
feat(rbac): contributor role#2271

Merged
jiparis merged 29 commits into
chainloop-dev:mainfrom
jiparis:PFM-3322-newrole
Jul 21, 2025

Conversation

@jiparis jiparis commented Jul 17, 2025

Member

This PR introduces a series of changes:

  • Only Org admins (and owners) can query organization members
  • Allow maintainers to see and manage group memberships
  • Allow project admins to see and manage project memberships
  • Group list available to everyone
  • New contributor role that has the same permissions as Org Member but cannot create projects
  • Some refactoring in policies so that inheritance is used as much as possible.
  • Fixed a couple of permission inconsistencies.

I've tested every single endpoint with different role combinations, and it works as expected.

Examples:
As a contributor I cannot see memberships:

✗ cldev org ls
WRN API contacted in insecure mode
┌────────┬─────────┬─────────┬─────────────┬─────────────────────────┬─────────────────────┐
│ NAME   │ CURRENT │ DEFAULT │ ROLE        │ DEFAULT POLICY STRATEGY │ JOINED AT           │
├────────┼─────────┼─────────┼─────────────┼─────────────────────────┼─────────────────────┤
│ my-org │ true    │ true    │ contributor │ ADVISORY                │ 14 Jul 25 12:52 UTC │
└────────┴─────────┴─────────┴─────────────┴─────────────────────────┴─────────────────────┘
➜  cldev org member ls
ERR operation not allowed
exit status 1

As a contributor and project admin I can create project-scoped tokens:

➜  cldev org api-token create --name test-$RANDOM
ERR project is required
exit status 1
➜  cldev org api-token create --name test-$RANDOM --project sarah
┌──────────────────────────────────────┬────────────┬───────────────┬─────────────┬─────────────────────┬────────────┬────────────┬──────────────┐
│ ID                                   │ NAME       │ SCOPE         │ DESCRIPTION │ CREATED AT          │ EXPIRES AT │ REVOKED AT │ LAST USED AT │
├──────────────────────────────────────┼────────────┼───────────────┼─────────────┼─────────────────────┼────────────┼────────────┼──────────────┤
│ dd52ad0a-2c86-409d-885e-087fda097924 │ test-12828 │ project/sarah │             │ 17 Jul 25 16:07 UTC │            │            │              │
└──────────────────────────────────────┴────────────┴───────────────┴─────────────┴─────────────────────┴────────────┴────────────┴──────────────┘

Save the following token since it will not printed again:

...

As a contributor I cannot create a new project during attestations:

➜  cldev att init --name foo --project sarah-new --replace
This command is will run against the organization "my-org"
Please confirm to continue y/N
y
ERR you are not allowed to create projects
exit status 1

However, I can as a Member:

➜  cldev att init --name foo --project sarah-new --replace
This command is will run against the organization "my-org"
Please confirm to continue y/N
y
┌───────────────────────────┬──────────────────────────────────────┐
│ Initialized At            │ 17 Jul 25 16:13 UTC                  │
├───────────────────────────┼──────────────────────────────────────┤
│ Attestation ID            │ 1993cf5a-ffda-46f6-8d5c-6b5763bcedc4 │
│ Organization              │ my-org                               │
│ Name                      │ foo                                  │
│ Project                   │ sarah-new                            │
│ Version                   │ v1.35.0 (prerelease)                 │
│ Contract                  │ sarah-new-foo (revision 1)           │
│ Policy violation strategy │ ADVISORY                             │
└───────────────────────────┴──────────────────────────────────────┘
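As an added illustration of the inheritance refactor and the contributor/member distinction described in this PR (example code written for this page, not chainloop's authz package; the role, policy and function names are assumptions modelled on the identifiers visible in the review snippets):

```go
package main

// Hypothetical role/policy model following this PR's naming; not chainloop's own authz package.
type Role string
type Policy string

const (
	RoleOwner          Role = "owner"
	RoleAdmin          Role = "admin"
	RoleOrgMember      Role = "member"
	RoleOrgContributor Role = "contributor"

	PolicyProjectCreate               Policy = "project:create"
	PolicyOrganizationListMemberships Policy = "organization:list_memberships"
	PolicyGroupList                   Policy = "group:list"
)

// IsAdmin is the shortcut the PR switches to: admins and owners skip the policy lookup entirely.
func (r Role) IsAdmin() bool { return r == RoleAdmin || r == RoleOwner }

// roleParent encodes inheritance: a role receives every policy of its parent chain.
var roleParent = map[Role]Role{RoleOrgMember: RoleOrgContributor}

// rolePolicies lists only what a role adds on top of its parent, so the
// contributor/member difference is exactly the two policies named here.
var rolePolicies = map[Role][]Policy{
	RoleOrgContributor: {PolicyGroupList},
	RoleOrgMember:      {PolicyProjectCreate, PolicyOrganizationListMemberships},
}

// EffectivePolicies resolves the transitive policy set; the seen map guards against
// an accidental cycle in roleParent, which would otherwise loop forever.
func EffectivePolicies(r Role) map[Policy]bool {
	out, seen := map[Policy]bool{}, map[Role]bool{}
	for cur := r; cur != "" && !seen[cur]; cur = roleParent[cur] {
		seen[cur] = true
		for _, p := range rolePolicies[cur] {
			out[p] = true
		}
	}
	return out
}

// Allowed is the decision an endpoint would make: admin bypass first, then inheritance.
func Allowed(r Role, p Policy) bool {
	if r.IsAdmin() {
		return true
	}
	return EffectivePolicies(r)[p]
}
```

With this model a contributor is denied `project:create` and `organization:list_memberships`, which is what the `att init` and `org member ls` transcripts above show for that role.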

jiparis added 11 commits July 15, 2025 17:25
…ainers

@jiparis jiparis requested review from javirln and migmartri July 17, 2025 12:57
jiparis added 8 commits July 17, 2025 16:03
jiparis added 7 commits July 18, 2025 00:52

@migmartri migmartri left a comment


Thanks

PolicyOrganizationListMemberships,
// RoleOrgMember inherits from RoleOrgContributor and can also create their own projects and see members
RoleOrgMember: {
PolicyProjectCreate,
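Review bot: the comment above this block says an Org Member "can also ... see members" and the role keeps PolicyOrganizationListMemberships, but the PR description states that only org admins (and owners) can query organization members; one of the two is out of date, so please either drop the policy from RoleOrgMember or reword the description bullet. The contributor transcript in the description only demonstrates that `org member ls` is denied for contributors, not for members, so it does not settle which behaviour is intended.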


nice

Comment thread app/controlplane/pkg/authz/authz.go Outdated
// so for now we skip the authorization check for admin users since they are allowed to do anything
// TODO: fill out the rest of the policies in authz.ServerOperationsMap and remove this check
if subject == string(authz.RoleAdmin) || subject == string(authz.RoleOwner) {
if authz.Role(subject).IsAdmin() {
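Review bot: the comment still says the check skips authorization for "admin users", while the condition it replaces covered both RoleAdmin and RoleOwner; confirm that authz.Role(subject).IsAdmin() returns true for RoleOwner as well (otherwise owners silently lose the bypass) and extend the comment to say "admin or owner". The TODO to fill out authz.ServerOperationsMap and remove this blanket bypass is still open after this PR; tracking it in an issue would keep the unconditional admin path from becoming permanent.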


much nicer

jiparis added 2 commits July 21, 2025 11:34
@jiparis jiparis merged commit 9dda861 into chainloop-dev:main Jul 21, 2025
13 checks passed
@jiparis jiparis deleted the PFM-3322-newrole branch July 21, 2025 09:53
3 participants