Capabilities responds considering policies on entities and groups (#3522 )

* Capabilities endpoint will now return considering policies on entities and groups

* refactor the policy derivation into a separate function

* Docs: Update docs to reflect the change in capabilities endpoint

2017-11-03 11:20:10 -04:00

1.3 KiB

Raw Blame History

layout	page_title	sidebar_current	description
api	/sys/capabilities-self - HTTP API	docs-http-system-capabilities-self	The `/sys/capabilities-self` endpoint is used to fetch the capabilities of client token on a given path.

`/sys/capabilities-self`

The /sys/capabilities-self endpoint is used to fetch the capabilities of a the supplied token. The capabilities returned will be derived from the policies that are on the token, and from the policies to which token is entitled to through the entity and entity's group memberships.

Query Self Capabilities

This endpoint returns the capabilities of client token on the given path. The client token is the Vault token with which this API call is made.

Method	Path	Produces
`POST`	`/sys/capabilities-self`	`200 application/json`

Parameters

path (string: <required>) – Specifies the path on which the client token's capabilities will be checked.

Sample Payload

{
  "path": "secret/foo"
}

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://vault.rocks/v1/sys/capabilities-self

Sample Response

{
  "capabilities": ["read", "list"]
}

1.3 KiB Raw Blame History Unescape Escape

/sys/capabilities-self