Data Catalog GraphQL API
Endpoint: https://{workspace-name}.openraven.io/external/api/datacatalog/graphql
Schema
"Directs the executor to include this field or fragment only when the `if` argument is true"
directive @include(
"Included when true."
if: Boolean!
) on FIELD | FRAGMENT_SPREAD | INLINE_FRAGMENT
"Directs the executor to skip this field or fragment when the `if`'argument is true."
directive @skip(
"Skipped when true."
if: Boolean!
) on FIELD | FRAGMENT_SPREAD | INLINE_FRAGMENT
directive @Max(message: String = "graphql.validation.Max.message", value: Int! = 200) on ARGUMENT_DEFINITION | INPUT_FIELD_DEFINITION
"""
Marks fields and queries that are in beta. These should not be used in production by external production apps.
This can be for performance reasons, API's that may have short lifespans, etc.
"""
directive @beta on FIELD_DEFINITION | ARGUMENT_DEFINITION | ENUM_VALUE | INPUT_FIELD_DEFINITION
"Marks the field, argument, input field or enum value as deprecated"
directive @deprecated(
"The reason for the deprecation"
reason: String = "No longer supported"
) on FIELD_DEFINITION | ARGUMENT_DEFINITION | ENUM_VALUE | INPUT_FIELD_DEFINITION
"Exposes a URL that specifies the behaviour of this scalar."
directive @specifiedBy(
"The URL that specifies the behaviour of this scalar."
url: String!
) on SCALAR
interface Asset {
assetId: String!
}
interface AssetDataAggregate {
asset: Asset!
dataClassCounts: [DataClassCount]!
totalFindingRecords: Long!
}
"""
Asset Filter Options inform the consumer of what filters are available and has
various metadata.
"""
interface AssetFilterOption {
description: String!
"Sends back a URL with an icon"
icon: String
key: String!
label: String!
}
interface DataObjectAggregate {
asset: Asset!
dataClassCounts: [DataClassCount]!
scanTarget: String!
scanTargetChild: String
scanTargetLabel: String!
totalFindingRecords: Long!
}
interface ObjectFinding {
dataClass: DataClass!
falsePositive: Boolean!
parentObject: DataObjectAggregate!
scannerJob: ScannerJob!
scannerJobRun: ScannerJobRun!
totalFindingsRecords: Long!
}
"Type representation of saved filters"
union AssetFilter = AssetBooleanFilter | AssetEqualityFilter | AssetKeyValueFilter | AssetRangeFilter | AssetTextFilter
"""
Valid keys:
[
ENCRYPTED
PUBLIC
BACKED_UP_VIA_AWS_BACKUP_JOB
]
"""
type AssetBooleanFilter {
_internal: Boolean
key: String!
value: Boolean!
}
type AssetBooleanFilterOption implements AssetFilterOption {
_internal: Boolean
description: String!
"Sends back a URL with an icon"
icon: String
key: String!
label: String!
}
type AssetDateFilter {
_internal: Boolean
key: String!
operator: AssetDateOperator
"""
Accepts epoch time
2nd value is used for BETWEEN operator
"""
value: [Long!]!
}
type AssetDateFilterOption implements AssetFilterOption {
_internal: Boolean
description: String!
"Sends back a URL with an icon"
icon: String
key: String!
label: String!
}
"""
Valid Keys: [
CATEGORY
RESOURCE_TYPE
REGION
]
"""
type AssetEqualityFilter {
_internal: Boolean
key: String!
operator: AssetEqualityOperator!
value: [String!]!
}
type AssetEqualityFilterOption implements AssetFilterOption {
_internal: Boolean
"Returns potential values containing the search term"
availableValuesConnection(after: String, first: Int!, search: String): LabelAndValueConnection!
description: String!
"Sends back a URL with an icon"
icon: String
key: String!
label: String!
}
"Filters are AND'd"
type AssetFilters {
_internal: Boolean
filters: [AssetFilter!]!
}
type AssetKeyValueFilter {
_internal: Boolean
key: String!
keyValues: [KeyValue!]!
operator: AssetKeyValueOperator!
}
type AssetKeyValueFilterOption implements AssetFilterOption {
_internal: Boolean
"Returns available keys containing the search term"
availableKeys(after: String, first: Int!, search: String): LabelAndValueConnection!
"Returns available values for key that contain the search term"
availableValuesForKey(after: String, first: Int!, key: String!, search: String): LabelAndValueConnection!
description: String!
"Sends back a URL with an icon"
icon: String
key: String!
label: String!
}
"""
Doubles as Range With Units
Valid keys:
[
STORAGE_USED
]
"""
type AssetRangeFilter {
_internal: Boolean
key: String!
operator: AssetRangeOperator!
"Multiple values should only be passed when using BETWEEN operator"
value: [Long!]!
}
type AssetRangeFilterOption implements AssetFilterOption {
_internal: Boolean
description: String!
"Sends back a URL with an icon"
icon: String
key: String!
label: String!
maximum: Long
minimum: Long
}
"""
Valid Keys: [
ASSET_NAME
ACCOUNT
IN_BACK_UP_PLAN
]
"""
type AssetTextFilter {
_internal: Boolean
key: String!
operator: AssetTextOperator!
value: [String!]!
}
type AssetTextFilterOption implements AssetFilterOption {
_internal: Boolean
"Returns potential values containing the search term"
availableValuesConnection(after: String, first: Int!, search: String): LabelAndValueConnection!
description: String!
"Sends back a URL with an icon"
icon: String
key: String!
label: String!
}
type AwsS3Bucket implements Asset {
assetId: String!
awsAccountId: String!
awsAccountLabel: String!
awsRegion: String!
awsRegionLabel: String!
nameLabel: String!
}
type DataClass {
id: String!
}
type DataClassCount {
count: Long!
id: String!
" Not implemented by every fetcher"
name: String
}
"Generic AWS Objects"
type GenericAwsAsset implements Asset {
assetId: String!
awsAccountId: String!
awsAccountLabel: String!
awsRegion: String!
awsRegionLabel: String!
nameLabel: String!
resourceType: String
resourceTypeLabel: String
}
"Generic Objects - Asset Parent Level"
type GenericAwsAssetFindingAggregate implements AssetDataAggregate {
asset: GenericAwsAsset!
" Total records of findings in this aggregate by data class"
dataClassCounts: [DataClassCount]!
" Total records of findings in this aggregate"
totalFindingRecords: Long!
}
type GenericAwsAssetFindingAggregateConnection {
edges: [GenericAwsAssetFindingAggregateEdge]
pageInfo: PageInfo
}
type GenericAwsAssetFindingAggregateEdge {
cursor: String
node: GenericAwsAssetFindingAggregate
}
type KeyValue {
key: String!
value: String!
}
type LabelAndValue {
label: String!
value: String!
}
type LabelAndValueConnection {
edges: [LabelAndValueEdge]
pageInfo: PageInfo
}
type LabelAndValueEdge {
cursor: String
node: LabelAndValue
}
type Mutation {
flagRelationalDatabaseFindingAsFalsePositive(always: Boolean!, assetId: String!, column: String, dataClassId: String!, database: String!, message: String, schema: String, table: String!, userDescriptor: String!): Boolean @beta
flagRelationalDatabaseFindingAsIgnored(assetId: String!, column: String, dataClassId: String!, database: String!, message: String, schema: String, table: String!, userDescriptor: String!): Boolean @beta
"""
Marks a finding as ignored.
Returns true if successful.
"""
markFindingAsIgnored(
" S3 Bucket ARN"
assetId: String!,
" If dataClassId is present mark only findings with this data class as false positive."
dataClassId: String,
" Message related to ignoring a finding."
message: String,
" S3 Object Name"
scanTarget: String!,
" S3 Object child file for compressed archives like .tar.gz. Must be passed if S3 Object is compressed"
scanTargetChild: String!,
" User descriptor, API key or username for user."
userDescriptor: String!
): Boolean @beta
"""
Takes in inputs to find bucket and mark all findings in it as a false positive.
Note that future findings in this bucket will not automatically be marked as false positives.
Returns true if successful.
"""
markS3BucketAsFalsePositive(
"""
If true, future scans will ignore this finding
even if the scanner and dataclass versions are updated
"""
always: Boolean!,
" S3 Bucket ARN"
assetId: String!,
" If dataClassId is present mark only findings with this data class as false positive."
dataClassId: String
): Boolean @beta
"""
Takes in inputs to find object and mark all findings in it as a false positive.
Note that future findings in this object will not automatically be marked as false positives.
Returns true if successful.
"""
markS3ObjectAsFalsePositive(
"""
If true, future scans will ignore this finding
even if the scanner and dataclass versions are updated
"""
always: Boolean!,
" S3 Bucket ARN"
assetId: String!,
" If dataClassId is present mark only findings with this data class as false positive."
dataClassId: String,
" Message related to saving a false positive."
message: String,
" S3 Object Name"
scanTarget: String!,
" S3 Object child file for compressed archives like .tar.gz. Must be passed if S3 Object is compressed"
scanTargetChild: String,
"""
User descriptor, if set will trigger an audit log event to be saved. API key or username for user.
This logic should be temporary until the FE is updated to pass these arguments.
"""
userDescriptor: String
): Boolean @beta
}
type PageInfo {
endCursor: String
hasNextPage: Boolean!
hasPreviousPage: Boolean!
startCursor: String
}
type Query {
"Generic Aggregates"
genericAwsAssetFindingAggregates(after: String, filters: [AssetFilterInput], first: Int! @Max(message : "graphql.validation.Max.message", value : 200), sort: GenericAwsAssetFindingAggregatesSort): GenericAwsAssetFindingAggregateConnection! @beta
"Relational Database Aggregates"
relationalDatabaseFindingAggregates(after: String, filters: [AssetFilterInput], first: Int! @Max(message : "graphql.validation.Max.message", value : 200), sort: RelationalDatabaseAggregatesSort): RelationalDatabaseAggregateConnection! @beta
"Returns an S3 Bucket Aggregate for s3 bucket with input arn"
s3BucketDataAggregate(arn: String!): S3BucketDataAggregate @beta
"""
S3 Bucket Aggregates for non-false positive findings.
Filters for internal use only at the moment.
"""
s3BucketDataAggregates(after: String, filters: [AssetFilterInput], first: Int! @Max(message : "graphql.validation.Max.message", value : 200), sort: S3BucketDataAggregatesSort): S3BucketDataAggregateConnection! @beta
"S3 Bucket Aggregates for non-false positive findings in awsAccountId"
s3BucketDataAggregatesForAccount(after: String, awsAccountId: String!, first: Int! @Max(message : "graphql.validation.Max.message", value : 200), sort: S3BucketDataAggregatesSort): S3BucketDataAggregateConnection! @beta
"""
Returns an S3 Object Aggregate for s3 object with in bucketArn.
scanTarget is object name
scanTargetChild is used for compressed files in scanTarget
"""
s3ObjectAggregate(bucketArn: String!, scanTarget: String!, scanTargetChild: String): S3ObjectAggregate @beta
"""
S3 Object Aggregates for non false-positive findings in an object
Filters for internal use only at the moment.
"""
s3ObjectAggregates(after: String, filters: [AssetFilterInput], first: Int! @Max(message : "graphql.validation.Max.message", value : 200), sort: S3ObjectAggregateSort): S3ObjectAggregateConnection! @beta
"S3 Object Aggregates for non false-positive findings in an object in awsAccountId"
s3ObjectAggregatesForAccount(after: String, awsAccountId: String!, first: Int! @Max(message : "graphql.validation.Max.message", value : 200), sort: S3ObjectAggregateSort): S3ObjectAggregateConnection! @beta
}
"Relational Database Objects"
type RelationalDatabase implements Asset {
assetId: String!
}
type RelationalDatabaseAggregate {
asset: RelationalDatabase!
" Count of records by data class found in this aggregate"
dataClassCounts: [DataClassCount]!
database: String
schema: String
table: String!
" Count of records found in this aggregate"
totalFindingRecords: Long!
}
type RelationalDatabaseAggregateConnection {
edges: [RelationalDatabaseAggregateEdge]
pageInfo: PageInfo
}
type RelationalDatabaseAggregateEdge {
cursor: String
node: RelationalDatabaseAggregate
}
type S3BucketDataAggregate implements AssetDataAggregate {
asset: AwsS3Bucket!
" Total records of findings in this aggregate by data class"
dataClassCounts: [DataClassCount]!
" Total records of findings in this aggregate"
totalFindingRecords: Long!
}
type S3BucketDataAggregateConnection {
edges: [S3BucketDataAggregateEdge]
pageInfo: PageInfo
}
type S3BucketDataAggregateEdge {
cursor: String
node: S3BucketDataAggregate
}
type S3ObjectAggregate implements DataObjectAggregate {
asset: AwsS3Bucket!
" Count of records by data class found in this aggregate"
dataClassCounts: [DataClassCount]!
" S3 Object name"
scanTarget: String!
" Child file of an S3 Object Compressed file. E.G. when scanTarget is of type .tar.gz"
scanTargetChild: String
scanTargetLabel: String!
" Count of records found in this aggregate"
totalFindingRecords: Long!
}
type S3ObjectAggregateConnection {
edges: [S3ObjectAggregateEdge]
pageInfo: PageInfo
}
type S3ObjectAggregateEdge {
cursor: String
node: S3ObjectAggregate
}
type S3ObjectFinding implements ObjectFinding {
dataClass: DataClass!
falsePositive: Boolean!
parentObject: S3ObjectAggregate!
scannerJob: ScannerJob!
scannerJobRun: ScannerJobRun!
totalFindingsRecords: Long!
}
type ScannerJob {
id: String!
}
type ScannerJobRun {
id: String!
}
type TotalDataAggregate {
_internal: Boolean
}
enum AssetDateOperator {
AFTER
BEFORE
BETWEEN
}
enum AssetEqualityOperator {
DOES_NOT_EQUAL
EQUALS
}
enum AssetFiltersInputType {
BOOLEAN
DATE
EQUALITY
KEY_VALUE
RANGE
TEXT
}
enum AssetKeyValueOperator {
DOES_NOT_EQUAL
EQUALS
}
enum AssetRangeOperator {
BETWEEN
EXACTLY
GREATER_THAN
LESS_THAN
}
enum AssetTextOperator {
CONTAINS
DOES_NOT_CONTAIN
DOES_NOT_EQUAL
ENDS_WITH
EQUALS
STARTS_WITH
}
enum ErrorDetail {
"""
The deadline expired before the operation could complete.
For operations that change the state of the system, this error
may be returned even if the operation has completed successfully.
For example, a successful response from a server could have been
delayed long enough for the deadline to expire.
HTTP Mapping: 504 Gateway Timeout
Error Type: UNAVAILABLE
"""
DEADLINE_EXCEEDED
"""
The server detected that the client is exhibiting a behavior that
might be generating excessive load.
HTTP Mapping: 429 Too Many Requests or 420 Enhance Your Calm
Error Type: UNAVAILABLE
"""
ENHANCE_YOUR_CALM
"""
The requested field is not found in the schema.
This differs from `NOT_FOUND` in that `NOT_FOUND` should be used when a
query is valid, but is unable to return a result (if, for example, a
specific video id doesn't exist). `FIELD_NOT_FOUND` is intended to be
returned by the server to signify that the requested field is not known to exist.
This may be returned in lieu of failing the entire query.
See also `PERMISSION_DENIED` for cases where the
requested field is invalid only for the given user or class of users.
HTTP Mapping: 404 Not Found
Error Type: BAD_REQUEST
"""
FIELD_NOT_FOUND
"""
The client specified an invalid argument.
Note that this differs from `FAILED_PRECONDITION`.
`INVALID_ARGUMENT` indicates arguments that are problematic
regardless of the state of the system (e.g., a malformed file name).
HTTP Mapping: 400 Bad Request
Error Type: BAD_REQUEST
"""
INVALID_ARGUMENT
"""
The provided cursor is not valid.
The most common usage for this error is when a client is paginating
through a list that uses stateful cursors. In that case, the provided
cursor may be expired.
HTTP Mapping: 404 Not Found
Error Type: NOT_FOUND
"""
INVALID_CURSOR
"""
Unable to perform operation because a required resource is missing.
Example: Client is attempting to refresh a list, but the specified
list is expired. This requires an action by the client to get a new list.
If the user is simply trying GET a resource that is not found,
use the NOT_FOUND error type. FAILED_PRECONDITION.MISSING_RESOURCE
is to be used particularly when the user is performing an operation
that requires a particular resource to exist.
HTTP Mapping: 400 Bad Request or 500 Internal Server Error
Error Type: FAILED_PRECONDITION
"""
MISSING_RESOURCE
"""
Service Error.
There is a problem with an upstream service.
This may be returned if a gateway receives an unknown error from a service
or if a service is unreachable.
If a request times out which waiting on a response from a service,
`DEADLINE_EXCEEDED` may be returned instead.
If a service returns a more specific error Type, the specific error Type may
be returned instead.
HTTP Mapping: 502 Bad Gateway
Error Type: UNAVAILABLE
"""
SERVICE_ERROR
"""
Request failed due to network errors.
HTTP Mapping: 503 Unavailable
Error Type: UNAVAILABLE
"""
TCP_FAILURE
"""
Request throttled based on server concurrency limits.
HTTP Mapping: 503 Unavailable
Error Type: UNAVAILABLE
"""
THROTTLED_CONCURRENCY
"""
Request throttled based on server CPU limits
HTTP Mapping: 503 Unavailable.
Error Type: UNAVAILABLE
"""
THROTTLED_CPU
"""
The operation is not implemented or is not currently supported/enabled.
HTTP Mapping: 501 Not Implemented
Error Type: BAD_REQUEST
"""
UNIMPLEMENTED
"""
Unknown error.
This error should only be returned when no other error detail applies.
If a client sees an unknown errorDetail, it will be interpreted as UNKNOWN.
HTTP Mapping: 500 Internal Server Error
"""
UNKNOWN
}
enum ErrorType {
"""
Bad Request.
There is a problem with the request.
Retrying the same request is not likely to succeed.
An example would be a query or argument that cannot be deserialized.
HTTP Mapping: 400 Bad Request
"""
BAD_REQUEST
"""
The operation was rejected because the system is not in a state
required for the operation's execution. For example, the directory
to be deleted is non-empty, an rmdir operation is applied to
a non-directory, etc.
Service implementers can use the following guidelines to decide
between `FAILED_PRECONDITION` and `UNAVAILABLE`:
- Use `UNAVAILABLE` if the client can retry just the failing call.
- Use `FAILED_PRECONDITION` if the client should not retry until
the system state has been explicitly fixed. E.g., if an "rmdir"
fails because the directory is non-empty, `FAILED_PRECONDITION`
should be returned since the client should not retry unless
the files are deleted from the directory.
HTTP Mapping: 400 Bad Request or 500 Internal Server Error
"""
FAILED_PRECONDITION
"""
Internal error.
An unexpected internal error was encountered. This means that some
invariants expected by the underlying system have been broken.
This error code is reserved for serious errors.
HTTP Mapping: 500 Internal Server Error
"""
INTERNAL
"""
The requested entity was not found.
This could apply to a resource that has never existed (e.g. bad resource id),
or a resource that no longer exists (e.g. cache expired.)
Note to server developers: if a request is denied for an entire class
of users, such as gradual feature rollout or undocumented allowlist,
`NOT_FOUND` may be used. If a request is denied for some users within
a class of users, such as user-based access control, `PERMISSION_DENIED`
must be used.
HTTP Mapping: 404 Not Found
"""
NOT_FOUND
"""
The caller does not have permission to execute the specified
operation.
`PERMISSION_DENIED` must not be used for rejections
caused by exhausting some resource or quota.
`PERMISSION_DENIED` must not be used if the caller
cannot be identified (use `UNAUTHENTICATED`
instead for those errors).
This error Type does not imply the
request is valid or the requested entity exists or satisfies
other pre-conditions.
HTTP Mapping: 403 Forbidden
"""
PERMISSION_DENIED
"""
The request does not have valid authentication credentials.
This is intended to be returned only for routes that require
authentication.
HTTP Mapping: 401 Unauthorized
"""
UNAUTHENTICATED
"""
Currently Unavailable.
The service is currently unavailable. This is most likely a
transient condition, which can be corrected by retrying with
a backoff.
HTTP Mapping: 503 Unavailable
"""
UNAVAILABLE
"""
Unknown error.
For example, this error may be returned when
an error code received from another address space belongs to
an error space that is not known in this address space. Also
errors raised by APIs that do not return enough error information
may be converted to this error.
If a client sees an unknown errorType, it will be interpreted as UNKNOWN.
Unknown errors MUST NOT trigger any special behavior. These MAY be treated
by an implementation as being equivalent to INTERNAL.
When possible, a more specific error should be provided.
HTTP Mapping: 520 Unknown Error
"""
UNKNOWN
}
enum GenericAwsAssetFindingAggregatesSortProperty {
AWS_ACCOUNT_LABEL
AWS_REGION_LABEL
NAME_LABEL
RESOURCE_TYPE
RESOURCE_TYPE_LABEL
}
enum RelationalDatabaseAggregatesSortProperty {
DATABASE
SCHEMA
TABLE
}
enum S3BucketDataAggregatesSortProperty {
AWS_ACCOUNT_LABEL
AWS_REGION_LABEL
NAME_LABEL
}
enum S3ObjectAggregatesSortProperty {
ASSET_NAME
AWS_ACCOUNT_LABEL
AWS_REGION_LABEL
COMPRESSED
SCAN_TARGET_LABEL
}
enum SortOrder {
ASC
DESC
}
scalar Long
"""
Separate input for passing filters to the API. GraphQL inputs do not support
unions, so due to the disparate types we use a one size fits all input that
uses the type field to determine the right handler to use.
"""
input AssetFilterInput {
_internal: Boolean
}
input GenericAwsAssetFindingAggregatesSort {
property: GenericAwsAssetFindingAggregatesSortProperty!
sortOrder: SortOrder!
}
input RelationalDatabaseAggregatesSort {
property: RelationalDatabaseAggregatesSortProperty!
sortOrder: SortOrder!
}
input S3BucketDataAggregatesSort {
property: S3BucketDataAggregatesSortProperty!
sortOrder: SortOrder!
}
input S3ObjectAggregateSort {
property: S3ObjectAggregatesSortProperty!
sortOrder: SortOrder!
}
Updated almost 2 years ago