Accesses API
The Accesses API manages Fine-Grained Authorization for resources. It uses a Relationship-Based Access Control (ReBAC) model to define permission relationships between users/groups and resources.
Core Concepts
D.Hub's access control consists of three elements:
| Element | Format | Description | Example |
|---|---|---|---|
| User | {type}:{id} or {type}:{id}#member | Permission subject | user:alice, group:data-team#member |
| Relation | string | Permission relationship | owner, editor, viewer |
| Object | {type}:{id} | Target resource | dataset:sales-2024, pipeline:etl-daily |
- owner: Resource owner. Includes all permissions.
- editor: Resource modification permission. Includes read permission.
- viewer: Read-only permission for the resource.
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /accesses/ | Retrieve access permissions |
| POST | /accesses/ | Add access permissions |
| DELETE | /accesses/ | Remove access permissions |
GET /accesses/
Retrieves access permission relationships matching specific conditions. Filter conditions are passed as query parameters.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| user | string | No | User filter (e.g., user:alice) |
| relation | string | No | Relation filter (e.g., editor) |
| object | string | No | Target resource filter (e.g., dataset:sales-2024) |
At least one filter must be specified. If all filters are left empty, no results will be returned.
Response
200 OK
[
  {
    "user": "user:alice",
    "relation": "owner",
    "object": "dataset:sales-2024"
  },
  {
    "user": "group:data-team#member",
    "relation": "editor",
    "object": "dataset:sales-2024"
  }
]
POST /accesses/
Adds one or more access permission relationships. Changes are applied simultaneously to both the authorization engine and graph store.
Request Body
[
  {
    "user": "user:alice",
    "relation": "owner",
    "object": "dataset:sales-2024"
  },
  {
    "user": "group:data-team#member",
    "relation": "editor",
    "object": "pipeline:etl-daily"
  }
]
| Field | Type | Required | Description |
|---|---|---|---|
| user | string | Yes | Permission subject ({type}:{id} format) |
| relation | string | Yes | Relation type (owner, editor, viewer) |
| object | string | Yes | Target resource ({type}:{id} format) |
Response
200 OK
{
  "message": "Relation created successfully"
}
DELETE /accesses/
Removes access permission relationships. All relationships matching the conditions are deleted from both the authorization engine and graph store.
Request Body
{
  "user": "user:alice",
  "relation": "editor",
  "object": "dataset:sales-2024"
}
Response
200 OK
{
  "message": "Relation deleted successfully"
}
Usage Examples
# Retrieve all access permissions for a specific resource
curl "https://api.dhub.io/api/v1/accesses/?object=dataset:sales-2024" \
  -H "Authorization: Bearer <access_token>"

# Grant permissions to a user
curl -X POST https://api.dhub.io/api/v1/accesses/ \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '[
    {
      "user": "user:bob",
      "relation": "viewer",
      "object": "dataset:sales-2024"
    }
  ]'

# Remove permissions
curl -X DELETE https://api.dhub.io/api/v1/accesses/ \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "user": "user:bob",
    "relation": "viewer",
    "object": "dataset:sales-2024"
  }'
To grant permissions at the group level, use the group:{group_name}#member format in the user field. Permissions will be applied to all members of that group.
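For reviewing who can actually reach a resource, the relation hierarchy from Core Concepts and the group-level grants described above can be modelled locally. The following is an added example, not D.Hub code: it checks tuples against the documented formats and computes the relations a subject effectively holds from a GET /accesses/ style response. The function names, the permitted character set, and the caller-supplied group membership are assumptions.

```python
import re

# {type}:{id} per the Core Concepts table. The permitted characters are an
# assumption; the page shows only examples such as dataset:sales-2024.
_ID = r"[a-z][a-z0-9_-]*:[A-Za-z0-9._-]+"
USER_RE = re.compile(rf"{_ID}(#member)?")
OBJECT_RE = re.compile(_ID)

# Relations each relation implies: owner includes everything, editor includes read.
IMPLIES = {
    "owner": {"owner", "editor", "viewer"},
    "editor": {"editor", "viewer"},
    "viewer": {"viewer"},
}


def validate_tuple(t):
    """Return the problems found in one access tuple (empty list = well-formed)."""
    problems = []
    for field, pattern in (("user", USER_RE), ("object", OBJECT_RE)):
        value = t.get(field)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            problems.append(f"{field}: not in the documented format: {value!r}")
    relation = t.get("relation")
    if not isinstance(relation, str) or relation not in IMPLIES:
        problems.append(f"relation: unknown value {relation!r}")
    return problems


def effective_relations(tuples, subject, groups, obj):
    """Relations `subject` holds on `obj`, directly or through group grants.

    `groups` is the set of group names the subject belongs to. The page does
    not say how membership is stored, so the caller supplies it (assumption).
    """
    subjects = {subject} | {f"group:{g}#member" for g in groups}
    held = set()
    for t in tuples:
        if not validate_tuple(t) and t["object"] == obj and t["user"] in subjects:
            held |= IMPLIES[t["relation"]]
    return held


# Constructed sample shaped like a GET /accesses/?object=... response.
SAMPLE = [
    {"user": "user:alice", "relation": "owner", "object": "dataset:sales-2024"},
    {"user": "group:data-team#member", "relation": "editor", "object": "dataset:sales-2024"},
    {"user": "user:bob", "relation": "viewer", "object": "dataset:sales-2024"},
]
```

Running `effective_relations` over the GET response for a resource shows where a group grant raises a user above the relation assigned to them directly, as it does for user:bob in the sample when he belongs to data-team.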