within the system.
  v1ReadRelationshipsResponse:
    type: object
    properties:
      readAt:
        $ref: '#/definitions/v1ZedToken'
      relationship:
        $ref: '#/definitions/v1Relationship'
    description: |-
      ReadRelationshipsResponse contains a Relationship found that matches the
      specified relationship filter(s). An instance of this response message will
      be streamed to the client for each relationship found.
  v1Relationship:
    type: object
    properties:
      resource:
        $ref: '#/definitions/v1ObjectReference'
        title: >-
          resource is the resource to which the subject is related, in some
          manner
      relation:
        type: string
        description: relation is how the resource and subject are related.
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: >-
          subject is the subject to which the resource is related, in some
          manner.
    description: |-
      Relationship specifies how a resource relates to a subject. Relationships
      form the data for the graph over which all permissions questions are
      answered.
  v1RelationshipFilter:
    type: object
    properties:
      resourceType:
        type: string
      optionalResourceId:
        type: string
      optionalRelation:
        type: string
      optionalSubjectFilter:
        $ref: '#/definitions/v1SubjectFilter'
    description: |-
      RelationshipFilter is a collection of filters which when applied to a
      relationship will return relationships that have exactly matching fields.
      resource_type is required. All other fields are optional and if left
      unspecified will not filter relationships.
  v1RelationshipUpdate:
    type: object
    properties:
      operation:
        $ref: '#/definitions/v1RelationshipUpdateOperation'
      relationship:
        $ref: '#/definitions/v1Relationship'
    description: |-
      RelationshipUpdate is used for mutating a single relationship within the
      service.
      CREATE will create the relationship only if it doesn't exist, and error
      otherwise.
      TOUCH will upsert the relationship, and will not error if it
      already exists.
      DELETE will delete the relationship and error if it doesn't
      exist.
  v1RelationshipUpdateOperation:
    type: string
    enum:
      - OPERATION_UNSPECIFIED
      - OPERATION_CREATE
      - OPERATION_TOUCH
      - OPERATION_DELETE
    default: OPERATION_UNSPECIFIED
  v1SubjectFilter:
    type: object
    properties:
      subjectType:
        type: string
      optionalSubjectId:
        type: string
      optionalRelation:
        $ref: '#/definitions/SubjectFilterRelationFilter'
    description: |-
      SubjectFilter specifies a filter on the subject of a relationship.
      subject_type is required and all other fields are optional, and will not
      impose any additional requirements if left unspecified.
  v1SubjectReference:
    type: object
    properties:
      object:
        $ref: '#/definitions/v1ObjectReference'
      optionalRelation:
        type: string
    title: >-
      SubjectReference is used for referring to the subject portion of a
      Relationship. The relation component is optional and is used for defining
      a sub-relation on the subject, e.g. group:123#members
  v1WriteRelationshipsRequest:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v1RelationshipUpdate'
      optionalPreconditions:
        type: array
        items:
          $ref: '#/definitions/v1Precondition'
    description: >-
      WriteRelationshipsRequest contains a list of Relationship mutations that
      should be applied to the service. If the optional_preconditions parameter
      is included, all of the specified preconditions must also be satisfied
      before the write will be committed.
  v1WriteRelationshipsResponse:
    type: object
    properties:
      writtenAt:
        $ref: '#/definitions/v1ZedToken'
  v1ZedToken:
    type: object
    properties:
      token:
        type: string
    description: |-
      ZedToken is used to provide causality metadata between Write and Check
      requests.
      See the authzed.api.v1.Consistency message for more information.
  v1alpha1PermissionUpdate:
    type: object
    properties:
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: subject defines the subject resource whose permissions have changed.
      resource:
        $ref: '#/definitions/v1ObjectReference'
        description: resource defines the specific object in the system.
      relation:
        type: string
      updatedPermission:
        $ref: '#/definitions/v1alpha1PermissionUpdatePermissionship'
    description: |-
      PermissionUpdate represents a single permission update for a specific
      subject's permissions.
  v1alpha1PermissionUpdatePermissionship:
    type: string
    enum:
      - PERMISSIONSHIP_UNSPECIFIED
      - PERMISSIONSHIP_NO_PERMISSION
      - PERMISSIONSHIP_HAS_PERMISSION
    default: PERMISSIONSHIP_UNSPECIFIED
    description: |-
      todo: work this into the v1 core API at some point since it's used
      across services.
  v1alpha1WatchResourcesRequest:
    type: object
    properties:
      resourceObjectType:
        type: string
        description: |-
          resource_object_type is the type of resource object for which we will
          watch for changes.
      permission:
        type: string
        description: |-
          permission is the name of the permission or relation for which we will
          watch for changes.
      subjectObjectType:
        type: string
        description: >-
          subject_object_type is the type of the subject resource for which we
          will watch for changes.
      optionalSubjectRelation:
        type: string
        description: >-
          optional_subject_relation allows you to specify a group of subjects to
          watch for a given subject type.
      optionalStartCursor:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchResourcesRequest starts a watch for specific permission updates
      for the given resource and subject types.
  v1alpha1WatchResourcesResponse:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v1alpha1PermissionUpdate'
      changesThrough:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchResourcesResponse enumerates the list of permission updates that have
      occurred as a result of one or more relationship updates.
securityDefinitions:
  ApiKeyAuth:
    type: apiKey
    name: Authorization
    in: header
externalDocs:
  description: More about the Authzed API.
  url: https://docs.authzed.com/reference/api