Granting Permissions to Users or Groups
Use the POST /v1/cckm/google/key-rings/{id}/update-acls API to grant users or groups permission to perform specified operations on the Google Cloud key ring with the given ID on the CipherTrust Manager.
User ID and group are mutually exclusive – specify either. For first-time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, to permit a new action or revoke an existing one, the CCKM administrator needs to set that particular action to true or false.
For example, a user or group is permitted the actions keycreate and keyupdate. To permit one more action, keydestroy, to the user or group, set "permit": true and "actions": "keydestroy", and run the API. Similarly, to deny permission to the action keycreate, set "permit": false and "actions": "keycreate", and run the API.
Refer to Actions for actions supported by different APIs.
Syntax
curl -k 'https://<IP>/api/v1/cckm/google/key-rings/{id}/update-acls' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  --data-binary '{
  "acls": [
    {
      "group": "<group>",
      "actions": [
        "<action1>", "<action2>"
      ],
      "permit": <true|false>
    }
  ]
}' \
  --compressed
Here, {id} represents the resource ID of the Google key ring on the CipherTrust Manager.
Request Parameters
| Parameter | Type | Description | 
|---|---|---|
| AUTHTOKEN | string | Authorization token. | 
| acls | array of JSON objects | Permissions to be granted to users and groups. Refer to ACLs for details. | 
ACLs
| Parameter | Type | Description | 
|---|---|---|
| actions | array of strings | List of actions. Refer to Actions for the supported actions and details. | 
| group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive – specify either. | 
| permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. | 
| user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. | 
Actions
The following table lists the accepted values:
| APIs | Actions Required | Description | 
|---|---|---|
| Create | keycreate | Permission to create a Google Cloud Key. | 
| Synchronize | keysynchronize | Permission to synchronize Google Cloud keys. | 
| Cancel | keysynchronize | Permission to cancel the synchronization job. | 
| Update | keyupdate | Permission to update the key attributes, tags, and key operations. | 
| Enable key | keyupdate | Permission to enable the Google Cloud key. | 
| Disable key | keyupdate | Permission to disable the Google Cloud key. | 
| Schedule Destroy | keydestroy | Permission to schedule the destruction of a Google Cloud key. | 
| Cancel destroy | keycanceldestroy | Permission to cancel the scheduled destruction of a Google Cloud key. | 
| Upload | keyupload | Permission to upload the key to the Google Cloud Key Ring. | 
| List | view | Permission to view Google Cloud key rings and their keys. | 
| Get (Google Cloud Keys) | view | Permission to get the details of a Google Cloud key with the given id. | 
| List Key Ring | view | Permission to view Google Cloud key rings and their keys. | 
| Get (Google Cloud Key Rings) | view | Permission to get the details of a Google Cloud key ring with the given id. | 
| Create Report | reportcreate | Permission to create a report. | 
| Delete Report | reportdelete | Permission to delete a report. | 
| Download Report | reportdownload | Permission to download a report. | 
| View Report | reportview | Permission to view the content of a report. | 
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/google/key-rings/0545492c-ebcc-4c0e-a456-b335b6fbdd3d/update-acls' \
  -H 'Authorization: Bearer AUTHTOKEN' \
  -H 'Content-Type: application/json' \
  --data-binary '{
  "acls": [
    {
      "actions": [
        "view"
      ],
      "group": "CCKM Users",
      "permit": true
    }
  ]
}' \
  --compressed
Example Response
{
    "id": "0545492c-ebcc-4c0e-a456-b335b6fbdd3d",
    "uri": "kylo:kylo:cckm:gcp-key-ring:0545492c-ebcc-4c0e-a456-b335b6fbdd3d",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-05-05T06:19:44.602449Z",
    "updatedAt": "2021-05-05T06:23:24.676857218Z",
    "name": "projects/gemalto-kyloeng/locations/global/keyRings/demo-key-ring",
    "key_ring_id": "demo-key-ring",
    "location": "global",
    "project_id": "gemalto-kyloeng",
    "project_name": "projects/gemalto-kyloeng",
    "connection": "gcp-connection",
    "cloud_name": "gcp",
    "acls": [
        {
            "group": "CCKM Users",
            "actions": [
                "view"
            ]
        }
    ],
    "organization_name": "organizations/123456789012",
    "organization_display_name": "123456789012"                
}
The output shows the updated permissions for the Google Cloud key ring with ID 0545492c-ebcc-4c0e-a456-b335b6fbdd3d.
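The following Python sketch is an added example, not part of the original documentation or of the CipherTrust Manager product. It validates an ACL entry before it is sent (exactly one of user_id or group, boolean permit, action names from the Actions table) and compares the acls array of a response with the permissions an administrator intended. The merge rule in expected_actions is an assumption taken from the keycreate/keydestroy walkthrough above, the function names are hypothetical, and the user_id form of a response entry is assumed to mirror the group form shown in the Example Response.

```python
import json

# Action names taken from the Actions table on this page.
ALLOWED_ACTIONS = {
    "keycreate", "keysynchronize", "keyupdate", "keydestroy",
    "keycanceldestroy", "keyupload", "view",
    "reportcreate", "reportdelete", "reportdownload", "reportview",
}

def build_acl(actions, permit, user_id=None, group=None):
    """Return one entry for the "acls" array, rejecting malformed input."""
    if (user_id is None) == (group is None):
        raise ValueError("specify exactly one of user_id or group")
    if not isinstance(permit, bool):
        raise ValueError("permit must be a boolean")
    unknown = set(actions) - ALLOWED_ACTIONS
    if not actions or unknown:
        raise ValueError(f"empty or unsupported actions: {sorted(unknown)}")
    entry = {"actions": sorted(set(actions)), "permit": permit}
    entry["user_id" if user_id is not None else "group"] = user_id if user_id is not None else group
    return entry

def expected_actions(current, acl):
    """Assumed merge rule from the text: permit=true adds, permit=false revokes."""
    current = set(current)
    return current | set(acl["actions"]) if acl["permit"] else current - set(acl["actions"])

def granted_in_response(response, user_id=None, group=None):
    """Actions the response's "acls" array lists for the given principal."""
    key, value = ("user_id", user_id) if user_id is not None else ("group", group)
    granted = set()
    for entry in response.get("acls", []):
        if entry.get(key) == value:
            granted |= set(entry.get("actions", []))
    return granted

# Constructed sample: the two follow-up calls described in the text.
STEP1 = build_acl(["keydestroy"], True, group="CCKM Users")
STEP2 = build_acl(["keycreate"], False, group="CCKM Users")
WANT = expected_actions(expected_actions({"keycreate", "keyupdate"}, STEP1), STEP2)

# Constructed response fragment in the shape of the Example Response.
SAMPLE_RESPONSE = {"acls": [{"group": "CCKM Users", "actions": ["keyupdate", "keydestroy"]}]}

if __name__ == "__main__":
    print(json.dumps({"acls": [STEP1]}, indent=2))
    print("drift:", granted_in_response(SAMPLE_RESPONSE, group="CCKM Users") ^ WANT)
```

A non-empty drift set means the key ring grants something other than what was intended and the ACL should be reviewed before the change is considered complete.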
Response Codes
| Response Code | Description | 
|---|---|
| 2xx | Success | 
| 4xx | Client errors | 
| 5xx | Server errors | 
Refer to HTTP status codes for details.