Jobs Permissions and Sharing

As with the Systems, Apps, and Files services, your jobs have their own set of access controls. Using these, you can share your job and its data with other Tapis users. Job permissions are private by default. The permissions you give a job apply both to the job, its outputs, its metadata, and the permissions themselves. Thus, by sharing a job with another user, you share all aspects of that job.

Job permissions are managed through a set of URLs consistent with the permissions URL elsewhere in the API.

Granting

Granting permissions is simply a matter of issuing a POST with the desired permission object to the job’s pems collection.

tapis jobs pems grant $JOB_UUID $USERNAME $PERMISSION
Show curl
# General grant
curl -sk -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -X POST --data-binary '{"permission":"READ","username":"$USERNAME"}' \
    https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/pems

# Custom url grant
curl -sk -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -X POST --data-binary '{"permission":"READ"}' \
    https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/pems/$USERNAME

Show json response
{
"username": "$USERNAME",
"internalUsername": null,
"permission": {
  "read": true,
  "write": false
},
"_links": {
  "self": {
    "href": "https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/pems/$USERNAME"
  },
  "parent": {
    "href": "https://api.tacc.utexas.edu/jobs/v2/$JOB_ID"
  },
  "profile": {
    "href": "https://api.tacc.utexas.edu/profiles/v2/$USERNAME"
  }
}
}

The available permission values are listed in Table 2.

Permission Description
READ Gives the ability to view the job status, and output data.
WRITE Gives the ability to perform actions, manage metadata, and set permissions.
ALL Gives full READ and WRITE permissions to the user.
READ_WRITE Synonymous to ALL. Gives full READ and WRITE permissions to the user

Table 2. Supported job permission values.

Job permissions are distinct from file permissions. In many instances, your job output will be accessible via the Files and Jobs services simultaneously. Granting a user permissions to a job output file through the Files services does not alter the accessibility of that file through the Jobs service. It is important, then, that you consider to whom you grant permissions, and the implications of that decision in all areas of your application.

Listing

To find the permissions for a given job, make a GET on the job’s pems collection. Here we see that both the job owner and the user we just granted permission to appear in the response.

tapis jobs pems list -V $JOB_UUID
Show curl
curl -sk -H "Authorization: Bearer $AUTH_TOKEN" \
  'https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/pems/'

Show json response
[
{
  "username": "$API_USERNAME",
  "internalUsername": null,
  "permission": {
    "read": true,
    "write": true
  },
  "_links": {
    "self": {
      "href": "https://api.tacc.utexas.edu/jobs/v2/6608339759546166810-242ac114-0001-007/pems/$API_USERNAME"
    },
    "parent": {
      "href": "https://api.tacc.utexas.edu/jobs/v2/6608339759546166810-242ac114-0001-007"
    },
    "profile": {
      "href": "https://api.tacc.utexas.edu/profiles/v2/$API_USERNAME"
    }
  }
},
{
  "username": "$USERNAME",
  "internalUsername": null,
  "permission": {
    "read": true,
    "write": false
  },
  "_links": {
    "self": {
      "href": "https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/pems/$USERNAME"
    },
    "parent": {
      "href": "https://api.tacc.utexas.edu/jobs/v2/$JOB_ID"
    },
    "profile": {
      "href": "https://api.tacc.utexas.edu/profiles/v2/$USERNAME"
    }
  }
}
]

Updating

Updating is exactly like granting permissions. Just POST to the same job’s pems collection.

tapis jobs pems grant $USERNAME $PERMISSION $JOB_UUID
Show curl
curl -sk -H "Authorization: Bearer  $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -X POST --data-binary {"permission":"READ_WRITE}" \
    https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/$USERNAME

Show json response
{
"username": "$USERNAME",
"internalUsername": null,
"permission": {
  "read": true,
  "write": true
},
"_links": {
  "self": {
    "href": "https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/pems/$USERNAME"
  },
  "parent": {
    "href": "https://api.tacc.utexas.edu/jobs/v2/$JOB_ID"
  },
  "profile": {
    "href": "https://api.tacc.utexas.edu/profiles/v2/$USERNAME"
  }
}
}

Deleting

To delete a permission, you can issue a DELETE request on the user permission resource we’ve been using, or update with an empty permission value.

tapis jobs pems revoke $JOB_UUID $USERNAME
Show curl
curl -sk -H "Authorization: Bearer  $ACCESS_TOKEN" \
    -X DELETE \
    https://api.tacc.utexas.edu/jobs/v2/$JOB_ID/$USERNAME