Cray System Management Documentation > Cray System Management (CSM) Administration Guide > security and authentication > API Authorization

API Authorization

Authorization for REST API calls is only done at the API gateway. This is facilitated through policy checks to the Open Policy Agent (OPA). Every REST API call into the system is sent to the OPA to make an authorization decision. The decision is based on the authenticated JSON Web Token (JWT) passed into the request.

This page lists the available personas and the supported REST API endpoints for each.

`admin`

Authorized for every possible REST API endpoint.

`user`

NOTE: UAS and User Access Instances are deprecated in CSM 1.5.2 and will be removed in CSM 1.6.

Authorized for a subset of endpoints to allow users to create and use User Access Instances (UAIs), run jobs, view job results, and use capsules.

`user` UAS endpoints

REST API endpoints for the user persona for the User Access Service (UAS):

Method	Endpoint	Description
`GET`	`/apis/uas-mgr/v1/`	Get UAS API version
`GET`	`/apis/uas-mgr/v1/uas`	List UAIs for current user
`POST`	`/apis/uas-mgr/v1/uas`	Create a UAI for current user
`DELETE`	`/apis/uas-mgr/v1/uas`	Delete UAIs for current user
`GET`	`/apis/uas-mgr/v1/images`	List available UAI images
`GET`	`/apis/uas-mgr/v1/mgr-info`	Get UAS service version

`user` PALS endpoints

The user persona is authorized to make DELETE, GET, HEAD, PATCH, POST or PUT calls to any Parallel Application Launch Service (PALS) endpoint (/apis/pals/v1/*).

`user` Replicant endpoints

REST API endpoints for the user persona for Replicant:

Method	Endpoint	Description
`GET`	`/apis/rm/v1/report/<id>`	Get report by ID
`GET`	`/apis/rm/v1/reports`	Get reports

`user` Analytics Capsules endpoints

The user persona is authorized to make DELETE, GET, HEAD, PATCH, POST or PUT calls to any Analytics Capsules endpoint (/apis/capsules/*).

`system-pxe`

Authorized for endpoints related to booting.

The system-pxe persona is authorized to make GET, HEAD, or POST calls to any Boot Script Service (BSS) endpoint (/apis/bss/*).

`system-compute`

Authorized for endpoints required by the Cray Operating System (COS) to manage compute nodes and NCN services.

The system-compute persona is authorized to make:

GET, HEAD, or PATCH calls to any Configuration Framework Service (CFS) endpoint (/apis/cfs/*).
GET, HEAD, or POST calls to any Content Projection Service (CPS) endpoint (/apis/v2/cps/*).
GET, HEAD, or POST calls to any Heartbeat Tracker Daemon (HBTD) endpoint (/apis/hbtd/*).
GET, HEAD, POST, or PUT calls to any Node Memory Dump (NMD) endpoint (/apis/v2/nmd/*).
GET or HEAD calls to any Hardware State Manager (HSM) endpoint (/apis/smd/*).
DELETE, GET, HEAD, PATCH, or POST calls to any Hardware Management Notification Fanout Daemon (HMNFD) endpoint (apis/hmnfd/*).

`wlm`

Authorized for endpoints related to the use of the Slurm or PBS workload managers.

The wlm persona is authorized to make:

DELETE, GET, HEAD, or POST calls to any PALS endpoint (/apis/pals/*).
GET, HEAD, or POST calls to any Cray Advanced Platform Monitoring and Control (CAPMC) endpoint (/apis/capmc/*).
DELETE, GET, HEAD, PATCH, or POST calls to any Boot Orchestration Service (BOS) endpoint (/apis/bos/*).
GET or HEAD calls to any System Layout Service (SLS) endpoint (/apis/sls/*).
GET or HEAD calls to any HSM endpoint (/apis/smd/*).
DELETE, GET, HEAD, PATCH, POST or PUT calls to any Virtual Network Identifier Daemon (VNID) endpoint (/apis/vnid/*).

API Authorization

admin

user

user UAS endpoints

user PALS endpoints

user Replicant endpoints

user Analytics Capsules endpoints

system-pxe

system-compute

wlm