API Authorization

Authorization for REST API calls is done only at the API gateway, which queries the Open Policy Agent (OPA) for a policy decision. Every REST API call into the system is sent to the OPA to make an authorization decision. The decision is based on the authenticated JSON Web Token (JWT) passed with the request.

This page lists the available personas and the supported REST API endpoints for each.

admin

Authorized for every possible REST API endpoint.

user

NOTE: UAS and User Access Instances are deprecated in CSM 1.5.2 and will be removed in CSM 1.6.

Authorized for a subset of endpoints to allow users to create and use User Access Instances (UAIs), run jobs, view job results, and use capsules.

user UAS endpoints

REST API endpoints for the user persona for the User Access Service (UAS):

Method  Endpoint                   Description
GET     /apis/uas-mgr/v1/          Get UAS API version
GET     /apis/uas-mgr/v1/uas       List UAIs for current user
POST    /apis/uas-mgr/v1/uas       Create a UAI for current user
DELETE  /apis/uas-mgr/v1/uas       Delete UAIs for current user
GET     /apis/uas-mgr/v1/images    List available UAI images
GET     /apis/uas-mgr/v1/mgr-info  Get UAS service version

user PALS endpoints

The user persona is authorized to make DELETE, GET, HEAD, PATCH, POST or PUT calls to any Parallel Application Launch Service (PALS) endpoint (/apis/pals/v1/*).

user Replicant endpoints

REST API endpoints for the user persona for Replicant:

Method  Endpoint                 Description
GET     /apis/rm/v1/report/<id>  Get report by ID
GET     /apis/rm/v1/reports      Get reports

user Analytics Capsules endpoints

The user persona is authorized to make DELETE, GET, HEAD, PATCH, POST or PUT calls to any Analytics Capsules endpoint (/apis/capsules/*).

system-pxe

Authorized for endpoints related to booting.

The system-pxe persona is authorized to make GET, HEAD, or POST calls to any Boot Script Service (BSS) endpoint (/apis/bss/*).
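The following is an added example, not code from the CSM project or its OPA policy: it models the per-persona decision table given above for the user and system-pxe personas as a default-deny check, so the behaviour can be exercised without a running gateway. It assumes the persona names have already been extracted from a verified JWT, that <id> is a single path segment, and that any query string is ignored when matching the endpoint.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Methods the page lists for "any endpoint" grants (PALS, Analytics Capsules).
ANY_METHOD: FrozenSet[str] = frozenset({"DELETE", "GET", "HEAD", "PATCH", "POST", "PUT"})

# Each rule is (allowed methods, regex that must match the whole request path).
Rule = Tuple[FrozenSet[str], str]

PERSONA_RULES: Dict[str, List[Rule]] = {
    "user": [
        (frozenset({"GET"}), r"/apis/uas-mgr/v1/"),
        (frozenset({"GET", "POST", "DELETE"}), r"/apis/uas-mgr/v1/uas"),
        (frozenset({"GET"}), r"/apis/uas-mgr/v1/images"),
        (frozenset({"GET"}), r"/apis/uas-mgr/v1/mgr-info"),
        (ANY_METHOD, r"/apis/pals/v1/.*"),
        # Assumption: <id> is exactly one path segment.
        (frozenset({"GET"}), r"/apis/rm/v1/report/[^/]+"),
        (frozenset({"GET"}), r"/apis/rm/v1/reports"),
        (ANY_METHOD, r"/apis/capsules/.*"),
    ],
    "system-pxe": [
        (frozenset({"GET", "HEAD", "POST"}), r"/apis/bss/.*"),
    ],
}


def is_authorized(personas: Iterable[str], method: str, path: str) -> bool:
    """Return True only if some persona grants this method on this path.

    Default is deny: unknown personas, unlisted methods and unlisted paths all fail.
    """
    # Assumption: the endpoint match is on the path component only.
    path = path.split("?", 1)[0]
    personas = list(personas)
    if "admin" in personas:          # admin is authorized for every endpoint
        return True
    for persona in personas:
        for methods, pattern in PERSONA_RULES.get(persona, []):
            if method in methods and re.fullmatch(pattern, path):
                return True
    return False
```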

system-compute

Authorized for endpoints required by the Cray Operating System (COS) to manage compute nodes and NCN services.

The system-compute persona is authorized to make:

wlm

Authorized for endpoints related to the use of the Slurm or PBS workload managers.

The wlm persona is authorized to make: