POST /permitted

Query whether a user or user group can perform specified actions. Use this to check if a user or group already has a certain permission. Authentication is required.

Request format

When forming RBAC API requests to this endpoint, set the content type to application/json. The body must be a JSON object that specifies one user or user group and one or more permissions to test. Use these keys:

  • token: The UUID of a user or user group.
  • permissions: An array of JSON objects representing permissions. Each permissions object includes the object_type, action, and instance keys. For more information about these keys and how to populate them, refer to Permissions endpoints keys.
    For any object_type that doesn't support instance specification, you must supply "instance": "*".

For example, the following body queries the user or group whose token is 456 (a real token is a UUID, as in the curl example below). It checks whether this user or group can edit the rules of one specific node group, and whether it can disable all ("*") user accounts. The response is an array of Boolean values, one per object in the permissions array, in the same order: true means the user or group can perform that action, false means it can't.

{"token": "456",
 "permissions": [{"object_type": "node_groups",
                  "action": "edit_rules",
                  "instance": "<NODE_GROUP_UUID>"},
                 {"object_type": "users",
                  "action": "disable",
                  "instance": "*"}]
}

Here is an example of a complete curl request to the permitted endpoint:

curl -X POST "https://$(puppet config print server):4433/rbac-api/v1/permitted" \
-H "X-Authentication: 0RrYy80wuJZLNDcOwxnl19DJAe7LAkpPZtCbx8Jh3NxQ"  \
-H "Content-Type: application/json" \
-d '{"token": "42bf351c-f9ec-40af-84ad-e976fec7f4bd",
     "permissions": [{"object_type": "node_groups",
                      "action": "edit_rules",
                      "instance": "4"}]}'

Response format

If the request is well-formed and valid, the endpoint returns a 200 OK response with an array of Boolean values representing each JSON object in the permissions array in the request body.

The response array has the same length as the request's permissions array. Each returned Boolean value corresponds to the submitted permission query at the same index. For example, if you query two permissions, the response array contains two values, such as:

[true, false]

A true response indicates that the user or group can perform the specified action (described at the corresponding index position in the request), whereas false indicates the user or group can't perform that action.

The response is based on a full evaluation of permissions, including inherited roles and matching general permissions to more specific queries. For example, a query for users:edit:1 returns true if the token subject has either permission to edit that specific user (users:edit:1) or permission to edit all users (users:edit:*).
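The request and response formats above, worked through as an added client-side example. This is not code from the RBAC API documentation or from the service itself. It assumes Python 3 with only the standard library, a hypothetical set of object types that do not take instances (`console_page` stands in for whatever "Permissions endpoints keys" lists), placeholder `server`, `auth_token` and `cacert` values (the CA certificate path is assumed to be the Puppet CA so the TLS connection is verified), and `wildcard_covers` is a simplified model of the matching rule in the previous paragraph, not the service's own evaluation logic:

```python
"""Helper for the RBAC API POST /permitted endpoint (added example, not the
service's or the documentation's own code)."""
import json
import ssl
import urllib.request
from typing import Dict, List, Sequence, Tuple

# Assumption for this example: object types that do not support instance
# specification. The real list is in "Permissions endpoints keys"; only the
# rule that such types must use "instance": "*" comes from the page.
INSTANCE_LESS_OBJECT_TYPES = {"console_page"}

Permission = Dict[str, str]


def build_permitted_request(token: str, permissions: Sequence[Permission]) -> dict:
    """Validate the query and return the request object for POST /permitted."""
    if not token:
        raise ValueError("token (UUID of a user or user group) is required")
    if not permissions:
        raise ValueError("permissions must contain at least one query")
    cleaned: List[Permission] = []
    for perm in permissions:
        missing = {"object_type", "action", "instance"} - set(perm)
        if missing:
            raise ValueError(f"permission {perm!r} is missing {sorted(missing)}")
        if perm["object_type"] in INSTANCE_LESS_OBJECT_TYPES and perm["instance"] != "*":
            raise ValueError(f'{perm["object_type"]} does not take instances; use "*"')
        # Copy only the three documented keys so stray fields never reach the API.
        cleaned.append({k: perm[k] for k in ("object_type", "action", "instance")})
    return {"token": token, "permissions": cleaned}


def build_permitted_body(token: str, permissions: Sequence[Permission]) -> str:
    """Serialize the validated request object as the JSON body."""
    return json.dumps(build_permitted_request(token, permissions))


def pair_results(permissions: Sequence[Permission], response: object) -> List[Tuple[str, bool]]:
    """Match each Boolean in the response to its query by index.

    The API returns a bare array, so position is the only link between
    answer and question; reject anything that is not a Boolean array of the
    same length instead of silently misattributing a result.
    """
    if not isinstance(response, list) or len(response) != len(permissions):
        raise ValueError(f"expected {len(permissions)} Booleans, got {response!r}")
    if not all(isinstance(v, bool) for v in response):
        raise ValueError(f"non-Boolean value in response: {response!r}")
    return [(f"{p['object_type']}:{p['action']}:{p['instance']}", v)
            for p, v in zip(permissions, response)]


def denied(paired: Sequence[Tuple[str, bool]]) -> List[str]:
    """Return the object_type:action:instance queries the subject may NOT perform."""
    return [name for name, ok in paired if not ok]


def wildcard_covers(granted: str, queried: str) -> bool:
    """Simplified model of the matching rule: a grant on instance "*" satisfies a
    query for any specific instance of the same object_type and action, while a
    grant on one instance does not satisfy a query for "*". Role inheritance is
    not modelled; this is illustrative, not the service's evaluation code."""
    g_type, g_action, g_inst = granted.split(":", 2)
    q_type, q_action, q_inst = queried.split(":", 2)
    return g_type == q_type and g_action == q_action and g_inst in ("*", q_inst)


def query_permitted(server: str, auth_token: str, token: str,
                    permissions: Sequence[Permission], cacert: str) -> List[Tuple[str, bool]]:
    """POST the query to https://<server>:4433/rbac-api/v1/permitted and pair the
    results. `cacert` is assumed to be the Puppet CA certificate path so the
    server certificate is verified rather than trusted blindly."""
    req = urllib.request.Request(
        f"https://{server}:4433/rbac-api/v1/permitted",
        data=build_permitted_body(token, permissions).encode("utf-8"),
        method="POST",
        headers={"X-Authentication": auth_token,
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=cacert)
    # urlopen raises urllib.error.HTTPError for non-2xx responses, so reaching
    # the body here means the endpoint returned 200 OK.
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return pair_results(permissions, json.load(resp))
```

`query_permitted` needs a live PE server; the other functions run offline. The length and type checks in `pair_results` matter because the array carries no labels: if a client drops or reorders a query after sending, a true meant for one permission is read as an answer for another.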

For error responses, refer to RBAC service errors.