Package: rbac.v2

Package for RBAC v2 client methods.


Classes

Workspace

Represents a workspace object from RBAC v2 API

Properties

  • id: string

    Workspace identifier

  • name: string

    Workspace name

  • type: string

    Workspace type (e.g., "root", "default")

  • description: string

    Workspace description

Functions

  • fetchRootWorkspace (rbacBaseEndpoint : string, orgId : string, auth? : AuthRequest, httpClient? : HttpClient) : Workspace

    Fetches the root workspace for the specified organization. This function queries RBAC v2 to find the root workspace for the given orgId.

    GET /api/rbac/v2/workspaces/?type=root

    Example:

    from kessel.auth import fetchOIDCDiscovery, OAuth2ClientCredentials
    from kessel.requests import oauth2Auth
    from kessel.rbac.v2 import fetchRootWorkspace
    
    # Configure OAuth2 credentials (placeholders; load real values from a secret store, not from source code)
    discovery = fetchOIDCDiscovery("https://sso.example.com/auth/")
    authCredentials = OAuth2ClientCredentials(
        clientId="your-client-id",
        clientSecret="your-client-secret",
        tokenEndpoint=discovery.tokenEndpoint,
    )
    
    # Create auth adapter
    auth = oauth2Auth(authCredentials)
    
    # Fetch the root workspace
    rootWorkspace = fetchRootWorkspace(
        rbacBaseEndpoint="https://console.stage.redhat.com/",
        orgId="12345",
        auth=auth
    )
    print(f"Root workspace: {rootWorkspace.name}")
    workspaceId = rootWorkspace.id
    
    rbacBaseEndpoint : string

    The RBAC service endpoint URL (stage/prod/ephemeral)

    orgId : string

    Organization ID to use for the request.

    auth? : AuthRequest

    Used to perform authenticated requests.

    httpClient? : HttpClient

    Optional HTTP client instance (e.g., requests, http.Client), if applicable. If not provided, the default HTTP client for the language is used. This allows users to inject a custom HTTP client with additional headers or configuration. Arbitrary custom HTTP clients are not expected to be supported: some language-specific constructs are used, so only the default or most widely used client is supported. For example, Python supports requests and any requests-compatible client, Node.js supports the fetch API, and Go only uses http.Client.

  • fetchDefaultWorkspace (rbacBaseEndpoint : string, orgId : string, auth? : AuthRequest, httpClient? : HttpClient) : Workspace

    Fetches the default workspace for the specified organization. This function queries RBAC v2 to find the default workspace for the given orgId.

    GET /api/rbac/v2/workspaces/?type=default

    Example:

    from kessel.auth import fetchOIDCDiscovery, OAuth2ClientCredentials
    from kessel.requests import oauth2Auth
    from kessel.rbac.v2 import fetchDefaultWorkspace
    
    # Configure OAuth2 credentials (placeholders; load real values from a secret store, not from source code)
    discovery = fetchOIDCDiscovery("https://sso.example.com/auth/")
    authCredentials = OAuth2ClientCredentials(
        clientId="your-client-id",
        clientSecret="your-client-secret",
        tokenEndpoint=discovery.tokenEndpoint,
    )
    
    # Create auth adapter
    auth = oauth2Auth(authCredentials)
    
    # Fetch the default workspace
    defaultWorkspace = fetchDefaultWorkspace(
        rbacBaseEndpoint="https://console.stage.redhat.com/",
        orgId="12345",
        auth=auth
    )
    print(f"Default workspace: {defaultWorkspace.name}")
    workspaceId = defaultWorkspace.id
    
    rbacBaseEndpoint : string

    The RBAC service endpoint URL (stage/prod/ephemeral)

    orgId : string

    Organization ID to use for the request.

    auth? : AuthRequest

    Used to perform authenticated requests.

    httpClient? : HttpClient

    Optional HTTP client instance (e.g., requests, http.Client), if applicable. If not provided, the default HTTP client for the language is used. This allows users to inject a custom HTTP client with additional headers or configuration. Arbitrary custom HTTP clients are not expected to be supported: some language-specific constructs are used, so only the default or most widely used client is supported. For example, Python supports requests and any requests-compatible client, Node.js supports the fetch API, and Go only uses http.Client.

  • workspaceType () : RepresentationType

    Function to create a RepresentationType for workspace resources. Returns a protobuf RepresentationType configured for RBAC workspace objects.

    Example:

    workspaceType = workspaceType()
    
  • roleType () : RepresentationType

    Function to create a RepresentationType for role resources. Returns a protobuf RepresentationType configured for RBAC role objects.

    Example:

    roleType = roleType()
    
  • principalResource (id : string, domain : string) : ResourceReference

    Creates a ResourceReference for a user principal based on user ID and domain. This function standardizes the creation of principal resources.

    Example:

    userResource = principalResource("123", "redhat")
    
    id : string

    The user identifier

    domain : string

    The domain or organization the user belongs to

  • roleResource (resourceId : string) : ResourceReference

    Function to create a ResourceReference for a role. Returns a protobuf ResourceReference configured for RBAC role resources.

    Example:

    adminRole = roleResource("admin")
    
    resourceId : string

    The role identifier

  • workspaceResource (resourceId : string) : ResourceReference

    Function to create a ResourceReference for a workspace. Returns a protobuf ResourceReference configured for RBAC workspace resources.

    Example:

    projectWorkspace = workspaceResource("project-abc")
    
    resourceId : string

    The workspace identifier

  • principalSubject (id : string, domain : string) : SubjectReference

    Creates a SubjectReference for a user principal based on user ID and domain. This is a convenience function that wraps principalResource to create a subject reference.

    Example:

    userSubject = principalSubject("john.doe", "example.com")
    
    id : string

    The user identifier

    domain : string

    The domain or organization the user belongs to

  • subject (resourceRef : ResourceReference, relation? : string) : SubjectReference

    Creates a SubjectReference from a ResourceReference and an optional relation. This function allows you to easily create a subject reference.

    Example:

    # Create a subject reference from a principal resource with a relation
    memberSubject = subject(principalResource("123", "redhat"), "member")
    
    # Create a subject reference without a relation (direct subject)
    directSubject = subject(principalResource("456", "redhat"))
    
    # Create a subject reference using a manually constructed ResourceReference
    customResource = ResourceReference(
        resourceType="group",
        resourceId="our-team",
        reporter=None
    )
    groupSubject = subject(customResource, "owner")
    
    resourceRef : ResourceReference

    The resource reference that identifies the subject

    relation? : string

    Optional relation that points to a set of subjects (e.g., "members", "owners")

  • listWorkspaces (inventory : KesselInventoryServiceStub, subject : SubjectReference, relation : string, continuationToken? : string) : Iterable[StreamedListObjectsResponse]

    Lists all workspaces that a subject has a specific relation to. This function queries the inventory service to find workspaces based on the subject's permissions. Default pagination limit is 1000 items per page.

    Example:

    userSubject = principalSubject("john.doe", "redhat.com")
    for resp in listWorkspaces(inventoryClient, userSubject, "member"):
        print(resp)
    
    inventory : KesselInventoryServiceStub

    The inventory service client stub for making the request

    subject : SubjectReference

    The subject to check permissions for

    relation : string

    The relationship type to check

    continuationToken? : string

    Optional token to resume listing from a previous page

  • listWorkspacesAsync (inventory : KesselInventoryServiceStub, subject : SubjectReference, relation : string, continuationToken? : string) : AsyncIterator[StreamedListObjectsResponse]

    Lists all workspaces that a subject has a specific relation to. This function queries the inventory service to find workspaces based on the subject's permissions. Default pagination limit is 1000 items per page.

    Example:

    userSubject = principalSubject("john.doe", "redhat.com")
    async for resp in listWorkspacesAsync(inventoryClient, userSubject, "member"):
        print(resp)
    
    inventory : KesselInventoryServiceStub

    The inventory service client stub for making the request (async channel)

    subject : SubjectReference

    The subject to check permissions for

    relation : string

    The relationship type to check

    continuationToken? : string

    Optional token to resume listing from a previous page
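
Resuming an interrupted listing with continuationToken (this applies to both listWorkspaces and listWorkspacesAsync), as an added example that is not part of the SDK or its documentation. fakeListWorkspaces, collectWorkspaceIds and the response fields object and pagination.continuationToken are assumptions; replace them with listWorkspaces and the field names of your SDK's StreamedListObjectsResponse.

```python
from types import SimpleNamespace

# Constructed sample data: workspace ids the stand-in service returns.
SAMPLE_IDS = [f"ws-{n}" for n in range(7)]


def fakeListWorkspaces(inventory, subject, relation, continuationToken=None):
    """Hypothetical stand-in for listWorkspaces: streams the ids after the token."""
    # The stand-in encodes a list index in the token; real tokens are opaque.
    start = int(continuationToken) if continuationToken else 0
    for i in range(start, len(SAMPLE_IDS)):
        # Assumed response shape: .object.resourceId, .pagination.continuationToken
        yield SimpleNamespace(
            object=SimpleNamespace(resourceId=SAMPLE_IDS[i]),
            pagination=SimpleNamespace(continuationToken=str(i + 1)),
        )


def collectWorkspaceIds(listFn, inventory, subject, relation, checkpoint, maxItems=None):
    """Stream workspace ids, recording the latest token in checkpoint["token"].

    checkpoint["done"] is set only when the stream ends on its own, so callers
    can tell a complete listing from a partial one.
    """
    ids = []
    for resp in listFn(inventory, subject, relation, checkpoint.get("token")):
        ids.append(resp.object.resourceId)
        token = resp.pagination.continuationToken
        if token:
            checkpoint["token"] = token  # client side: store it, never parse it
        if maxItems is not None and len(ids) >= maxItems:
            break  # simulate an interrupted run
    else:
        checkpoint["done"] = True
    return ids


if __name__ == "__main__":
    checkpoint = {}
    first = collectWorkspaceIds(fakeListWorkspaces, None, None, "member", checkpoint, maxItems=4)
    print(first, checkpoint)
    rest = collectWorkspaceIds(fakeListWorkspaces, None, None, "member", checkpoint)
    print(rest, checkpoint)
```

When the collected ids feed an access decision, treat a listing without checkpoint["done"] as partial and deny anything not yet confirmed.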