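---
# Naftiko capability: consumes the lakeFS auth API (users, groups, policies,
# credentials, login) and re-exposes every operation twice: as a REST adapter
# on port 8080 and as an MCP tool server on port 9090.
#
# Security review notes:
# - All upstream calls share one bearer token read from LAKEFS_API_KEY (see
#   `authentication` under `consumes`). Neither `exposes` entry in this file
#   declares any caller authentication, so, unless the runtime or a fronting
#   proxy enforces it, anyone who can reach 8080/9090 can create users, mint
#   credentials and rewrite policies with that token's privileges.
#   NOTE(review): confirm where caller authn/authz is enforced; restrict the
#   listeners to a trusted network, scope the token to least privilege, and
#   drop operations the deployment does not need.
# - Request and response bodies are passed through whole (`$.`); login and
#   credential operations therefore carry secrets. Keep them out of logs and
#   traces.
naftiko: '1.0.0-alpha2'
info:
  label: lakeFS API — auth
  description: >-
    lakeFS API — auth. 37 operations. Lead operation: perform a login using an
    external authenticator. Self-contained Naftiko capability covering one
    Lakefs business surface.
  tags:
    - Lakefs
    - auth
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
  # The token is taken from the process environment; nothing secret is stored
  # in this file.
  - namespace: env
    keys:
      LAKEFS_API_KEY: LAKEFS_API_KEY
capability:
  consumes:
    - type: http
      namespace: lakefs-auth
      # NOTE(review): baseUri is empty, so no upstream host is pinned here.
      # Presumably it is supplied per deployment; it should be an https://
      # endpoint, because the bearer token is sent on every request.
      baseUri: ''
      description: lakeFS API — auth business capability. Self-contained, no shared references.
      # NOTE(review): several paths below contain {groupId}, {userId},
      # {policyId} or {accessKeyId}, and getexternalprincipal is described as
      # "by id", yet no operation declares a matching input parameter and no
      # exposed operation passes one in `with:`. Confirm how the runtime binds
      # these values and that they are validated/encoded before being placed
      # in the upstream path.
      resources:
        # Login operations: the request body carries credentials and the
        # response is expected to carry a session token.
        - name: auth-external-principal-login
          path: /auth/external/principal/login
          operations:
            - name: externalprincipallogin
              method: POST
              description: perform a login using an external authenticator
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-external-principals
          path: /auth/external/principals
          operations:
            - name: getexternalprincipal
              method: GET
              description: describe external principal by id
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-groups
          path: /auth/groups
          operations:
            - name: listgroups
              method: GET
              description: list groups
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: creategroup
              method: POST
              description: create group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-groups-groupId
          path: /auth/groups/{groupId}
          operations:
            - name: getgroup
              method: GET
              description: get group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deletegroup
              method: DELETE
              description: delete group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-groups-groupId-acl
          path: /auth/groups/{groupId}/acl
          operations:
            - name: setgroupacl
              method: POST
              description: set ACL of group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
            - name: getgroupacl
              method: GET
              description: get ACL of group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-groups-groupId-members
          path: /auth/groups/{groupId}/members
          operations:
            - name: listgroupmembers
              method: GET
              description: list group members
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-groups-groupId-members-userId
          path: /auth/groups/{groupId}/members/{userId}
          operations:
            - name: addgroupmembership
              method: PUT
              description: add group membership
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deletegroupmembership
              method: DELETE
              description: delete group membership
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-groups-groupId-policies
          path: /auth/groups/{groupId}/policies
          operations:
            - name: listgrouppolicies
              method: GET
              description: list group policies
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-groups-groupId-policies-policyId
          path: /auth/groups/{groupId}/policies/{policyId}
          operations:
            - name: attachpolicytogroup
              method: PUT
              description: attach policy to group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: detachpolicyfromgroup
              method: DELETE
              description: detach policy from group
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-login
          path: /auth/login
          operations:
            - name: login
              method: POST
              description: perform a login
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-policies
          path: /auth/policies
          operations:
            - name: listpolicies
              method: GET
              description: list policies
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: createpolicy
              method: POST
              description: create policy
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: auth-policies-policyId
          path: /auth/policies/{policyId}
          operations:
            - name: getpolicy
              method: GET
              description: get policy
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updatepolicy
              method: PUT
              description: update policy
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
            - name: deletepolicy
              method: DELETE
              description: delete policy
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-users
          path: /auth/users
          operations:
            - name: listusers
              method: GET
              description: list users
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: createuser
              method: POST
              description: create user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-users-userId
          path: /auth/users/{userId}
          operations:
            - name: getuser
              method: GET
              description: get user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: deleteuser
              method: DELETE
              description: delete user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-users-userId-credentials
          path: /auth/users/{userId}/credentials
          operations:
            - name: listusercredentials
              method: GET
              description: list user credentials
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # NOTE(review): the upstream response to a credential-creation
            # call is expected to include the new secret key, and `$.` returns
            # it unfiltered to whichever adapter caller asked for it.
            - name: createcredentials
              method: POST
              description: create credentials
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-users-userId-credentials-accessKeyId
          path: /auth/users/{userId}/credentials/{accessKeyId}
          operations:
            - name: deletecredentials
              method: DELETE
              description: delete credentials
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: getcredentials
              method: GET
              description: get credentials
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-users-userId-external-principals
          path: /auth/users/{userId}/external/principals
          operations:
            - name: createuserexternalprincipal
              method: POST
              description: attach external principal to user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
            - name: deleteuserexternalprincipal
              method: DELETE
              description: delete external principal from user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-users-userId-external-principals-ls
          path: /auth/users/{userId}/external/principals/ls
          operations:
            - name: listuserexternalprincipals
              method: GET
              description: list user external policies attached to a user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-users-userId-groups
          path: /auth/users/{userId}/groups
          operations:
            - name: listusergroups
              method: GET
              description: list user groups
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-users-userId-policies
          path: /auth/users/{userId}/policies
          operations:
            - name: listuserpolicies
              method: GET
              description: list user policies
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: effective
                  in: query
                  type: boolean
                  description: will return all distinct policies attached to the user or any of its groups
        - name: auth-users-userId-policies-policyId
          path: /auth/users/{userId}/policies/{policyId}
          operations:
            - name: attachpolicytouser
              method: PUT
              description: attach policy to user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: detachpolicyfromuser
              method: DELETE
              description: detach policy from user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: oidc-callback
          path: /oidc/callback
          operations:
            - name: oauthcallback
              method: GET
              description: ''
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: user
          path: /user
          operations:
            - name: getcurrentuser
              method: GET
              description: get current user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
      # One shared credential for every operation above, including the login
      # and OIDC callback routes. NOTE(review): confirm LAKEFS_API_KEY holds a
      # value lakeFS accepts as a bearer token, and that it belongs to a
      # dedicated, least-privilege identity rather than an admin user.
      authentication:
        type: bearer
        token: '{{env.LAKEFS_API_KEY}}'
  exposes:
    # REST adapter. No caller authentication is declared on this entry; every
    # route is served with the upstream bearer token above.
    # NOTE(review): path placeholders here are lowercase ({groupid}) while the
    # consumed paths use camelCase ({groupId}), and no `with:` entry forwards
    # them; confirm they reach the upstream request.
    - type: rest
      namespace: lakefs-auth-rest
      port: 8080
      description: >-
        REST adapter for lakeFS API — auth. One Spectral-compliant resource per
        consumed operation, prefixed with /v1.
      resources:
        - path: /v1/auth/external/principal/login
          name: auth-external-principal-login
          description: REST surface for auth-external-principal-login.
          operations:
            - method: POST
              name: externalprincipallogin
              description: perform a login using an external authenticator
              call: lakefs-auth.externalprincipallogin
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/external/principals
          name: auth-external-principals
          description: REST surface for auth-external-principals.
          operations:
            - method: GET
              name: getexternalprincipal
              description: describe external principal by id
              call: lakefs-auth.getexternalprincipal
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/groups
          name: auth-groups
          description: REST surface for auth-groups.
          operations:
            - method: GET
              name: listgroups
              description: list groups
              call: lakefs-auth.listgroups
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: creategroup
              description: create group
              call: lakefs-auth.creategroup
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/groups/{groupid}
          name: auth-groups-groupid
          description: REST surface for auth-groups-groupId.
          operations:
            - method: GET
              name: getgroup
              description: get group
              call: lakefs-auth.getgroup
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deletegroup
              description: delete group
              call: lakefs-auth.deletegroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/groups/{groupid}/acl
          name: auth-groups-groupid-acl
          description: REST surface for auth-groups-groupId-acl.
          operations:
            - method: POST
              name: setgroupacl
              description: set ACL of group
              call: lakefs-auth.setgroupacl
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
            - method: GET
              name: getgroupacl
              description: get ACL of group
              call: lakefs-auth.getgroupacl
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/groups/{groupid}/members
          name: auth-groups-groupid-members
          description: REST surface for auth-groups-groupId-members.
          operations:
            - method: GET
              name: listgroupmembers
              description: list group members
              call: lakefs-auth.listgroupmembers
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/groups/{groupid}/members/{userid}
          name: auth-groups-groupid-members-userid
          description: REST surface for auth-groups-groupId-members-userId.
          operations:
            - method: PUT
              name: addgroupmembership
              description: add group membership
              call: lakefs-auth.addgroupmembership
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deletegroupmembership
              description: delete group membership
              call: lakefs-auth.deletegroupmembership
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/groups/{groupid}/policies
          name: auth-groups-groupid-policies
          description: REST surface for auth-groups-groupId-policies.
          operations:
            - method: GET
              name: listgrouppolicies
              description: list group policies
              call: lakefs-auth.listgrouppolicies
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/groups/{groupid}/policies/{policyid}
          name: auth-groups-groupid-policies-policyid
          description: REST surface for auth-groups-groupId-policies-policyId.
          operations:
            - method: PUT
              name: attachpolicytogroup
              description: attach policy to group
              call: lakefs-auth.attachpolicytogroup
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: detachpolicyfromgroup
              description: detach policy from group
              call: lakefs-auth.detachpolicyfromgroup
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/login
          name: auth-login
          description: REST surface for auth-login.
          operations:
            - method: POST
              name: login
              description: perform a login
              call: lakefs-auth.login
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/policies
          name: auth-policies
          description: REST surface for auth-policies.
          operations:
            - method: GET
              name: listpolicies
              description: list policies
              call: lakefs-auth.listpolicies
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: createpolicy
              description: create policy
              call: lakefs-auth.createpolicy
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/policies/{policyid}
          name: auth-policies-policyid
          description: REST surface for auth-policies-policyId.
          operations:
            - method: GET
              name: getpolicy
              description: get policy
              call: lakefs-auth.getpolicy
              outputParameters:
                - type: object
                  mapping: $.
            - method: PUT
              name: updatepolicy
              description: update policy
              call: lakefs-auth.updatepolicy
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deletepolicy
              description: delete policy
              call: lakefs-auth.deletepolicy
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users
          name: auth-users
          description: REST surface for auth-users.
          operations:
            - method: GET
              name: listusers
              description: list users
              call: lakefs-auth.listusers
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: createuser
              description: create user
              call: lakefs-auth.createuser
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}
          name: auth-users-userid
          description: REST surface for auth-users-userId.
          operations:
            - method: GET
              name: getuser
              description: get user
              call: lakefs-auth.getuser
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deleteuser
              description: delete user
              call: lakefs-auth.deleteuser
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}/credentials
          name: auth-users-userid-credentials
          description: REST surface for auth-users-userId-credentials.
          operations:
            - method: GET
              name: listusercredentials
              description: list user credentials
              call: lakefs-auth.listusercredentials
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: createcredentials
              description: create credentials
              call: lakefs-auth.createcredentials
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}/credentials/{accesskeyid}
          name: auth-users-userid-credentials-accesskeyid
          description: REST surface for auth-users-userId-credentials-accessKeyId.
          operations:
            - method: DELETE
              name: deletecredentials
              description: delete credentials
              call: lakefs-auth.deletecredentials
              outputParameters:
                - type: object
                  mapping: $.
            - method: GET
              name: getcredentials
              description: get credentials
              call: lakefs-auth.getcredentials
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}/external/principals
          name: auth-users-userid-external-principals
          description: REST surface for auth-users-userId-external-principals.
          operations:
            - method: POST
              name: createuserexternalprincipal
              description: attach external principal to user
              call: lakefs-auth.createuserexternalprincipal
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deleteuserexternalprincipal
              description: delete external principal from user
              call: lakefs-auth.deleteuserexternalprincipal
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}/external/principals/ls
          name: auth-users-userid-external-principals-ls
          description: REST surface for auth-users-userId-external-principals-ls.
          operations:
            - method: GET
              name: listuserexternalprincipals
              description: list user external policies attached to a user
              call: lakefs-auth.listuserexternalprincipals
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}/groups
          name: auth-users-userid-groups
          description: REST surface for auth-users-userId-groups.
          operations:
            - method: GET
              name: listusergroups
              description: list user groups
              call: lakefs-auth.listusergroups
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}/policies
          name: auth-users-userid-policies
          description: REST surface for auth-users-userId-policies.
          operations:
            - method: GET
              name: listuserpolicies
              description: list user policies
              call: lakefs-auth.listuserpolicies
              with:
                effective: rest.effective
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/users/{userid}/policies/{policyid}
          name: auth-users-userid-policies-policyid
          description: REST surface for auth-users-userId-policies-policyId.
          operations:
            - method: PUT
              name: attachpolicytouser
              description: attach policy to user
              call: lakefs-auth.attachpolicytouser
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: detachpolicyfromuser
              description: detach policy from user
              call: lakefs-auth.detachpolicyfromuser
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/oidc/callback
          name: oidc-callback
          description: REST surface for oidc-callback.
          operations:
            - method: GET
              name: oauthcallback
              description: oauthcallback
              call: lakefs-auth.oauthcallback
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/user
          name: user
          description: REST surface for user.
          operations:
            - method: GET
              name: getcurrentuser
              description: get current user
              call: lakefs-auth.getcurrentuser
              outputParameters:
                - type: object
                  mapping: $.
    # MCP adapter. As with the REST adapter, no caller authentication is
    # declared on this entry. Tool results are returned whole (`$.`), so
    # tokens from the login tools and any secret returned by
    # create-credentials end up in the MCP client's conversation context.
    #
    # `hints` are advisory metadata for the client (for example, to decide
    # which calls need user confirmation); they are not an access control.
    # NOTE(review): set-acl-group and update-policy replace existing
    # authorization state but are marked destructive: false; confirm that is
    # the intended confirmation behaviour for an IAM surface.
    - type: mcp
      namespace: lakefs-auth-mcp
      port: 9090
      transport: http
      description: >-
        MCP adapter for lakeFS API — auth. One tool per consumed operation,
        routed inline through this capability's consumes block.
      tools:
        - name: perform-login-using-external-authenticator
          description: perform a login using an external authenticator
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.externalprincipallogin
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: describe-external-principal-id
          description: describe external principal by id
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.getexternalprincipal
          outputParameters:
            - type: object
              mapping: $.
        - name: list-groups
          description: list groups
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listgroups
          outputParameters:
            - type: object
              mapping: $.
        - name: create-group
          description: create group
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.creategroup
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: get-group
          description: get group
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.getgroup
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-group
          description: delete group
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.deletegroup
          outputParameters:
            - type: object
              mapping: $.
        - name: set-acl-group
          description: set ACL of group
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.setgroupacl
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: get-acl-group
          description: get ACL of group
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.getgroupacl
          outputParameters:
            - type: object
              mapping: $.
        - name: list-group-members
          description: list group members
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listgroupmembers
          outputParameters:
            - type: object
              mapping: $.
        - name: add-group-membership
          description: add group membership
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: lakefs-auth.addgroupmembership
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-group-membership
          description: delete group membership
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.deletegroupmembership
          outputParameters:
            - type: object
              mapping: $.
        - name: list-group-policies
          description: list group policies
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listgrouppolicies
          outputParameters:
            - type: object
              mapping: $.
        - name: attach-policy-group
          description: attach policy to group
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: lakefs-auth.attachpolicytogroup
          outputParameters:
            - type: object
              mapping: $.
        - name: detach-policy-group
          description: detach policy from group
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.detachpolicyfromgroup
          outputParameters:
            - type: object
              mapping: $.
        - name: perform-login
          description: perform a login
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.login
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: list-policies
          description: list policies
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listpolicies
          outputParameters:
            - type: object
              mapping: $.
        - name: create-policy
          description: create policy
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.createpolicy
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: get-policy
          description: get policy
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.getpolicy
          outputParameters:
            - type: object
              mapping: $.
        - name: update-policy
          description: update policy
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: lakefs-auth.updatepolicy
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-policy
          description: delete policy
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.deletepolicy
          outputParameters:
            - type: object
              mapping: $.
        - name: list-users
          description: list users
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listusers
          outputParameters:
            - type: object
              mapping: $.
        - name: create-user
          description: create user
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.createuser
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: get-user
          description: get user
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.getuser
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-user
          description: delete user
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.deleteuser
          outputParameters:
            - type: object
              mapping: $.
        - name: list-user-credentials
          description: list user credentials
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listusercredentials
          outputParameters:
            - type: object
              mapping: $.
        - name: create-credentials
          description: create credentials
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.createcredentials
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-credentials
          description: delete credentials
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.deletecredentials
          outputParameters:
            - type: object
              mapping: $.
        - name: get-credentials
          description: get credentials
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.getcredentials
          outputParameters:
            - type: object
              mapping: $.
        - name: attach-external-principal-user
          description: attach external principal to user
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.createuserexternalprincipal
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-external-principal-user
          description: delete external principal from user
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.deleteuserexternalprincipal
          outputParameters:
            - type: object
              mapping: $.
        - name: list-user-external-policies-attached
          description: list user external policies attached to a user
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listuserexternalprincipals
          outputParameters:
            - type: object
              mapping: $.
        - name: list-user-groups
          description: list user groups
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listusergroups
          outputParameters:
            - type: object
              mapping: $.
        - name: list-user-policies
          description: list user policies
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.listuserpolicies
          with:
            effective: tools.effective
          outputParameters:
            - type: object
              mapping: $.
        - name: attach-policy-user
          description: attach policy to user
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: lakefs-auth.attachpolicytouser
          outputParameters:
            - type: object
              mapping: $.
        - name: detach-policy-user
          description: detach policy from user
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: lakefs-auth.detachpolicyfromuser
          outputParameters:
            - type: object
              mapping: $.
        # Changed from readOnly: true / idempotent: true. An OIDC redirect
        # callback is not a plain read: it normally redeems a one-time
        # authorization code and establishes a session, so the conservative
        # hints are used here. NOTE(review): confirm against the lakeFS
        # handler, and consider whether a browser redirect endpoint belongs
        # in an MCP tool list at all.
        - name: oauthcallback
          description: oauthcallback
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: lakefs-auth.oauthcallback
          outputParameters:
            - type: object
              mapping: $.
        - name: get-current-user
          description: get current user
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: lakefs-auth.getcurrentuser
          outputParameters:
            - type: object
              mapping: $.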