`antimatter`#

Subpackages#

Submodules#

Package Contents#

Classes#

`CapabilityRulesBuilder`	Builder class for creating a CapabilityRule.
`FactPoliciesBuilder`	Builder class for creating a list of FactPolicyRulesInner.
`FactPolicyArgumentBuilder`	Builder class for creating a FactPolicyRulesInnerArgumentsInner.
`ReadContextBuilder`	A builder class for constructing a ReadContext object.
`SettingsPutBuilder`	A builder class for constructing a Settings object.
`WriteContextBuilder`	Builder class for creating WriteContext objects.
`WriteContextConfigurationBuilder`	Builder class for creating WriteContextConfigInfo objects.
`WriteContextClassifierRuleBuilder`	Builder class for creating a WriteContextRegexRule
`CapabilityOperator`	Enum class for defining the operator of the match expression.
`Operation`	Enum class for defining the operation.
`Result`	Enum class for defining the result.
`FactArgumentSource`	Enum class for defining the source of a fact policy argument.
`FactOperator`	Enum class for defining the operator of a fact policy.
`Hook`	Enum representing the available hooks.
`PrincipalType`	Enum class for defining the principal type.
`ProviderType`	Enum class for defining the type of identity provider.
`Action`	Enum class for defining the action of the rule.
`Operator`	Enum class for defining the operator of the match expression.
`Source`	Enum class for defining the source of the match expression.
`TokenFormat`	Enum class for defining the format of the token.
`TokenScope`	Enum class for defining the scope of the token.
`WriteContextHookMode`	Class representing the mode of the WriteContextHook.
`RuleEffect`	Create a collection of name/value pairs.
`AssignPriority`	Create a collection of name/value pairs.
`ClauseOperator`	Create a collection of name/value pairs.
`Attachment`	Create a collection of name/value pairs.
`ExpressionBuilder`
`TagExpressionBuilder`
`CapabilityExpressionBuilder`
`ReadParameterExpressionBuilder`
`FactExpressionBuilder`
`FactExpressionArgumentBuilder`
`VariableBuilder`
`DataPolicyClauseBuilder`
`NewDataPolicyRuleBuilder`
`DataPolicyRuleChangesBuilder`
`CapsuleTag`	Defines a capsule tag manually set to apply a rule to a capsule.
`ColumnTag`	Defines a column tag manually set to apply a rule to a particular column of data.
`SpanTag`	Defines a span tag manually to the data contained in the cell path. The tag
`TagType`	The span tag types
`Datatype`	Datatype is an enumeration of the compatible datatypes supported by
`FieldType`	FieldType is an enumeration of the compatible field types supported by
`Session`	The Session establishes auth and the domain you are working with, providing
`Authentication`	This is an abstract class for authentication. These methods must be implemented by the child classes.
`OAuthAuthentication`	This is an abstract class which should be used by OAuth clients for authentication.
`ApiKeyAuthentication`	This is an agent which uses an API key for authentication.
`GoogleOAuthAuthentication`	A base authentication class which uses google oauth device flow for authentication.
`Unauthenticated`	An unauthenticated agent which does not have any authentication.
`StaticOAuthAuthentication`	A static authentication agent uses a static oauth token.
`OAuthDomainAuthentication`	A domain authentication class which uses an oauth token for authentication.
`Authorization`	Helper class that provides a standard way to create an ABC using
`TokenAuthorization`	Helper class that provides a standard way to create an ABC using

Functions#

`antimatter_delegated_aws_key_info`(...)	Create a KeyInfos object with Antimatter delegated AWS key information
`aws_service_account_key_info`(→ antimatter_api.KeyInfos)	Create a KeyInfos object with AWS service account key information
`gcp_service_account_key_info`(→ antimatter_api.KeyInfos)	Create a KeyInfos object with GCP service account key information
`cell_path`(cname, rnum)	Helper function to get a cell path name from a column name and row number.
`new_domain`(→ Session)	Create a new domain with the provided email as the admin contact. A
`load_domain`(→ Session)	Load an existing domain. There are several different ways to specify the domain

class antimatter.CapabilityRulesBuilder(*rules)#

Builder class for creating a CapabilityRule.

Parameters:: rules – A list of tuples containing the name, operator, and values of the match expression.

with_rule(name: str, operator: antimatter.constants.CapabilityOperator | str | None, values: List[str] | None = None) → CapabilityRulesBuilder#

Add a match expression to the rule.

Parameters:

name – The name of the match expression.
operator – The operator of the match expression.
values – The values of the match expression.

build() → antimatter_api.CapabilityRule#

Build the rule.

Returns:: The CapabilityRule which can be used to create a new capability.

class antimatter.FactPoliciesBuilder#

Builder class for creating a list of FactPolicyRulesInner.

with_policy(name: str, operator: antimatter.constants.FactOperator | str, *policies: FactPolicyArgumentBuilder) → FactPoliciesBuilder#

Add a policy to the list.

Parameters:

name – The name of the policy.
operator – The operator of the policy.
policies – The arguments of the policy.

Returns:

The builder instance.

build() → List[antimatter_api.FactPolicyRulesInner]#

Build the list of policies.

Returns:: The built list of policies.

class antimatter.FactPolicyArgumentBuilder(source: str | antimatter.constants.FactArgumentSource, capability: str | None = None, any_value: bool | None = None, value: str | None = None)#

Builder class for creating a FactPolicyRulesInnerArgumentsInner.

Parameters:

source – The source of the argument.
capability – The capability of the argument.
any_value – Whether the argument can be any value.
value – The value of the argument.

build() → antimatter_api.FactPolicyRulesInnerArgumentsInner#

Build the argument.

Returns:: The built argument.

class antimatter.ReadContextBuilder#

A builder class for constructing a ReadContext object.

set_summary(summary: str) → ReadContextBuilder#

Sets the summary of the ReadContext.

Parameters:: summary – The summary to set.
Returns:: The instance of the builder.

set_description(description: str) → ReadContextBuilder#

Sets the description of the ReadContext.

Parameters:: description – The description to set.
Returns:: The instance of the builder.

add_required_hook(name: antimatter.constants.Hook | str, constraint: str = '>1.0.0', write_context: str = None) → ReadContextBuilder#

Adds a required hook to the ReadContext.

Parameters:

name – The name of the hook.
constraint – The constraint of the hook.
write_context – The write context for the hook

Returns:

The instance of the builder.

add_read_parameter(key: str, required: bool, description: str) → ReadContextBuilder#

Adds a read parameter to the ReadContext.

Parameters:

key – The key of the parameter.
required – Whether the parameter is required.
description – The description of the parameter.

Returns:

The instance of the builder.

set_key_cache_ttl(ttl: int) → ReadContextBuilder#

Sets the recommended TTL for client-side CapsuleOpenResponses associated with this ReadContext.

Parameters:: ttl – The TTL to set.
Returns:: The instance of the builder.

set_disable_read_logging() → ReadContextBuilder#

Instructs the client that read logging associated with this ReadContext can be skipped, which speeds up access to capsules.

Returns:: This instance of the builder.

build() → antimatter_api.AddReadContext#

Builds the ReadContext and returns it.

Returns:: The built ReadContext.

class antimatter.SettingsPutBuilder#

A builder class for constructing a Settings object.

set_default_display_name(name: str) → SettingsPutBuilder#

Sets the active_admin_contacts of the domain settings.

Parameters:: name – The new default display name
Returns:: The instance of the builder.

set_default_token_lifetime(lifetime: int) → SettingsPutBuilder#

Sets the set_default_token_lifetime of the domain settings.

Parameters:: lifetime – The new default token lifetime
Returns:: The instance of the builder.

set_maximum_token_lifetime(lifetime: int) → SettingsPutBuilder#

Sets the maximum_token_lifetime of the domain settings.

Parameters:: lifetime – The new maximin token lifetime
Returns:: The instance of the builder.

set_active_admin_contacts(contacts: List[str]) → SettingsPutBuilder#

Sets the set_active_admin_contacts of the domain settings. Note: this list cannot contain any new contacts and should only be used to remove current active admin contacts. To add new active admin contacts, fist add the contacts to the pending contacts list using set_pending_admin_contacts. Once updated, a verification request will then be sent to the contact, and once verified, the contact will be converted into an active admin contact.

Parameters:: contacts – The new list of active admin contacts
Returns:: The instance of the builder.

set_pending_admin_contacts(contacts: List[str]) → SettingsPutBuilder#

Sets the pending_admin_contacts of the domain settings.

Parameters:: contacts – The new list of pending admin contacts
Returns:: The instance of the builder.

build() → antimatter_api.NewDomainSettings#

Builds the NewDomainSettings and returns it.

Returns:: The built NewDomainSettings.

class antimatter.WriteContextBuilder#

Builder class for creating WriteContext objects.

set_summary(summary: str) → WriteContextBuilder#

Set the summary of the WriteContext.

Parameters:: summary – The summary to set.
Returns:: The WriteContextBuilder instance.

set_description(description: str) → WriteContextBuilder#

Set the description of the WriteContext.

Parameters:: description – The description to set.
Returns:: The WriteContextBuilder instance.

add_hook(name: antimatter.constants.Hook | str, constraint: str = '>1.0.0', mode: antimatter.constants.WriteContextHookMode | str = WriteContextHookMode.Sync) → WriteContextBuilder#

Add a hook to the WriteContext.

Parameters:

name – The name of the hook.
constraint – The constraint of the hook.
mode – The mode of the hook.

Returns:

The WriteContextBuilder instance.

set_key_reuse_ttl(seconds: int) → WriteContextBuilder#

Set the recommended key reuse TTL, which instructs the client to reuse encryption keys (and associated capsule IDs) for up to this duration in seconds.

Parameters:: seconds – The TTL in seconds to set.
Returns:: The WriteContextBuilder instance.

build() → antimatter_api.AddWriteContext#

Build the WriteContext.

Returns:: The built WriteContext.

class antimatter.WriteContextConfigurationBuilder#

Builder class for creating WriteContextConfigInfo objects.

add_hook(name: antimatter.constants.Hook | str, constraint: str = '>1.0.0', mode: antimatter.constants.WriteContextHookMode | str = WriteContextHookMode.Sync) → WriteContextConfigurationBuilder#

Add a hook to the WriteContextConfigurationBuilder.

Parameters:

name – The name of the hook.
constraint – The constraint of the hook.
mode – The mode of the hook.

Returns:

The WriteContextConfigurationBuilder instance.

set_key_reuse_ttl(seconds: int) → WriteContextConfigurationBuilder#

Set the recommended key reuse TTL, which instructs the client to reuse encryption keys (and associated capsule IDs) for up to this duration in seconds.

Parameters:: seconds – The TTL in seconds to set.
Returns:: The WriteContextConfigurationBuilder instance.

build() → antimatter_api.WriteContextConfigInfo#

Build the WriteContextConfigInfo.

Returns:: The built WriteContextConfigInfo.

class antimatter.WriteContextClassifierRuleBuilder#

Builder class for creating a WriteContextRegexRule

add_regex_rule(pattern: str, match_on_key: bool = False) → WriteContextClassifierRuleBuilder#

Create a new regex rule builder.

Parameters:

pattern – The regex pattern for matching
match_on_key – If True, match against the key instead of the field

Returns:

The builder instance

add_llm_config(model: str, prompt: str) → WriteContextClassifierRuleBuilder#

Add LLM config to the rule

Parameters:

model – The LLM model to use
prompt – The prompt to use

Returns:

The builder instance

add_span_tag(name: str, tag_type: str | antimatter.tags.TagType = TagType.Unary, value: str | None = None) → WriteContextClassifierRuleBuilder#

The span tag to add when the regex rule matches

Parameters:

name – The span tag name
tag_type – The span tag type; default ‘unary’
value – The span tag value, if the tag_type is not ‘unary’

Returns:

The builder instance

add_capsule_tag(name: str, tag_type: str | antimatter.tags.TagType = TagType.Unary, value: str | None = None) → WriteContextClassifierRuleBuilder#

The capsule tag to add when the regex rule matches

Parameters:

name – The capsule tag name
tag_type – The capsule tag type; default ‘unary’
value – The capsule tag value, if the tag_type is not ‘unary’

Returns:

The builder instance

build() → antimatter_api.ClassifierRule#

Build the rule.

Returns:: The built rule

antimatter.antimatter_delegated_aws_key_info(key_arn: str) → antimatter_api.KeyInfos#

Create a KeyInfos object with Antimatter delegated AWS key information

Example usage:

key_info = antimatter_delegated_aws_key_info(key_arn="key_arn")

Parameters:: key_arn – The key ARN
Returns:: A KeyInfos object with the specified key information

antimatter.aws_service_account_key_info(access_key_id: str, secret_access_key: str, key_arn: str = '') → antimatter_api.KeyInfos#

Create a KeyInfos object with AWS service account key information

Example usage:

key_info = aws_service_account_key_info(
    access_key_id="access_key_id", secret_access_key="secret_access_key", key_arn="key_arn"
)

Parameters:

access_key_id – The access key ID
secret_access_key – The secret access key
key_arn – The key ARN

Returns:

A KeyInfos object with the specified key information

antimatter.gcp_service_account_key_info(project_id: str, location: str, key_ring_id: str = '', key_id: str = '', service_account_credentials: str = '', service_account_credentials_path: str = '') → antimatter_api.KeyInfos#

Create a KeyInfos object with GCP service account key information

Example usage:

key_info = gcp_service_account_key_info(
    project_id="project_id",
    location="location",
    key_ring_id="key_ring_id",
    key_id="key_id",
    service_account_credentials="<service_account_credentials_as_json_string>",
    service_account_credentials_path="/path/to/service_account_credentials.json"
)

Either service_account_credentials or service_account_credentials_path should be provided.

Parameters:

project_id – The project ID
location – The location
key_ring_id – The key ring ID
key_id – The key ID
service_account_credentials – The service account credentials as JSON string
service_account_credentials_path – The path to the service account credentials

Returns:

A KeyInfos object with the specified key information

class antimatter.CapabilityOperator#

Bases: str, enum.Enum

Enum class for defining the operator of the match expression.

In = 'In'#

NotIn = 'NotIn'#

Exists = 'Exists'#

NotExists = 'NotExists'#

class antimatter.Operation#

Bases: str, enum.Enum

Enum class for defining the operation.

Edit = 'edit'#

View = 'view'#

Use = 'use'#

class antimatter.Result#

Bases: str, enum.Enum

Enum class for defining the result.

Allow = 'allow'#

Deny = 'deny'#

class antimatter.FactArgumentSource#

Bases: str, enum.Enum

Enum class for defining the source of a fact policy argument.

DomainIdentity = 'domainIdentity'#

Literal = 'literal'#

Any = 'any'#

class antimatter.FactOperator#

Bases: str, enum.Enum

Enum class for defining the operator of a fact policy.

Exists = 'Exists'#

NotExists = 'NotExists'#

class antimatter.Hook#

Bases: str, enum.Enum

Enum representing the available hooks.

Fast = 'fast-pii'#

Accurate = 'accurate-pii'#

Regex = 'regex-classifier'#

Datastructure = 'data-structure-classifier'#

LLM = 'llm-classifier'#

class antimatter.PrincipalType#

Bases: str, enum.Enum

Enum class for defining the principal type.

ApiKey = 'APIKey'#

Email = 'Email'#

HostedDomain = 'HostedDomain'#

class antimatter.ProviderType#

Bases: str, enum.Enum

Enum class for defining the type of identity provider.

GoogleOAuth = 'GoogleOAuth'#

ApiKey = 'APIKey'#

MicrosoftOAuth = 'MicrosoftOAuth'#

class antimatter.Action#

Bases: str, enum.Enum

Enum class for defining the action of the rule.

DenyCapsule = 'DenyCapsule'#

DenyRecord = 'DenyRecord'#

Redact = 'Redact'#

Tokenize = 'Tokenize'#

Allow = 'Allow'#

class antimatter.Operator#

Bases: str, enum.Enum

Enum class for defining the operator of the match expression.

In = 'In'#

NotIn = 'NotIn'#

Exists = 'Exists'#

NotExists = 'NotExists'#

DateDeltaLessThan = 'DateDeltaLessThan'#

DateDeltaGreaterThan = 'DateDeltaGreaterThan'#

Any = 'Any'#

class antimatter.Source#

Bases: str, enum.Enum

Enum class for defining the source of the match expression.

DomainIdentity = 'domainIdentity'#

ReadParameters = 'readParameters'#

Tags = 'tags'#

Literal = 'literal'#

class antimatter.TokenFormat#

Bases: str, enum.Enum

Enum class for defining the format of the token.

Explicit = 'explicit'#

Synthetic = 'synthetic'#

class antimatter.TokenScope#

Bases: str, enum.Enum

Enum class for defining the scope of the token.

Unique = 'unique'#

Capsule = 'capsule'#

Domain = 'domain'#

class antimatter.WriteContextHookMode#

Bases: str, enum.Enum

Class representing the mode of the WriteContextHook.

Sync = 'sync'#

Async = 'async'#

class antimatter.RuleEffect(*args, **kwds)#

Bases: enum.Enum

Create a collection of name/value pairs.

Example enumeration:

>>> class Color(Enum):
...     RED = 1
...     BLUE = 2
...     GREEN = 3

Access them by:

attribute access:

>>> Color.RED
<Color.RED: 1>

value lookup:

>>> Color(1)
<Color.RED: 1>

name lookup:

>>> Color['RED']
<Color.RED: 1>

Enumerations can be iterated over, and know how many members they have:

>>> len(Color)
3

>>> list(Color)
[<Color.RED: 1>, <Color.BLUE: 2>, <Color.GREEN: 3>]

Methods can be added to enumerations, and members can have their own attributes – see the documentation for details.

DENYCAPSULE#

DENYRECORD#

REDACT#

TOKENIZE#

ALLOW#

class antimatter.AssignPriority(*args, **kwds)#

Bases: enum.Enum

Create a collection of name/value pairs.

Example enumeration:

>>> class Color(Enum):
...     RED = 1
...     BLUE = 2
...     GREEN = 3

Access them by:

attribute access:

>>> Color.RED
<Color.RED: 1>

value lookup:

>>> Color(1)
<Color.RED: 1>

name lookup:

>>> Color['RED']
<Color.RED: 1>

Enumerations can be iterated over, and know how many members they have:

>>> len(Color)
3

>>> list(Color)
[<Color.RED: 1>, <Color.BLUE: 2>, <Color.GREEN: 3>]

Methods can be added to enumerations, and members can have their own attributes – see the documentation for details.

FIRST = 'first'#

LAST = 'last'#

class antimatter.ClauseOperator(*args, **kwds)#

Bases: enum.Enum

Create a collection of name/value pairs.

Example enumeration:

>>> class Color(Enum):
...     RED = 1
...     BLUE = 2
...     GREEN = 3

Access them by:

attribute access:

>>> Color.RED
<Color.RED: 1>

value lookup:

>>> Color(1)
<Color.RED: 1>

name lookup:

>>> Color['RED']
<Color.RED: 1>

Enumerations can be iterated over, and know how many members they have:

>>> len(Color)
3

>>> list(Color)
[<Color.RED: 1>, <Color.BLUE: 2>, <Color.GREEN: 3>]

Methods can be added to enumerations, and members can have their own attributes – see the documentation for details.

AllOf = 'AllOf'#

NotAllOf = 'NotAllOf'#

AnyOf = 'AnyOf'#

NotAnyOf = 'NotAnyOf'#

Always = 'Always'#

class antimatter.Attachment(*args, **kwds)#

Bases: enum.Enum

Create a collection of name/value pairs.

Example enumeration:

>>> class Color(Enum):
...     RED = 1
...     BLUE = 2
...     GREEN = 3

Access them by:

attribute access:

>>> Color.RED
<Color.RED: 1>

value lookup:

>>> Color(1)
<Color.RED: 1>

name lookup:

>>> Color['RED']
<Color.RED: 1>

Enumerations can be iterated over, and know how many members they have:

>>> len(Color)
3

>>> list(Color)
[<Color.RED: 1>, <Color.BLUE: 2>, <Color.GREEN: 3>]

Methods can be added to enumerations, and members can have their own attributes – see the documentation for details.

Inherit = 'Inherit'#

NotAttached = 'NotAttached'#

Attached = 'Attached'#

class antimatter.ExpressionBuilder#

set_name(name: str) → ExpressionBuilder#

add_value(value: str) → ExpressionBuilder#

set_operator(operator: str) → ExpressionBuilder#

add_variable(variable: VariableBuilder) → ExpressionBuilder#

class antimatter.TagExpressionBuilder#

Bases: ExpressionBuilder

build() → antimatter_api.TagExpression#

class antimatter.CapabilityExpressionBuilder#

Bases: ExpressionBuilder

build() → antimatter_api.CapabilityExpression#

class antimatter.ReadParameterExpressionBuilder#

Bases: ExpressionBuilder

build() → antimatter_api.ReadParameterExpression#

class antimatter.FactExpressionBuilder#

set_type(fact_type: str) → FactExpressionBuilder#

set_operator(operator: str) → FactExpressionBuilder#

add_argument(operator: antimatter.constants.Operator, values: List[str] = []) → FactExpressionBuilder#

add_variable(variable: VariableBuilder) → FactExpressionBuilder#

build() → antimatter_api.FactExpression#

class antimatter.FactExpressionArgumentBuilder#

set_operator(operator: str) → FactExpressionArgumentBuilder#

add_value(value: str) → FactExpressionArgumentBuilder#

build() → antimatter_api.FactExpressionArgumentsInner#

class antimatter.VariableBuilder#

set_variable_name(name: str) → VariableBuilder#

set_source(source: str) → VariableBuilder#

set_tag_name(tag_name: str) → VariableBuilder#

set_capability_name(capability_name: str) → VariableBuilder#

set_fact_type(fact_type: str) → VariableBuilder#

add_fact_argument(argument: FactExpressionArgumentBuilder) → VariableBuilder#

add_variable(variable: VariableBuilder) → VariableBuilder#

build() → antimatter_api.VariableDefinition#

class antimatter.DataPolicyClauseBuilder(operator: ClauseOperator)#

add_tag(tag: TagExpressionBuilder) → DataPolicyClauseBuilder#

add_capability(capability: CapabilityExpressionBuilder) → DataPolicyClauseBuilder#

add_fact(fact: FactExpressionBuilder) → DataPolicyClauseBuilder#

add_read_parameter(read_parameter: ReadParameterExpressionBuilder) → DataPolicyClauseBuilder#

build() → antimatter_api.DataPolicyClause#

class antimatter.NewDataPolicyRuleBuilder(effect: RuleEffect, comment: str | None = None, token_scope: TokenScope | None = None, token_format: TokenFormat | None = None, assign_priority: AssignPriority | None = None, priority: int | None = None)#

add_clause(clause: DataPolicyClauseBuilder) → NewDataPolicyRuleBuilder#

build() → antimatter_api.NewDataPolicyRule#

class antimatter.DataPolicyRuleChangesBuilder#

add_rule(rule: NewDataPolicyRuleBuilder) → DataPolicyRuleChangesBuilder#

delete_rules(rule_ids: List[str]) → DataPolicyRuleChangesBuilder#

build() → antimatter_api.DataPolicyRuleChanges#

class antimatter.CapsuleTag#

Defines a capsule tag manually set to apply a rule to a capsule.

name: str#

tag_type: TagType#

tag_value: str = ''#

class antimatter.ColumnTag#

Defines a column tag manually set to apply a rule to a particular column of data.

column_name: str#

tag_names: List[str]#

tag_type: TagType#

tag_value: str = ''#

class antimatter.SpanTag#

Defines a span tag manually to the data contained in the cell path. The tag is applied to the subset of data contained between start (inclusive) and end (exclusive).

The cell path describes which cell to apply this tag to. Cell paths can be created using the antimatter.cell_utils.cell_path(cname, rnum) helper function, which takes the name of the column and the row number. As an example, if the cell to apply this span tag to was in a column named “name” and was in row 10 of the data, the cell path would be “name[9]” (the first row would be number 0).

name: str#

start: int | None#

end: int | None#

cell_path: str = ''#

tag_type: TagType#

tag_value: str = ''#

class antimatter.TagType(*args, **kwds)#

Bases: enum.Enum

The span tag types

Unary = 0#

String = 1#

Number = 2#

Boolean = 3#

Date = 4#

antimatter.cell_path(cname: str, rnum: int)#

Helper function to get a cell path name from a column name and row number. This can be used for a manual SpanTag

Parameters:

cname – The column name of the cell
rnum – The row number of the cell

Returns:

The name of the cell path

class antimatter.Datatype#

Bases: str, enum.Enum

Datatype is an enumeration of the compatible datatypes supported by antimatter, plus the ‘Unknown’ default placeholder.

Unknown#

Scalar#

Dict#

DictList#

PandasDataframe#

PytorchDataLoader#

LangchainRetriever#

class antimatter.FieldType#

Bases: str, enum.Enum

FieldType is an enumeration of the compatible field types supported by antimatter.

String#

Bytes#

Bool#

Int#

Float#

Date#

DateTime#

Time#

Timestamp#

Timedelta#

Decimal#

class antimatter.Session(authn: antimatter.authn.Authentication)#

The Session establishes auth and the domain you are working with, providing both a standard instantiation or a context manager in which a Capsule and its underlying data can be interacted with.

property domain_id#: Return the current domain ID

property api_key#: Return the API key in use by this session

property session#

config()#: Returns the configuration of this Session

classmethod from_api_key(domain_id: str, api_key: str, admin_email: str | None = None, enable_retries: bool = True) → Session#

Create a new session with the provided domain ID and API key.

Parameters:

domain_id – The domain ID
api_key – The API key for the domain
admin_email – The admin email for the domain
enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session holding the domain_id and api_key

classmethod from_google_oauth(domain: str = None, identity_provider_name: str = 'google', reset_credentials: bool = False, token: str = None, enable_retries: bool = True) → Session#

Create a new session authenticated with a Google OAuth token. If a domain is provided, the session will be authenticated with that domain and identity provider (default: google). If a token is provided, the session will be authenticated with that token. The token refresh is not handled by the session in that case. Upstream services should handle the token refresh.

Parameters:

domain – Optional domain ID to authenticate with
identity_provider_name – Optional identity provider name to authenticate with
reset_credentials – If True, any stored oauth credentials will be reset
token – An optional static OAuth token
enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session authenticated with a Google OAuth token

new_domain(admin_email: str, reauthenticate: bool = False, display_name: str = None) → Dict[str, Any]#

Create a new domain with the provided email as the admin contact. A verification email will be sent to that email. Verification must be completed before the Antimatter API can be interacted with.

Parameters:

admin_email – The email address of the domain administrator
reauthenticate – If True, the current session will be reauthenticated with the new domain
display_name – The display name for the new domain

Returns:

The domain metadata

with_domain(domain_id: str = None, nickname: str = None, alias: str = None) → None#

Use a child domain for the current session. Uses the parent’s authz to authenticate and authorize all requests. Obtains the child domain either by domain ID or nickname or alias.

Parameters:

domain_id – The domain ID of the child domain
nickname – The nickname of the child domain
alias – The alias of the child domain

load_capsule(path: str | None = None, data: bytes | EncapsulateResponse | None = None, read_context: str = None, read_params: Dict[str, str] = {}) → antimatter.capsule.Capsule | None#

load_capsule creates a capsule, extracting data from an Antimatter Capsule binary blob, either provided in raw bytes or as a string path to a local or remote file.

If the as_datatype parameter is supplied and the data is a binary blob Antimatter Capsule, the data will be extracted in that format. If the data is data for saving to an Antimatter Capsule, as_datatype will specify the default format for the data when loaded from the blob.

Parameters:

path – The location of the Capsule as a local or remote path.
data – The data to load into an Antimatter Capsule.
read_context – The name of the role policy to use for reading data

encapsulate(data: Any = None, write_context: str = None, span_tags: List[antimatter.tags.SpanTag] = None, column_tags: List[antimatter.tags.ColumnTag] = None, as_datatype: antimatter.datatype.datatypes.Datatype | str = Datatype.Unknown, skip_classify_on_column_names: List[str] = None, path: str | None = None, subdomains_from: str | None = None, create_subdomains: bool | None = False, data_file_path: str | None = None, data_file_hint: str | None = None, **kwargs) → EncapsulateResponse#

Saves the provided Capsule’s data, or the provided data using the provided write context. If ‘as_datatype’ is provided, the default datatype for the raw data will use the specified type.

One of ‘data’ or ‘path’ must be provided.

Parameters:

data – Raw data in a Capsule-supported format
write_context – The name of the role policy to use for writing data
span_tags – The span tags to manually apply to the data
column_tags – Tags to apply to entire columns by name
as_datatype – The datatype to override the provided data with when the capsule is read
skip_classify_on_column_names – List of columns to skip classifying
path – If provided, the local or remote path to save the capsule to
subdomains_from – column in the raw data that represents the subdomain
create_subdomains – allow missing subdomains to be created
data_file_path – Optional path to a file containing data to be read. If provided, data from this file will be used instead of the ‘data’ parameter.
data_file_hint – Optional hint indicating the format of the data in the file specified by ‘data_file_hint’. Supported formats include ‘json’, ‘csv’, ‘txt’, ‘parquet’. If not specified, data will be read as plain text.

Returns:

The response containing capsule metadata and the raw blob of the capsule if no path was provided.

with_new_peer_domain(import_alias_for_child: str, display_name_for_child: str, nicknames: List[str] | None = None, import_alias_for_parent: str | None = None, display_name_for_parent: str | None = None, link_all: bool = True, link_identity_providers: bool = None, link_facts: bool = None, link_read_contexts: bool = None, link_write_contexts: bool = None, link_capabilities: bool = None, link_domain_policy: bool = None, link_capsule_access_log: bool = None, link_control_log: bool = None, link_capsule_manifest: bool = None) → Session#

Creates a new peer domain, returning the authenticated session for that new domain.

Parameters:

import_alias_for_child – The import alias for the child domain
display_name_for_child – The display name for the child domain
nicknames – The nicknames for the child domain
import_alias_for_parent – The import alias for the parent domain
display_name_for_parent – The display name for the parent domain
link_all – Link all available resources
link_identity_providers – Link identity providers
link_facts – Link facts
link_read_contexts – Link read contexts
link_write_contexts – Link write contexts
link_capabilities – Link capabilities
link_domain_policy – Link domain policy
link_capsule_access_log – Link capsule access log
link_control_log – Link control log
link_capsule_manifest – Link capsule manifest

Returns:

The authenticated session for the new domain

Generate the admin URL for the domain. By default, this is the domain for this session. If one of the peer_domain_id, nickname, or alias are provided, the admin URL will be generated for the subdomain that matches.

Parameters:

company_name – The name of the company to display
peer_domain_id – The domain ID of the peer
nickname – The nickname for the peer domain
alias – One of the aliases of the peer domain
token_lifetime – How long the token should last for, in seconds

Returns:

The admin URL

list_capabilities() → List[antimatter_api.CapabilityDefinition]#

Get the capabilities for the session’s domain.

Returns:: A list of capabilities.

get_capability(name: str) → antimatter_api.CapabilityDefinition#

Get a specific capability for the session’s domain.

Parameters:: name – The name for this capability, like “admin”
Returns:: The details of the capability.

put_capability(name: str, summary: str, description: str | None = None, unary: bool = True, create_only: bool = False) → None#

Create or update a capability. A capability is attached to authenticated domain identities by an identity provider, and confers additional permissions upon the identity. This is done by writing domain policy rules that reference the capability.

Parameters:

name – The name for this capability, like “admin”
summary – A short, single sentence description of this capability
description – An optional longer form description of this capability
unary – A unary capability does not have a value
create_only – If True, an error will be returned if a capability with the name already exists

delete_capability(name: str) → None#

Delete a capability.

Parameters:: name – The name of the capability, like “admin”

Returns an iterator over the capsules available for the current domain and auth

Parameters:

start_date – The earlier date of the date range. As results are returned in reverse chronological order, this date corresponds with the end of the result set. This should be a timezone-aware datetime, or else will be treated as the system timezone
end_date – The later date of the date range. As results are returned in reverse chronological order, this date corresponds with the beginning of the result set. If not specified, defaults to the current time. This should be a timezone-aware datetime, or else will be treated as the system timezone
duration – The query time range duration. This can be a timedelta or a string such as ‘2h’. When using duration, by default the query time range ends ‘now’, unless one of start_date or end_date is specified. If both start_date and end_date are specified, duration is ignored. If using a string value, valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”, “d”, “mo”, “y”. These can be grouped together, such as 1h5m30s.
span_tag – The span tag you would like to filter on. This accepts a tag key only and will return all span tag key results matching the provided tag key. If not specified, this field is ignored.
sort_on – The capsule field you would like to sort on. This accepts the field only and will return results ordered on the provided field. If not specified, this field is ignored.
ascending – This defines whether a sorted result should be order ascending. This accepts a boolean value and when true will work in combination with the sort_on and start_after parameters to return values in ascending order. If not specified, this field is ignored and treated as false.

get_capsule_info(capsule_id: str) → antimatter_api.CapsuleInfo#

Get the summary information about the capsule.

Parameters:: capsule_id – The identifier for the capsule
Returns:: The summary information about the capsule

upsert_capsule_tags(capsule_id: str, tags: List[antimatter.tags.CapsuleTag]) → None#

Upsert the capsule-level tags to apply to a capsule.

Parameters:

capsule_id – The capsule to apply tags to
tags – The tags to apply to the capsule

delete_capsule_tags(capsule_id: str, tag_names: List[str]) → None#

Delete capsule-level tags

Parameters:

capsule_id – The capsule to delete tags from
tag_names – The names of the tags to delete

new_peer_domain(import_alias_for_child: str, display_name_for_child: str, nicknames: List[str] | None = None, import_alias_for_parent: str | None = None, display_name_for_parent: str | None = None, link_all: bool = True, link_identity_providers: bool = None, link_facts: bool = None, link_read_contexts: bool = None, link_write_contexts: bool = None, link_capabilities: bool = None, link_domain_policy: bool = None, link_root_encryption_keys: bool = None, link_capsule_access_log: bool = None, link_control_log: bool = None, link_capsule_manifest: bool = None) → antimatter_api.NewDomainResponse#

Creates a new peer domain

Parameters:

import_alias_for_child – The import alias for the child domain
display_name_for_child – The display name for the child domain
nicknames – The nicknames for the child domain
import_alias_for_parent – The import alias for the parent domain
display_name_for_parent – The display name for the parent domain
link_all – Whether to link all capabilities
link_identity_providers – Whether to link identity providers
link_facts – Whether to link facts
link_read_contexts – Whether to link read contexts
link_write_contexts – Whether to link write contexts
link_capabilities – Whether to link capabilities
link_domain_policy – Whether to link domain policy
link_root_encryption_keys – Whether to link root encryption keys
link_capsule_access_log – Whether to link capsule access log
link_control_log – Whether to link control log
link_capsule_manifest – Whether to link capsule manifest

Returns:

The new peer domain

get_peer(nickname: str | None = None, alias: str | None = None) → str#

Retrieve the domain ID of a domain that is configured as a peer of this session’s domain by using either its alias or one of its nicknames.

Parameters:

nickname – The nickname for the peer domain
alias – One of the aliases of the peer domain

Returns:

The domain ID

list_peers() → List[antimatter_api.DomainPeerListPeersInner]#

Return a list of the peers of this session’s domain.

Returns:: The peer list, containing IDs and other information about the domains

get_peer_config(peer_domain_id: str | None = None, nickname: str | None = None, alias: str | None = None) → antimatter_api.DomainPeerConfig#

Get a peer configuration using one of the peer’s domain ID, nickname, or alias.

Parameters:

peer_domain_id – The domain ID of the peer
nickname – The nickname for the peer domain
alias – One of the aliases of the peer domain

Returns:

The full peer configuration

update_peer(display_name: str, peer_domain_id: str | None = None, nickname: str | None = None, alias: str | None = None, export_identity_providers: List[str] | None = None, export_all_identity_providers: bool | None = None, export_facts: List[str] | None = None, export_all_facts: bool | None = None, export_read_contexts: List[str] | None = None, export_all_read_contexts: bool | None = None, export_write_contexts: List[str] | None = None, export_all_write_contexts: bool | None = None, export_capabilities: List[str] | None = None, export_all_capabilities: bool | None = None, export_domain_policy: bool | None = None, export_root_encryption_keys: bool | None = None, export_capsule_access_log: bool | None = None, export_control_log: bool | None = None, export_capsule_manifest: bool | None = None, export_billing: bool | None = None, export_admin_contact: bool | None = None, export_data_policies: str | None = None, export_all_data_policies: bool | None = None, nicknames: List[str] | None = None, import_alias: str | None = None, forward_billing: bool | None = None, forward_admin_communications: bool | None = None, import_identity_providers: List[str] | None = None, import_all_identity_providers: bool | None = None, import_facts: List[str] | None = None, import_all_facts: bool | None = None, import_read_contexts: List[str] | None = None, import_all_read_contexts: bool | None = None, import_write_contexts: List[str] | None = None, import_all_write_contexts: bool | None = None, import_capabilities: List[str] | None = None, import_all_capabilities: bool | None = None, import_domain_policy: bool | None = None, import_root_encryption_keys: bool | None = None, import_precedence: int | None = None, import_capsule_access_log: bool | None = None, import_control_log: bool | None = None, import_capsule_manifest: bool | None = None, import_data_policies: str | None = None, import_all_data_policies: bool | None = None) → None#

Create or update the configuration for this peer using one of the peer’s domain ID, nickname, or alias. Please note, if the configuration already exists, it is updated to reflect the values in the request. This will include setting the fields to their default value if not supplied.

Parameters:

display_name – The display name for the peer domain
peer_domain_id – The domain ID of the peer
nickname – The nickname for the peer domain
alias – One of the aliases of the peer domain
export_identity_providers – The identity providers to export
export_all_identity_providers – Whether to export all identity providers
export_facts – The facts to export
export_all_facts – Whether to export all facts
export_read_contexts – The read contexts to export
export_all_read_contexts – Whether to export all read contexts
export_write_contexts – The write contexts to export
export_all_write_contexts – Whether to export all write contexts
export_capabilities – The capabilities to export
export_all_capabilities – Whether to export all capabilities
export_domain_policy – Whether to export the domain policy
export_root_encryption_keys – Whether to export the root encryption keys
export_capsule_access_log – Whether to export the capsule access log
export_control_log – Whether to export the control log
export_capsule_manifest – Whether to export the capsule manifest
export_billing – Whether to export billing information
export_admin_contact – Whether to export the admin contact
nicknames – The nicknames for the peer domain
import_alias – The import alias for the peer domain
forward_billing – Whether to forward billing information
forward_admin_communications – Whether to forward admin communications
import_identity_providers – The identity providers to import
import_all_identity_providers – Whether to import all identity providers
import_facts – The facts to import
import_all_facts – Whether to import all facts
import_read_contexts – The read contexts to import
import_all_read_contexts – Whether to import all read contexts
import_write_contexts – The write contexts to import
import_all_write_contexts – Whether to import all write contexts
import_capabilities – The capabilities to import
import_all_capabilities – Whether to import all capabilities
import_domain_policy – Whether to import the domain policy
import_root_encryption_keys – Whether to import the root encryption keys
import_precedence – The precedence of the import
import_capsule_access_log – Whether to import the capsule access log
import_control_log – Whether to import the control log
import_capsule_manifest – Whether to import the capsule manifest

delete_peer(peer_domain_id: str | None = None, nickname: str | None = None, alias: str | None = None) → None#

Remove the peering relationship with the given domain, using one of the peer’s domain ID, nickname, or alias.

Parameters:

peer_domain_id – The domain ID of the peer
nickname – The nickname for the peer domain
alias – One of the aliases of the peer domain

get_top_tags() → List[str]#: Get domain tag info returns a list containing the top 100 tag names for the current session’s domain.

flush_encryption_keys()#: Flush all keys in memory. The keys will be immediately reloaded from persistent storage, forcing a check that the domain’s root key is still available

list_fact_types() → List[antimatter_api.FactTypeDefinition]#: Returns a list of fact types available for the current domain and auth

list_facts(fact_type: str) → List[antimatter_api.Fact]#: Returns a list of facts for the given fact type

add_fact_type(name: str, description: str, arguments: Dict[str, str]) → None#

Upserts a fact type for the current domain and auth

Parameters:

name – The “type name” for this fact, like “has_role”
description – The human-readable description of the fact type
arguments – Name:description argument pairs for the fact type

add_fact(fact_type: str, *arguments: str) → antimatter_api.Fact#

Upserts a fact for the current domain and auth

Parameters:

fact_type – The name of the type of fact being added
arguments – The fact arguments to add

Returns:

The upserted fact

get_fact_type(fact_type: str) → antimatter_api.FactTypeDefinition#

Get the fact type details for the given fact type

Parameters:: fact_type – The “type name” for this fact, like “has_role”
Returns:: The fact type details

get_fact(fact_type: str, fact_id: str) → antimatter_api.Fact#

Returns the fact details for the given fact type and name

Parameters:

fact_type – The “type name” for this fact, like “has_role”
fact_id – The ID for the fact to be retrieved

Returns:

The fact details

delete_fact_type(fact_type: str) → None#

Delete a fact type AND ALL FACTS INSIDE IT.

Parameters:: fact_type – The “type name” for this fact, like “has_role”

delete_fact(fact_type: str, *arguments: str, fact_id: str | None = None) → None#

Delete a fact by ID or argument. One of ‘fact_id’ or ‘arguments’ must be provided. If ‘fact_id’ is provided, it will be used solely. If arguments are provided, each must fully match the name and/or arguments of the fact for it to be deleted.

Parameters:

fact_type – The “type name” for this fact, like “has_role”
fact_id – The ID for the fact to be deleted
arguments – The arguments for the fact to be deleted

delete_all_facts(fact_type: str) → None#

Delete all the facts for the given fact type.

Parameters:: fact_type – The “type name” for this fact, like “has_role”

get_private_info() → antimatter_api.DomainPrivateInfo#

Returns a Domain’s summary information.

Returns:: The private summary info for a domain

get_public_info() → antimatter_api.DomainPublicInfo#

Returns a Domain’s summary information. This endpoint does not require authorization

Returns:: The public summary info for a domain

get_settings() → antimatter_api.DomainSettings#: Return the domain settings.

put_settings(settings: antimatter.builders.settings_put.SettingsPutBuilder) → antimatter_api.DomainSettings#

Updates the domain settings with the provided settings.

Parameters:: settings – The domain settings to be updated.
Returns:: The domain settings after applying the proposed updates

get_status() → antimatter_api.DomainStatus#: Return the domain status, which contains important notifications for administrators of the domain.

list_hooks() → List[antimatter_api.DomainHooksListHooksInner]#: Return a list of available hooks in this domain. A hook is a data processor, like a PII classifier

list_resources() → List[antimatter_api.DomainResourceSummarySchemaInner]#: Return a list of resource strings that can be used in policy rules, and the set of permissions that you can assign to them.

Query the data access log for this domain. This contains all operations interacting with capsules within this domain. An iterator is returned over the results in reverse chronological order.

Parameters:

start_date – The earlier date of the date range. As results are returned in reverse chronological order, this date corresponds with the end of the result set. This should be a timezone-aware datetime, or else will be treated as the system timezone
end_date – The later date of the date range. As results are returned in reverse chronological order, this date corresponds with the beginning of the result set. If not specified, defaults to the current time. This should be a timezone-aware datetime, or else will be treated as the system timezone
duration – The query time range duration. This can be a timedelta or a string such as ‘2h’. When using duration, by default the query time range ends ‘now’, unless one of start_date or end_date is specified. If both start_date and end_date are specified, duration is ignored. If using a string value, valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”, “d”, “mo”, “y”. These can be grouped together, such as 1h5m30s
session – The session you would like to filter on. This will return results for only the provided session. If not specified, this field is ignored
location – The location you would like to filter on. This is a matched filter and will return results starting with the provided string. If not specified, this field is ignored
location_prefixed – A boolean indicator to indicate that the location you provided is a prefix or not. If this is set to true, then the filter provided in location is treated as a prefix. If not specified, this is treated as false
operation_type – The operation you would like to filter on. This will filter on the provided operation type and return all results using the provided operation type. If not specified, this field is ignored
allowed_tag – The allow tag key you would like to filter on. This accepts tag key only and will return all allowed tag results matching the provided tag key. If not specified, this field is ignored
redacted_or_tokenized_tag – The redacted or tokenized tag key you would like to filter on. This accepts a tag key only and will return all redacted and tokenized tag key results matching the provided tag key. If not specified, this field is ignored
capsule_id – The ID for a specific capsule. Use this to limit results to a single capsule

Returns:

An iterator over the access logs matching the filters

Query the domain control-plane audit log. An iterator is returned over the results in reverse chronological order.

Parameters:

start_date – The earlier date of the date range. As results are returned in reverse chronological order, this date corresponds with the end of the result set. This should be a timezone-aware datetime, or else will be treated as the system timezone
end_date – The later date of the date range. As results are returned in reverse chronological order, this date corresponds with the beginning of the result set. If not specified, defaults to the current time. This should be a timezone-aware datetime, or else will be treated as the system timezone
duration – The query time range duration. This can be a timedelta or a string such as ‘2h’. When using duration, by default the query time range ends ‘now’, unless one of start_date or end_date is specified. If both start_date and end_date are specified, duration is ignored. If using a string value, valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”, “d”, “mo”, “y”. These can be grouped together, such as 1h5m30s
session – The session you would like to filter on. This will return results for only the provided session. If not specified, this field is ignored
url – The URL you would like to filter on. This is a prefix matched filter and will return results starting with the provided string. If not specified, this field is ignored
description – The description you would like to filter on. This is an in matched filter and will return results that contain the provided string. If not specified, this field is ignored

Returns:

An iterator over the control logs matching the filters

upsert_identity_provider(provider_name: str, provider_type: str | antimatter.constants.identity_provider.ProviderType = ProviderType.ApiKey, client_id: str | None = None) → antimatter_api.DomainIdentityProviderInfo#

Create or update an identity provider.

Parameters:

provider_name – The name of a new or existing identity provider
provider_type – The provider type for identity management
client_id – If the provider type is ‘GoogleOAuth’ or ‘MicrosoftOAuth’, a client ID must be provided

Returns:

The identity provider summary

insert_identity_provider_principal(provider_name: str, capabilities: List[str | Dict[str, Any]], principal_type: str | antimatter.constants.identity_provider.PrincipalType, principal_value: str | None = None, comment: str | None = None) → antimatter_api.DomainInsertIdentityProviderPrincipal200Response#

Creates a new principal for the provider. Note that the provider_name must refer to an existing identity provider. The principal_value is optional if the type is APIKey.

Parameters:

provider_name – The name of an existing identity provider
capabilities – The capabilities to attach to the principal. These can be in one of the following forms: - A list of unary capabilities, like [‘admin’, ‘read_only’] - A list of key-value pairs, like [“admin=True”, “read_only=False”] - A list of dictionaries, like [{“admin”: “True”}, {“read_only”: “False”}] - A list of dictionaries as a name/value pair, like [{“name”: “admin”, “value”: “True”}, {“name”: “read_only”, “value”: “False”}] - Any combination of the above
principal_type – The type of principal to create. One of ‘APIKey’, ‘Email’, or ‘HostedDomain’
principal_value – The appropriate identifying value for the principal, depending on type
comment – An optional comment for the identity provider principal

Returns:

The ID of the inserted principal and any additional metadata

update_identity_provider_principal(provider_name: str, principal_id: str, capabilities: List[str | Dict[str, Any]]) → None#

Update the capabilities for an identity provider principal.

Parameters:

provider_name – The name of an existing identity provider
principal_id – The ID of the principal
capabilities – The capabilities to attach to the principal. These can be in one of the following forms: - A list of unary capabilities, like [‘admin’, ‘read_only’] - A list of key-value pairs, like [“admin=True”, “read_only=False”] - A list of dictionaries, like [{“admin”: “True”}, {“read_only”: “False”}] - A list of dictionaries as a name/value pair, like [{“name”: “admin”, “value”: “True”}, {“name”: “read_only”, “value”: “False”}] - Any combination of the above

get_identity_provider(provider_name: str) → antimatter_api.DomainIdentityProviderInfo#

Retrieve detailed information and configuration of an identity provider

Parameters:: provider_name – The name of an existing identity provider
Returns:: The identity provider details

list_identity_providers() → List[antimatter_api.DomainIdentityProviderInfo]#: Retrieve the domain’s identity providers and a brief overview of their configuration.

get_identity_provider_principal(provider_name: str, principal_id: str | None = None) → List[antimatter_api.PrincipalSummary] | antimatter_api.PrincipalSummary#

Get either a summary of all the principals for an identity provider, or detailed information about a single principal if a principal_id is provided

Parameters:

provider_name – The name of an existing identity provider
principal_id – The ID of the principal; None to get all principals

Returns:

The principal information

delete_identity_provider(provider_name: str) → None#

Delete an identity provider. All domain tokens created using this identity provider will be invalidated. Take care not to remove the identity provider that is providing you admin access to your domain, as you may lock yourself out.

Parameters:: provider_name – The name of the identity provider to fully delete

delete_identity_provider_principal(provider_name: str, principal_id: str) → None#

Delete an identity provider principal.

Parameters:

provider_name – The name of the identity provider to delete a principal from
principal_id – The ID of the principal to delete

create_policy_rule(capability_rules: antimatter.builders.capability.CapabilityRulesBuilder, path: str, operation: str | antimatter.constants.domain_policy.Operation, result: str | antimatter.constants.domain_policy.Result, priority: int = 0, facts: antimatter.builders.fact_policy.FactPoliciesBuilder | None = None, disabled: bool = False) → antimatter_api.DomainPolicyRule#

Create a policy rule for the domain.

Parameters:

capability_rules – Rules referring to domain identity capabilities. These rules are ANDed together
facts – Assert the existence or nonexistence of facts that reference the capability rules. These assertions will be ANDed together, and ANDed with the capability rules.
path – The path this rule governs. May contain glob expressions (e.g. ‘*’ and ‘**’)
operation – The operation to apply the policy to
result – Whether to ‘allow’ or ‘deny’ the operation performed that matches this rule
priority – The priority of this rule. Lower priority rules are evaluated first
disabled – If this rule is disabled or not

Returns:

A dictionary containing the created rule from the server

delete_policy_rule(rule_id: str) → None#

Delete a domain policy rule on the session’s domain.

Parameters:: rule_id – Identifier of the policy rule to delete

list_policy_rules() → List[antimatter_api.DomainPolicyRule]#

Get the domain’s policy rules.

Returns:: A list of policy rules.

update_policy_rule(rule_id: str, capability_rules: antimatter.builders.capability.CapabilityRulesBuilder, facts: antimatter.builders.fact_policy.FactPoliciesBuilder, path: str, operation: str | antimatter.constants.domain_policy.Operation, result: str | antimatter.constants.domain_policy.Result, priority: int, disabled: bool = False) → None#

Update a domain policy rule by ID.

Parameters:

rule_id – The ID of the rule to update
capability_rules – Rules referring to domain identity capabilities. These rules are ANDed together
facts – Assert the existence or nonexistence of facts that reference the capability rules. These assertions will be ANDed together, and ANDed with the capability rules.
path – The path this rule governs. May contain glob expressions (e.g. ‘*’ and ‘**’)
operation – The operation to apply the policy to
result – Whether to ‘allow’ or ‘deny’ the operation performed that matches this rule
priority – The priority of this rule. Lower priority rules are evaluated first
disabled – If this rule is disabled or not

renumber_policy_rules() → List[antimatter_api.DomainPolicyRule]#

Re-assign rule priority numbers for the session’s domain to integer multiples of 10

Returns:: The full list of renumbered policy rules in this domain

add_read_context(name: str, builder: antimatter.builders.ReadContextBuilder) → None#

Upserts a read context for the current domain and auth

Parameters:

name – The name of the read context to add or update
builder – The builder containing read context configuration

list_read_context() → List[antimatter_api.ReadContextShortDetails]#: Returns a list of read contexts available for the current domain and auth

describe_read_context(name: str) → antimatter_api.ReadContextDetails#

Returns the read context with the given name for the current domain and auth

Parameters:: name – The name of the read context to describe
Returns:: The full details of the read context

delete_read_context(name: str) → None#

Delete a read context. All configuration associated with this read context will also be deleted. Domain policy rules referencing this read context will be left as-is.

Parameters:: name – The name of the read context to delete

add_write_context(name: str, builder: antimatter.builders.WriteContextBuilder) → None#

Upserts a write context for the current domain and auth

Parameters:

name – The name of the write context to add or update
builder – The builder containing write context configuration

list_write_context() → List[antimatter_api.WriteContextDetails]#: Returns a list of write contexts available for the current domain and auth

describe_write_context(name: str) → antimatter_api.WriteContextDetails#

Returns the write context with the given name for the current domain and auth

Parameters:: name – The name of the write context to describe
Returns:: The full details of the write context

upsert_write_context_configuration(name: str, builder: antimatter.builders.WriteContextConfigurationBuilder) → None#

Update a write context configuration. The write context must already exist.

Parameters:

name – The name of the write context to update the configuration for
builder – The builder containing write context configuration

delete_write_context(name: str) → None#

Delete a write context. All configuration associated with this write context will also be deleted. Domain policy rules referencing this write context will be left as-is.

Parameters:: name – The name of the write context to delete

list_write_context_classifier_rules(context_name: str) → List[antimatter_api.ClassifierRule]#

List all regex rules for the write context.

Parameters:: context_name – The name of the write context
Returns:: The list of rules

insert_write_context_classifier_rule(context_name: str, comment: str | None = None, span_tags: List[str] = [], capsule_tags: List[str] = [], llm_model: str | None = None, llm_prompt: str | None = None, regex_pattern: str | None = None, regex_match_on_key: bool | None = None) → str#

Insert a classifier rule for the context.

Parameters:

context_name – The name of the write context
comment – The comment for the classifier rule
span_tags – The span tags for the classifier rule
capsule_tags – The capsule tags for the classifier rule Span tags and capsule tags can be of the form: - A list of unary tags, like [‘tag.antimatter.io/pii/email’, ‘tag.antimatter.io/pii/name’] - A list of key-value pairs, like [“tag.antimatter.io/pii/date=24/12/2021”, “tag.antimatter.io/pii/credit_card=1234”] - A list of dictionaries, like [{“tag.antimatter.io/pii/email”: “”}, {“tag.antimatter.io/pii/date”: “24/12/2021”}] - A list of dictionaries as a name/value pair, like [{“name”: “tag.antimatter.io/pii/email”, “value”: “”}, {“name”: “tag.antimatter.io/pii/date”, “value”: “24/12/2021”}] - Any combination of the above
llm_model – The LLM model for the classifier rule. One of: ‘openai’, ‘bedrock’ One of the following must be provided: llm classifier rules or regex classifier rules
llm_prompt – The LLM prompt for the classifier rule
regex_pattern – A regex pattern for the classifier rule One of the following must be provided: llm classifier rules or regex classifier rules
regex_match_on_key – A regex match on key for the classifier rule

delete_write_context_classifier_rule(context_name: str, rule_id: str) → None#

Delete a regex classifier rule for the context.

Parameters:

context_name – The name of the write context
rule_id – The ID of the rule to delete

delete_write_context_classifier_rules(context_name: str) → None#

Delete the regex classifier rules for the context.

Parameters:: context_name – The name of the write context

resend_verification_email(email: str | None = None)#

Resend the verification email to the admin contact email. If the session was called with an email, that will be used if none is provided.

Parameters:: email – The email to resend the verification email for.

get_active_root_encryption_key() → antimatter_api.RootEncryptionKeyItem#

Get the active root encryption key

Returns:: The active root encryption key

list_root_encryption_keys() → List[antimatter_api.RootEncryptionKeyItem]#

List all root encryption keys

Returns:: A list of root encryption keys

test_root_encryption_key(root_encryption_key_id: str) → antimatter_api.RootEncryptionKeyTestResponse#

Attempt to test a root encryption key to encrypt and decrypt

Parameters:: key – The key to test
Returns:: The result of the test

add_root_encryption_key(key_infos: antimatter_api.KeyInfos, description: str = '') → str#

Add a new root encryption key. Use the builder functions in antimatter.builders.root_encryption_key to create the key information.

For example:

key_info = antimatter.builders.antimatter_delegated_aws_key_info(key_arn="key_arn")
key_id = session.add_root_encryption_key(key_info)

key_info = antimatter.builders.aws_service_account_key_info(
    access_key_id="access_key_id", secret_access_key
)
key_id = session.add_root_encryption_key(key_info)

key_info = antimatter.builders.gcp_service_account_key_info(
    service_account_credentials="service_account_credentials", project_id="project_id", location="location"
)
key_id = session.add_root_encryption_key(key_info)

Parameters:

key_infos – The key information to add
description – The description of the key

delete_root_encryption_key(root_encryption_key_id: str)#

Delete a root encryption key. Only possible if key is not in use by any data key encryption keys

Parameters:: key – The key to delete

set_active_root_encryption_key(root_encryption_key_id: str) → None#

Set the active root encryption key for the domain

Parameters:: key – The key to set as active

rotate_encryption_keys() → None#: Rotates the root encryption keys. This is a batched operation and if ‘True’ is returned, this indicates whether there are more key encryption keys that can be rotated.

list_key_providers() → List[antimatter_api.AvailableDelegatedRootEncryptionKeyProvider | antimatter_api.AvailableServiceAccountRootEncryptionKeyProvider]#: Retrieve the domain’s key providers and a brief overview of their configuration.

list_starred_domains() → List[str]#: Returns a list of starred domains for the current user

add_starred_domain(domain_id: str) → None#: Adds a domain to the starred list for the current user

delete_starred_domain(domain_id: str) → None#: Removes a domain from the starred list for the current user

list_data_policies() → List[antimatter_api.DataPolicy]#

Returns a list of data policies available for the current domain and auth

Returns:: A list of data policies

create_data_policy(name: str, description: str) → antimatter_api.DomainCreateDataPolicy200Response#

Create a new data policy for the current domain and auth

Parameters:

name – The name for this data policy
description – The human-readable description of the data policy

describe_data_policy(policy_id: str) → antimatter_api.ExtendedDataPolicy#

Describe a data policy by ID

Parameters:: policy_id – The ID of the data policy
Returns:: The data policy details

update_data_policy(policy_id: str, name: str, description: str) → None#

Update a data policy by ID

Parameters:

policy_id – The ID of the data policy
name – The name for this data policy
description – The human-readable description of the data policy

delete_data_policy(policy_id: str) → None#

Delete a data policy by ID

Parameters:: policy_id – The ID of the data policy

renumber_data_policy_rules(policy_id: str) → None#

Renumber the rules of a data policy by ID

Parameters:: policy_id – The ID of the data policy

update_data_policy_rules(policy_id: str, rules: antimatter.builders.data_policy.DataPolicyRuleChangesBuilder) → antimatter_api.DataPolicyRuleChangeResponse#

Update a rule of a data policy by ID

Parameters:

policy_id – The ID of the data policy
rules – The rules to apply to the data policy, constructed using the DataPolicyRuleChangesBuilder

describe_data_policy_rule(policy_id: str, rule_id: str) → antimatter_api.DataPolicyRule#

Describe a rule of a data policy by ID

Parameters:

policy_id – The ID of the data policy
rule_id – The ID of the rule to describe

Returns:

The data policy rule details for the given policy and rule

update_data_policy_rule(policy_id: str, rule_id: str, rules: antimatter.builders.data_policy.NewDataPolicyRuleBuilder) → None#

Update a rule of a data policy by ID

Parameters:

policy_id – The ID of the data policy
rule_id – The ID of the rule to update
rules – The rules to apply to the data policy, constructed using the NewDataPolicyRuleBuilder

delete_data_policy_rule(policy_id: str, rule_id: str) → None#

Delete a rule of a data policy by ID

Parameters:

policy_id – The ID of the data policy
rule_id – The ID of the rule to delete

describe_data_policy_binding(policy_id: str, binding_id: str) → antimatter_api.DataPolicyBindingInfo#

Describe a binding of a data policy by ID

Parameters:

policy_id – The ID of the data policy
binding_id – The ID of the binding to describe

Returns:

The data policy binding details for the given policy and binding ID

set_data_policy_binding(policy_id: str, default_attachment: antimatter.builders.data_policy.Attachment, read_contexts: List[Tuple[str, antimatter.builders.data_policy.Attachment]]) → None#

Set a binding of a data policy by ID

Parameters:

policy_id – The ID of the data policy
default_attachment – The default attachment for the data policy

antimatter.new_domain(email: str, provider: str = None, display_name: str | None = None, config_path: str | None = None, add_to_config: bool = True, make_active: bool = False, enable_retries: bool = True) → Session#

Create a new domain with the provided email as the admin contact. A verification email will be sent to that email. Verification must be completed before the Antimatter API can be interacted with. If the provider is ‘google’, the session will be authenticated with a Google OAuth token. That domain will be added to the starred domains as well.

Parameters:

email – The admin contact email used for email verification
provider – The provider to use for authentication; default is None
display_name – The display name for the new domain
config_path – The path to the domain profile config file; default is ~/.antimatter/config
add_to_config – Whether to add the new domain to the config file; default is True
make_active – Whether to make the new domain the active profile in the config file; default is False
enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session holding the newly created domain_id and api_key

antimatter.load_domain(domain_id: str | None = None, api_key: str | None = None, provider: str | None = None, display_name: str | None = None, config_path: str | None = None, add_to_config: bool = False, make_active: bool = False, enable_retries: bool = True) → Session#

Load an existing domain. There are several different ways to specify the domain credentials to use, from highest to lowest priority.

1. Using display name. If this is present, it will attempt to load a profile from the config file with this name. 2. Using domain_id and api_key as the credentials. 3. Using domain_id and a provider. If this is present, it will attempt to load a profile using an oauth provider. 4. Using only domain_id. If this is present, it will attempt to load a profile from the config file that matches this domain ID.

If domain_id is not provided, this will check the ANTIMATTER_DOMAIN_ID env var for a domain ID.

If api_key is not provided, this will check the ANTIMATTER_API_KEY env var for an API key.

The config file is by default expected to exist at ~/.antimatter/config, but an override location can be provided with the config_path argument, or the ANTIMATTER_CONFIG_PATH env var.

By default, loading an existing domain will not add the credentials to the profile auth config file. Set add_to_config to True to add this domain to the config. To make this domain the active profile, set make_active to True. Note that setting make_active to True implicitly sets add_to_config to True.

Parameters:

domain_id – The domain ID of the domain to load
api_key – The API key of the domain to load
provider – The name of the oauth provider to use for authentication
display_name – The display name in the auth config file of the domain to load
config_path – The path to the domain profile config file; default is ~/.antimatter/config
add_to_config – Whether to add the domain to the config file; default is False
make_active – Whether to make the domain the active profile in the config file; default is False
enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session holding the existing domain_id and api_key

class antimatter.Authentication#

Bases: abc.ABC

This is an abstract class for authentication. These methods must be implemented by the child classes. Authentication should return a domain identity token which can then be used to perform actions on behalf of the domain.

abstract authenticate(token_lifetime: int | None = None)#

abstract get_token()#

abstract needs_refresh()#

abstract get_token_scope()#

abstract get_session()#

abstract get_domain_id()#

abstract get_email()#

abstract has_client_retry_policy() → bool#

class antimatter.OAuthAuthentication#

Bases: Authentication, abc.ABC

This is an abstract class which should be used by OAuth clients for authentication.

abstract get_config_token() → antimatter.auth.config.tokens.OidcToken#: Get the token from the configuration

class antimatter.ApiKeyAuthentication(domain_id: str = None, api_key: str = None, admin_email: str | None = None, enable_retries: bool = True)#

Bases: antimatter.authn.Authentication

This is an agent which uses an API key for authentication.

needs_refresh()#

authenticate(token_lifetime: int | None = None)#

get_token()#

get_token_scope()#

get_session()#

get_domain_id()#

get_email()#

has_client_retry_policy() → bool#

class antimatter.GoogleOAuthAuthentication(token: antimatter.auth.config.tokens.GoogleOidcToken = None, reset_credentials: bool = False, enable_retries: bool = True)#

Bases: antimatter.authn.OAuthAuthentication

A base authentication class which uses google oauth device flow for authentication.

This class is used to authenticate with Google OAuth using the device flow. It will prompt the user to go to a verification URL and enter a code to authenticate. This file does not take care of storing the tokens. Use the other derived oauth classes, global and domain to store the tokens.

get_config_token() → antimatter.auth.config.tokens.OidcToken#: Get the token from the configuration

authenticate(**kwargs)#

needs_refresh()#

get_token()#

get_token_scope()#

get_session()#

get_domain_id()#

get_email()#

has_client_retry_policy() → bool#

class antimatter.Unauthenticated(admin_email: str | None = None, enable_retries: bool = True)#

Bases: antimatter.authn.Authentication

An unauthenticated agent which does not have any authentication. Can be used to create a session for an unauthenticated user.

authenticate(**kwargs)#

get_token()#

needs_refresh()#

get_token_scope()#

get_session()#

get_domain_id()#

get_email()#

has_client_retry_policy() → bool#

class antimatter.StaticOAuthAuthentication(token: str, enable_retries: bool = True)#

Bases: antimatter.authn.OAuthAuthentication

A static authentication agent uses a static oauth token. This implementation does not know about the token’s expiration or its validity. It’s up to the upstream service to handle the token’s expiration and validity.

authenticate(**kwargs)#

get_token()#

needs_refresh()#

get_token_scope()#

get_session()#

get_domain_id()#

get_email()#

get_config_token() → antimatter.auth.config.tokens.OidcToken#: Get the token from the configuration

has_client_retry_policy() → bool#

class antimatter.OAuthDomainAuthentication(domain_id: str, oauth_authentication: antimatter.authn.OAuthAuthentication, identity_provider_name: str = 'google')#

Bases: antimatter.authn.Authentication

A domain authentication class which uses an oauth token for authentication. This class uses the oauth id token obtained from its parent to transmute them into a domain identity token. It uses the identity provider name “google” by default to authenticate the domain.

authenticate(token_lifetime: int | None = None)#

get_token()#

needs_refresh()#

get_token_scope()#

get_session()#

get_domain_id()#

get_email()#

has_client_retry_policy() → bool#

class antimatter.Authorization(auth_client: antimatter.authn.Authentication)#

Bases: abc.ABC

Helper class that provides a standard way to create an ABC using inheritance.

abstract get_client() → antimatter_api.ApiClient#

abstract get_session() → antimatter_engine.PySession#

class antimatter.TokenAuthorization(auth_client: antimatter.authn.Authentication)#

Bases: antimatter.authz.Authorization

Helper class that provides a standard way to create an ABC using inheritance.

get_client() → antimatter_api.ApiClient#

get_session() → antimatter_engine.PySession#

antimatter#

Subpackages#

Submodules#

Package Contents#

Classes#

Functions#

`antimatter`#