Authorizing users
User authorization in Che is based on the permissions model. Permissions are used to control the allowed actions of users and establish a security model. Every request is verified for the presence of the required permission in the current user subject after it passes authentication. You can control resources managed by Che and allow certain actions by assigning permissions to users.
Permissions can be applied to the following entities:
- Workspace
- System
All permissions can be managed using the provided REST API. The APIs are documented using Swagger at https://che-host:che-port/swagger/#!/permissions.
Che workspace permissions
The user who creates a workspace is the workspace owner. By default, the workspace owner has the following permissions: read, use, run, configure, setPermissions, and delete. Workspace owners can invite users into the workspace and control workspace permissions for other users.
The following permissions are associated with workspaces:
Permission | Description |
---|---|
read | Allows reading the workspace configuration. |
use | Allows using a workspace and interacting with it. |
run | Allows starting and stopping a workspace. |
configure | Allows defining and changing the workspace configuration. |
setPermissions | Allows updating the workspace permissions for other users. |
delete | Allows deleting the workspace. |
Che system permissions
Che system permissions control aspects of the whole Che installation. The following permissions are applicable to the system:
Permission | Description |
---|---|
manageSystem | Allows control of the system and workspaces. |
setPermissions | Allows updating the permissions for users on the system. |
manageUsers | Allows creating and managing users. |
monitorSystem | Allows accessing endpoints used for monitoring the state of the server. |
All system permissions are granted to the administrative user who is configured in the CHE_SYSTEM_ADMIN__NAME property (the default is admin). The system permissions are granted when the Che server starts. If the user is not yet present in the Che user database, the permissions are granted after that user's first login.
manageSystem permission
Users with the manageSystem permission have access to the following services:
Path | HTTP Method | Description |
---|---|---|
/resource/free/ | GET | Get free resource limits. |
/resource/free/{accountId} | GET | Get free resource limits for the given account. |
/resource/free/{accountId} | POST | Edit free resource limit for the given account. |
/resource/free/{accountId} | DELETE | Remove free resource limit for the given account. |
/installer/ | POST | Add installer to the registry. |
/installer/{key} | PUT | Update installer in the registry. |
/installer/{key} | DELETE | Remove installer from the registry. |
/logger/ | GET | Get logging configurations in the Che server. |
/logger/{name} | GET | Get configurations of logger by its name in the Che server. |
/logger/{name} | PUT | Create logger in the Che server. |
/logger/{name} | POST | Edit logger in the Che server. |
/resource/{accountId}/details | GET | Get detailed information about resources for the given account. |
/system/stop | POST | Shutdown all system services, prepare Che to stop. |
monitorSystem permission
Users with the monitorSystem permission have access to the following services.
Path | HTTP Method | Description |
---|---|---|
/activity | GET | Get workspaces in a certain state for a certain amount of time. |
Super-privileged mode
The manageSystem permission can be extended to provide a super-privileged mode. This allows the user to perform advanced actions on any resources managed by the system. A user can read and stop any workspace with the manageSystem permission and assign permissions to other users as needed.
The super-privileged mode is disabled by default. To enable it, set the CHE_SYSTEM_SUPER__PRIVILEGED__MODE environment variable to true. The following services are enabled for users with the manageSystem permission when super-privileged mode is on:
Path | HTTP Method | Description |
---|---|---|
/workspace/namespace/{namespace:.*} | GET | Get all workspaces for the given namespace. |
/workspace/{id} | DELETE | Stop a workspace. |
/workspace/{key:.*} | GET | Get a workspace by key. |
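The endpoint tables above can be turned into a matcher for reviewing API access logs, so that state-changing calls to these services stand out. This is an added example, not part of the Che documentation or code base; the `user METHOD path` log format and the sample lines are constructed, and paths are assumed to be logged relative to the API root, as they appear in the tables.

```python
import re

# Rows copied from the tables on this page: (permission label, method, template).
MS, SP = "manageSystem", "manageSystem + super-privileged mode"
ROWS = [
    (MS, "GET", "/resource/free/"), (MS, "GET", "/resource/free/{accountId}"),
    (MS, "POST", "/resource/free/{accountId}"),
    (MS, "DELETE", "/resource/free/{accountId}"),
    (MS, "POST", "/installer/"), (MS, "PUT", "/installer/{key}"),
    (MS, "DELETE", "/installer/{key}"), (MS, "GET", "/logger/"),
    (MS, "GET", "/logger/{name}"), (MS, "PUT", "/logger/{name}"),
    (MS, "POST", "/logger/{name}"), (MS, "POST", "/system/stop"),
    (MS, "GET", "/resource/{accountId}/details"),
    ("monitorSystem", "GET", "/activity"),
    (SP, "GET", "/workspace/namespace/{namespace:.*}"),
    (SP, "DELETE", "/workspace/{id}"), (SP, "GET", "/workspace/{key:.*}"),
]

def to_regex(template):
    """{name} matches one path segment; {name:re} uses the given regex."""
    template = template.rstrip("/")
    out, pos = "", 0
    for m in re.finditer(r"\{\w+(?::([^}]*))?\}", template):
        out += re.escape(template[pos:m.start()]) + f"({m.group(1) or '[^/]+'})"
        pos = m.end()
    return re.compile(out + re.escape(template[pos:]) + r"/?$")

RULES = [(label, method, to_regex(t), t) for label, method, t in ROWS]

def classify(method, path):
    """Return (permission label, template), or None if not in the tables."""
    for label, rule_method, rx, template in RULES:
        if rule_method == method.upper() and rx.match(path):
            return label, template
    return None

def state_changing_calls(log_lines):
    """Non-GET requests matching a table row, as (user, label, template)."""
    parsed = (line.split() for line in log_lines)
    return [(u, *classify(m, p)) for u, m, p in parsed
            if m.upper() != "GET" and classify(m, p)]

# Constructed sample in a hypothetical "user METHOD path" log format.
SAMPLE_LOG = ["admin GET /logger/", "admin POST /system/stop",
              "bob PUT /logger/org.example.Foo", "bob DELETE /workspace/ws123",
              "carol POST /workspace"]
```

The super-privileged label marks a request as reachable through that mode; deciding whether a given call actually relied on it requires the caller's own workspace permissions as well.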
Listing Che permissions
To list Che permissions that apply to a specific resource, perform the GET /permissions request.
To list the permissions that apply to a user, perform the GET /permissions/{domain} request.
To list the permissions that apply to all users, perform the GET /permissions/{domain}/all request. The user must have manageSystem permissions to see this information.
The suitable domain values are:
- system
- organization
- workspace
The domain is optional. If no domain is specified, the API returns all possible permissions for all the domains.
Assigning Che permissions
To assign permissions to a resource, perform the POST /permissions request. The suitable domain values are:
- system
- organization
- workspace
The following is a message body that requests permissions for a user with a userId to a workspace with a workspaceID:
{
  "actions": [
    "read",
    "use",
    "run",
    "configure",
    "setPermissions"
  ],
  "userId": "userID", (1)
  "domainId": "workspace",
  "instanceId": "workspaceID" (2)
}
(1) The userId parameter is the ID of the user that has been granted certain permissions.
(2) The instanceId parameter is the ID of the resource that retrieves the permission for all users.
Sharing Che permissions
A user with setPermissions privileges can share a workspace and grant read, use, run, configure, or setPermissions privileges for other users.
To share workspace permissions:
- Select a workspace in the user dashboard.
- Navigate to the Share tab and enter the email IDs of the users. Use commas or spaces as separators for multiple emails.
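The following added example (not code from the Che project) builds the POST /permissions message body shown in the assigning section with a least-privilege check, and reviews existing workspace grants for non-owners who can re-delegate access or who hold an action outside the shareable set listed above. It assumes permission records have the same shape as that message body; the owner lookup and the sample records are constructed.

```python
import json

# Workspace actions from the "Che workspace permissions" table on this page.
WORKSPACE_ACTIONS = {"read", "use", "run", "configure", "setPermissions", "delete"}
# Actions the page lists as grantable when sharing a workspace (no "delete").
SHAREABLE = {"read", "use", "run", "configure", "setPermissions"}

def build_workspace_grant(user_id, workspace_id, actions, allow_delegation=False):
    """Build the POST /permissions body for one user on one workspace."""
    requested = set(actions)
    unknown = requested - WORKSPACE_ACTIONS
    if unknown:
        raise ValueError(f"not a workspace action: {sorted(unknown)}")
    # setPermissions lets the grantee change other users' workspace permissions,
    # so it is only issued when the caller asks for it explicitly.
    if "setPermissions" in requested and not allow_delegation:
        raise ValueError("setPermissions requires allow_delegation=True")
    return json.dumps({"actions": sorted(requested), "userId": user_id,
                       "domainId": "workspace", "instanceId": workspace_id})

def review_grants(records, owners):
    """Return (workspace, user, issue) findings for non-owner workspace grants."""
    findings = []
    for rec in records:
        if rec.get("domainId") != "workspace":
            continue
        ws, user = rec.get("instanceId"), rec.get("userId")
        if user == owners.get(ws):
            continue  # the owner holds every workspace action by default
        actions = set(rec.get("actions", []))
        if "setPermissions" in actions:
            findings.append((ws, user, "can re-delegate access"))
        for extra in sorted(actions - SHAREABLE):
            findings.append((ws, user, f"not shareable per the page: {extra}"))
    return findings

# Constructed sample: records in the message-body shape (assumed) and a
# hypothetical workspace-to-owner lookup.
OWNERS = {"ws1": "u-owner"}
SAMPLE = [
    {"userId": "u-owner", "domainId": "workspace", "instanceId": "ws1",
     "actions": sorted(WORKSPACE_ACTIONS)},
    {"userId": "u2", "domainId": "workspace", "instanceId": "ws1",
     "actions": ["read", "use"]},
    {"userId": "u3", "domainId": "workspace", "instanceId": "ws1",
     "actions": ["read", "setPermissions", "delete"]},
]
```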