The Habitat Team is thrilled to announce the much-anticipated release of Lightweight Role-Based Access Control (RBAC) for Chef Habitat Builder (SaaS and on-prem) coming the week of August 24th, 2020! This new set of features will provide your organization with better operational safety in its human processes. We know many of you have been asking for RBAC for a long time, and while this is a starting point for us, after the release you’ll immediately notice a few changes.
A note For all users of SaaS builder - while today we only have the concept of 2 roles (an owner, and a member) the new state of the world for Builder will see 5 roles and we’ll enumerate each them below. Due to this shift, all origin members that aren’t also the owner of an origin have been converted to the Maintainer role. This role should see very few changes from the permissions of the generic member today however there are some changes, so be sure to read carefully!
Five Origin Member Roles:
- Read-Only: This user can read an origin’s packages, channels, members, jobs, keys, integrations, invitations, roles, settings but cannot add to, change, or delete anything else in the origin, including uploading packages and inviting members. Read-Only is the default membership role for all new origin members.
- Member: In addition to Read-Only access, an origin Member can upload and build packages in the ‘unstable’ channel, but they cannot promote packages to other channels.
- Maintainer: Current origin members are now ‘Maintainers’. This role has full read and write access to packages, channels, members, jobs, integrations, invitations, settings. However, the Maintainer role is more limited than the past role, in that Maintainers only have read access to packages, channels, members, jobs, keys, integrations, and settings. Origin Maintainers can read origin member roles and see and send invitations to new members, but they cannot otherwise change origin membership–their own or anybody else’s. Finally, Maintainers can neither read nor write origin secrets.
- Administrator: In addition to Maintainer access, the Administrator role adds the missing privileges for writing origin keys and member roles, as well as for reading and writing origin secrets. Administrators have full read and write access to packages, channels, members, jobs, keys, integrations, invitations, roles, secrets, settings.
- Owner: As in the past, the origin Owner has full read and write access to the origin. Only Owners can delete the origin or transfer ownership to another member.
hab origin rbac
In tandem with the changes to the Builder membership roles, we’ve also updated the hab
CLI to support RBAC. We’re working on adding role management to the Chef Habitat Builder site, but in the meantime, you’ll need to use the CLI for now.
Like all hab
commands that interact with Builder’s API–anything that modifies your content on Builder–you need to have your personal access token configured either in your environment with HAB_AUTH_TOKEN
or pass it with the --auth
flag when you make an API call.
The hab origin rbac
subcommands are help
, set
and show
. Access to these commands is controlled by–you got it–RBAC.
user@host$ hab origin rbac --help
Role Based Access Control for origin members
USAGE:
hab origin rbac <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
help Prints this message or the help of the given subcommand(s)
set Change an origin members role
show Display an origin members current role
- Members, Maintainers, Administrators, and Owners can use
show
to view the roles of any of the members of their origin. - Administrators and Owners can use
set
to change an origin member’s role.
user@host$ hab origin rbac set --help
Change an origin members role
USAGE:
hab origin rbac set [FLAGS] [OPTIONS] <MEMBER_ACCOUNT> <ROLE> --origin <ORIGIN>
FLAGS:
-n, --no-prompt Do not prompt for confirmation
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-z, --auth <AUTH_TOKEN> Authentication token for Builder
-u, --url <BLDR_URL> Specify an alternate Builder endpoint. If not specified, the value will be taken from the
HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
-o, --origin <ORIGIN> The Builder origin name to target
ARGS:
<MEMBER_ACCOUNT> The account name whose role will be changed
<ROLE> The role name to enforce for the member account [values: readonly_member, member,
maintainer, administrator, owner]
Should find yourself in a state in this new world of RBAC where you need help from someone with Administrator access or beyond, you can find an origin’s owner by using hab origin info
like so:
user@host$ hab origin info foo-origin
☁ Discovering origin metadata
Origin [foo-origin]:
Owner Id Owner Account Private Key Package Visibility
123456789012345678 MisterE MisterE-20771119000000 private