lakeFS · Capability

lakeFS API — auth

lakeFS API — auth. 37 operations. Lead operation: perform a login using an external authenticator. Self-contained Naftiko capability covering one Lakefs business surface.

What You Can Do

POST /v1/auth/external/principal/login: Externalprincipallogin — perform a login using an external authenticator
GET /v1/auth/external/principals: Getexternalprincipal — describe external principal by id
GET /v1/auth/groups: Listgroups — list groups
POST /v1/auth/groups: Creategroup — create group
GET /v1/auth/groups/{groupid}: Getgroup — get group
DELETE /v1/auth/groups/{groupid}: Deletegroup — delete group
POST /v1/auth/groups/{groupid}/acl: Setgroupacl — set ACL of group
GET /v1/auth/groups/{groupid}/acl: Getgroupacl — get ACL of group
GET /v1/auth/groups/{groupid}/members: Listgroupmembers — list group members
PUT /v1/auth/groups/{groupid}/members/{userid}: Addgroupmembership — add group membership
DELETE /v1/auth/groups/{groupid}/members/{userid}: Deletegroupmembership — delete group membership
GET /v1/auth/groups/{groupid}/policies: Listgrouppolicies — list group policies
PUT /v1/auth/groups/{groupid}/policies/{policyid}: Attachpolicytogroup — attach policy to group
DELETE /v1/auth/groups/{groupid}/policies/{policyid}: Detachpolicyfromgroup — detach policy from group
POST /v1/auth/login: Login — perform a login
GET /v1/auth/policies: Listpolicies — list policies
POST /v1/auth/policies: Createpolicy — create policy
GET /v1/auth/policies/{policyid}: Getpolicy — get policy
PUT /v1/auth/policies/{policyid}: Updatepolicy — update policy
DELETE /v1/auth/policies/{policyid}: Deletepolicy — delete policy
GET /v1/auth/users: Listusers — list users
POST /v1/auth/users: Createuser — create user
GET /v1/auth/users/{userid}: Getuser — get user
DELETE /v1/auth/users/{userid}: Deleteuser — delete user
GET /v1/auth/users/{userid}/credentials: Listusercredentials — list user credentials
POST /v1/auth/users/{userid}/credentials: Createcredentials — create credentials
DELETE /v1/auth/users/{userid}/credentials/{accesskeyid}: Deletecredentials — delete credentials
GET /v1/auth/users/{userid}/credentials/{accesskeyid}: Getcredentials — get credentials
POST /v1/auth/users/{userid}/external/principals: Createuserexternalprincipal — attach external principal to user
DELETE /v1/auth/users/{userid}/external/principals: Deleteuserexternalprincipal — delete external principal from user
GET /v1/auth/users/{userid}/external/principals/ls: Listuserexternalprincipals — list user external policies attached to a user
GET /v1/auth/users/{userid}/groups: Listusergroups — list user groups
GET /v1/auth/users/{userid}/policies: Listuserpolicies — list user policies
PUT /v1/auth/users/{userid}/policies/{policyid}: Attachpolicytouser — attach policy to user
DELETE /v1/auth/users/{userid}/policies/{policyid}: Detachpolicyfromuser — detach policy from user
GET /v1/oidc/callback: Oauthcallback — oauthcallback
GET /v1/user: Getcurrentuser — get current user

MCP Tools

perform-login-using-external-authenticator: perform a login using an external authenticator
describe-external-principal-id: describe external principal by id [read-only, idempotent]
list-groups: list groups [read-only, idempotent]
create-group: create group
get-group: get group [read-only, idempotent]
delete-group: delete group [idempotent]
set-acl-group: set ACL of group
get-acl-group: get ACL of group [read-only, idempotent]
list-group-members: list group members [read-only, idempotent]
add-group-membership: add group membership [idempotent]
delete-group-membership: delete group membership [idempotent]
list-group-policies: list group policies [read-only, idempotent]
attach-policy-group: attach policy to group [idempotent]
detach-policy-group: detach policy from group [idempotent]
perform-login: perform a login
list-policies: list policies [read-only, idempotent]
create-policy: create policy
get-policy: get policy [read-only, idempotent]
update-policy: update policy [idempotent]
delete-policy: delete policy [idempotent]
list-users: list users [read-only, idempotent]
create-user: create user
get-user: get user [read-only, idempotent]
delete-user: delete user [idempotent]
list-user-credentials: list user credentials [read-only, idempotent]
create-credentials: create credentials
delete-credentials: delete credentials [idempotent]
get-credentials: get credentials [read-only, idempotent]
attach-external-principal-user: attach external principal to user
delete-external-principal-user: delete external principal from user [idempotent]
list-user-external-policies-attached: list user external policies attached to a user [read-only, idempotent]
list-user-groups: list user groups [read-only, idempotent]
list-user-policies: list user policies [read-only, idempotent]
attach-policy-user: attach policy to user [idempotent]
detach-policy-user: detach policy from user [idempotent]
oauthcallback: oauthcallback [read-only, idempotent]
get-current-user: get current user [read-only, idempotent]

Capability Spec

lakefs-auth.yaml
naftiko: 1.0.0-alpha2
info:
  label: lakeFS API — auth
  description: 'lakeFS API — auth. 37 operations. Lead operation: perform a login using an external authenticator. Self-contained
    Naftiko capability covering one Lakefs business surface.'
  tags:
  - Lakefs
  - auth
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    LAKEFS_API_KEY: LAKEFS_API_KEY
capability:
  consumes:
  - type: http
    namespace: lakefs-auth
    baseUri: ''
    description: lakeFS API — auth business capability. Self-contained, no shared references.
    resources:
    - name: auth-external-principal-login
      path: /auth/external/principal/login
      operations:
      - name: externalprincipallogin
        method: POST
        description: perform a login using an external authenticator
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: auth-external-principals
      path: /auth/external/principals
      operations:
      - name: getexternalprincipal
        method: GET
        description: describe external principal by id
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-groups
      path: /auth/groups
      operations:
      - name: listgroups
        method: GET
        description: list groups
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: creategroup
        method: POST
        description: create group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: auth-groups-groupId
      path: /auth/groups/{groupId}
      operations:
      - name: getgroup
        method: GET
        description: get group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deletegroup
        method: DELETE
        description: delete group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-groups-groupId-acl
      path: /auth/groups/{groupId}/acl
      operations:
      - name: setgroupacl
        method: POST
        description: set ACL of group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: getgroupacl
        method: GET
        description: get ACL of group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-groups-groupId-members
      path: /auth/groups/{groupId}/members
      operations:
      - name: listgroupmembers
        method: GET
        description: list group members
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-groups-groupId-members-userId
      path: /auth/groups/{groupId}/members/{userId}
      operations:
      - name: addgroupmembership
        method: PUT
        description: add group membership
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deletegroupmembership
        method: DELETE
        description: delete group membership
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-groups-groupId-policies
      path: /auth/groups/{groupId}/policies
      operations:
      - name: listgrouppolicies
        method: GET
        description: list group policies
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-groups-groupId-policies-policyId
      path: /auth/groups/{groupId}/policies/{policyId}
      operations:
      - name: attachpolicytogroup
        method: PUT
        description: attach policy to group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: detachpolicyfromgroup
        method: DELETE
        description: detach policy from group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-login
      path: /auth/login
      operations:
      - name: login
        method: POST
        description: perform a login
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: auth-policies
      path: /auth/policies
      operations:
      - name: listpolicies
        method: GET
        description: list policies
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createpolicy
        method: POST
        description: create policy
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: auth-policies-policyId
      path: /auth/policies/{policyId}
      operations:
      - name: getpolicy
        method: GET
        description: get policy
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updatepolicy
        method: PUT
        description: update policy
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deletepolicy
        method: DELETE
        description: delete policy
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-users
      path: /auth/users
      operations:
      - name: listusers
        method: GET
        description: list users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createuser
        method: POST
        description: create user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
    - name: auth-users-userId
      path: /auth/users/{userId}
      operations:
      - name: getuser
        method: GET
        description: get user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteuser
        method: DELETE
        description: delete user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-users-userId-credentials
      path: /auth/users/{userId}/credentials
      operations:
      - name: listusercredentials
        method: GET
        description: list user credentials
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createcredentials
        method: POST
        description: create credentials
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-users-userId-credentials-accessKeyId
      path: /auth/users/{userId}/credentials/{accessKeyId}
      operations:
      - name: deletecredentials
        method: DELETE
        description: delete credentials
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: getcredentials
        method: GET
        description: get credentials
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-users-userId-external-principals
      path: /auth/users/{userId}/external/principals
      operations:
      - name: createuserexternalprincipal
        method: POST
        description: attach external principal to user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: false
      - name: deleteuserexternalprincipal
        method: DELETE
        description: delete external principal from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-users-userId-external-principals-ls
      path: /auth/users/{userId}/external/principals/ls
      operations:
      - name: listuserexternalprincipals
        method: GET
        description: list user external policies attached to a user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-users-userId-groups
      path: /auth/users/{userId}/groups
      operations:
      - name: listusergroups
        method: GET
        description: list user groups
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-users-userId-policies
      path: /auth/users/{userId}/policies
      operations:
      - name: listuserpolicies
        method: GET
        description: list user policies
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: effective
          in: query
          type: boolean
          description: will return all distinct policies attached to the user or any of its groups
    - name: auth-users-userId-policies-policyId
      path: /auth/users/{userId}/policies/{policyId}
      operations:
      - name: attachpolicytouser
        method: PUT
        description: attach policy to user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: detachpolicyfromuser
        method: DELETE
        description: detach policy from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: oidc-callback
      path: /oidc/callback
      operations:
      - name: oauthcallback
        method: GET
        description: ''
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: user
      path: /user
      operations:
      - name: getcurrentuser
        method: GET
        description: get current user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    authentication:
      type: bearer
      token: '{{env.LAKEFS_API_KEY}}'
  exposes:
  - type: rest
    namespace: lakefs-auth-rest
    port: 8080
    description: REST adapter for lakeFS API — auth. One Spectral-compliant resource per consumed operation, prefixed with
      /v1.
    resources:
    - path: /v1/auth/external/principal/login
      name: auth-external-principal-login
      description: REST surface for auth-external-principal-login.
      operations:
      - method: POST
        name: externalprincipallogin
        description: perform a login using an external authenticator
        call: lakefs-auth.externalprincipallogin
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/external/principals
      name: auth-external-principals
      description: REST surface for auth-external-principals.
      operations:
      - method: GET
        name: getexternalprincipal
        description: describe external principal by id
        call: lakefs-auth.getexternalprincipal
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/groups
      name: auth-groups
      description: REST surface for auth-groups.
      operations:
      - method: GET
        name: listgroups
        description: list groups
        call: lakefs-auth.listgroups
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: creategroup
        description: create group
        call: lakefs-auth.creategroup
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/groups/{groupid}
      name: auth-groups-groupid
      description: REST surface for auth-groups-groupId.
      operations:
      - method: GET
        name: getgroup
        description: get group
        call: lakefs-auth.getgroup
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deletegroup
        description: delete group
        call: lakefs-auth.deletegroup
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/groups/{groupid}/acl
      name: auth-groups-groupid-acl
      description: REST surface for auth-groups-groupId-acl.
      operations:
      - method: POST
        name: setgroupacl
        description: set ACL of group
        call: lakefs-auth.setgroupacl
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: getgroupacl
        description: get ACL of group
        call: lakefs-auth.getgroupacl
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/groups/{groupid}/members
      name: auth-groups-groupid-members
      description: REST surface for auth-groups-groupId-members.
      operations:
      - method: GET
        name: listgroupmembers
        description: list group members
        call: lakefs-auth.listgroupmembers
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/groups/{groupid}/members/{userid}
      name: auth-groups-groupid-members-userid
      description: REST surface for auth-groups-groupId-members-userId.
      operations:
      - method: PUT
        name: addgroupmembership
        description: add group membership
        call: lakefs-auth.addgroupmembership
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deletegroupmembership
        description: delete group membership
        call: lakefs-auth.deletegroupmembership
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/groups/{groupid}/policies
      name: auth-groups-groupid-policies
      description: REST surface for auth-groups-groupId-policies.
      operations:
      - method: GET
        name: listgrouppolicies
        description: list group policies
        call: lakefs-auth.listgrouppolicies
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/groups/{groupid}/policies/{policyid}
      name: auth-groups-groupid-policies-policyid
      description: REST surface for auth-groups-groupId-policies-policyId.
      operations:
      - method: PUT
        name: attachpolicytogroup
        description: attach policy to group
        call: lakefs-auth.attachpolicytogroup
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: detachpolicyfromgroup
        description: detach policy from group
        call: lakefs-auth.detachpolicyfromgroup
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/login
      name: auth-login
      description: REST surface for auth-login.
      operations:
      - method: POST
        name: login
        description: perform a login
        call: lakefs-auth.login
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/policies
      name: auth-policies
      description: REST surface for auth-policies.
      operations:
      - method: GET
        name: listpolicies
        description: list policies
        call: lakefs-auth.listpolicies
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createpolicy
        description: create policy
        call: lakefs-auth.createpolicy
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/policies/{policyid}
      name: auth-policies-policyid
      description: REST surface for auth-policies-policyId.
      operations:
      - method: GET
        name: getpolicy
        description: get policy
        call: lakefs-auth.getpolicy
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: updatepolicy
        description: update policy
        call: lakefs-auth.updatepolicy
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deletepolicy
        description: delete policy
        call: lakefs-auth.deletepolicy
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users
      name: auth-users
      description: REST surface for auth-users.
      operations:
      - method: GET
        name: listusers
        description: list users
        call: lakefs-auth.listusers
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createuser
        description: create user
        call: lakefs-auth.createuser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}
      name: auth-users-userid
      description: REST surface for auth-users-userId.
      operations:
      - method: GET
        name: getuser
        description: get user
        call: lakefs-auth.getuser
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteuser
        description: delete user
        call: lakefs-auth.deleteuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}/credentials
      name: auth-users-userid-credentials
      description: REST surface for auth-users-userId-credentials.
      operations:
      - method: GET
        name: listusercredentials
        description: list user credentials
        call: lakefs-auth.listusercredentials
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createcredentials
        description: create credentials
        call: lakefs-auth.createcredentials
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}/credentials/{accesskeyid}
      name: auth-users-userid-credentials-accesskeyid
      description: REST surface for auth-users-userId-credentials-accessKeyId.
      operations:
      - method: DELETE
        name: deletecredentials
        description: delete credentials
        call: lakefs-auth.deletecredentials
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: getcredentials
        description: get credentials
        call: lakefs-auth.getcredentials
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}/external/principals
      name: auth-users-userid-external-principals
      description: REST surface for auth-users-userId-external-principals.
      operations:
      - method: POST
        name: createuserexternalprincipal
        description: attach external principal to user
        call: lakefs-auth.createuserexternalprincipal
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteuserexternalprincipal
        description: delete external principal from user
        call: lakefs-auth.deleteuserexternalprincipal
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}/external/principals/ls
      name: auth-users-userid-external-principals-ls
      description: REST surface for auth-users-userId-external-principals-ls.
      operations:
      - method: GET
        name: listuserexternalprincipals
        description: list user external policies attached to a user
        call: lakefs-auth.listuserexternalprincipals
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}/groups
      name: auth-users-userid-groups
      description: REST surface for auth-users-userId-groups.
      operations:
      - method: GET
        name: listusergroups
        description: list user groups
        call: lakefs-auth.listusergroups
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}/policies
      name: auth-users-userid-policies
      description: REST surface for auth-users-userId-policies.
      operations:
      - method: GET
        name: listuserpolicies
        description: list user policies
        call: lakefs-auth.listuserpolicies
        with:
          effective: rest.effective
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/auth/users/{userid}/policies/{policyid}
      name: auth-users-userid-policies-policyid
      description: REST surface for auth-users-userId-policies-policyId.
      operations:
      - method: PUT
        name: attachpolicytouser
        description: attach policy to user
        call: lakefs-auth.attachpolicytouser
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: detachpolicyfromuser
        description: detach policy from user
        call: lakefs-auth.detachpolicyfromuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/oidc/callback
      name: oidc-callback
      description: REST surface for oidc-callback.
      operations:
      - method: GET
        name: oauthcallback
        description: oauthcallback
        call: lakefs-auth.oauthcallback
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/user
      name: user
      description: REST surface for user.
      operations:
      - method: GET
        name: getcurrentuser
        description: get current user
        call: lakefs-auth.getcurrentuser
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: lakefs-auth-mcp
    port: 9090
    transport: http
    description: MCP adapter for lakeFS API — auth. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: perform-login-using-external-authenticator
      description: perform a login using an external authenticator
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.externalprincipallogin
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: describe-external-principal-id
      description: describe external principal by id
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.getexternalprincipal
      outputParameters:
      - type: object
        mapping: $.
    - name: list-groups
      description: list groups
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.listgroups
      outputParameters:
      - type: object
        mapping: $.
    - name: create-group
      description: create group
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.creategroup
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-group
      description: get group
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.getgroup
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-group
      description: delete group
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lakefs-auth.deletegroup
      outputParameters:
      - type: object
        mapping: $.
    - name: set-acl-group
      description: set ACL of group
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.setgroupacl
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-acl-group
      description: get ACL of group
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.getgroupacl
      outputParameters:
      - type: object
        mapping: $.
    - name: list-group-members
      description: list group members
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.listgroupmembers
      outputParameters:
      - type: object
        mapping: $.
    - name: add-group-membership
      description: add group membership
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: lakefs-auth.addgroupmembership
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-group-membership
      description: delete group membership
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lakefs-auth.deletegroupmembership
      outputParameters:
      - type: object
        mapping: $.
    - name: list-group-policies
      description: list group policies
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.listgrouppolicies
      outputParameters:
      - type: object
        mapping: $.
    - name: attach-policy-group
      description: attach policy to group
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: lakefs-auth.attachpolicytogroup
      outputParameters:
      - type: object
        mapping: $.
    - name: detach-policy-group
      description: detach policy from group
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lakefs-auth.detachpolicyfromgroup
      outputParameters:
      - type: object
        mapping: $.
    - name: perform-login
      description: perform a login
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.login
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: list-policies
      description: list policies
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.listpolicies
      outputParameters:
      - type: object
        mapping: $.
    - name: create-policy
      description: create policy
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.createpolicy
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-policy
      description: get policy
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.getpolicy
      outputParameters:
      - type: object
        mapping: $.
    - name: update-policy
      description: update policy
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: lakefs-auth.updatepolicy
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-policy
      description: delete policy
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lakefs-auth.deletepolicy
      outputParameters:
      - type: object
        mapping: $.
    - name: list-users
      description: list users
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.listusers
      outputParameters:
      - type: object
        mapping: $.
    - name: create-user
      description: create user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.createuser
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-user
      description: get user
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.getuser
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-user
      description: delete user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lakefs-auth.deleteuser
      outputParameters:
      - type: object
        mapping: $.
    - name: list-user-credentials
      description: list user credentials
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.listusercredentials
      outputParameters:
      - type: object
        mapping: $.
    - name: create-credentials
      description: create credentials
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.createcredentials
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-credentials
      description: delete credentials
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lakefs-auth.deletecredentials
      outputParameters:
      - type: object
        mapping: $.
    - name: get-credentials
      description: get credentials
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.getcredentials
      outputParameters:
      - type: object
        mapping: $.
    - name: attach-external-principal-user
      description: attach external principal to user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lakefs-auth.createuserexternalprincipal
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-external-principal-user
      description: delete external principal from user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: lakefs-auth.deleteuserexternalprincipal
      outputParameters:
      - type: object
        mapping: $.
    - name: list-user-external-policies-attached
      description: list user external policies attached to a user
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lakefs-auth.listuserexternalprincipals
      outputParameters:
      - type: object
        mapping: $.
    - name: list-user-groups
      description: list

# --- truncated at 32 KB (33 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/lakefs/refs/heads/main/capabilities/lakefs-auth.yaml