KesselInventoryService_CheckSelf

POST

/api/kessel/v1beta2/checkself

Performs a relationship check where the subject is implicitly the caller (self), as determined by the authentication context, rather than being provided explicitly in the request.

This API answers the question: “Does the current caller have relation Y on object Z?”

Common use cases include enforcing access checks for the authenticated user.

Request Body ^required

CheckSelfRequest performs an access check for the caller (self) against a specific object and relation. The subject is derived from the caller’s authenticated identity rather than being provided explicitly.

object

object

Required parameters (from an authz perspective)

• resource type and id
• permission (cannot be derived from the type as a type may have multiple ‘read’ permissions. Ex: https://github.com/RedHatInsights/rbac-config/blob/master/configs/prod/schemas/src/notifications.ksl#L31)

The subject is implicitly the caller, as determined by the authentication context, instead of being provided as a SubjectReference.

object

resourceType

string

resourceId

string

reporter

object

type

string

instanceId

string

relation

string

consistency

Defines how a request is handled by the service.

object

minimizeLatency

The service selects the fastest snapshot available. Must be set true if used.

boolean

atLeastAsFresh

All data used in the API call must be at least as fresh as found in the ConsistencyToken. More recent data might be used if available or faster.

object

token

string

Responses

200

OK

CheckSelfResponse represents the result of a self-access permission check.

object

allowed

string format: enum

Allowed values: ALLOWED_UNSPECIFIED ALLOWED_TRUE ALLOWED_FALSE

consistencyToken

object

token

string

default

Default error response

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

object

code

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

integer format: int32

message

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

string

details

A list of messages that carry the error details. There is a common set of message types for APIs to use.

Array<object>

Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.

object

@type

The type of the serialized message.

string

key

additional properties

any