antimatter.session#

Module Contents#

Classes#

EncapsulateResponse

EncapsulateResponse contains metadata from encapsulating data, including

Session

The Session establishes auth and the domain you are working with, providing

Functions#

new_domain(→ Session)

Create a new domain with the provided email as the admin contact. A

load_domain(→ Session)

Load an existing domain. There are several different ways to specify the domain
antimatter.session.new_domain(email: str, provider: str = None, display_name: str | None = None, config_path: str | None = None, add_to_config: bool = True, make_active: bool = False, enable_retries: bool = True) Session#

Create a new domain with the provided email as the admin contact. A verification email will be sent to that email. Verification must be completed before the Antimatter API can be interacted with. If the provider is ‘google’, the session will be authenticated with a Google OAuth token. That domain will be added to the starred domains as well.

Parameters:

  • email – The admin contact email used for email verification

  • provider – The provider to use for authentication; default is None

  • display_name – The display name for the new domain

  • config_path – The path to the domain profile config file; default is ~/.antimatter/config

  • add_to_config – Whether to add the new domain to the config file; default is True

  • make_active – Whether to make the new domain the active profile in the config file; default is False

  • enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session holding the newly created domain_id and api_key

antimatter.session.load_domain(domain_id: str | None = None, api_key: str | None = None, provider: str | None = None, display_name: str | None = None, config_path: str | None = None, add_to_config: bool = False, make_active: bool = False, enable_retries: bool = True) Session#

Load an existing domain. There are several different ways to specify the domain credentials to use, from highest to lowest priority.

1. Using display name. If this is present, it will attempt to load a profile from the config file with this name. 2. Using domain_id and api_key as the credentials. 3. Using domain_id and a provider. If this is present, it will attempt to load a profile using an oauth provider. 4. Using only domain_id. If this is present, it will attempt to load a profile from the config file that matches this domain ID.

If domain_id is not provided, this will check the ANTIMATTER_DOMAIN_ID env var for a domain ID.

If api_key is not provided, this will check the ANTIMATTER_API_KEY env var for an API key.

The config file is by default expected to exist at ~/.antimatter/config, but an override location can be provided with the config_path argument, or the ANTIMATTER_CONFIG_PATH env var.

By default, loading an existing domain will not add the credentials to the profile auth config file. Set add_to_config to True to add this domain to the config. To make this domain the active profile, set make_active to True. Note that setting make_active to True implicitly sets add_to_config to True.

Parameters:

  • domain_id – The domain ID of the domain to load

  • api_key – The API key of the domain to load

  • provider – The name of the oauth provider to use for authentication

  • display_name – The display name in the auth config file of the domain to load

  • config_path – The path to the domain profile config file; default is ~/.antimatter/config

  • add_to_config – Whether to add the domain to the config file; default is False

  • make_active – Whether to make the domain the active profile in the config file; default is False

  • enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session holding the existing domain_id and api_key

class antimatter.session.EncapsulateResponse#

EncapsulateResponse contains metadata from encapsulating data, including the capsule ID or IDs, and the raw bytes if the capsule was not exported.

capsule_ids: List[str]#
raw: bytes | None#
load_capsule_func: Callable[[str | None, bytes | EncapsulateResponse | None, str], antimatter.capsule.Capsule | None] | None#
load(read_context: str) antimatter.capsule.Capsule | None#

Load the response into a capsule. Note that this shortcut requires that the raw data be returned from the encapsulation.

Parameters:

read_context – The name of the role policy to use for reading data

Returns:

The loaded capsule, if the raw data was present on the response.

save(filename: str)#

Save the capsule to a file

class antimatter.session.Session(authn: antimatter.authn.Authentication)#

Bases: antimatter.session_mixins.CapabilityMixin, antimatter.session_mixins.CapsuleMixin, antimatter.session_mixins.DomainMixin, antimatter.session_mixins.EncryptionMixin, antimatter.session_mixins.FactMixin, antimatter.session_mixins.GeneralMixin, antimatter.session_mixins.IdentityProviderMixin, antimatter.session_mixins.PolicyRuleMixin, antimatter.session_mixins.ReadContextMixin, antimatter.session_mixins.WriteContextMixin, antimatter.session_mixins.VerificationMixin, antimatter.session_mixins.RootEncryptionKeyMixin, antimatter.session_mixins.StarredDomainMixin, antimatter.session_mixins.DataPolicyMixin

The Session establishes auth and the domain you are working with, providing both a standard instantiation or a context manager in which a Capsule and its underlying data can be interacted with.

property domain_id#

Return the current domain ID

property api_key#

Return the API key in use by this session

property session#
config()#

Returns the configuration of this Session

classmethod from_api_key(domain_id: str, api_key: str, admin_email: str | None = None, enable_retries: bool = True) Session#

Create a new session with the provided domain ID and API key.

Parameters:

  • domain_id – The domain ID

  • api_key – The API key for the domain

  • admin_email – The admin email for the domain

  • enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session holding the domain_id and api_key

classmethod from_google_oauth(domain: str = None, identity_provider_name: str = 'google', reset_credentials: bool = False, token: str = None, enable_retries: bool = True) Session#

Create a new session authenticated with a Google OAuth token. If a domain is provided, the session will be authenticated with that domain and identity provider (default: google). If a token is provided, the session will be authenticated with that token. The token refresh is not handled by the session in that case. Upstream services should handle the token refresh.

Parameters:

  • domain – Optional domain ID to authenticate with

  • identity_provider_name – Optional identity provider name to authenticate with

  • reset_credentials – If True, any stored oauth credentials will be reset

  • token – An optional static OAuth token

  • enable_retries – If True, retry gateway, DNS, and general connection errors

Returns:

A Session authenticated with a Google OAuth token

new_domain(admin_email: str, reauthenticate: bool = False, display_name: str = None) Dict[str, Any]#

Create a new domain with the provided email as the admin contact. A verification email will be sent to that email. Verification must be completed before the Antimatter API can be interacted with.

Parameters:

  • admin_email – The email address of the domain administrator

  • reauthenticate – If True, the current session will be reauthenticated with the new domain

  • display_name – The display name for the new domain

Returns:

The domain metadata

with_domain(domain_id: str = None, nickname: str = None, alias: str = None) None#

Use a child domain for the current session. Uses the parent’s authz to authenticate and authorize all requests. Obtains the child domain either by domain ID or nickname or alias.

Parameters:

  • domain_id – The domain ID of the child domain

  • nickname – The nickname of the child domain

  • alias – The alias of the child domain

load_capsule(path: str | None = None, data: bytes | EncapsulateResponse | None = None, read_context: str = None, read_params: Dict[str, str] = {}) antimatter.capsule.Capsule | None#

load_capsule creates a capsule, extracting data from an Antimatter Capsule binary blob, either provided in raw bytes or as a string path to a local or remote file.

If the as_datatype parameter is supplied and the data is a binary blob Antimatter Capsule, the data will be extracted in that format. If the data is data for saving to an Antimatter Capsule, as_datatype will specify the default format for the data when loaded from the blob.

Parameters:

  • path – The location of the Capsule as a local or remote path.

  • data – The data to load into an Antimatter Capsule.

  • read_context – The name of the role policy to use for reading data

encapsulate(data: Any = None, write_context: str = None, span_tags: List[antimatter.tags.SpanTag] = None, column_tags: List[antimatter.tags.ColumnTag] = None, as_datatype: antimatter.datatype.datatypes.Datatype | str = Datatype.Unknown, skip_classify_on_column_names: List[str] = None, path: str | None = None, subdomains_from: str | None = None, create_subdomains: bool | None = False, data_file_path: str | None = None, data_file_hint: str | None = None, **kwargs) EncapsulateResponse#

Saves the provided Capsule’s data, or the provided data using the provided write context. If ‘as_datatype’ is provided, the default datatype for the raw data will use the specified type.

One of ‘data’ or ‘path’ must be provided.

Parameters:

  • data – Raw data in a Capsule-supported format

  • write_context – The name of the role policy to use for writing data

  • span_tags – The span tags to manually apply to the data

  • column_tags – Tags to apply to entire columns by name

  • as_datatype – The datatype to override the provided data with when the capsule is read

  • skip_classify_on_column_names – List of columns to skip classifying

  • path – If provided, the local or remote path to save the capsule to

  • subdomains_from – column in the raw data that represents the subdomain

  • create_subdomains – allow missing subdomains to be created

  • data_file_path – Optional path to a file containing data to be read. If provided, data from this file will be used instead of the ‘data’ parameter.

  • data_file_hint – Optional hint indicating the format of the data in the file specified by ‘data_file_hint’. Supported formats include ‘json’, ‘csv’, ‘txt’, ‘parquet’. If not specified, data will be read as plain text.

Returns:

The response containing capsule metadata and the raw blob of the capsule if no path was provided.

with_new_peer_domain(import_alias_for_child: str, display_name_for_child: str, nicknames: List[str] | None = None, import_alias_for_parent: str | None = None, display_name_for_parent: str | None = None, link_all: bool = True, link_identity_providers: bool = None, link_facts: bool = None, link_read_contexts: bool = None, link_write_contexts: bool = None, link_capabilities: bool = None, link_domain_policy: bool = None, link_capsule_access_log: bool = None, link_control_log: bool = None, link_capsule_manifest: bool = None) Session#

Creates a new peer domain, returning the authenticated session for that new domain.

Parameters:

  • import_alias_for_child – The import alias for the child domain

  • display_name_for_child – The display name for the child domain

  • nicknames – The nicknames for the child domain

  • import_alias_for_parent – The import alias for the parent domain

  • display_name_for_parent – The display name for the parent domain

  • link_all – Link all available resources

  • link_identity_providers – Link identity providers

  • link_facts – Link facts

  • link_read_contexts – Link read contexts

  • link_write_contexts – Link write contexts

  • link_capabilities – Link capabilities

  • link_domain_policy – Link domain policy

  • link_capsule_access_log – Link capsule access log

  • link_control_log – Link control log

  • link_capsule_manifest – Link capsule manifest

Returns:

The authenticated session for the new domain

get_admin_url(company_name: str, peer_domain_id: str | None = None, nickname: str | None = None, alias: str | None = None, token_lifetime: int | None = None) str | None#

Generate the admin URL for the domain. By default, this is the domain for this session. If one of the peer_domain_id, nickname, or alias are provided, the admin URL will be generated for the subdomain that matches.

Parameters:

  • company_name – The name of the company to display

  • peer_domain_id – The domain ID of the peer

  • nickname – The nickname for the peer domain

  • alias – One of the aliases of the peer domain

  • token_lifetime – How long the token should last for, in seconds

Returns:

The admin URL

list_capabilities() List[antimatter_api.CapabilityDefinition]#

Get the capabilities for the session’s domain.

Returns:

A list of capabilities.

get_capability(name: str) antimatter_api.CapabilityDefinition#

Get a specific capability for the session’s domain.

Parameters:

name – The name for this capability, like “admin”

Returns:

The details of the capability.

put_capability(name: str, summary: str, description: str | None = None, unary: bool = True, create_only: bool = False) None#

Create or update a capability. A capability is attached to authenticated domain identities by an identity provider, and confers additional permissions upon the identity. This is done by writing domain policy rules that reference the capability.

Parameters:

  • name – The name for this capability, like “admin”

  • summary – A short, single sentence description of this capability

  • description – An optional longer form description of this capability

  • unary – A unary capability does not have a value

  • create_only – If True, an error will be returned if a capability with the name already exists

delete_capability(name: str) None#

Delete a capability.

Parameters:

name – The name of the capability, like “admin”

list_capsules(start_date: datetime.datetime | str | None = None, end_date: datetime.datetime | str | None = None, duration: datetime.timedelta | dateutil.relativedelta.relativedelta | str | None = None, span_tag: str | None = None, sort_on: str | None = None, ascending: bool | None = None) Iterator[antimatter_api.CapsuleInfo]#

Returns an iterator over the capsules available for the current domain and auth

Parameters:

  • start_date – The earlier date of the date range. As results are returned in reverse chronological order, this date corresponds with the end of the result set. This should be a timezone-aware datetime, or else will be treated as the system timezone

  • end_date – The later date of the date range. As results are returned in reverse chronological order, this date corresponds with the beginning of the result set. If not specified, defaults to the current time. This should be a timezone-aware datetime, or else will be treated as the system timezone

  • duration – The query time range duration. This can be a timedelta or a string such as ‘2h’. When using duration, by default the query time range ends ‘now’, unless one of start_date or end_date is specified. If both start_date and end_date are specified, duration is ignored. If using a string value, valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”, “d”, “mo”, “y”. These can be grouped together, such as 1h5m30s.

  • span_tag – The span tag you would like to filter on. This accepts a tag key only and will return all span tag key results matching the provided tag key. If not specified, this field is ignored.

  • sort_on – The capsule field you would like to sort on. This accepts the field only and will return results ordered on the provided field. If not specified, this field is ignored.

  • ascending – This defines whether a sorted result should be order ascending. This accepts a boolean value and when true will work in combination with the sort_on and start_after parameters to return values in ascending order. If not specified, this field is ignored and treated as false.

get_capsule_info(capsule_id: str) antimatter_api.CapsuleInfo#

Get the summary information about the capsule.

Parameters:

capsule_id – The identifier for the capsule

Returns:

The summary information about the capsule

upsert_capsule_tags(capsule_id: str, tags: List[antimatter.tags.CapsuleTag]) None#

Upsert the capsule-level tags to apply to a capsule.

Parameters:

  • capsule_id – The capsule to apply tags to

  • tags – The tags to apply to the capsule

delete_capsule_tags(capsule_id: str, tag_names: List[str]) None#

Delete capsule-level tags

Parameters:

  • capsule_id – The capsule to delete tags from

  • tag_names – The names of the tags to delete

new_peer_domain(import_alias_for_child: str, display_name_for_child: str, nicknames: List[str] | None = None, import_alias_for_parent: str | None = None, display_name_for_parent: str | None = None, link_all: bool = True, link_identity_providers: bool = None, link_facts: bool = None, link_read_contexts: bool = None, link_write_contexts: bool = None, link_capabilities: bool = None, link_domain_policy: bool = None, link_root_encryption_keys: bool = None, link_capsule_access_log: bool = None, link_control_log: bool = None, link_capsule_manifest: bool = None) antimatter_api.NewDomainResponse#

Creates a new peer domain

Parameters:

  • import_alias_for_child – The import alias for the child domain

  • display_name_for_child – The display name for the child domain

  • nicknames – The nicknames for the child domain

  • import_alias_for_parent – The import alias for the parent domain

  • display_name_for_parent – The display name for the parent domain

  • link_all – Whether to link all capabilities

  • link_identity_providers – Whether to link identity providers

  • link_facts – Whether to link facts

  • link_read_contexts – Whether to link read contexts

  • link_write_contexts – Whether to link write contexts

  • link_capabilities – Whether to link capabilities

  • link_domain_policy – Whether to link domain policy

  • link_root_encryption_keys – Whether to link root encryption keys

  • link_capsule_access_log – Whether to link capsule access log

  • link_control_log – Whether to link control log

  • link_capsule_manifest – Whether to link capsule manifest

Returns:

The new peer domain

get_peer(nickname: str | None = None, alias: str | None = None) str#

Retrieve the domain ID of a domain that is configured as a peer of this session’s domain by using either its alias or one of its nicknames.

Parameters:

  • nickname – The nickname for the peer domain

  • alias – One of the aliases of the peer domain

Returns:

The domain ID

list_peers() List[antimatter_api.DomainPeerListPeersInner]#

Return a list of the peers of this session’s domain.

Returns:

The peer list, containing IDs and other information about the domains

get_peer_config(peer_domain_id: str | None = None, nickname: str | None = None, alias: str | None = None) antimatter_api.DomainPeerConfig#

Get a peer configuration using one of the peer’s domain ID, nickname, or alias.

Parameters:

  • peer_domain_id – The domain ID of the peer

  • nickname – The nickname for the peer domain

  • alias – One of the aliases of the peer domain

Returns:

The full peer configuration

update_peer(display_name: str, peer_domain_id: str | None = None, nickname: str | None = None, alias: str | None = None, export_identity_providers: List[str] | None = None, export_all_identity_providers: bool | None = None, export_facts: List[str] | None = None, export_all_facts: bool | None = None, export_read_contexts: List[str] | None = None, export_all_read_contexts: bool | None = None, export_write_contexts: List[str] | None = None, export_all_write_contexts: bool | None = None, export_capabilities: List[str] | None = None, export_all_capabilities: bool | None = None, export_domain_policy: bool | None = None, export_root_encryption_keys: bool | None = None, export_capsule_access_log: bool | None = None, export_control_log: bool | None = None, export_capsule_manifest: bool | None = None, export_billing: bool | None = None, export_admin_contact: bool | None = None, export_data_policies: str | None = None, export_all_data_policies: bool | None = None, nicknames: List[str] | None = None, import_alias: str | None = None, forward_billing: bool | None = None, forward_admin_communications: bool | None = None, import_identity_providers: List[str] | None = None, import_all_identity_providers: bool | None = None, import_facts: List[str] | None = None, import_all_facts: bool | None = None, import_read_contexts: List[str] | None = None, import_all_read_contexts: bool | None = None, import_write_contexts: List[str] | None = None, import_all_write_contexts: bool | None = None, import_capabilities: List[str] | None = None, import_all_capabilities: bool | None = None, import_domain_policy: bool | None = None, import_root_encryption_keys: bool | None = None, import_precedence: int | None = None, import_capsule_access_log: bool | None = None, import_control_log: bool | None = None, import_capsule_manifest: bool | None = None, import_data_policies: str | None = None, import_all_data_policies: bool | None = None) None#

Create or update the configuration for this peer using one of the peer’s domain ID, nickname, or alias. Please note, if the configuration already exists, it is updated to reflect the values in the request. This will include setting the fields to their default value if not supplied.

Parameters:

  • display_name – The display name for the peer domain

  • peer_domain_id – The domain ID of the peer

  • nickname – The nickname for the peer domain

  • alias – One of the aliases of the peer domain

  • export_identity_providers – The identity providers to export

  • export_all_identity_providers – Whether to export all identity providers

  • export_facts – The facts to export

  • export_all_facts – Whether to export all facts

  • export_read_contexts – The read contexts to export

  • export_all_read_contexts – Whether to export all read contexts

  • export_write_contexts – The write contexts to export

  • export_all_write_contexts – Whether to export all write contexts

  • export_capabilities – The capabilities to export

  • export_all_capabilities – Whether to export all capabilities

  • export_domain_policy – Whether to export the domain policy

  • export_root_encryption_keys – Whether to export the root encryption keys

  • export_capsule_access_log – Whether to export the capsule access log

  • export_control_log – Whether to export the control log

  • export_capsule_manifest – Whether to export the capsule manifest

  • export_billing – Whether to export billing information

  • export_admin_contact – Whether to export the admin contact

  • nicknames – The nicknames for the peer domain

  • import_alias – The import alias for the peer domain

  • forward_billing – Whether to forward billing information

  • forward_admin_communications – Whether to forward admin communications

  • import_identity_providers – The identity providers to import

  • import_all_identity_providers – Whether to import all identity providers

  • import_facts – The facts to import

  • import_all_facts – Whether to import all facts

  • import_read_contexts – The read contexts to import

  • import_all_read_contexts – Whether to import all read contexts

  • import_write_contexts – The write contexts to import

  • import_all_write_contexts – Whether to import all write contexts

  • import_capabilities – The capabilities to import

  • import_all_capabilities – Whether to import all capabilities

  • import_domain_policy – Whether to import the domain policy

  • import_root_encryption_keys – Whether to import the root encryption keys

  • import_precedence – The precedence of the import

  • import_capsule_access_log – Whether to import the capsule access log

  • import_control_log – Whether to import the control log

  • import_capsule_manifest – Whether to import the capsule manifest

delete_peer(peer_domain_id: str | None = None, nickname: str | None = None, alias: str | None = None) None#

Remove the peering relationship with the given domain, using one of the peer’s domain ID, nickname, or alias.

Parameters:

  • peer_domain_id – The domain ID of the peer

  • nickname – The nickname for the peer domain

  • alias – One of the aliases of the peer domain

get_top_tags() List[str]#

Get domain tag info returns a list containing the top 100 tag names for the current session’s domain.

flush_encryption_keys()#

Flush all keys in memory. The keys will be immediately reloaded from persistent storage, forcing a check that the domain’s root key is still available

list_fact_types() List[antimatter_api.FactTypeDefinition]#

Returns a list of fact types available for the current domain and auth

list_facts(fact_type: str) List[antimatter_api.Fact]#

Returns a list of facts for the given fact type

add_fact_type(name: str, description: str, arguments: Dict[str, str]) None#

Upserts a fact type for the current domain and auth

Parameters:

  • name – The “type name” for this fact, like “has_role”

  • description – The human-readable description of the fact type

  • arguments – Name:description argument pairs for the fact type

add_fact(fact_type: str, *arguments: str) antimatter_api.Fact#

Upserts a fact for the current domain and auth

Parameters:

  • fact_type – The name of the type of fact being added

  • arguments – The fact arguments to add

Returns:

The upserted fact

get_fact_type(fact_type: str) antimatter_api.FactTypeDefinition#

Get the fact type details for the given fact type

Parameters:

fact_type – The “type name” for this fact, like “has_role”

Returns:

The fact type details

get_fact(fact_type: str, fact_id: str) antimatter_api.Fact#

Returns the fact details for the given fact type and name

Parameters:

  • fact_type – The “type name” for this fact, like “has_role”

  • fact_id – The ID for the fact to be retrieved

Returns:

The fact details

delete_fact_type(fact_type: str) None#

Delete a fact type AND ALL FACTS INSIDE IT.

Parameters:

fact_type – The “type name” for this fact, like “has_role”

delete_fact(fact_type: str, *arguments: str, fact_id: str | None = None) None#

Delete a fact by ID or argument. One of ‘fact_id’ or ‘arguments’ must be provided. If ‘fact_id’ is provided, it will be used solely. If arguments are provided, each must fully match the name and/or arguments of the fact for it to be deleted.

Parameters:

  • fact_type – The “type name” for this fact, like “has_role”

  • fact_id – The ID for the fact to be deleted

  • arguments – The arguments for the fact to be deleted

delete_all_facts(fact_type: str) None#

Delete all the facts for the given fact type.

Parameters:

fact_type – The “type name” for this fact, like “has_role”

get_private_info() antimatter_api.DomainPrivateInfo#

Returns a Domain’s summary information.

Returns:

The private summary info for a domain

get_public_info() antimatter_api.DomainPublicInfo#

Returns a Domain’s summary information. This endpoint does not require authorization

Returns:

The public summary info for a domain

get_settings() antimatter_api.DomainSettings#

Return the domain settings.

put_settings(settings: antimatter.builders.settings_put.SettingsPutBuilder) antimatter_api.DomainSettings#

Updates the domain settings with the provided settings.

Parameters:

settings – The domain settings to be updated.

Returns:

The domain settings after applying the proposed updates

get_status() antimatter_api.DomainStatus#

Return the domain status, which contains important notifications for administrators of the domain.

list_hooks() List[antimatter_api.DomainHooksListHooksInner]#

Return a list of available hooks in this domain. A hook is a data processor, like a PII classifier

list_resources() List[antimatter_api.DomainResourceSummarySchemaInner]#

Return a list of resource strings that can be used in policy rules, and the set of permissions that you can assign to them.

query_access_log(start_date: datetime.datetime | str | None = None, end_date: datetime.datetime | str | None = None, duration: datetime.timedelta | dateutil.relativedelta.relativedelta | str | None = None, session: str | None = None, location: str | None = None, location_prefixed: bool | None = None, operation_type: str | None = None, allowed_tag: str | antimatter.CapsuleTag | antimatter.ColumnTag | antimatter.SpanTag | None = None, redacted_or_tokenized_tag: str | antimatter.CapsuleTag | antimatter.ColumnTag | antimatter.SpanTag | None = None, capsule_id: str | None = None) Iterator[antimatter_api.AccessLogEntry]#

Query the data access log for this domain. This contains all operations interacting with capsules within this domain. An iterator is returned over the results in reverse chronological order.

Parameters:

  • start_date – The earlier date of the date range. As results are returned in reverse chronological order, this date corresponds with the end of the result set. This should be a timezone-aware datetime, or else will be treated as the system timezone

  • end_date – The later date of the date range. As results are returned in reverse chronological order, this date corresponds with the beginning of the result set. If not specified, defaults to the current time. This should be a timezone-aware datetime, or else will be treated as the system timezone

  • duration – The query time range duration. This can be a timedelta or a string such as ‘2h’. When using duration, by default the query time range ends ‘now’, unless one of start_date or end_date is specified. If both start_date and end_date are specified, duration is ignored. If using a string value, valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”, “d”, “mo”, “y”. These can be grouped together, such as 1h5m30s

  • session – The session you would like to filter on. This will return results for only the provided session. If not specified, this field is ignored

  • location – The location you would like to filter on. This is a matched filter and will return results starting with the provided string. If not specified, this field is ignored

  • location_prefixed – A boolean indicator to indicate that the location you provided is a prefix or not. If this is set to true, then the filter provided in location is treated as a prefix. If not specified, this is treated as false

  • operation_type – The operation you would like to filter on. This will filter on the provided operation type and return all results using the provided operation type. If not specified, this field is ignored

  • allowed_tag – The allow tag key you would like to filter on. This accepts tag key only and will return all allowed tag results matching the provided tag key. If not specified, this field is ignored

  • redacted_or_tokenized_tag – The redacted or tokenized tag key you would like to filter on. This accepts a tag key only and will return all redacted and tokenized tag key results matching the provided tag key. If not specified, this field is ignored

  • capsule_id – The ID for a specific capsule. Use this to limit results to a single capsule

Returns:

An iterator over the access logs matching the filters

query_control_log(start_date: datetime.datetime | str | None = None, end_date: datetime.datetime | str | None = None, duration: datetime.timedelta | dateutil.relativedelta.relativedelta | str | None = None, session: str | None = None, url: str | None = None, description: str | None = None) Iterator[antimatter_api.DomainControlLogEntry]#

Query the domain control-plane audit log. An iterator is returned over the results in reverse chronological order.

Parameters:

  • start_date – The earlier date of the date range. As results are returned in reverse chronological order, this date corresponds with the end of the result set. This should be a timezone-aware datetime, or else will be treated as the system timezone

  • end_date – The later date of the date range. As results are returned in reverse chronological order, this date corresponds with the beginning of the result set. If not specified, defaults to the current time. This should be a timezone-aware datetime, or else will be treated as the system timezone

  • duration – The query time range duration. This can be a timedelta or a string such as ‘2h’. When using duration, by default the query time range ends ‘now’, unless one of start_date or end_date is specified. If both start_date and end_date are specified, duration is ignored. If using a string value, valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”, “d”, “mo”, “y”. These can be grouped together, such as 1h5m30s

  • session – The session you would like to filter on. This will return results for only the provided session. If not specified, this field is ignored

  • url – The URL you would like to filter on. This is a prefix matched filter and will return results starting with the provided string. If not specified, this field is ignored

  • description – The description you would like to filter on. This is an in matched filter and will return results that contain the provided string. If not specified, this field is ignored

Returns:

An iterator over the control logs matching the filters

upsert_identity_provider(provider_name: str, provider_type: str | antimatter.constants.identity_provider.ProviderType = ProviderType.ApiKey, client_id: str | None = None) antimatter_api.DomainIdentityProviderInfo#

Create or update an identity provider.

Parameters:

  • provider_name – The name of a new or existing identity provider

  • provider_type – The provider type for identity management

  • client_id – If the provider type is ‘GoogleOAuth’ or ‘MicrosoftOAuth’, a client ID must be provided

Returns:

The identity provider summary

insert_identity_provider_principal(provider_name: str, capabilities: List[str | Dict[str, Any]], principal_type: str | antimatter.constants.identity_provider.PrincipalType, principal_value: str | None = None, comment: str | None = None) antimatter_api.DomainInsertIdentityProviderPrincipal200Response#

Creates a new principal for the provider. Note that the provider_name must refer to an existing identity provider. The principal_value is optional if the type is APIKey.

Parameters:

  • provider_name – The name of an existing identity provider

  • capabilities – The capabilities to attach to the principal. These can be in one of the following forms: - A list of unary capabilities, like [‘admin’, ‘read_only’] - A list of key-value pairs, like [“admin=True”, “read_only=False”] - A list of dictionaries, like [{“admin”: “True”}, {“read_only”: “False”}] - A list of dictionaries as a name/value pair, like [{“name”: “admin”, “value”: “True”}, {“name”: “read_only”, “value”: “False”}] - Any combination of the above

  • principal_type – The type of principal to create. One of ‘APIKey’, ‘Email’, or ‘HostedDomain’

  • principal_value – The appropriate identifying value for the principal, depending on type

  • comment – An optional comment for the identity provider principal

Returns:

The ID of the inserted principal and any additional metadata

update_identity_provider_principal(provider_name: str, principal_id: str, capabilities: List[str | Dict[str, Any]]) None#

Update the capabilities for an identity provider principal.

Parameters:

  • provider_name – The name of an existing identity provider

  • principal_id – The ID of the principal

  • capabilities – The capabilities to attach to the principal. These can be in one of the following forms: - A list of unary capabilities, like [‘admin’, ‘read_only’] - A list of key-value pairs, like [“admin=True”, “read_only=False”] - A list of dictionaries, like [{“admin”: “True”}, {“read_only”: “False”}] - A list of dictionaries as a name/value pair, like [{“name”: “admin”, “value”: “True”}, {“name”: “read_only”, “value”: “False”}] - Any combination of the above

get_identity_provider(provider_name: str) antimatter_api.DomainIdentityProviderInfo#

Retrieve detailed information and configuration of an identity provider

Parameters:

provider_name – The name of an existing identity provider

Returns:

The identity provider details

list_identity_providers() List[antimatter_api.DomainIdentityProviderInfo]#

Retrieve the domain’s identity providers and a brief overview of their configuration.

get_identity_provider_principal(provider_name: str, principal_id: str | None = None) List[antimatter_api.PrincipalSummary] | antimatter_api.PrincipalSummary#

Get either a summary of all the principals for an identity provider, or detailed information about a single principal if a principal_id is provided

Parameters:

  • provider_name – The name of an existing identity provider

  • principal_id – The ID of the principal; None to get all principals

Returns:

The principal information

delete_identity_provider(provider_name: str) None#

Delete an identity provider. All domain tokens created using this identity provider will be invalidated. Take care not to remove the identity provider that is providing you admin access to your domain, as you may lock yourself out.

Parameters:

provider_name – The name of the identity provider to fully delete

delete_identity_provider_principal(provider_name: str, principal_id: str) None#

Delete an identity provider principal.

Parameters:

  • provider_name – The name of the identity provider to delete a principal from

  • principal_id – The ID of the principal to delete

create_policy_rule(capability_rules: antimatter.builders.capability.CapabilityRulesBuilder, path: str, operation: str | antimatter.constants.domain_policy.Operation, result: str | antimatter.constants.domain_policy.Result, priority: int = 0, facts: antimatter.builders.fact_policy.FactPoliciesBuilder | None = None, disabled: bool = False) antimatter_api.DomainPolicyRule#

Create a policy rule for the domain.

Parameters:

  • capability_rules – Rules referring to domain identity capabilities. These rules are ANDed together

  • facts – Assert the existence or nonexistence of facts that reference the capability rules. These assertions will be ANDed together, and ANDed with the capability rules.

  • path – The path this rule governs. May contain glob expressions (e.g. ‘*’ and ‘**’)

  • operation – The operation to apply the policy to

  • result – Whether to ‘allow’ or ‘deny’ the operation performed that matches this rule

  • priority – The priority of this rule. Lower priority rules are evaluated first

  • disabled – If this rule is disabled or not

Returns:

A dictionary containing the created rule from the server

delete_policy_rule(rule_id: str) None#

Delete a domain policy rule on the session’s domain.

Parameters:

rule_id – Identifier of the policy rule to delete

list_policy_rules() List[antimatter_api.DomainPolicyRule]#

Get the domain’s policy rules.

Returns:

A list of policy rules.

update_policy_rule(rule_id: str, capability_rules: antimatter.builders.capability.CapabilityRulesBuilder, facts: antimatter.builders.fact_policy.FactPoliciesBuilder, path: str, operation: str | antimatter.constants.domain_policy.Operation, result: str | antimatter.constants.domain_policy.Result, priority: int, disabled: bool = False) None#

Update a domain policy rule by ID.

Parameters:

  • rule_id – The ID of the rule to update

  • capability_rules – Rules referring to domain identity capabilities. These rules are ANDed together

  • facts – Assert the existence or nonexistence of facts that reference the capability rules. These assertions will be ANDed together, and ANDed with the capability rules.

  • path – The path this rule governs. May contain glob expressions (e.g. ‘*’ and ‘**’)

  • operation – The operation to apply the policy to

  • result – Whether to ‘allow’ or ‘deny’ the operation performed that matches this rule

  • priority – The priority of this rule. Lower priority rules are evaluated first

  • disabled – If this rule is disabled or not

renumber_policy_rules() List[antimatter_api.DomainPolicyRule]#

Re-assign rule priority numbers for the session’s domain to integer multiples of 10

Returns:

The full list of renumbered policy rules in this domain

add_read_context(name: str, builder: antimatter.builders.ReadContextBuilder) None#

Upserts a read context for the current domain and auth

Parameters:

  • name – The name of the read context to add or update

  • builder – The builder containing read context configuration

list_read_context() List[antimatter_api.ReadContextShortDetails]#

Returns a list of read contexts available for the current domain and auth

describe_read_context(name: str) antimatter_api.ReadContextDetails#

Returns the read context with the given name for the current domain and auth

Parameters:

name – The name of the read context to describe

Returns:

The full details of the read context

delete_read_context(name: str) None#

Delete a read context. All configuration associated with this read context will also be deleted. Domain policy rules referencing this read context will be left as-is.

Parameters:

name – The name of the read context to delete

add_write_context(name: str, builder: antimatter.builders.WriteContextBuilder) None#

Upserts a write context for the current domain and auth

Parameters:

  • name – The name of the write context to add or update

  • builder – The builder containing write context configuration

list_write_context() List[antimatter_api.WriteContextDetails]#

Returns a list of write contexts available for the current domain and auth

describe_write_context(name: str) antimatter_api.WriteContextDetails#

Returns the write context with the given name for the current domain and auth

Parameters:

name – The name of the write context to describe

Returns:

The full details of the write context

upsert_write_context_configuration(name: str, builder: antimatter.builders.WriteContextConfigurationBuilder) None#

Update a write context configuration. The write context must already exist.

Parameters:

  • name – The name of the write context to update the configuration for

  • builder – The builder containing write context configuration

delete_write_context(name: str) None#

Delete a write context. All configuration associated with this write context will also be deleted. Domain policy rules referencing this write context will be left as-is.

Parameters:

name – The name of the write context to delete

list_write_context_classifier_rules(context_name: str) List[antimatter_api.ClassifierRule]#

List all regex rules for the write context.

Parameters:

context_name – The name of the write context

Returns:

The list of rules

insert_write_context_classifier_rule(context_name: str, comment: str | None = None, span_tags: List[str] = [], capsule_tags: List[str] = [], llm_model: str | None = None, llm_prompt: str | None = None, regex_pattern: str | None = None, regex_match_on_key: bool | None = None) str#

Insert a classifier rule for the context.

Parameters:

  • context_name – The name of the write context

  • comment – The comment for the classifier rule

  • span_tags – The span tags for the classifier rule

  • capsule_tags – The capsule tags for the classifier rule Span tags and capsule tags can be of the form: - A list of unary tags, like [‘tag.antimatter.io/pii/email’, ‘tag.antimatter.io/pii/name’] - A list of key-value pairs, like [“tag.antimatter.io/pii/date=24/12/2021”, “tag.antimatter.io/pii/credit_card=1234”] - A list of dictionaries, like [{“tag.antimatter.io/pii/email”: “”}, {“tag.antimatter.io/pii/date”: “24/12/2021”}] - A list of dictionaries as a name/value pair, like [{“name”: “tag.antimatter.io/pii/email”, “value”: “”}, {“name”: “tag.antimatter.io/pii/date”, “value”: “24/12/2021”}] - Any combination of the above

  • llm_model – The LLM model for the classifier rule. One of: ‘openai’, ‘bedrock’ One of the following must be provided: llm classifier rules or regex classifier rules

  • llm_prompt – The LLM prompt for the classifier rule

  • regex_pattern – A regex pattern for the classifier rule One of the following must be provided: llm classifier rules or regex classifier rules

  • regex_match_on_key – A regex match on key for the classifier rule

delete_write_context_classifier_rule(context_name: str, rule_id: str) None#

Delete a regex classifier rule for the context.

Parameters:

  • context_name – The name of the write context

  • rule_id – The ID of the rule to delete

delete_write_context_classifier_rules(context_name: str) None#

Delete the regex classifier rules for the context.

Parameters:

context_name – The name of the write context

resend_verification_email(email: str | None = None)#

Resend the verification email to the admin contact email. If the session was called with an email, that will be used if none is provided.

Parameters:

email – The email to resend the verification email for.

get_active_root_encryption_key() antimatter_api.RootEncryptionKeyItem#

Get the active root encryption key

Returns:

The active root encryption key

list_root_encryption_keys() List[antimatter_api.RootEncryptionKeyItem]#

List all root encryption keys

Returns:

A list of root encryption keys

test_root_encryption_key(root_encryption_key_id: str) antimatter_api.RootEncryptionKeyTestResponse#

Attempt to test a root encryption key to encrypt and decrypt

Parameters:

key – The key to test

Returns:

The result of the test

add_root_encryption_key(key_infos: antimatter_api.KeyInfos, description: str = '') str#

Add a new root encryption key. Use the builder functions in antimatter.builders.root_encryption_key to create the key information.

For example:

key_info = antimatter.builders.antimatter_delegated_aws_key_info(key_arn="key_arn")
key_id = session.add_root_encryption_key(key_info)

key_info = antimatter.builders.aws_service_account_key_info(
    access_key_id="access_key_id", secret_access_key
)
key_id = session.add_root_encryption_key(key_info)

key_info = antimatter.builders.gcp_service_account_key_info(
    service_account_credentials="service_account_credentials", project_id="project_id", location="location"
)
key_id = session.add_root_encryption_key(key_info)
Parameters:

  • key_infos – The key information to add

  • description – The description of the key

delete_root_encryption_key(root_encryption_key_id: str)#

Delete a root encryption key. Only possible if key is not in use by any data key encryption keys

Parameters:

key – The key to delete

set_active_root_encryption_key(root_encryption_key_id: str) None#

Set the active root encryption key for the domain

Parameters:

key – The key to set as active

rotate_encryption_keys() None#

Rotates the root encryption keys. This is a batched operation and if ‘True’ is returned, this indicates whether there are more key encryption keys that can be rotated.

list_key_providers() List[antimatter_api.AvailableDelegatedRootEncryptionKeyProvider | antimatter_api.AvailableServiceAccountRootEncryptionKeyProvider]#

Retrieve the domain’s key providers and a brief overview of their configuration.

list_starred_domains() List[str]#

Returns a list of starred domains for the current user

add_starred_domain(domain_id: str) None#

Adds a domain to the starred list for the current user

delete_starred_domain(domain_id: str) None#

Removes a domain from the starred list for the current user

list_data_policies() List[antimatter_api.DataPolicy]#

Returns a list of data policies available for the current domain and auth

Returns:

A list of data policies

create_data_policy(name: str, description: str) antimatter_api.DomainCreateDataPolicy200Response#

Create a new data policy for the current domain and auth

Parameters:

  • name – The name for this data policy

  • description – The human-readable description of the data policy

describe_data_policy(policy_id: str) antimatter_api.ExtendedDataPolicy#

Describe a data policy by ID

Parameters:

policy_id – The ID of the data policy

Returns:

The data policy details

update_data_policy(policy_id: str, name: str, description: str) None#

Update a data policy by ID

Parameters:

  • policy_id – The ID of the data policy

  • name – The name for this data policy

  • description – The human-readable description of the data policy

delete_data_policy(policy_id: str) None#

Delete a data policy by ID

Parameters:

policy_id – The ID of the data policy

renumber_data_policy_rules(policy_id: str) None#

Renumber the rules of a data policy by ID

Parameters:

policy_id – The ID of the data policy

update_data_policy_rules(policy_id: str, rules: antimatter.builders.data_policy.DataPolicyRuleChangesBuilder) antimatter_api.DataPolicyRuleChangeResponse#

Update a rule of a data policy by ID

Parameters:

  • policy_id – The ID of the data policy

  • rules – The rules to apply to the data policy, constructed using the DataPolicyRuleChangesBuilder

describe_data_policy_rule(policy_id: str, rule_id: str) antimatter_api.DataPolicyRule#

Describe a rule of a data policy by ID

Parameters:

  • policy_id – The ID of the data policy

  • rule_id – The ID of the rule to describe

Returns:

The data policy rule details for the given policy and rule

update_data_policy_rule(policy_id: str, rule_id: str, rules: antimatter.builders.data_policy.NewDataPolicyRuleBuilder) None#

Update a rule of a data policy by ID

Parameters:

  • policy_id – The ID of the data policy

  • rule_id – The ID of the rule to update

  • rules – The rules to apply to the data policy, constructed using the NewDataPolicyRuleBuilder

delete_data_policy_rule(policy_id: str, rule_id: str) None#

Delete a rule of a data policy by ID

Parameters:

  • policy_id – The ID of the data policy

  • rule_id – The ID of the rule to delete

describe_data_policy_binding(policy_id: str, binding_id: str) antimatter_api.DataPolicyBindingInfo#

Describe a binding of a data policy by ID

Parameters:

  • policy_id – The ID of the data policy

  • binding_id – The ID of the binding to describe

Returns:

The data policy binding details for the given policy and binding ID

set_data_policy_binding(policy_id: str, default_attachment: antimatter.builders.data_policy.Attachment, read_contexts: List[Tuple[str, antimatter.builders.data_policy.Attachment]]) None#

Set a binding of a data policy by ID

Parameters:

  • policy_id – The ID of the data policy

  • default_attachment – The default attachment for the data policy