Authorization

The Authorization API exposes the KubeDB Platform’s custom role management and permission inspection, backed by the platform’s relationship-based authorization model (OpenFGA-style checks). It lets you list the permissions the caller holds on a given object, discover the permissions that can be assigned within an organization, and create/manage custom roles that bundle permissions and assign them to teams.

All endpoints live under the /api/v1/authz prefix and require organization context. That context is not taken from the path — it is supplied as a ?org=<org-slug> query parameter (for example ?org=appscode). A valid token and membership of that organization are required.

Custom role management backed by the relationship-based authorization model.

MethodPathAuthDescription
GET/api/v1/authz/objects/:objectType/:objID/allowed-permissionsToken + orgAllowed permissions on an object
POST/api/v1/authz/objects/allowed-permissionsToken + orgBatch allowed-permissions query
GET/api/v1/authz/roles/available_permissionsToken + orgList available permissions
GET/POST/api/v1/authz/rolesToken + org (+create_role:org)List / create roles
GET/PUT/DELETE/api/v1/authz/roles/:idauthzCheck(view/edit/delete:role)Manage a role
GET/api/v1/authz/roles/:id/principalsauthzCheck(viewer:role)List principals assigned to a role

Pages

  • Roles & Permissions — object allowed-permissions lookups (single and batch), the available-permissions catalog, role CRUD, and role principal listings.