Capabilities responds considering policies on entities and groups (#3522 )

* Capabilities endpoint will now return considering policies on entities and groups

* refactor the policy derivation into a separate function

* Docs: Update docs to reflect the change in capabilities endpoint

2017-11-03 11:20:10 -04:00

1.5 KiB

Raw Blame History

layout	page_title	sidebar_current	description
api	/sys/capabilities-accessor - HTTP API	docs-http-system-capabilities-accessor	The `/sys/capabilities-accessor` endpoint is used to fetch the capabilities of the token associated with an accessor, on the given path.

`/sys/capabilities-accessor`

The /sys/capabilities-accessor endpoint is used to fetch the capabilities of a token associated with an accessor. The capabilities returned will be derived from the policies that are on the token, and from the policies to which token is entitled to through the entity and entity's group memberships.

Query Token Accessor Capabilities

This endpoint returns the capabilities of the token associated with an accessor, for the given path.

Method	Path	Produces
`POST`	`/sys/capabilities-accessor`	`200 application/json`

Parameters

accessor (string: <required>) – Specifies the accessor of the token to check.
path (string: <required>) – Specifies the path on which the token's capabilities will be checked.

Sample Payload

{
  "accessor": "abcd1234",
  "path": "secret/foo"
}

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://vault.rocks/v1/sys/capabilities-accessor

Sample Response

{
  "capabilities": ["read", "list"]
}

1.5 KiB Raw Blame History Unescape Escape

/sys/capabilities-accessor