RBAC - Group Management API

Use the ChaosSearch API to manage groups for your organization.

The ChaosSearch API /user/groups endpoint supports operations for creating, updating, and deleting groups for RBAC access management.

Create Groups Example—Search Analytics Access

This example shows how to create an RBAC group that allows users access only to the Search Analytics features in the ChaosSearch console. (These permissions derive from the OpenSearch Dashboards/Kibana application origins.)

The following sample code is a JSON body with all required group information to create new groups. Any groups you add with the endpoint must not already exist in the user context. This call is atomic; either all of the groups in the JSON document are created successfully, or none of the groups are created.

Endpoint: /user/groups
Method: POST
Authentication: Requires JWT for the primary user
Example JSON body: Create two new groups Foo and Bar that grant access to foo-view and bar-view.

[
  { 
     "id": "",
     "name": "Foo",
     "permissions": [
       {
         "Actions": "kibana:*",
         "Effect": "Allow",
         "Resources": "crn:view:::foo-view",
         "Version": "1.0"
       }
     ]
  },
  {
     "id": "",
     "name": "Bar",
     "permissions": [
       {
         "Actions": "kibana:*",
         "Resources": "crn:view:::bar-view",
         "Effect": "Allow",
         "Version": "1.0"
       }
     ]
  }
]

Example cURL request:

curl --request POST \
     --url https://mycompany.chaossearch.com/user/groups \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-amz-chaossumo-route-token: login' \
     --header 'x-amz-security-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJTZWNyZXRBY...OWqVhubHR3ySHJWQ5I' \
     --data '[{"id":"","name":"foo","permissions":[{"Actions":["kibana:*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]}]'

Example response:

[{"id":"3c160ac4-3af1-4ab7-bb91-143e5077fdee","name":"foo","permissions":[{"Actions":["kibana:*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]}]

Responses: 201

If the request succeeds, the response returns the information for the created group(s), as in the cURL example.
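Because the create call is atomic, one bad entry rejects the whole batch. The following pre-flight check is an added example, not ChaosSearch code: the names preflight_create, STATEMENT_KEYS, EXISTING and BODY are this example's own. It assumes that "already exists" is decided by exact group name and that each permission statement needs the four keys shown in the JSON body above.

```python
import json

# Keys every permission statement carries in this page's create examples
# (assumption: the API requires all four).
STATEMENT_KEYS = {"Actions", "Effect", "Resources", "Version"}

def preflight_create(body_text, existing_groups):
    """Return a list of problems; an empty list means the batch can be sent."""
    try:
        batch = json.loads(body_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(batch, list):
        return ["body must be a JSON array of groups"]
    taken = {g["name"] for g in existing_groups}
    problems, seen = [], set()
    for index, group in enumerate(batch):
        name = group.get("name")
        if not name:
            problems.append(f"group {index}: missing name")
            continue
        if name in taken:
            problems.append(f"{name}: already exists, would fail the whole batch")
        if name in seen:
            problems.append(f"{name}: listed twice in this batch")
        seen.add(name)
        for stmt in group.get("permissions", []):
            missing = STATEMENT_KEYS - set(stmt)
            if missing:
                problems.append(f"{name}: statement lacks {sorted(missing)}")
    return problems

# Constructed inputs: group names as returned by GET /user/groups on this
# page, and a two-group create body modeled on the Foo/Bar example.
EXISTING = [{"name": "default"}, {"name": "foo2"}, {"name": "foo"}]
BODY = """[
  {"id": "", "name": "Foo", "permissions": [{"Actions": "kibana:*",
    "Effect": "Allow", "Resources": "crn:view:::foo-view", "Version": "1.0"}]},
  {"id": "", "name": "foo", "permissions": [{"Actions": "kibana:*",
    "Effect": "Allow", "Resources": "crn:view:::bar-view"}]}
]"""

if __name__ == "__main__":
    for problem in preflight_create(BODY, EXISTING):
        print(problem)
```
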

Update Existing Groups

This example shows how to update an RBAC group. This call is atomic; either all of the groups in the JSON document are updated successfully, or none of the groups are updated. You must specify either the group name or the group ID to identify the group; if you want to change the group name, you must specify the ID and the new name.

Endpoint: /user/groups
Method: PUT
Authentication: Requires JWT for the primary user
Example JSON body: Updates the sample groups to grant access to the foo2 and bar2 views.

[
  { 
     "id": "",
     "name": "Foo",
     "permissions": [
       {
         "Actions": "kibana:*",
         "Effect": "Allow",
         "Resources": "crn:view:::foo2-view",
         "Version": "1.0"
       }
     ]
  },
  {
     "id": "",
     "name": "Bar",
     "permissions": [
       {
         "Actions": "kibana:*",
         "Resources": "crn:view:::bar2-view",
         "Effect": "Allow",
         "Version": "1.0"
       }
     ]
  }
]

Example cURL request:

curl --request PUT \
     --url https://mycompany.chaossearch.com/user/groups \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-amz-chaossumo-route-token: login' \
     --header 'x-amz-security-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJTZWNyZXRBY...OWqVhubHR3ySHJWQ5I' \
     --data '[{"id":"3c160ac4-3af1-4ab7-bb91-143e5077fdee","name":"foo-new","permissions":[{"Actions":["kibana:*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]}]'

Example response:

[{"id":"3c160ac4-3af1-4ab7-bb91-143e5077fdee","name":"foo-new","permissions":[{"Actions":["kibana:*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]}]

Responses: 201

If the request succeeds, the response returns the updated group(s) information, as in the cURL example.

Fetch All Groups

This example shows how to fetch all RBAC groups.

Endpoint: /user/groups
Method: GET
Authentication: Requires JWT for the primary user

[
  {
    "id": "group-id",
    "name": "Foo",
    "permissions": [
      {
        "Effect": "Allow",
        "Action": "kibana:*",
        "Resources": "crn:view:::foo-view"
      }
    ]
  }
]

Example cURL request:

curl --request GET \
     --url https://mycompany.chaossearch.com/user/groups \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-amz-chaossumo-route-token: login' \
     --header 'x-amz-security-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJTZWNyZXRBY...OWqVhubHR3ySHJWQ5I'

Example response:

[{"id":"default","name":"default","permissions":[{"Actions":["*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]},{"id":"f31aa928-89d2-4bab-bf25-5f2eee92834b","name":"foo2","permissions":[{"Actions":["kibana:*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]},{"id":"76f551e6-789a-4c21-bd07-d7fd0d1f503e","name":"foo","permissions":[{"Actions":["kibana:*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]}]

If the request succeeds, the response returns the information for all groups, as in the cURL example.
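The JSON bodies on this page scope a group to one view (crn:view:::foo-view), while the cURL samples and the response above grant "Resources":["*"]. The following audit of a GET /user/groups response for wildcard grants is an added example, not ChaosSearch code: the function names and the finding labels wildcard-action and wildcard-resource are this example's own, and the sample input is constructed.

```python
import json

def as_list(value):
    """Actions/Resources appear on this page both as a string and as a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_groups(groups):
    """Return (group name, finding) pairs for over-broad Allow statements."""
    findings = []
    for group in groups:
        for stmt in group.get("permissions", []):
            if stmt.get("Effect") != "Allow":
                continue
            # One sample on this page spells the key "Action"; accept both.
            actions = as_list(stmt.get("Actions", stmt.get("Action")))
            resources = as_list(stmt.get("Resources"))
            if "*" in actions:
                findings.append((group["name"], "wildcard-action"))
            if "*" in resources:
                findings.append((group["name"], "wildcard-resource"))
    return findings

# Constructed sample modeled on the GET /user/groups response above (ids are
# placeholders), plus one view-scoped group in the style of the Foo example.
SAMPLE_RESPONSE = """[
  {"id": "default", "name": "default", "permissions": [
    {"Actions": ["*"], "Effect": "Allow", "Resources": ["*"], "Version": "1.0"}]},
  {"id": "placeholder-id-1", "name": "foo2", "permissions": [
    {"Actions": ["kibana:*"], "Effect": "Allow", "Resources": ["*"], "Version": "1.0"}]},
  {"id": "placeholder-id-2", "name": "foo", "permissions": [
    {"Actions": ["kibana:*"], "Effect": "Allow", "Resources": ["*"], "Version": "1.0"}]},
  {"id": "placeholder-id-3", "name": "Foo", "permissions": [
    {"Effect": "Allow", "Action": "kibana:*", "Resources": "crn:view:::foo-view"}]}
]"""

if __name__ == "__main__":
    for name, finding in audit_groups(json.loads(SAMPLE_RESPONSE)):
        print(f"{name}: {finding}")
```
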

Delete Groups

This example shows how to delete one or more RBAC groups. The groups must already exist in the user context. This call is atomic; either all of the groups in the JSON document are deleted successfully, or none of the groups are deleted.

Endpoint: /user/groups
Method: DELETE
Authentication: Requires JWT for the primary user
Response: 200
Example JSON Body: Delete two existing groups for this user context.

[ "group-id1","group-id2" ]

Example cURL request:

curl --request DELETE \
     --url https://mycompany.chaossearch.com/user/groups \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-amz-chaossumo-route-token: login' \
     --header 'x-amz-security-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJTZWNyZXRBY...OWqVhubHR3ySHJWQ5I' \
     --data '["7dd106ab-2c3f-41ef-be60-d956498a6b21","b47c12d8-0fce-4242-9b90-86b975583dd9"]'

Example response:

["7dd106ab-2c3f-41ef-be60-d956498a6b21","b47c12d8-0fce-4242-9b90-86b975583dd9"]

If the request succeeds, the response returns the UIDs of the deleted group(s), as in the cURL example.

Fetch or Delete a Specific Group

You can use the /user/groups/{id} endpoint to fetch or delete a specific group identified by its ID. No JSON body is sent to this endpoint; the response is returned as a JSON document. If you require bulk group operations, see the /user/groups endpoint.

Fetch Group

Endpoint: /user/group/{id}
Method: GET
Authentication: Requires JWT for the primary user
Example: To fetch a group identified by the group ID
Response: 200

{"id":"76f551e6-789a-4c21-bd07-d7fd0d1f503e","name":"foo","permissions":[{"Actions":["kibana:*"],"Effect":"Allow","Resources":["*"],"Version":"1.0"}]}

Example cURL request:

curl --request GET \
     --url https://mycompany.chaossearch.com/user/group/e1e1e191-59ca-4991-94ed-d0a1f014334a \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-amz-chaossumo-route-token: login' \
     --header 'x-amz-security-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJTZWNyZXRBY...OWqVhubHR3ySHJWQ5I'

Example response:

{"id":"e1e1e191-59ca-4991-94ed-d0a1f014334a","name":"mybucketgrp","permissions":[{"Actions":["ui:*","ui:storage","ui:refinery","ui:analytics","ui:dashboard"],"Effect":"Allow","Resources":["*"],"Version":"1.0"},{"Actions":["s3:aws:ListBuckets"],"Condition":{"Conditions":[{"StartsWith":{"chaos:object_group/attributes.name":"mybucket-"}}]},"Effect":"Allow","Resources":[],"Version":"1.0"}]}

If the request succeeds, the response returns the group's information, as in the cURL example.

Delete Group

Endpoint: /user/group/{id}
Method: DELETE
Authentication: Requires JWT for the primary user
Response: 200
Example: Delete a group identified by group-id

[ "group-id" ]

Example cURL request:

curl --request DELETE \
     --url https://mycompany.chaossearch.com/user/group/f31aa928-89d2-4bab-bf25-5f2eee92834b \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'x-amz-chaossumo-route-token: login' \
     --header 'x-amz-security-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJTZWNyZXRBY...OWqVhubHR3ySHJWQ5I'

Example response:

["f31aa928-89d2-4bab-bf25-5f2eee92834b"]

If the request succeeds, the response returns the deleted group's UID, as in the cURL example.