RBAC in Builder SaaS!

The Habitat Team is thrilled to announce the much-anticipated release of Lightweight Role-Based Access Control (RBAC) for Chef Habitat Builder (SaaS and on-prem), coming the week of August 24th, 2020! This new set of features gives your organization better operational safety in its human processes. We know many of you have been asking for RBAC for a long time; this is a starting point for us, and after the release you’ll immediately notice a few changes.

A note for all users of SaaS Builder: today we only have the concept of two roles (an owner and a member), but the new state of the world for Builder will have five roles, which we enumerate below. Because of this shift, all origin members who aren’t also the owner of an origin have been converted to the Maintainer role. This role should see very few changes from the permissions of today’s generic member; however, there are some changes, so be sure to read carefully!

Five Origin Member Roles:

  • Read-Only: This user can read an origin’s packages, channels, members, jobs, keys, integrations, invitations, roles, settings but cannot add to, change, or delete anything else in the origin, including uploading packages and inviting members. Read-Only is the default membership role for all new origin members.
  • Member: In addition to Read-Only access, an origin Member can upload and build packages in the ‘unstable’ channel, but they cannot promote packages to other channels.
  • Maintainer: Current origin members are now ‘Maintainers’. This role has full read and write access to packages, channels, members, jobs, integrations, invitations, settings. However, the Maintainer role is more limited than the past role, in that Maintainers only have read access to packages, channels, members, jobs, keys, integrations, and settings. Origin Maintainers can read origin member roles and see and send invitations to new members, but they cannot otherwise change origin membership–their own or anybody else’s. Finally, Maintainers can neither read nor write origin secrets.
  • Administrator: In addition to Maintainer access, the Administrator role adds the missing privileges for writing origin keys and member roles, as well as for reading and writing origin secrets. Administrators have full read and write access to packages, channels, members, jobs, keys, integrations, invitations, roles, secrets, settings.
  • Owner: As in the past, the origin Owner has full read and write access to the origin. Only Owners can delete the origin or transfer ownership to another member.

hab origin rbac

In tandem with the changes to the Builder membership roles, we’ve also updated the hab CLI to support RBAC. We’re working on adding role management to the Chef Habitat Builder site, but until that lands you’ll need to use the CLI.

Like all hab commands that interact with Builder’s API (anything that modifies your content on Builder), these require your personal access token, either configured in your environment as HAB_AUTH_TOKEN or passed with the --auth flag when you make the API call.

The hab origin rbac subcommands are help, set and show. Access to these commands is controlled by–you got it–RBAC.

user@host$ hab origin rbac --help
Role Based Access Control for origin members

  hab origin rbac <SUBCOMMAND>

  -h, --help       Prints help information
  -V, --version    Prints version information

  help    Prints this message or the help of the given subcommand(s)
  set     Change an origin members role
  show    Display an origin members current role

  • Members, Maintainers, Administrators, and Owners can use show to view the roles of any of the members of their origin.
  • Administrators and Owners can use set to change an origin member’s role.

user@host$ hab origin rbac set --help
Change an origin members role

  hab origin rbac set [FLAGS] [OPTIONS] <MEMBER_ACCOUNT> <ROLE> --origin <ORIGIN>

  -n, --no-prompt    Do not prompt for confirmation
  -h, --help         Prints help information
  -V, --version      Prints version information

  -z, --auth <AUTH_TOKEN>    Authentication token for Builder
  -u, --url <BLDR_URL>       Specify an alternate Builder endpoint. If not specified, the value will be taken from the
                             HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
  -o, --origin <ORIGIN>      The Builder origin name to target

  <MEMBER_ACCOUNT>    The account name whose role will be changed
  <ROLE>              The role name to enforce for the member account [values: readonly_member, member,
                      maintainer, administrator, owner]
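As an added example (not code from the Habitat project), here is a small POSIX shell wrapper around the CLI above that checks its inputs before a role change: it rejects role names outside the five values listed in the help text, refuses to run without HAB_AUTH_TOKEN, treats `owner` as an ownership transfer that needs an explicit opt-in, and reads the member’s role back with `show` after the change. `HAB_CMD` is an assumed override used only so the script can be exercised against a stub; the argument order for `hab origin rbac show` is assumed to mirror `set`.

```shell
#!/bin/sh
# Added example, not part of the Habitat project. Validates a Builder role
# change before handing it to `hab origin rbac set`. HAB_CMD (assumed) lets
# the script be run against a stub instead of the real hab binary.

# The five role identifiers accepted by `hab origin rbac set`, from the help output.
VALID_ROLES="readonly_member member maintainer administrator owner"

# is_valid_role ROLE -> returns 0 if ROLE is one of the five known roles.
is_valid_role() {
    for r in $VALID_ROLES; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# have_auth -> returns 0 if a Builder token is present. hab reads it from the
# environment, so in real use it must be exported (export HAB_AUTH_TOKEN=...).
have_auth() {
    [ -n "${HAB_AUTH_TOKEN:-}" ]
}

# set_role ORIGIN ACCOUNT ROLE
# Exit codes: 2 unknown role, 3 no token, 4 show failed, 5 set failed,
# 6 owner change without ALLOW_OWNER_TRANSFER=1.
set_role() {
    origin=$1; account=$2; role=$3
    hab_bin=${HAB_CMD:-hab}

    if ! is_valid_role "$role"; then
        echo "refusing: '$role' is not one of: $VALID_ROLES" >&2
        return 2
    fi
    # Script's own guardrail: making someone owner changes who can delete or
    # transfer the origin, so require an explicit opt-in for it.
    if [ "$role" = owner ] && [ "${ALLOW_OWNER_TRANSFER:-0}" != 1 ]; then
        echo "refusing: set ALLOW_OWNER_TRANSFER=1 to assign the owner role" >&2
        return 6
    fi
    if ! have_auth; then
        echo "refusing: HAB_AUTH_TOKEN is not set" >&2
        return 3
    fi

    # Record the current role (argument order assumed to mirror `set`).
    before=$("$hab_bin" origin rbac show "$account" --origin "$origin") || return 4
    echo "before: $before"

    # --no-prompt is the documented flag for non-interactive use.
    "$hab_bin" origin rbac set "$account" "$role" --origin "$origin" --no-prompt || return 5

    # Read the role back so the caller can confirm the change landed.
    after=$("$hab_bin" origin rbac show "$account" --origin "$origin") || return 4
    echo "after:  $after"
}

# Usage (real hab, exported token):
#   export HAB_AUTH_TOKEN=...; set_role foo-origin alice maintainer
```

The before/after `show` calls are the cheap audit trail: keep their output with the change ticket, since the CLI itself only confirms the request was accepted.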

Should you find yourself, in this new world of RBAC, needing help from someone with Administrator access or beyond, you can find an origin’s owner with hab origin info like so:

user@host$ hab origin info foo-origin
 ☁ Discovering origin metadata
 Origin [foo-origin]:
 Owner Id            Owner Account  Private Key             Package Visibility
 123456789012345678  MisterE        MisterE-20771119000000  private