User authorization in Che is based on the permissions model. Permissions are used to control the allowed actions of users and establish a security model. Every request is verified for the presence of the required permission in the current user subject after it passes authentication. You can control resources managed by Che and allow certain actions by assigning permissions to users.

Permissions can be applied to the following entities:

  • Workspace

  • Organization

  • System

All permissions can be managed using the provided REST API. The APIs are documented using Swagger at http(s)://che-host:che-port/swagger/#!/permissions.

Che workspace permissions

The user who creates a workspace is the workspace owner. By default, the workspace owner has the following permissions: read, use, run, configure, setPermissions, and delete. Workspace owners can invite users into the workspace and control workspace permissions for other users.

The following permissions are associated with workspaces:

Table 1. Che workspace permissions

Permission       Description
read             Allows reading the workspace configuration.
use              Allows using a workspace and interacting with it.
run              Allows starting and stopping a workspace.
configure        Allows defining and changing the workspace configuration.
setPermissions   Allows updating the workspace permissions for other users.
delete           Allows deleting the workspace.

Che organization permissions

A Che organization is a named set of users. The following permissions are applicable to organizations:

Table 2. Che organization permissions

Permission               Description
update                   Allows editing of the organization settings and information.
delete                   Allows deleting an organization.
manageSuborganizations   Allows creating and managing sub-organizations.
manageResources          Allows redistribution of an organization’s resources and defining the resource limits.
manageWorkspaces         Allows creating and managing all the organization’s workspaces.
setPermissions           Allows adding and removing users and updating their permissions.

Che system permissions

Che system permissions control aspects of the whole Che installation. The following permissions are applicable to the system:

Table 3. Che system permissions

Permission       Description
manageSystem     Allows control of the system, workspaces, and organizations.
setPermissions   Allows updating the permissions for users on the system.
manageUsers      Allows creating and managing users.
monitorSystem    Allows accessing endpoints used for monitoring the state of the server.

All system permissions are granted to the administrative user configured in the CHE_SYSTEM_ADMIN__NAME property (the default is admin). The permissions are granted when the Che server starts; if that user is not yet present in the Che user database, they are granted after the user’s first login.

manageSystem permission

Users with the manageSystem permission have access to the following services:

Path                            HTTP Method   Description
/resource/free/                 GET           Get free resource limits.
/resource/free/{accountId}      GET           Get free resource limits for the given account.
/resource/free/{accountId}      POST          Edit the free resource limit for the given account.
/resource/free/{accountId}      DELETE        Remove the free resource limit for the given account.
/installer/                     POST          Add an installer to the registry.
/installer/{key}                PUT           Update an installer in the registry.
/installer/{key}                DELETE        Remove an installer from the registry.
/logger/                        GET           Get logging configurations in the Che server.
/logger/{name}                  GET           Get the configuration of a logger by name in the Che server.
/logger/{name}                  PUT           Create a logger in the Che server.
/logger/{name}                  POST          Edit a logger in the Che server.
/resource/{accountId}/details   GET           Get detailed information about resources for the given account.
/system/stop                    POST          Shut down all system services and prepare Che to stop.

monitorSystem permission

Users with the monitorSystem permission have access to the following services:

Path        HTTP Method   Description
/activity   GET           Get workspaces that have been in a certain state for a certain amount of time.

Listing Che permissions

To list Che permissions that apply to a specific resource, perform the GET /permissions request.

To list the permissions that apply to a user, perform the GET /permissions/{domain} request.

To list the permissions that apply to all users, perform the GET /permissions/{domain}/all request. The user must have manageSystem permissions to see this information.

The suitable domain values are:

  • system

  • organization

  • workspace

The domain is optional. If no domain is specified, the API returns all possible permissions for all the domains.

Assigning Che permissions

To assign permissions to a resource, perform the POST /permissions request. The suitable domain values are:

  • system

  • organization

  • workspace

The following is a message body that requests permissions for a user with the ID userID to a workspace with the ID workspaceID:

Requesting Che user permissions
{
  "actions": [
    "read",
    "use",
    "run",
    "configure",
    "setPermissions"
  ],
  "userId": "userID",
  "domainId": "workspace",
  "instanceId": "workspaceID"
}

  • The userId parameter is the ID of the user who is granted the listed permissions.

  • The instanceId parameter is the ID of the resource (here, the workspace) to which the permissions apply.
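As an added example (not Che’s own code), the following Python helper builds the request paths from the listing section and the POST /permissions body shown above, and validates the domain and action names against the permission tables on this page before anything is sent. The set of actions it flags as elevated is an assumed review policy, not a Che rule.

```python
import json

# Permission sets this page documents for each domain (Tables 1 to 3).
DOMAIN_ACTIONS = {
    "workspace": {"read", "use", "run", "configure", "setPermissions", "delete"},
    "organization": {"update", "delete", "manageSuborganizations",
                     "manageResources", "manageWorkspaces", "setPermissions"},
    "system": {"manageSystem", "setPermissions", "manageUsers", "monitorSystem"},
}

# Actions that let the grantee alter other users' access or destroy the
# resource. Which ones to flag is an assumed review policy, not from Che.
ELEVATED_ACTIONS = {"setPermissions", "delete", "manageSystem", "manageUsers"}


def list_permissions_path(domain=None, all_users=False):
    """Path for GET /permissions, /permissions/{domain} or
    /permissions/{domain}/all (the /all form requires manageSystem)."""
    if domain is None:
        if all_users:
            raise ValueError("the /all listing needs a domain")
        return "/permissions"
    if domain not in DOMAIN_ACTIONS:
        raise ValueError(f"unknown domain {domain!r}; expected {sorted(DOMAIN_ACTIONS)}")
    return f"/permissions/{domain}" + ("/all" if all_users else "")


def build_permissions_body(user_id, domain_id, instance_id, actions):
    """Return the POST /permissions body as a dict, refusing unknown domains,
    actions not defined for that domain, and empty grants."""
    if domain_id not in DOMAIN_ACTIONS:
        raise ValueError(f"unknown domain {domain_id!r}; expected {sorted(DOMAIN_ACTIONS)}")
    actions = list(actions)
    if not actions:
        raise ValueError("at least one action is required")
    unknown = sorted(set(actions) - DOMAIN_ACTIONS[domain_id])
    if unknown:
        raise ValueError(f"actions not defined for {domain_id}: {unknown}")
    return {"actions": actions, "userId": user_id,
            "domainId": domain_id, "instanceId": instance_id}


def elevated_actions(actions):
    """Return the requested actions a reviewer should look at twice."""
    return sorted(set(actions) & ELEVATED_ACTIONS)


if __name__ == "__main__":
    # Constructed sample mirroring the page's listing: share a workspace
    # without delete, then show which granted actions are elevated.
    body = build_permissions_body("userID", "workspace", "workspaceID",
                                  ["read", "use", "run", "configure", "setPermissions"])
    print(json.dumps(body, indent=2))
    print("elevated:", elevated_actions(body["actions"]))
    print(list_permissions_path("workspace", all_users=True))
```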

Sharing Che permissions

A user with setPermissions privileges can share a workspace and grant read, use, run, configure, or setPermissions privileges to other users.

Procedure

To share workspace permissions:

  1. Select a workspace in the user dashboard.

  2. Navigate to the Share tab and enter the email IDs of the users. Use commas or spaces as separators for multiple emails.
