Skip to content

Entitlement Service API client for kdb Insights Enterprise.

Use EntitlementService to manage access entitlements on entities such as databases and packages.

Entitlements control which Keycloak groups and users can access which kdb Insights Enterprise entities, and at what Access level.

Example 
from uuid import UUID
from kxi.authorization.entitlement_service import EntitlementService
from kxi.authorization.entitlement_types import EntityType, Access, Group

svc = EntitlementService(host="https://<host>")

# Create an entitlement granting READ access to a group
svc.create(
    id=UUID("12345678-0000-0000-0000-000000000000"),
    entity="my-database",
    entity_type=EntityType.database,
    groups=[Group(id=UUID("abcdefab-0000-0000-0000-000000000000"), access=Access.READ)],
)

# List all entitlements
for ent in svc.list():
    print(ent.entity, ent.entityType)

# Delete an entitlement by name
svc.delete("my-database", EntityType.database)

Classes:

Functions:

EntitlementService

Bases: ApiClient

REST client for the kdb Insights Enterprise Entitlement Service.

Manages access entitlements on entities — controlling which Keycloak groups and users may access databases, packages, queries, and views at a given Access level.

Connects to the /entitlements service path.

Example 
from uuid import UUID
from kxi.authorization.entitlement_service import EntitlementService
from kxi.authorization.entitlement_types import EntityType, Access, Group

svc = EntitlementService(host="https://<host>")

svc.create(
    id=UUID("12345678-0000-0000-0000-000000000000"),
    entity="my-database",
    entity_type=EntityType.database,
)
for ent in svc.list():
    print(ent.entity, ent.entityType)

See Connection Parameters for shared constructor arguments.

Functions:

  • actors – List all Keycloak group actors in the realm.
  • alive – Check whether the Entitlement Service is alive.
  • create – Create a new entitlement for an entity.
  • delete – Delete an entitlement by entity ID or name.
  • exists – Check whether an entitlement exists for a given entity ID.
  • get – Get entitlements by entity ID or name.
  • get_by_user_id – Get entitlements accessible to a specific user.
  • list – List all entitlements visible to the current user.
  • list_owned – List entitlements owned by the current user.
  • pod_owners – Query pod-to-owner mappings.
  • policy_update – Update a policy type mapping for a group on an entitlement.
  • policymapping_update – Update the policy mapping for a group on an entitlement.
  • ready – Check whether the Entitlement Service is ready to serve requests.
  • update – Update an existing entitlement.

actors

actors(**kwargs)

List all Keycloak group actors in the realm.

Returns:

alive

alive(**kwargs)

Check whether the Entitlement Service is alive.

Returns:

  • dict – Alive status payload from the service.

create

create(id, entity, entity_type, owner=None, groups=None)

Create a new entitlement for an entity.

Parameters:

  • id (UUID) – UUID to assign to the entity.
  • entity (str) – Human-readable entity name.
  • entity_type (EntityType) – Category of the entity (see EntityType).
  • owner (UUID | None) – Keycloak user UUID of the entity owner.
  • groups (List[Group] | None) – Groups to entitle with access to this entity.

Returns:

  • – API response for the created entitlement.

delete

delete(id, entity_type, **kwargs)

Delete an entitlement by entity ID or name.

Parameters:

  • id (str) – Entity UUID string or human-readable entity name.
  • entity_type (str) – Entity type to scope the deletion.
  • *kwargs* – Additional keyword arguments forwarded to the HTTP client.

Returns:

  • – API response for the deletion.

exists

exists(id, **kwargs)

Check whether an entitlement exists for a given entity ID.

Parameters:

  • id (str) – Entity UUID string to check.
  • *kwargs* – Additional keyword arguments forwarded to the HTTP client.

Returns:

  • boolTrue if the entity exists, False otherwise.

get

get(id, entity_type=None, **kwargs)

Get entitlements by entity ID or name.

Accepts either a UUID string (looked up by id) or a plain name string (looked up by entity).

Parameters:

  • id (str) – Entity UUID string or human-readable entity name.
  • entity_type (EntityType | None) – Filter results to this entity type.
  • *kwargs* – Additional keyword arguments forwarded to the HTTP client.

Returns:

get_by_user_id

get_by_user_id(id, **kwargs)

Get entitlements accessible to a specific user.

Parameters:

  • id (str) – Keycloak user UUID string.
  • *kwargs* – Additional keyword arguments forwarded to the HTTP client.

Returns:

list

list(**kwargs)

List all entitlements visible to the current user.

Returns:

list_owned

list_owned(**kwargs)

List entitlements owned by the current user.

Returns:

pod_owners

pod_owners(pod=None, owner=None, ip=None, pretty=False, **kwargs)

Query pod-to-owner mappings.

All parameters are optional filters; omit them to return all mappings.

Parameters:

  • pod (str | None) – Filter by Kubernetes pod name.
  • owner (UUID | None) – Filter by Keycloak owner UUID.
  • ip (str | None) – Filter by pod IP address.
  • pretty (bool) – Return pretty-printed JSON. Default: False.
  • *kwargs* – Additional keyword arguments forwarded to the HTTP client.

Returns:

policy_update

policy_update(id, entity_type, group, policy=None, policy_type=None, policies=None, operation=None)

Update a policy type mapping for a group on an entitlement.

Parameters:

  • id (Union[str, UUID]) – Entity UUID or name string.
  • entity_type (EntityType) – Entity type to scope the update.
  • group (str) – Keycloak group UUID or name string.
  • policy (str | None) – Policy value to set.
  • policy_type (str | None) – Type of policy to update (e.g. "row").
  • policies (list[str] | None) – List of policy values to assign.
  • operation (str | None) – Patch operation to apply (e.g. "add", "remove").

Returns:

  • – API response for the policy update.

policymapping_update

policymapping_update(id, entity_type, group, policy=None, policy_type=None, policies=None)

Update the policy mapping for a group on an entitlement.

Parameters:

  • id (Union[str, UUID]) – Entity UUID or name string.
  • entity_type (EntityType) – Entity type to scope the update.
  • group (str) – Keycloak group UUID or name string.
  • policy (str | None) – Policy value to set.
  • policy_type (str | None) – Type of policy to update (e.g. "row").
  • policies (list[str] | None) – List of policy values to assign.

Returns:

  • – API response for the policy mapping update.

ready

ready(**kwargs)

Check whether the Entitlement Service is ready to serve requests.

Returns:

  • dict – Ready status payload from the service.

update

update(id, entity_type, entity=None, owner=None, groups=None, policies_enabled=None, policy_types=None)

Update an existing entitlement.

Parameters:

  • id (Union[str, UUID]) – Entity UUID or name string.
  • entity_type (EntityType) – Entity type to scope the update.
  • entity (str | None) – New human-readable entity name.
  • owner (UUID | None) – New owner Keycloak user UUID.
  • groups (List[Group] | None) – Updated list of entitled groups.
  • policies_enabled (Optional[bool]) – Whether to enable row/column policies.
  • policy_types (Optional[Dict[str, bool]]) – Map of policy type names to enabled flags.

Returns:

  • – API response for the update.

format_params

format_params(id, entity)

Format id and entity params.

is_valid_uuid

is_valid_uuid(value)

Validate str is a UUID.

Back to top