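---
# lakeFS authentication API (OpenAPI 3.0 document).
openapi: "3.0.0"
info:
  description: lakeFS authentication HTTP API
  title: lakeFS authentication API
  license:
    name: "Apache 2.0"
    # Served over TLS by apache.org; the plaintext form only redirects here.
    url: https://www.apache.org/licenses/LICENSE-2.0.html
  version: 0.1.0

servers:
  - url: "/api/v1"
    description: lakeFS authentication server endpoint

# Document-wide default: a request satisfies ANY ONE of the listed schemes
# (OpenAPI security-requirement lists are alternatives). Operations that must
# be reachable without credentials override this with `security: []`.
security:
  - jwt_token: []
  - basic_auth: []
  - cookie_auth: []
  - oidc_auth: []
  - saml_auth: []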
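# Reusable pieces referenced from `paths` via $ref.
components:
  securitySchemes:
    basic_auth:
      type: http
      scheme: basic
    jwt_token:
      type: http
      scheme: bearer
      bearerFormat: JWT
    # The three cookie schemes below carry a session in a browser cookie.
    # NOTE(review): OpenAPI cannot express CSRF defences; state-changing
    # operations accepting these schemes rely on server-side protection — confirm.
    cookie_auth:
      type: apiKey
      in: cookie
      name: internal_auth_session
    oidc_auth:
      type: apiKey
      in: cookie
      name: oidc_auth_session
    saml_auth:
      type: apiKey
      in: cookie
      name: saml_auth_session

  parameters:
    PaginationPrefix:
      in: query
      name: prefix
      description: return items prefixed with this value
      schema:
        type: string
    PaginationAfter:
      in: query
      name: after
      description: return items after this value
      schema:
        type: string
    PaginationAmount:
      in: query
      name: amount
      description: how many items to return
      schema:
        type: integer
        # NOTE(review): -1 is accepted by the schema — confirm what the server
        # does with it (the meaning is not documented here).
        minimum: -1
        maximum: 1000
        default: 100
    PaginationDelimiter:
      in: query
      name: delimiter
      description: delimiter used to group common prefixes by
      schema:
        type: string

  # Every error response shares the `Error` body shape.
  responses:
    BadRequest:
      description: Bad Request
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"
    Forbidden:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"
    ServerError:
      description: Internal Server Error
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"
    NotFound:
      description: Resource Not Found
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"
    Conflict:
      description: Resource Conflicts With Target
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"
    PreconditionFailed:
      description: Precondition Failed
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"
    ValidationError:
      description: Validation Error
      content:
        application/json:
          schema:
            $ref: "#/components/schemas/Error"

  schemas:
    Pagination:
      type: object
      required:
        - has_more
        - max_per_page
        - results
        - next_offset
      properties:
        has_more:
          type: boolean
          description: Next page is available
        next_offset:
          type: string
          description: Token used to retrieve the next page
        results:
          type: integer
          minimum: 0
          description: Number of values found in the results
        max_per_page:
          type: integer
          minimum: 0
          description: Maximal number of entries per page

    Error:
      type: object
      required:
        - message
      properties:
        message:
          description: short message explaining the error
          type: string

    ObjectError:
      type: object
      required:
        - status_code
        - message
      properties:
        status_code:
          type: integer
          description: HTTP status code associated for operation on path
        message:
          type: string
          description: short message explaining status_code
        path:
          type: string
          description: affected path

    ObjectErrorList:
      type: object
      required:
        - errors
      properties:
        errors:
          type: array
          items:
            $ref: "#/components/schemas/ObjectError"

    User:
      type: object
      required:
        - id
        - creation_date
      properties:
        id:
          type: string
          description: a unique identifier for the user. In password-based authentication, this is the email.
        creation_date:
          type: integer
          format: int64
          description: Unix Epoch in seconds
        friendly_name:
          type: string
        email:
          type: string

    CurrentUser:
      type: object
      required:
        - user
      properties:
        user:
          $ref: "#/components/schemas/User"

    UserCreation:
      type: object
      properties:
        id:
          type: string
          description: a unique identifier for the user. In password-based authentication, this is the email.
        invite_user:
          type: boolean
      required:
        - id

    AccessKeyCredentials:
      type: object
      properties:
        # Example values as seen on
        # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
        access_key_id:
          description: access key ID to set for user for use in integration testing.
          example: AKIAIOSFODNN7EXAMPLE
          type: string
          minLength: 1
        secret_access_key:
          description: secret access key to set for user for use in integration testing.
          example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
          type: string
          # `password` is the OAS 3.0 hint for UIs/tools to mask this value.
          format: password
          minLength: 1
      required:
        - access_key_id
        - secret_access_key

    AuthenticationToken:
      type: object
      required:
        - token
      properties:
        token:
          description: a JWT token that could be used to authenticate requests
          type: string
        token_expiration:
          type: integer
          format: int64
          description: Unix Epoch in seconds

    StatsEvent:
      type: object
      properties:
        class:
          description: stats event class (e.g. "s3_gateway", "openapi_request", "experimental-feature", "ui-event")
          type: string
        name:
          description: stats event name (e.g. "put_object", "create_repository", "<experimental-feature-name>")
          type: string
        count:
          description: number of events of the class and name
          type: integer
      required:
        - class
        - name
        - count

    StatsEventsList:
      type: object
      required:
        - events
      properties:
        events:
          type: array
          items:
            $ref: "#/components/schemas/StatsEvent"

    LdapAuthRequest:
      type: object
      required:
        - username
        - password
      properties:
        username:
          type: string
        password:
          type: string
          # `password` is the OAS 3.0 hint for UIs/tools to mask this value.
          format: password

    LdapAuthResponse:
      type: object
      required:
        - external_user_identifier
      properties:
        external_user_identifier:
          type: string
          description: external_user_identifier is the user DN in LDAP set if user exists with that username and has this password.

    # Intentionally unconstrained body; no properties are declared here.
    IdentityRequest:
      type: object

    StsAuthRequest:
      type: object
      required:
        - code
        - state
        - redirect_uri
      properties:
        code:
          type: string
        state:
          type: string
        redirect_uri:
          type: string

    # NOTE(review): snake_case name, unlike the PascalCase schemas around it;
    # left unchanged because generated client code depends on it.
    oidc_token_data:
      type: object
      required:
        - claims
      properties:
        claims:
          type: object
          additionalProperties:
            type: string
          description: the claims of the token returned from the provider

    ExternalPrincipal:
      type: object
      required:
        - id
      properties:
        id:
          type: string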
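# Operations. Response-status keys are quoted: OpenAPI 3.0 defines them as
# strings, and an unquoted `200:` is parsed as an integer by YAML loaders.
paths:
  /ldap/login:
    post:
      tags:
        - auth
      operationId: LDAPLogin
      summary: perform a login with LDAP
      # Public endpoint: credentials travel in the request body, not a scheme.
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/LdapAuthRequest"
      responses:
        "200":
          description: successful LDAP login
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/LdapAuthResponse"
        "401":
          $ref: "#/components/responses/Unauthorized"
        default:
          $ref: "#/components/responses/ServerError"

  /auth/external/principal/login:
    post:
      tags:
        - auth
        - external
      operationId: externalPrincipalLogin
      summary: perform a login using an external authenticator
      security: []
      # NOTE(review): unlike the other login operations this body is not
      # marked `required: true` — confirm whether an empty body is valid.
      requestBody:
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/IdentityRequest"
      responses:
        "200":
          description: successful external login
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ExternalPrincipal"
        "400":
          $ref: "#/components/responses/BadRequest"
        "401":
          $ref: "#/components/responses/Unauthorized"
        "403":
          $ref: "#/components/responses/Forbidden"
        "404":
          $ref: "#/components/responses/NotFound"
        # NOTE(review): 420 is not a registered HTTP status; 429 is the standard
        # "Too Many Requests". Kept as-is — confirm against the server implementation.
        "420":
          description: too many requests
        default:
          $ref: "#/components/responses/ServerError"

  /sts/login:
    post:
      tags:
        - auth
      operationId: STSLogin
      summary: perform a login with STS
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/StsAuthRequest"
      responses:
        "200":
          description: successful STS login
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/oidc_token_data"
        "401":
          $ref: "#/components/responses/Unauthorized"
        default:
          $ref: "#/components/responses/ServerError"

  /oidc/callback:
    get:
      tags:
        - auth
      operationId: oauthCallback
      security: []
      # NOTE(review): no query parameters are declared for this callback —
      # confirm whether the authorization-code parameters should be documented here.
      responses:
        "302":
          description: successfully got token
        "401":
          description: failed to exchange authorization code for token
        default:
          $ref: "#/components/responses/ServerError"

  /healthcheck:
    get:
      operationId: healthCheck
      security: []
      tags:
        - healthCheck
      description: check that the API server is up and running
      responses:
        "204":
          description: NoContent
        default:
          $ref: "#/components/responses/ServerError"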