[ARVADOS] updated: 94e52d9256cb17dddbc9c383d2ab90e713c25e3b

Git user git at public.curoverse.com
Mon Oct 31 09:54:06 EDT 2016


Summary of changes:
 doc/api/methods.html.textile.liquid                | 16 ++++----
 .../api_client_authorizations.html.textile.liquid  | 45 +++++++++++++++++-----
 doc/api/methods/users.html.textile.liquid          |  2 +-
 doc/api/resources.html.textile.liquid              |  6 +--
 4 files changed, 49 insertions(+), 20 deletions(-)

       via  94e52d9256cb17dddbc9c383d2ab90e713c25e3b (commit)
      from  42b9e37cd53d63980d3fa4a238f9ff6adad9ccc4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 94e52d9256cb17dddbc9c383d2ab90e713c25e3b
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Fri Oct 28 21:29:19 2016 -0400

    10346: Document token scopes.

diff --git a/doc/api/methods.html.textile.liquid b/doc/api/methods.html.textile.liquid
index 7941e52..f392778 100644
--- a/doc/api/methods.html.textile.liquid
+++ b/doc/api/methods.html.textile.liquid
@@ -8,19 +8,21 @@ title: Common resource methods
 
 The following methods are available for most resources.  Some resources may limit who can perform certain operations.  Consult documentation for individual resource types for details.
 
+The methods are relative to the base URI, e.g. @/arvados/v1/resource_type at .  For arguments specifying a *Location* of @path@, the value of the argument is incorporated into the path portion of the URI. Arguments specifying a *Location* of @query@ are incorporated into the query portion of the URI or request body.
+
 h2. create
 
-The @create@ method creates a new object of the specified type.  It corresponds to the HTTP request @POST /arvados/v1/resource_name at .  A successful create call returns a copy of the new object.
+The @create@ method creates a new object of the specified type.  It corresponds to the HTTP request @POST /arvados/v1/resource_type at .  A successful create call returns a copy of the new object.
 
 Arguments:
 
 table(table table-bordered table-condensed).
 |_. Argument |_. Type |_. Description |_. Location |
-|{resource_name}|object||query||
+|{resource_type}|object|Name is the singular form of the resource type, e.g. for the "collections" resource, this argument is "collection"|query||
 
 h2. delete
 
-The @delete@ method deletes a object of the specified type.  It corresponds to the HTTP request @DELETE /arvados/v1/resource_name/uuid at .  A successful delete call returns a copy of the deleted object.
+The @delete@ method deletes a object of the specified type.  It corresponds to the HTTP request @DELETE /arvados/v1/resource_type/uuid at .  A successful delete call returns a copy of the deleted object.
 
 Arguments:
 
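Review bot: The placeholder resource_type now stands for two different things in this hunk. In the URI paths (/arvados/v1/resource_type) it is the plural resource name, such as "collections", while the new description in the create table says the {resource_type} argument is the singular form, "collection". A reader cannot tell from the name alone which form goes where. Either use a distinct placeholder for the argument or state in the new introductory paragraph that the path segment is plural and the argument key is singular. Since the delete line is touched anyway, "deletes a object" could become "deletes an object".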
@@ -30,7 +32,7 @@ table(table table-bordered table-condensed).
 
 h2. get
 
-The @get@ method gets a single object with the specified @uuid at .  It corresponds to the HTTP request @GET /arvados/v1/resource_name/uuid at .
+The @get@ method gets a single object with the specified @uuid at .  It corresponds to the HTTP request @GET /arvados/v1/resource_type/uuid at .
 
 Arguments:
 
@@ -40,7 +42,7 @@ table(table table-bordered table-condensed).
 
 h2(#index). list
 
-The @list@ method requests an list of resources of that type.  It corresponds to the HTTP request @GET /arvados/v1/resource_name at .  All resources support listing with unless otherwise noted.
+The @list@ method requests an list of resources of that type.  It corresponds to the HTTP request @GET /arvados/v1/resource_type at .  All resources support listing with unless otherwise noted.
 
 Arguments:
 
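Review bot: The rewritten list paragraph still carries the broken sentence "All resources support listing with unless otherwise noted" and the phrase "requests an list". The line is being changed anyway, so fix both here: drop the stray "with" (or restore whatever words were meant to follow it) and change "an list" to "a list".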
@@ -94,9 +96,9 @@ table(table table-bordered table-condensed).
 
 h2. update
 
-The @update@ method updates fields on the object with the specified @uuid at .  It corresponds to the HTTP request @PUT /arvados/v1/resource_name/uuid at .  A successful update call returns the updated copy of the object.
+The @update@ method updates fields on the object with the specified @uuid at .  It corresponds to the HTTP request @PUT /arvados/v1/resource_type/uuid at .  A successful update call returns the updated copy of the object.
 
 table(table table-bordered table-condensed).
 |_. Argument |_. Type |_. Description |_. Location |
 {background:#ccffcc}.|uuid|string|The UUID of the resource in question.|path||
-|{resource_name}|object||query||
+|{resource_type}|object||query||
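Review bot: The {resource_type} row in the update table is renamed but keeps an empty description, while the matching row under create in this same patch now explains that the argument name is the singular form of the resource type. Repeat or reference that description here so the two tables agree, otherwise readers of the update section get no hint about what key to send.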
diff --git a/doc/api/methods/api_client_authorizations.html.textile.liquid b/doc/api/methods/api_client_authorizations.html.textile.liquid
index 82dac7d..8c33ea1 100644
--- a/doc/api/methods/api_client_authorizations.html.textile.liquid
+++ b/doc/api/methods/api_client_authorizations.html.textile.liquid
@@ -14,19 +14,46 @@ Required arguments are displayed in %{background:#ccffcc}green%.
 
 h2. Resource
 
-An ApiClientAuthorization is not a generic Arvados resource.  The full list of properties that belong to an ApiClientAuthorization is:
+The @api_client_authorizations@ resource stores the list of API tokens that have been issued to permit access the API server.
+
+An ApiClientAuthorization is *not* a generic Arvados resource.  The full list of properties that belong to an ApiClientAuthorization is:
 
 table(table table-bordered table-condensed).
 |_. Attribute|_. Type|_. Description|_. Example|
-|api_token|string|||
-|api_client_id|integer|||
-|user_id|integer|||
-|created_by_ip_address|string|||
-|last_used_by_ip_address|string|||
-|last_used_at|datetime|||
-|expires_at|datetime|||
+|api_token|string|The actual token string that is expected in the Authorization header.||
+|api_client_id|integer|-||
+|user_id|integer|-||
+|created_by_ip_address|string|-||
+|last_used_by_ip_address|string|The network address of the most recent client using this token.||
+|last_used_at|datetime|Timestamp of the most recent request using this token.||
+|expires_at|datetime|Time at which the token is no longer valid.||
 |default_owner_uuid|string|||
-|scopes|array|||
+|scopes|array|A list of resources this token is allowed to access.  A scope of ["all"] allows all resources.  See below.||
+
+h3. Scopes
+
+Scopes can restrict a token so it may only access certain resources.  This is in addition to normal permission checks for the user associated with the token.
+
+Each entry in scopes consists of a @request_method@ and @request_path@, where the @request_method@ is a HTTP method (one of @GET@, @POST@, @PUT@ or @DELETE@) and @request_path@ is the request URI.  A given request is permitted if it matches a scopes exactly, or the scope ends with @/@ and the request string is a prefix of the scope.
+
+As a special case, a scope of ["all"] allows all resources.
+
+h4. Examples
+
+A scope of @GET /arvados/v1/collections@ permits listing collections.
+
+* Requests with different methods, such as creating a new collection using @POST /arvados/v1/collections@, will be rejected.
+* Requests to access other resources, such as @GET /arvados/v1/groups@, will be rejected.
+* Be aware that requests for specific records, such as @GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km@ will also be rejected.  This is because the scope @GET /arvados/v1/collections@ does not end in @/@
+
+A scope of @GET /arvados/v1/collections/@ (with @/@ suffix) will permit access to individual collections.
+
+* The request @GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km@ will succeed
+* Be aware that requests for listing @GET /arvados/v1/collections@ (no @/@ suffix) will be rejected, because it is not an exact match with @GET /arvados/v1/collections/@
+
+To allow both listing objects and requesting individual objects, include both in the scope: @["GET /arvados/v1/collections", "GET /arvados/v1/collections/"]@
+
+A narrow scope such as @GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km@ will disallow listing objects as well as disallow requesting any object other than those in the scope.
 
 h2. Methods
 
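Review bot: The matching rule in the Scopes paragraph states the prefix relation backwards: "the scope ends with / and the request string is a prefix of the scope". The examples that follow show the opposite, where the scope GET /arvados/v1/collections/ permits the longer request GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km, so the scope is the prefix of the request. Because this text tells people how to restrict tokens, suggest "or the scope ends with / and the scope is a prefix of the request string". Smaller points in the same hunk: "matches a scopes exactly" should be "matches a scope exactly", "to permit access the API server" is missing "to", and default_owner_uuid is left blank while the other undocumented attributes get "-".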
diff --git a/doc/api/methods/users.html.textile.liquid b/doc/api/methods/users.html.textile.liquid
index a9884d3..81e49c0 100644
--- a/doc/api/methods/users.html.textile.liquid
+++ b/doc/api/methods/users.html.textile.liquid
@@ -43,7 +43,7 @@ table(table table-bordered table-condensed).
 
 h3. current
 
-current users
+Get the user associated with the provided API token.
 
 Arguments:
 
diff --git a/doc/api/resources.html.textile.liquid b/doc/api/resources.html.textile.liquid
index 9f36628..07470c1 100644
--- a/doc/api/resources.html.textile.liquid
+++ b/doc/api/resources.html.textile.liquid
@@ -27,9 +27,9 @@ h2. Object UUID
 Each object is assigned a UUID.  This has the format @aaaaa-bbbbb-ccccccccccccccc at .
 format.
 
-# The first field ("aaaaa" in the example) is the site prefix.  This is unique to a specific Arvados installation.
-# The second field ("bbbbb" in the example) is the object type.
-# The third field ("ccccccccccccccc" in the example) uniquely identifies the object.
+# The first field (@aaaaa@ in the example) is the site prefix.  This is unique to a specific Arvados installation.
+# The second field (@bbbbb@ in the example) is the object type.
+# The third field (@ccccccccccccccc@ in the example) uniquely identifies the object.
 
 h2. Timestamps
 
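Review bot: The context just above the changed list still has a stray "format." line left over after "This has the format ... ." and this hunk does not touch it. Since the change is tidying the notation of this same paragraph, remove the leftover line as well so the sentence reads cleanly before the numbered list.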

-----------------------------------------------------------------------


hooks/post-receive
-- 



