Origin Membership & RBAC

Prerequisites:

Role-Based Access Control (RBAC) for Chef Habitat Builder (SaaS and on-prem)

Role-Based Access Control (RBAC) membership works at the origin level: your personal access token authenticates you to Chef Habitat Builder, and the membership role attached to that token for each origin authorizes what you can do there. RBAC improves operational safety by letting you grant each user of an origin only the level of access they need. When you first join or create an origin, Chef Habitat Builder identifies your personal access token and assigns a membership role to it for that origin. By default, when you join an origin you are assigned the 'Read-Only' role, and when you create an origin you are assigned the 'Owner' role. Role access is cumulative and progressive: each RBAC role includes all of the privileges of the previous roles and adds new access privileges.

RBAC Origin Member Roles:

Read-Only
The default membership role for any user joining an origin. ‘Read-Only’ users can read an origin’s packages, channels, origin membership, jobs, keys, integrations, invitations, roles, and settings. ‘Read-Only’ users cannot add to, change, or delete anything in the origin, including uploading packages and inviting users to the origin.
Member
In addition to ‘Read-Only’ access, an origin ‘Member’ can upload and build packages in the ‘unstable’ channel, but they cannot promote packages to other channels.
Maintainer
In addition to 'Member' access, 'Maintainers' can write to packages, origin membership, jobs, integrations, and invitations, and can promote packages from 'unstable' to other channels. Maintainers can read origin keys and settings, but cannot add, update, or delete them. Origin 'Maintainers' can read origin membership roles and can see and send invitations, but they cannot otherwise change origin membership, their own or anybody else's. 'Maintainers' can neither read nor write origin secrets.
Administrator
In addition to ‘Maintainer’ access, the ‘Administrator’ role has write access to origin keys and can add, update, and delete origin membership. An ‘Administrator’ can read and write origin secrets.
Owner
The origin ‘Owner’ has full read and write access to all aspects of the origin. Only Owners can delete the origin or transfer ownership to another member.

Comparison of RBAC Membership Roles and Actions

Action                              Read-Only  Member  Maintainer  Administrator  Owner

Packages
  View packages                     Y          Y       Y           Y              Y
  Upload packages to unstable       N          Y       Y           Y              Y
  Promote packages from unstable    N          N       Y           Y              Y
Build Jobs
  View build jobs                   Y          Y       Y           Y              Y
  Trigger unstable build job        N          Y       Y           Y              Y
Channels
  View channels                     Y          Y       Y           Y              Y
  Add/Update/Delete channels        N          N       Y           Y              Y
Origin Keys
  View keys                         Y          Y       Y           Y              Y
  Add/Update/Delete keys            N          N       N           Y              Y
Origin Membership
  View origin membership            Y          Y       Y           Y              Y
  View invitations                  Y          Y       Y           Y              Y
  Send invitations                  N          N       Y           Y              Y
  Revoke invitations                N          N       Y           Y              Y
Member Roles
  View member roles                 Y          Y       Y           Y              Y
  Update member roles               N          N       N           Y              Y
Origin Settings
  View settings                     Y          Y       Y           Y              Y
  Add/Update/Delete settings        N          N       N           Y              Y
Origin Secrets
  View secrets                      N          N       N           Y              Y
  Add/Update/Delete secrets         N          N       N           Y              Y
Cloud Integrations
  View integrations                 Y          Y       Y           Y              Y
  Add/Update/Delete integrations    N          N       Y           Y              Y
Ownership
  Transfer origin                   N          N       N           N              Y
  Delete origin                     N          N       N           N              Y

Manage Origin Membership

The hab CLI supports RBAC. You must use the CLI to manage origin roles; origin roles cannot be managed from the Chef Habitat Builder web site.

Manage origin membership with hab origin invitations

Use the hab origin invitations command to invite users to join your origin and to respond to invitations. As the role table above shows, origin Maintainers, Administrators, and Owners can use this command to send and rescind invitations.

All Chef Habitat Builder users can accept, ignore, and see invitations for their accounts.

View origin invitations:

hab origin invitations list

Accept origin invitations:

hab origin invitations accept <ORIGIN> <INVITATION_ID>

Ignore origin invitations:

hab origin invitations ignore <ORIGIN> <INVITATION_ID>

Send origin membership invitations:

hab origin invitations send <ORIGIN> <INVITEE_ACCOUNT>

Origin Maintainers, Administrators, and Owners can see all pending membership invitations for an origin:

hab origin invitations pending <ORIGIN>

Origin Maintainers, Administrators, and Owners can rescind an origin membership invitation:

hab origin invitations rescind <ORIGIN> <INVITATION_ID>

Origin owners can transfer origin ownership to another member:

hab origin transfer [OPTIONS] <ORIGIN> <NEW_OWNER_ACCOUNT>

Manage membership roles with hab origin rbac

Use the hab origin rbac command to see and set role-based access control (RBAC) roles from the command line. An origin MEMBER_ACCOUNT is the user name used to sign in to Chef Habitat Builder. You can find the list of user names on an origin's Members tab (Builder > Origin > Members).

The RBAC command syntax is:

hab origin rbac <SUBCOMMAND>

The syntax for the show subcommand is:

hab origin rbac show <MEMBER_ACCOUNT> --origin <ORIGIN>

See an origin member’s RBAC role:

hab origin rbac show bluewhale --origin two-tier-app

The syntax for the set subcommand is:

hab origin rbac set [FLAGS] [OPTIONS] <MEMBER_ACCOUNT> <ROLE> --origin <ORIGIN>

Set an origin membership RBAC role with:

hab origin rbac set bluewhale admin --origin two-tier-app
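Because roles are cumulative, the role table above also tells you the smallest role that still covers a member's actual duties, which is what a least-privilege review of an origin needs. The following script is an added example, not part of the Habitat project or this page: it encodes the role ladder and the action table from this page, computes the minimum role each member needs, reports anyone holding more (or less) than that, and builds the corresponding hab origin rbac set commands from the syntax shown above. The member accounts, their duties, and the origin name are constructed sample data; the ROLE tokens passed to hab origin rbac set are an assumption (this page only shows admin for Administrator), so adjust CLI_ROLE_TOKEN to match your CLI.

```python
"""Least-privilege audit for Chef Habitat Builder origin roles.

Added example (not Habitat's own code). It encodes the cumulative role
ladder and the action table from this page, computes the minimum role that
covers what each member actually needs, and emits `hab origin rbac set`
commands for members whose current role is higher (or lower) than that.
"""
import shlex
import subprocess
from typing import Dict, Iterable, List, Tuple

# Least to most privileged. Each role includes every right of the role before it.
ROLES = ["readonly", "member", "maintainer", "administrator", "owner"]

# ROLE tokens passed to `hab origin rbac set`. ASSUMPTION: the page only shows
# "admin" for Administrator; the other spellings are guesses, adjust to your CLI.
CLI_ROLE_TOKEN = {
    "readonly": "readonly",
    "member": "member",
    "maintainer": "maintainer",
    "administrator": "admin",
    "owner": "owner",
}

# Lowest role that may perform each action, taken from the comparison table on this page.
MIN_ROLE_FOR_ACTION: Dict[str, str] = {
    "view packages": "readonly",
    "upload packages to unstable": "member",
    "trigger unstable build job": "member",
    "promote packages from unstable": "maintainer",
    "add/update/delete channels": "maintainer",
    "send invitations": "maintainer",
    "revoke invitations": "maintainer",
    "add/update/delete integrations": "maintainer",
    "add/update/delete keys": "administrator",
    "update member roles": "administrator",
    "add/update/delete settings": "administrator",
    "view secrets": "administrator",
    "add/update/delete secrets": "administrator",
    "transfer origin": "owner",
    "delete origin": "owner",
}


def rank(role: str) -> int:
    """Position on the ladder; higher means more privilege."""
    return ROLES.index(role)


def allowed(role: str, action: str) -> bool:
    """True if `role` may perform `action` (roles are cumulative)."""
    return rank(role) >= rank(MIN_ROLE_FOR_ACTION[action])


def minimum_role(actions: Iterable[str]) -> str:
    """Smallest role that covers every action in `actions`."""
    needed = max((rank(MIN_ROLE_FOR_ACTION[a]) for a in actions), default=0)
    return ROLES[needed]


def audit(assignments: Dict[str, Tuple[str, List[str]]]) -> List[dict]:
    """Compare each member's current role with the minimum their duties require.

    assignments maps account -> (current_role, [actions the member must perform]).
    """
    findings = []
    for account, (current, actions) in assignments.items():
        required = minimum_role(actions)
        if current == required:
            continue
        kind = "over-privileged" if rank(current) > rank(required) else "under-privileged"
        findings.append({"account": account, "current": current,
                         "required": required, "kind": kind})
    return findings


def remediation_commands(origin: str, findings: List[dict]) -> List[str]:
    """Build `hab origin rbac set` commands for each finding.

    Ownership is never changed here: the page reserves that for `hab origin transfer`,
    run by the current owner, so findings that involve the owner role are skipped.
    """
    cmds = []
    for f in findings:
        if "owner" in (f["current"], f["required"]):
            continue
        cmds.append(f"hab origin rbac set {f['account']} "
                    f"{CLI_ROLE_TOKEN[f['required']]} --origin {origin}")
    return cmds


def apply(commands: List[str], dry_run: bool = True) -> None:
    """Print the commands, or run them with the hab CLI when dry_run is False."""
    for cmd in commands:
        print(cmd)
        if not dry_run:
            subprocess.run(shlex.split(cmd), check=True)


# Constructed sample input (not real Builder data): account -> (current role, duties).
SAMPLE_ORIGIN = "two-tier-app"
SAMPLE_ASSIGNMENTS = {
    "bluewhale": ("administrator", ["upload packages to unstable",
                                    "promote packages from unstable"]),
    "orca": ("member", ["promote packages from unstable"]),
    "narwhal": ("readonly", ["view packages"]),
    "seal": ("owner", ["view packages"]),
}

if __name__ == "__main__":
    findings = audit(SAMPLE_ASSIGNMENTS)
    for f in findings:
        print(f"{f['account']}: {f['kind']} ({f['current']} -> {f['required']})")
    apply(remediation_commands(SAMPLE_ORIGIN, findings), dry_run=True)
```

Run it as-is to get a dry-run report; with the sample data, bluewhale is flagged as over-privileged (administrator where maintainer suffices) and orca as under-privileged, while the owner account is reported but never touched, since demoting an owner requires hab origin transfer first. Pass dry_run=False to apply the emitted commands with your own administrator or owner token.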