Authorizing users

User authorization in Che is based on the permissions model. Permissions are used to control the allowed actions of users and establish a security model. Every request is verified for the presence of the required permission in the current user subject after it passes authentication. You can control resources managed by Che and allow certain actions by assigning permissions to users.

Permissions can be applied to the following entities:

  • Workspace

  • System

All permissions can be managed using the provided REST API. The APIs are documented using Swagger at https://che-host:che-port/swagger/#!/permissions.

Che workspace permissions

The user who creates a workspace is the workspace owner. By default, the workspace owner has the following permissions: read, use, run, configure, setPermissions, and delete. Workspace owners can invite users into the workspace and control workspace permissions for other users.

The following permissions are associated with workspaces:

Table 1. Che workspace permissions
Permission Description

read

Allows reading the workspace configuration.

use

Allows using a workspace and interacting with it.

run

Allows starting and stopping a workspace.

configure

Allows defining and changing the workspace configuration.

setPermissions

Allows updating the workspace permissions for other users.

delete

Allows deleting the workspace.

Che system permissions

Che system permissions control aspects of the whole Che installation. The following permissions are applicable to the system:

Table 2. Che system permission
Permission Description

manageSystem

Allows control of the system and workspaces.

setPermissions

Allows updating the permissions for users on the system.

manageUsers

Allows creating and managing users.

monitorSystem

Allows accessing endpoints used for monitoring the state of the server.

All system permissions are granted to the administrative user. To configure the administrative user, use the CHE_SYSTEM_ADMIN__NAME property. The default value is admin. The system permissions are granted when the Che server starts. If the record of the user is not in the Che user database, the permissions are granted after the first login of the user.

manageSystem permission

Users with the manageSystem permission have access to the following services:

Path HTTP Method Description

/resource/free/

GET

Get free resource limits.

/resource/free/{accountId}

GET

Get free resource limits for the given account.

/resource/free/{accountId}

POST

Edit free resource limit for the given account.

/resource/free/{accountId}

DELETE

Remove free resource limit for the given account.

/installer/

POST

Add installer to the registry.

/installer/{key}

PUT

Update installer in the registry.

/installer/{key}

DELETE

Remove installer from the registry.

/logger/

GET

Get logging configurations in the Che server.

/logger/{name}

GET

Get configurations of logger by its name in the Che server.

/logger/{name}

PUT

Create logger in the Che server.

/logger/{name}

POST

Edit logger in the Che server.

/resource/{accountId}/details

GET

Get detailed information about resources for the given account.

/system/stop

POST

Shutdown all system services, prepare Che to stop.

monitorSystem permission

Users with the monitorSystem permission have access to the following services.

Path HTTP Method Description

/activity

GET

Get workspaces in a certain state for a certain amount of time.

super-privileged mode

The manageSystem permission can be extended to provide a super-privileged mode. This allows the user to perform advanced actions on any resources managed by the system. A user can read and stop any workspace with the manageSystem permission and assign permissions to other users as needed.

The super-privileged mode is disabled by default. To change to the super-privileged mode, set the CHE_SYSTEM_SUPER__PRIVILEGED__MODE environment variable to true. The list of services that are enabled for users with the manageSystems permissions and with super-privileged mode on:

Path HTTP Method Description

/workspace/namespace/{namespace:.*}

GET

Get all workspaces for the given namespace.

/workspace/{id}

DELETE

Stop a workspace.

/workspace/\{key:.*}

GET

Get a workspace by key.

Listing Che permissions

To list Che permissions that apply to a specific resource, perform the GET /permissions request.

To list the permissions that apply to a user, perform the GET /permissions/{domain} request.

To list the permissions that apply to all users, perform the GET /permissions/{domain}/all request. The user must have manageSystem permissions to see this information.

The suitable domain values are:

  • system

  • organization

  • workspace

The domain is optional. If no domain is specified, the API returns all possible permissions for all the domains.

Assigning Che permissions

To assign permissions to a resource, perform the POST /permissions request. The suitable domain values are:

  • system

  • organization

  • workspace

The following is a message body that requests permissions for a user with a userId to a workspace with a workspaceID:

Requesting Che user permissions
{
  "actions": [
    "read",
    "use",
    "run",
    "configure",
    "setPermissions"
  ],
  "userId": "userID",          (1)
  "domainId": "workspace",
  "instanceId": "workspaceID"  (2)
}
1 The userId parameter is the ID of the user that has been granted certain permissions.
2 The instanceId parameter is the ID of the resource that retrieves the permission for all users.