Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
568 lines (416 sloc) 13.5 KB

Groups

A group associates a name to a list of :ref:`principals <api-principals>`. It is useful in order to handle permissions. Groups are defined in buckets.

A group is a mapping with the following attributes:

  • data: attributes of the group object
  • permissions: the :term:`ACLs <ACL>` for the group object (e.g who is allowed to read or update the group object itself.)

When used in permissions definitions, the full group URI has to be used:

{
    "write": ["/buckets/blog/groups/authors", "github:lili"],
    "read": ["system.Everyone"]
}

Creating a group

.. http:post:: /buckets/(bucket_id)/groups

    :synopsis: Creates a new bucket group with a generated ID.

    **Requires authentication**

    **Example Request**

    .. sourcecode:: bash

        $ echo '{"data": {"members": ["account:alice"]}}' | http POST http://localhost:8888/v1/buckets/blog/groups --auth="bob:p4ssw0rd" --verbose

    .. sourcecode:: http

        POST /v1/buckets/blog/groups HTTP/1.1
        Accept: application/json
        Accept-Encoding: gzip, deflate
        Authorization: Basic Ym9iOg==
        Connection: keep-alive
        Content-Length: 102
        Content-Type: application/json
        Host: localhost:8888
        User-Agent: HTTPie/0.9.2

        {
            "data": {
                "members": [
                    "account:alice"
                ]
            }
        }

    **Example Response**

    .. sourcecode:: http

        HTTP/1.1 201 Created
        Access-Control-Expose-Headers: Backoff, Retry-After, Alert
        Content-Length: 248
        Content-Type: application/json; charset=UTF-8
        Date: Thu, 18 Jun 2015 16:17:02 GMT
        Server: waitress

        {
            "data": {
                "id": "wZjuQfpS",
                "last_modified": 1434644222033,
                "members": [
                    "account:alice"
                ]
            },
            "permissions": {
                "write": [
                    "account:alice"
                ]
            }
        }

Replacing a group

.. http:put:: /buckets/(bucket_id)/groups/(group_id)

    :synopsis: Creates or replaces a group with a chosen ID.

    **Requires authentication**

    **Example Request**

    .. sourcecode:: bash

        $ echo '{"data": {"members": ["account:alice"]}}' | http put http://localhost:8888/v1/buckets/blog/groups/readers --auth="bob:p4ssw0rd" --verbose

    .. sourcecode:: http

        PUT /v1/buckets/blog/groups/readers HTTP/1.1
        Accept: application/json
        Accept-Encoding: gzip, deflate
        Authorization: Basic Ym9iOg==
        Connection: keep-alive
        Content-Length: 102
        Content-Type: application/json
        Host: localhost:8888
        User-Agent: HTTPie/0.9.2

        {
            "data": {
                "members": [
                    "account:alice"
                ]
            }
        }

    **Example Response**

    .. sourcecode:: http

        HTTP/1.1 201 Created
        Access-Control-Expose-Headers: Backoff, Retry-After, Alert
        Content-Length: 247
        Content-Type: application/json; charset=UTF-8
        Date: Thu, 18 Jun 2015 16:41:01 GMT
        Server: waitress

        {
            "data": {
                "id": "readers",
                "last_modified": 1434645661227,
                "members": [
                    "account:alice"
                ]
            },
            "permissions": {
                "write": [
                    "account:bob"
                ]
            }
        }

Modify a group

.. http:patch:: /buckets/(bucket_id)/groups/(group_id)

    :synopsis: Modifies an existing group.

    **Requires authentication**

    **Example Request**

    .. sourcecode:: bash

        $ echo '{"data": {"members": ["account:alice"]}}' | http patch http://localhost:8888/v1/buckets/blog/groups/readers --auth="bob:p4ssw0rd" --verbose

    .. sourcecode:: http

        PATCH /v1/buckets/blog/groups/readers HTTP/1.1
        Accept: application/json
        Accept-Encoding: gzip, deflate
        Authorization: Basic Ym9iOg==
        Connection: keep-alive
        Content-Length: 102
        Content-Type: application/json
        Host: localhost:8888
        User-Agent: HTTPie/0.9.2

        {
            "data": {
                "members": [
                    "account:alice"
                ]
            }
        }

    **Example Response**

    .. sourcecode:: http

        HTTP/1.1 200 OK
        Access-Control-Expose-Headers: Backoff, Retry-After, Alert
        Content-Length: 247
        Content-Type: application/json; charset=UTF-8
        Date: Thu, 18 Jun 2015 16:41:01 GMT
        Server: waitress

        {
            "data": {
                "id": "readers",
                "last_modified": 1434645661227,
                "members": [
                    "account:alice"
                ]
            },
            "permissions": {
                "write": [
                    "account:bob"
                ]
            }
        }

Retrieving a group

.. http:get:: /buckets/(bucket_id)/groups/(group_id)

    :synopsis: Returns the group object.

    **Requires authentication**

    **Example Request**

    .. sourcecode:: bash

        $ http get http://localhost:8888/v1/buckets/blog/groups/readers --auth="bob:p4ssw0rd" --verbose

    .. sourcecode:: http

        GET /v1/buckets/blog/groups/readers HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        Authorization: Basic Ym9iOg==
        Connection: keep-alive
        Host: localhost:8888
        User-Agent: HTTPie/0.9.2

    **Example Response**

    .. sourcecode:: http

        HTTP/1.1 200 OK
        Access-Control-Expose-Headers: Backoff, Retry-After, Alert, Last-Modified, ETag
        Content-Length: 247
        Content-Type: application/json; charset=UTF-8
        Date: Thu, 18 Jun 2015 16:44:07 GMT
        Etag: "1434645847532"
        Last-Modified: Thu, 18 Jun 2015 16:44:07 GMT
        Server: waitress

        {
            "data": {
                "id": "readers",
                "last_modified": 1434645661227,
                "members": [
                    "account:alice"
                ]
            },
            "permissions": {
                "write": [
                    "account:bob"
                ]
            }
        }

Retrieving all groups

.. http:get:: /buckets/(bucket_id)/groups

    :synopsis: Returns the list of groups for the bucket.

    **Requires authentication**

    **Example Request**

    .. sourcecode:: bash

        $ http get http://localhost:8888/v1/buckets/blog/groups --auth="bob:p4ssw0rd" --verbose

    .. sourcecode:: http

        GET /v1/buckets/blog/groups HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        Authorization: Basic Ym9iOg==
        Connection: keep-alive
        Host: localhost:8888
        User-Agent: HTTPie/0.9.2

    **Example Response**

    .. sourcecode:: http

        HTTP/1.1 200 OK
        Access-Control-Expose-Headers: Backoff, Retry-After, Alert, Content-Length, Next-Page, Last-Modified, ETag
        Content-Length: 147
        Content-Type: application/json; charset=UTF-8
        Date: Thu, 13 Aug 2015 12:16:05 GMT
        Etag: "1439468156451"
        Last-Modified: Thu, 13 Aug 2015 12:15:56 GMT
        Server: waitress

        {
            "data": [
                {
                    "id": "vAQSwSca",
                    "last_modified": 1439468156451,
                    "members": [
                        "account:alice"
                    ]
                }
            ]
        }

Deleting all groups

.. http:delete:: /buckets/(bucket_id)/groups

    :synopsis: Delete every writable group in the bucket.

    **Requires authentication**

    **Example Request**

    .. sourcecode:: bash

        $ http delete http://localhost:8888/v1/buckets/blog/groups --auth="bob:p4ssw0rd" --verbose

    .. sourcecode:: http

        DELETE /v1/buckets/blog/groups HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        Authorization: Basic dG9rZW46Ym9iLXRva2Vu
        Connection: keep-alive
        Content-Length: 0
        Host: localhost:8888
        User-Agent: HTTPie/0.9.3

    **Example Response**

    .. sourcecode:: http

        HTTP/1.1 200 OK
        Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff
        Content-Length: 72
        Content-Type: application/json; charset=UTF-8
        Date: Sun, 20 Nov 2016 03:04:57 GMT
        Server: waitress

        {
            "data": [
                {
                    "deleted": true,
                    "id": "readers",
                    "last_modified": 1479611097155
                }
            ]
        }



Deleting a group

.. http:delete:: /buckets/(bucket_id)/groups/(group_id)

    :synopsis: Deletes a specific group.

    **Requires authentication**

    **Example Request**

    .. sourcecode:: bash

        $ http delete http://localhost:8888/v1/buckets/blog/groups/readers --auth="bob:p4ssw0rd" --verbose

    .. sourcecode:: http

        DELETE /v1/buckets/blog/groups/readers HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        Authorization: Basic Ym9iOg==
        Connection: keep-alive
        Content-Length: 0
        Host: localhost:8888
        User-Agent: HTTPie/0.9.2

    **Example Response**

    .. sourcecode:: http

        HTTP/1.1 200 OK
        Access-Control-Expose-Headers: Backoff, Retry-After, Alert
        Content-Length: 70
        Content-Type: application/json; charset=UTF-8
        Date: Thu, 18 Jun 2015 16:47:29 GMT
        Server: waitress

        {
            "data": {
                "deleted": true,
                "id": "readers",
                "last_modified": 1434646049488
            }
        }

Metadata validation using JSON schema

Requires setting kinto.experimental_collection_schema_validation to True.

By default, only the members must respect a particular schema (list of strings), and groups will accept any kind of additional fields.

In order to validate the additional fields, it is possible to define a JSON schema on the parent bucket metadata.

Set or replace a schema

Just modify the group:schema attribute of the parent bucket object:

Example request

$ echo '{
  "data": {
    "group:schema": {
      "title": "Supporters group",
      "type": "object",
      "properties": {
          "email": {"type": "string"},
          "members": {"type": "array", "item": {"type": "string"}}
      },
      "required": ["email"]
    }
  }
}' | http PATCH "http://localhost:8888/v1/buckets/blog" --auth bob:p4ssw0rd --verbose
PATCH /v1/buckets/blog HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46
Connection: keep-alive
Content-Length: 236
Content-Type: application/json; charset=utf-8
Host: localhost:8888
User-Agent: HTTPie/0.8.0

{
    "data": {
        "group:schema": {
            "properties": {
                "email": {
                    "type": "string"
                },
                "members": {
                    "type": "array",
                    "item": {
                        "type": "string"
                    }
                }
            },
            "required": [
                "email"
            ],
            "title": "Supporters group",
            "type": "object"
        }
    }
}

Example response

HTTP/1.1 200 OK
Access-Control-Expose-Headers: Backoff, Retry-After, Alert, Content-Length
Content-Length: 300
Content-Type: application/json; charset=UTF-8
Date: Fri, 21 Aug 2015 12:31:40 GMT
Etag: "1440160300818"
Last-Modified: Fri, 21 Aug 2015 12:31:40 GMT
Server: waitress

{
    "data": {
        "group:schema": {
            "properties": {
                "email": {
                    "type": "string"
                },
                "members": {
                    "type": "array",
                    "item": {
                        "type": "string"
                    }
                }
            },
            "required": [
                "email"
            ],
            "title": "Supporters group",
            "type": "object"
        }
    },
    "permissions": {
        "write": [
            "account:bob"
        ]
    }
}
You can’t perform that action at this time.