Authorization for REST API calls is only done at the API gateway. This is facilitated through policy checks to the Open Policy Agent (OPA). Every REST API call into the system is sent to the OPA to make an authorization decision. The decision is based on the authenticated JSON Web Token (JWT) passed into the request.
This page lists the available personas and the supported REST API endpoints for each.
Authorized for every possible REST API endpoint.
Authorized for endpoints related to booting.
The system-pxe persona is authorized to make GET, HEAD, or POST calls to any Boot Script Service (BSS) endpoint (/apis/bss/*).
Authorized for endpoints required by the Cray Operating System (COS) to manage compute nodes and NCN services.
The system-compute persona is authorized to make:
GET,HEAD, orPATCHcalls to any Configuration Framework Service (CFS) endpoint (/apis/cfs/*).GET,HEAD, orPOSTcalls to any Content Projection Service (CPS) endpoint (/apis/v2/cps/*).GET,HEAD, orPOSTcalls to any Heartbeat Tracker Daemon (HBTD) endpoint (/apis/hbtd/*).GET,HEAD,POST, orPUTcalls to any Node Memory Dump (NMD) endpoint (/apis/v2/nmd/*).GETorHEADcalls to any Hardware State Manager (HSM) endpoint (/apis/smd/*).DELETE,GET,HEAD,PATCH, orPOSTcalls to any Hardware Management Notification Fanout Daemon (HMNFD) endpoint (apis/hmnfd/*).
Authorized for endpoints related to the use of the Slurm or PBS workload managers.
The wlm persona is authorized to make:
DELETE,GET,HEAD, orPOSTcalls to any PALS endpoint (/apis/pals/*).GET,HEAD, orPOSTcalls to any Cray Advanced Platform Monitoring and Control (CAPMC) endpoint (/apis/capmc/*).DELETE,GET,HEAD,PATCH, orPOSTcalls to any Boot Orchestration Service (BOS) endpoint (/apis/bos/*).GETorHEADcalls to any System Layout Service (SLS) endpoint (/apis/sls/*).GETorHEADcalls to any HSM endpoint (/apis/smd/*).DELETE,GET,HEAD,PATCH,POSTorPUTcalls to any Virtual Network Identifier Daemon (VNID) endpoint (/apis/vnid/*).