Gist: notpushkin/8dae8a485013231afa94ed45b04938a1
Last active: June 14, 2024 18:40
swagger: '2.0'
info:
  title: Authzed
  version: '1.0'
  contact:
    name: Authzed, Inc.
    url: https://github.com/authzed/api
    email: support@authzed.com
  license:
    name: Apache 2.0 License
    url: https://github.com/authzed/api/blob/main/LICENSE
  termsOfService: https://authzed.com/terms-conditions
  description: "More details: https://docs.authzed.com/reference/api"
host: gateway-alpha.authzed.com
tags:
  - name: WatchService
  - name: PermissionsService
  - name: SchemaService
  - name: WatchResourcesService
schemes:
  - http
  - https
  - wss
consumes:
  - application/json
produces:
  - application/json
security:
  - ApiKeyAuth: []
paths:
  /v1/permissions/check:
    post:
      summary: >-
        CheckPermission checks whether a subject has a particular permission or is
        a member of a particular relation, on a given resource.
      operationId: PermissionsService_CheckPermission
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1CheckPermissionResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1CheckPermissionRequest'
      tags:
        - PermissionsService
  /v1/permissions/expand:
    post:
      summary: >-
        ExpandPermissionTree expands the relationships reachable from a particular
        permission or relation of a given resource.
      operationId: PermissionsService_ExpandPermissionTree
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1ExpandPermissionTreeResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1ExpandPermissionTreeRequest'
      tags:
        - PermissionsService
  /v1/permissions/resources:
    post:
      summary: >-
        LookupResources returns the IDs of all resources on which the specified
        subject has permission or on which the specified subject is a member of the
        relation.
      operationId: PermissionsService_LookupResources
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/v1LookupResourcesResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of v1LookupResourcesResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1LookupResourcesRequest'
      tags:
        - PermissionsService
  /v1/relationships/delete:
    post:
      summary: >-
        DeleteRelationships deletes relationships matching one or more filters, in
        bulk.
      operationId: PermissionsService_DeleteRelationships
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1DeleteRelationshipsResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1DeleteRelationshipsRequest'
      tags:
        - PermissionsService
  /v1/relationships/read:
    post:
      summary: |-
        ReadRelationships reads a set of the relationships matching one or more
        filters.
      operationId: PermissionsService_ReadRelationships
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/v1ReadRelationshipsResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of v1ReadRelationshipsResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1ReadRelationshipsRequest'
      tags:
        - PermissionsService
  /v1/relationships/write:
    post:
      summary: >-
        WriteRelationships writes and/or deletes a set of specified relationships,
        with an optional set of precondition relationships that must exist before
        the operation can commit.
      operationId: PermissionsService_WriteRelationships
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/v1WriteRelationshipsResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1WriteRelationshipsRequest'
      tags:
        - PermissionsService
  /v1/schema/read:
    post:
      summary: Read returns the current Object Definitions for a Permissions System.
      description: |-
        Errors include:
        - INVALID_ARGUMENT: a provided value has failed to semantically validate
        - NOT_FOUND: no schema has been defined
      operationId: SchemaService_ReadSchema
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/apiv1ReadSchemaResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/apiv1ReadSchemaRequest'
      tags:
        - SchemaService
  /v1/schema/write:
    post:
      summary: >-
        Write overwrites the current Object Definitions for a Permissions
        System.
      operationId: SchemaService_WriteSchema
      responses:
        '200':
          description: A successful response.
          schema:
            $ref: '#/definitions/apiv1WriteSchemaResponse'
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/apiv1WriteSchemaRequest'
      tags:
        - SchemaService
  /v1/watch:
    post:
      operationId: WatchService_Watch
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/apiv1WatchResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of apiv1WatchResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/apiv1WatchRequest'
      tags:
        - WatchService
  /v1alpha1/lookupwatch:
    post:
      summary: |-
        WatchResources initiates a watch for permission changes for the provided
        (resource type, permission, subject) pair.
      operationId: WatchResourcesService_WatchResources
      responses:
        '200':
          description: A successful response.(streaming responses)
          schema:
            type: object
            properties:
              result:
                $ref: '#/definitions/v1alpha1WatchResourcesResponse'
              error:
                $ref: '#/definitions/rpcStatus'
            title: Stream result of v1alpha1WatchResourcesResponse
        default:
          description: An unexpected error response.
          schema:
            $ref: '#/definitions/rpcStatus'
      parameters:
        - name: body
          in: body
          required: true
          schema:
            $ref: '#/definitions/v1alpha1WatchResourcesRequest'
      tags:
        - WatchResourcesService
definitions:
  AllowedRelationPublicWildcard:
    type: object
  CheckResponseMembership:
    type: string
    enum:
      - UNKNOWN
      - NOT_MEMBER
      - MEMBER
    default: UNKNOWN
  ChildThis:
    type: object
  ComputedUsersetObject:
    type: string
    enum:
      - TUPLE_OBJECT
      - TUPLE_USERSET_OBJECT
    default: TUPLE_OBJECT
  DeveloperErrorErrorKind:
    type: string
    enum:
      - UNKNOWN_KIND
      - PARSE_ERROR
      - SCHEMA_ISSUE
      - DUPLICATE_RELATIONSHIP
      - MISSING_EXPECTED_RELATIONSHIP
      - EXTRA_RELATIONSHIP_FOUND
      - UNKNOWN_OBJECT_TYPE
      - UNKNOWN_RELATION
      - MAXIMUM_RECURSION
      - ASSERTION_FAILED
    default: UNKNOWN_KIND
  DeveloperErrorSource:
    type: string
    enum:
      - UNKNOWN_SOURCE
      - SCHEMA
      - RELATIONSHIP
      - VALIDATION_YAML
      - CHECK_WATCH
      - ASSERTION
    default: UNKNOWN_SOURCE
  LookupShareResponseLookupStatus:
    type: string
    enum:
      - UNKNOWN_REFERENCE
      - FAILED_TO_LOOKUP
      - VALID_REFERENCE
      - UPGRADED_REFERENCE
    default: UNKNOWN_REFERENCE
  RelationTupleFilterFilter:
    type: string
    enum:
      - UNKNOWN
      - OBJECT_ID
      - RELATION
      - USERSET
    default: UNKNOWN
  SetOperationChild:
    type: object
    properties:
      This:
        $ref: '#/definitions/ChildThis'
      computedUserset:
        $ref: '#/definitions/v0ComputedUserset'
      tupleToUserset:
        $ref: '#/definitions/v0TupleToUserset'
      usersetRewrite:
        $ref: '#/definitions/v0UsersetRewrite'
  SubjectFilterRelationFilter:
    type: object
    properties:
      relation:
        type: string
  apiv0WatchResponse:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v0RelationTupleUpdate'
        description: >-
          A watch response contains all tuple modification events in ascending
          timestamp order, from the requested start timestamp to a timestamp
          encoded in a heartbeat zookie included in the watch response. The client
          can use the heartbeat zookie to resume watching where the previous watch
          response left off.
      endRevision:
        $ref: '#/definitions/v0Zookie'
  apiv1ReadSchemaRequest:
    type: object
    description: ReadSchemaRequest returns the schema from the database.
  apiv1ReadSchemaResponse:
    type: object
    properties:
      schemaText:
        type: string
        title: schema_text is the textual form of the current schema in the system
    description: |-
      ReadSchemaResponse is the resulting data after having read the Object
      Definitions from a Schema.
  apiv1WatchRequest:
    type: object
    properties:
      optionalObjectTypes:
        type: array
        items:
          type: string
      optionalStartCursor:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchRequest specifies the object definitions for which we want to start
      watching mutations, and an optional start snapshot for when to start
      watching.
  apiv1WatchResponse:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v1RelationshipUpdate'
      changesThrough:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchResponse contains all tuple modification events in ascending
      timestamp order, from the requested start snapshot to a snapshot
      encoded in the watch response. The client can use the snapshot to resume
      watching where the previous watch response left off.
  apiv1WriteSchemaRequest:
    type: object
    properties:
      schema:
        type: string
        description: >-
          The Schema containing one or more Object Definitions that will be written
          to the Permissions System.
    description: |-
      WriteSchemaRequest is the required data used to "upsert" the Schema of a
      Permissions System.
  apiv1WriteSchemaResponse:
    type: object
    description: |-
      WriteSchemaResponse is the resulting data after having written a Schema to
      a Permissions System.
  apiv1alpha1ReadSchemaResponse:
    type: object
    properties:
      objectDefinitions:
        type: array
        items:
          type: string
        description: The Object Definitions that were requested.
      computedDefinitionsRevision:
        type: string
        description: The computed revision of the returned object definitions.
    description: |-
      ReadSchemaResponse is the resulting data after having read the Object
      Definitions from a Schema.
  apiv1alpha1WriteSchemaResponse:
    type: object
    properties:
      objectDefinitionsNames:
        type: array
        items:
          type: string
        description: The names of the Object Definitions that were written.
      computedDefinitionsRevision:
        type: string
        description: The computed revision of the written object definitions.
    description: |-
      WriteSchemaResponse is the resulting data after having written a Schema to
      a Permissions System.
  protobufAny:
    type: object
    properties:
      '@type':
        type: string
        description: >-
          A URL/resource name that uniquely identifies the type of the serialized
          protocol buffer message. This string must contain at least
          one "/" character. The last segment of the URL's path must represent
          the fully qualified name of the type (as in
          `path/google.protobuf.Duration`). The name should be in a canonical form
          (e.g., leading "." is not accepted).

          In practice, teams usually precompile into the binary all types that they
          expect it to use in the context of Any. However, for URLs which use the
          scheme `http`, `https`, or no scheme, one can optionally set up a type
          server that maps type URLs to message definitions as follows:

          * If no scheme is provided, `https` is assumed.

          * An HTTP GET on the URL must yield a [google.protobuf.Type][]
            value in binary format, or produce an error.

          * Applications are allowed to cache lookup results based on the
            URL, or have them precompiled into a binary to avoid any
            lookup. Therefore, binary compatibility needs to be preserved
            on changes to types. (Use versioned type names to manage
            breaking changes.)

          Note: this functionality is not currently available in the official
          protobuf release, and it is not used for type URLs beginning with
          type.googleapis.com.

          Schemes other than `http`, `https` (or the empty scheme) might be
          used with implementation specific semantics.
    additionalProperties: {}
    description: >-
      `Any` contains an arbitrary serialized protocol buffer message along with a
      URL that describes the type of the serialized message.

      Protobuf library provides support to pack/unpack Any values in the form
      of utility functions or additional generated methods of the Any type.

      Example 1: Pack and unpack a message in C++.

          Foo foo = ...;
          Any any;
          any.PackFrom(foo);
          ...
          if (any.UnpackTo(&foo)) {
            ...
          }

      Example 2: Pack and unpack a message in Java.

          Foo foo = ...;
          Any any = Any.pack(foo);
          ...
          if (any.is(Foo.class)) {
            foo = any.unpack(Foo.class);
          }

      Example 3: Pack and unpack a message in Python.

          foo = Foo(...)
          any = Any()
          any.Pack(foo)
          ...
          if any.Is(Foo.DESCRIPTOR):
            any.Unpack(foo)
            ...

      Example 4: Pack and unpack a message in Go

          foo := &pb.Foo{...}
          any, err := anypb.New(foo)
          if err != nil {
            ...
          }
          ...
          foo := &pb.Foo{}
          if err := any.UnmarshalTo(foo); err != nil {
            ...
          }

      The pack methods provided by protobuf library will by default use
      'type.googleapis.com/full.type.name' as the type URL and the unpack
      methods only use the fully qualified type name after the last '/'
      in the type URL, for example "foo.bar.com/x/y.z" will yield type
      name "y.z".

      JSON
      ====
      The JSON representation of an `Any` value uses the regular
      representation of the deserialized, embedded message, with an
      additional field `@type` which contains the type URL. Example:

          package google.profile;
          message Person {
            string first_name = 1;
            string last_name = 2;
          }

          {
            "@type": "type.googleapis.com/google.profile.Person",
            "firstName": <string>,
            "lastName": <string>
          }

      If the embedded message type is well-known and has a custom JSON
      representation, that representation will be embedded adding a field
      `value` which holds the custom JSON in addition to the `@type`
      field. Example (for message [google.protobuf.Duration][]):

          {
            "@type": "type.googleapis.com/google.protobuf.Duration",
            "value": "1.212s"
          }
  rpcStatus:
    type: object
    properties:
      code:
        type: integer
        format: int32
      message:
        type: string
      details:
        type: array
        items:
          $ref: '#/definitions/protobufAny'
  v1AlgebraicSubjectSet:
    type: object
    properties:
      operation:
        $ref: '#/definitions/v1AlgebraicSubjectSetOperation'
      children:
        type: array
        items:
          $ref: '#/definitions/v1PermissionRelationshipTree'
    description: >-
      AlgebraicSubjectSet is a subject set which is computed based on applying the
      specified operation to the operands according to the algebra of sets.

      UNION is a logical set containing the subject members from all operands.

      INTERSECTION is a logical set containing only the subject members which are
      present in all operands.

      EXCLUSION is a logical set containing only the subject members which are
      present in the first operand, and none of the other operands.
  v1AlgebraicSubjectSetOperation:
    type: string
    enum:
      - OPERATION_UNSPECIFIED
      - OPERATION_UNION
      - OPERATION_INTERSECTION
      - OPERATION_EXCLUSION
    default: OPERATION_UNSPECIFIED
  v1CheckPermissionRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      resource:
        $ref: '#/definitions/v1ObjectReference'
        description: resource is the resource on which to check the permission or relation.
      permission:
        type: string
        description: >-
          permission is the name of the permission (or relation) on which to execute
          the check.
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: >-
          subject is the subject that will be checked for the permission or
          relation.
    description: >-
      CheckPermissionRequest issues a check on whether a subject has a permission
      or is a member of a relation, on a specific resource.
  v1CheckPermissionResponse:
    type: object
    properties:
      checkedAt:
        $ref: '#/definitions/v1ZedToken'
      permissionship:
        $ref: '#/definitions/v1CheckPermissionResponsePermissionship'
        description: >-
          Permissionship communicates whether or not the subject has the requested
          permission or has a relationship with the given resource, over the given
          relation.

          This value will be authzed.api.v1.PERMISSIONSHIP_HAS_PERMISSION if the
          requested subject is a member of the computed permission set or there
          exists a relationship with the requested relation from the given resource
          to the given subject.
  v1CheckPermissionResponsePermissionship:
    type: string
    enum:
      - PERMISSIONSHIP_UNSPECIFIED
      - PERMISSIONSHIP_NO_PERMISSION
      - PERMISSIONSHIP_HAS_PERMISSION
    default: PERMISSIONSHIP_UNSPECIFIED
  v1Consistency:
    type: object
    properties:
      minimizeLatency:
        type: boolean
        description: |-
          minimize_latency indicates that the latency for the call should be
          minimized by having the system select the fastest snapshot available.
      atLeastAsFresh:
        $ref: '#/definitions/v1ZedToken'
        description: >-
          at_least_as_fresh indicates that all data used in the API call must be
          *at least as fresh* as that found in the ZedToken; more recent data might
          be used if available or faster.
      atExactSnapshot:
        $ref: '#/definitions/v1ZedToken'
        description: >-
          at_exact_snapshot indicates that all data used in the API call must be
          *at the given* snapshot in time; if the snapshot is no longer available,
          an error will be returned to the caller.
      fullyConsistent:
        type: boolean
        description: >-
          fully_consistent indicates that all data used in the API call *must* be
          at the most recent snapshot found.

          NOTE: using this method can be *quite slow*, so unless there is a need to
          do so, it is recommended to use `at_least_as_fresh` with a stored
          ZedToken.
    description: |-
      Consistency will define how a request is handled by the backend.
      By defining a consistency requirement, and a token at which those
      requirements should be applied, where applicable.
  v1DeleteRelationshipsRequest:
    type: object
    properties:
      relationshipFilter:
        $ref: '#/definitions/v1RelationshipFilter'
      optionalPreconditions:
        type: array
        items:
          $ref: '#/definitions/v1Precondition'
    description: >-
      DeleteRelationshipsRequest specifies which Relationships should be deleted,
      requesting the delete of *ALL* relationships that match the specified
      filters. If the optional_preconditions parameter is included, all of the
      specified preconditions must also be satisfied before the delete will be
      executed.
  v1DeleteRelationshipsResponse:
    type: object
    properties:
      deletedAt:
        $ref: '#/definitions/v1ZedToken'
  v1DirectSubjectSet:
    type: object
    properties:
      subjects:
        type: array
        items:
          $ref: '#/definitions/v1SubjectReference'
    description: >-
      DirectSubjectSet is a subject set which is simply a collection of
      subjects.
  v1ExpandPermissionTreeRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      resource:
        $ref: '#/definitions/v1ObjectReference'
        description: resource is the resource over which to run the expansion.
      permission:
        type: string
        description: >-
          permission is the name of the permission or relation over which to run the
          expansion for the resource.
    description: >-
      ExpandPermissionTreeRequest returns a tree representing the expansion of all
      relationships found accessible from a permission or relation on a particular
      resource.

      ExpandPermissionTreeRequest is typically used to determine the full set of
      subjects with a permission, along with the relationships that grant said
      access.
  v1ExpandPermissionTreeResponse:
    type: object
    properties:
      expandedAt:
        $ref: '#/definitions/v1ZedToken'
      treeRoot:
        $ref: '#/definitions/v1PermissionRelationshipTree'
        description: >-
          tree_root is a tree structure whose leaf nodes are subjects, and
          intermediate nodes represent the various operations (union, intersection,
          exclusion) to reach those subjects.
  v1LookupResourcesRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      resourceObjectType:
        type: string
        description: >-
          resource_object_type is the type of resource object for which the IDs will
          be returned.
      permission:
        type: string
        description: >-
          permission is the name of the permission or relation for which the subject
          must Check.
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: subject is the subject with access to the resources.
    description: |-
      LookupResourcesRequest performs a lookup of all resources of a particular
      kind on which the subject has the specified permission or the relation in
      which the subject exists, streaming back the IDs of those resources.
  v1LookupResourcesResponse:
    type: object
    properties:
      lookedUpAt:
        $ref: '#/definitions/v1ZedToken'
      resourceObjectId:
        type: string
    description: >-
      LookupResourcesResponse contains a single matching resource object ID for the
      requested object type, permission, and subject.
  v1ObjectReference:
    type: object
    properties:
      objectType:
        type: string
      objectId:
        type: string
    description: ObjectReference is used to refer to a specific object in the system.
  v1PermissionRelationshipTree:
    type: object
    properties:
      intermediate:
        $ref: '#/definitions/v1AlgebraicSubjectSet'
      leaf:
        $ref: '#/definitions/v1DirectSubjectSet'
      expandedObject:
        $ref: '#/definitions/v1ObjectReference'
      expandedRelation:
        type: string
    description: >-
      PermissionRelationshipTree is used for representing a tree of a resource and
      its permission relationships with other objects.
  v1Precondition:
    type: object
    properties:
      operation:
        $ref: '#/definitions/v1PreconditionOperation'
      filter:
        $ref: '#/definitions/v1RelationshipFilter'
    description: |-
      Precondition specifies how and the existence or absence of certain
      relationships as expressed through the accompanying filter should affect
      whether or not the operation proceeds.

      MUST_NOT_MATCH will fail the parent request if any relationships match the
      relationships filter.
      MUST_MATCH will fail the parent request if there are no
      relationships that match the filter.
  v1PreconditionOperation:
    type: string
    enum:
      - OPERATION_UNSPECIFIED
      - OPERATION_MUST_NOT_MATCH
      - OPERATION_MUST_MATCH
    default: OPERATION_UNSPECIFIED
  v1ReadRelationshipsRequest:
    type: object
    properties:
      consistency:
        $ref: '#/definitions/v1Consistency'
      relationshipFilter:
        $ref: '#/definitions/v1RelationshipFilter'
    description: >-
      ReadRelationshipsRequest specifies one or more filters used to read matching
      relationships within the system.
  v1ReadRelationshipsResponse:
    type: object
    properties:
      readAt:
        $ref: '#/definitions/v1ZedToken'
      relationship:
        $ref: '#/definitions/v1Relationship'
    description: |-
      ReadRelationshipsResponse contains a Relationship found that matches the
      specified relationship filter(s). A instance of this response message will
      be streamed to the client for each relationship found.
  v1Relationship:
    type: object
    properties:
      resource:
        $ref: '#/definitions/v1ObjectReference'
        title: >-
          resource is the resource to which the subject is related, in some manner
      relation:
        type: string
        description: relation is how the resource and subject are related.
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: >-
          subject is the subject to which the resource is related, in some
          manner.
    description: |-
      Relationship specifies how a resource relates to a subject. Relationships
      form the data for the graph over which all permissions questions are
      answered.
  v1RelationshipFilter:
    type: object
    properties:
      resourceType:
        type: string
      optionalResourceId:
        type: string
      optionalRelation:
        type: string
      optionalSubjectFilter:
        $ref: '#/definitions/v1SubjectFilter'
    description: |-
      RelationshipFilter is a collection of filters which when applied to a
      relationship will return relationships that have exactly matching fields.

      resource_type is required. All other fields are optional and if left
      unspecified will not filter relationships.
  v1RelationshipUpdate:
    type: object
    properties:
      operation:
        $ref: '#/definitions/v1RelationshipUpdateOperation'
      relationship:
        $ref: '#/definitions/v1Relationship'
    description: |-
      RelationshipUpdate is used for mutating a single relationship within the
      service.

      CREATE will create the relationship only if it doesn't exist, and error
      otherwise.

      TOUCH will upsert the relationship, and will not error if it
      already exists.

      DELETE will delete the relationship and error if it doesn't
      exist.
  v1RelationshipUpdateOperation:
    type: string
    enum:
      - OPERATION_UNSPECIFIED
      - OPERATION_CREATE
      - OPERATION_TOUCH
      - OPERATION_DELETE
    default: OPERATION_UNSPECIFIED
  v1SubjectFilter:
    type: object
    properties:
      subjectType:
        type: string
      optionalSubjectId:
        type: string
      optionalRelation:
        $ref: '#/definitions/SubjectFilterRelationFilter'
    description: |-
      SubjectFilter specifies a filter on the subject of a relationship.
      subject_type is required and all other fields are optional, and will not
      impose any additional requirements if left unspecified.
  v1SubjectReference:
    type: object
    properties:
      object:
        $ref: '#/definitions/v1ObjectReference'
      optionalRelation:
        type: string
    title: >-
      SubjectReference is used for referring to the subject portion of a
      Relationship. The relation component is optional and is used for defining a
      sub-relation on the subject, e.g. group:123#members
  v1WriteRelationshipsRequest:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v1RelationshipUpdate'
      optionalPreconditions:
        type: array
        items:
          $ref: '#/definitions/v1Precondition'
    description: >-
      WriteRelationshipsRequest contains a list of Relationship mutations that
      should be applied to the service. If the optional_preconditions parameter
      is included, all of the specified preconditions must also be satisfied before
      the write will be committed.
  v1WriteRelationshipsResponse:
    type: object
    properties:
      writtenAt:
        $ref: '#/definitions/v1ZedToken'
  v1ZedToken:
    type: object
    properties:
      token:
        type: string
    description: |-
      ZedToken is used to provide causality metadata between Write and Check
      requests.

      See the authzed.api.v1.Consistency message for more information.
  v1alpha1PermissionUpdate:
    type: object
    properties:
      subject:
        $ref: '#/definitions/v1SubjectReference'
        description: subject defines the subject resource whose permissions have changed.
      resource:
        $ref: '#/definitions/v1ObjectReference'
        description: resource defines the specific object in the system.
      relation:
        type: string
      updatedPermission:
        $ref: '#/definitions/v1alpha1PermissionUpdatePermissionship'
    description: |-
      PermissionUpdate represents a single permission update for a specific
      subject's permissions.
  v1alpha1PermissionUpdatePermissionship:
    type: string
    enum:
      - PERMISSIONSHIP_UNSPECIFIED
      - PERMISSIONSHIP_NO_PERMISSION
      - PERMISSIONSHIP_HAS_PERMISSION
    default: PERMISSIONSHIP_UNSPECIFIED
    description: |-
      todo: work this into the v1 core API at some point since it's used
      across services.
  v1alpha1WatchResourcesRequest:
    type: object
    properties:
      resourceObjectType:
        type: string
        description: |-
          resource_object_type is the type of resource object for which we will
          watch for changes.
      permission:
        type: string
        description: |-
          permission is the name of the permission or relation for which we will
          watch for changes.
      subjectObjectType:
        type: string
        description: >-
          subject_object_type is the type of the subject resource for which we will
          watch for changes.
      optionalSubjectRelation:
        type: string
        description: >-
          optional_subject_relation allows you to specify a group of subjects to watch
          for a given subject type.
      optionalStartCursor:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchResourcesRequest starts a watch for specific permission updates
      for the given resource and subject types.
  v1alpha1WatchResourcesResponse:
    type: object
    properties:
      updates:
        type: array
        items:
          $ref: '#/definitions/v1alpha1PermissionUpdate'
      changesThrough:
        $ref: '#/definitions/v1ZedToken'
    description: |-
      WatchResourcesResponse enumerates the list of permission updates that have
      occurred as a result of one or more relationship updates.
securityDefinitions:
  ApiKeyAuth:
    type: apiKey
    name: Authorization
    in: header
externalDocs:
  description: More about the Authzed API.
  url: https://docs.authzed.com/reference/api