Skip to content

feat(rbac): RBAC foundation #2124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 50 commits into from
Jun 25, 2025
Merged

feat(rbac): RBAC foundation #2124

merged 50 commits into from
Jun 25, 2025

Conversation

jiparis
Copy link
Member

@jiparis jiparis commented Jun 23, 2025
edited
Loading

This PR includes:

  • RBAC logic to apply fine grained permissions when user has role:org:member role on the organization. Regular roles don't get this logic applied
  • A new membership entry is added when a project is created (making the caller user owner of the project)
  • All endpoints where RBAC should be applied, have been adapted to query for "visible" projects

There is only one endpoint set that needs more work, or perhaps they should be maintained outside the scope of RBAC:

  • Org API token management: currently only available to Org Admins. With the current implementation, Org Members won't be able to generate tokens (unless we move or support project-scoped API tokens)

Note that this PR is safe to merge, since existing roles still work in the same way.

Refs #2121

jiparis added 13 commits June 17, 2025 16:38
@jiparis
create org member role and add project permissions
1edf06a 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
wip
afc9001 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
Merge branch 'main' into PFM-3163-member
4b4cdd6
@jiparis
expose role through CLI
d7a1271 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
set memberships
f583b8f 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
cache membership data
38f1973 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix tests
c148162 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add enforcer to services
8287d0c 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
attestation init
49ebead 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
att init complete
0e3c04e 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
remove unused roles
7d49b62 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
reset cache
b3d802e 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
rbac on att push
23bd36b 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from migmartri and javirln June 23, 2025 12:57
jiparis
jiparis commented Jun 23, 2025
View reviewed changes
@jiparis jiparis marked this pull request as ready for review June 23, 2025 14:14
migmartri
migmartri reviewed Jun 23, 2025
View reviewed changes
jiparis added 7 commits June 23, 2025 17:03
@jiparis
add to att cancel
9e1221d 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
update permission to cancel attestations
a4cb4e4 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
workflows done
bbfe593 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
lint
5366022 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix error management
f627687 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
simplify
d62dc44 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
workflow run ls
683b499 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
migmartri
migmartri reviewed Jun 23, 2025
View reviewed changes
jiparis added 2 commits June 23, 2025 19:15
@jiparis
wf run describe
908df49 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix error check
da278d5 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
migmartri
migmartri reviewed Jun 23, 2025
View reviewed changes
@jiparis
casbackend ls
0528079 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
migmartri
migmartri reviewed Jun 23, 2025
View reviewed changes
@migmartri
Copy link
Member

I made it work, looking good :)

Some minor issue is that I found some inconsistency between the message we get from the middleware and potentially from the one from the new helper, for example

go run main.go cas-backend ls
WRN API contacted in insecure mode
ERR operation not allowed

and

go run main.go att init --name test-annotations --project project-sarah  --replace
Flag --name has been deprecated, please use --workflow instead
WRN API contacted in insecure mode
This command is will run against the organization "foobar-222"
Please confirm to continue y/N
y
ERR user not authorized

@jiparis
allow member invitations
656a344 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
jiparis added 2 commits June 24, 2025 00:05
@jiparis
unify error messages
9b34c1b 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
getuploadcreds
fdf606c 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@migmartri
Copy link
Member

@jiparis one thing that you didn't end up adding I think is the cache we talked about when retrieving memberships, etc. Are you still going to do it?

jiparis added 6 commits June 24, 2025 11:51
@jiparis
attachments
b324e72 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
attachment detach
6ea96d9 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
remove membership list
a6eb273 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
metrics totals
96cd018 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add role to org member
453c66e 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
org metrics are project-aware
0faf6b2 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
Copy link
Member Author

jiparis commented Jun 24, 2025

@jiparis one thing that you didn't end up adding I think is the cache we talked about when retrieving memberships, etc. Are you still going to do it?

Yes, it's added for 10 seconds.

@jiparis
undo change
2f7a607 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
jiparis added 3 commits June 24, 2025 16:47
@jiparis
referrer
f29a694 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
undo change
ae94ddd 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix test
164e0d2 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
jiparis added 3 commits June 24, 2025 18:06
@jiparis
document roles
6d6c91f 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
remove member from documentation
7a886d1 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
undocument member
c276566 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
migmartri
migmartri reviewed Jun 24, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jiparis added 3 commits June 24, 2025 18:47
@jiparis
lower expiration to 1 second
13df2b2 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix integration detach
44bdfc8 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add commments
4224965 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit 01af803 into chainloop-dev:main Jun 25, 2025
13 checks passed
@jiparis jiparis deleted the PFM-3163-member branch June 25, 2025 07:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@migmartri migmartri migmartri approved these changes

@javirln javirln javirln approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jiparis @migmartri @javirln