feat(rbac): allow tokens to create org invitations and storage backends #2710

jiparis · 2026-02-05T07:20:50Z

For easy onboarding, this PR includes the RBAC logic to allow Tokens with proper permissions to create organization invitations (initially only InstanceAdminRole), and list and create storage backends.

Also, for InstanceAdmin users, they will be allowed to invite users to orgs they don't belong to.

Some tests:

Organization invitations

With Instance admin token: 🟢

cldev org member invitation create --receiver foo@acme.corp --role member --org membership
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
┌──────────────────────────────────────┬────────────────┬────────┬─────────┬─────────────────────┐
│ ID                                   │ RECEIVER EMAIL │ ROLE   │ STATUS  │ CREATED AT          │
├──────────────────────────────────────┼────────────────┼────────┼─────────┼─────────────────────┤
│ 7a2e12e2-4fa6-4c09-879d-78e92d868d4f │ foo@acme.corp  │ member │ pending │ 05 Feb 26 10:04 UTC │
└──────────────────────────────────────┴────────────────┴────────┴─────────┴─────────────────────┘

Then authenticate with the target user:

✗ cldev org ls
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
WRN Both user credentials and $CHAINLOOP_TOKEN set. Ignoring $CHAINLOOP_TOKEN.
┌────────────┬─────────┬─────────┬────────┬─────────────────────────┬─────────────────────┐
│ NAME       │ CURRENT │ DEFAULT │ ROLE   │ DEFAULT POLICY STRATEGY │ JOINED AT           │
├────────────┼─────────┼─────────┼────────┼─────────────────────────┼─────────────────────┤
│ membership │ true    │ false   │ member │ ADVISORY                │ 05 Feb 26 10:06 UTC │
└────────────┴─────────┴─────────┴────────┴─────────────────────────┴─────────────────────┘

With Instance admin user: 🟢

✗ cldev org member invitation create --receiver bar@acme.corp --role member --org membership
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
┌──────────────────────────────────────┬────────────────┬────────┬─────────┬─────────────────────┐
│ ID                                   │ RECEIVER EMAIL │ ROLE   │ STATUS  │ CREATED AT          │
├──────────────────────────────────────┼────────────────┼────────┼─────────┼─────────────────────┤
│ ab2751f8-51ab-47a6-b8d3-4764d0d25812 │ bar@acme.corp  │ member │ pending │ 05 Feb 26 10:59 UTC │
└──────────────────────────────────────┴────────────────┴────────┴─────────┴─────────────────────┘

With regular token: 🔴

✗ cldev org member invitation create --receiver foo@acme.corp --role member
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
ERR operation not allowed
exit status 1

With regular user (Org Member): 🔴

✗ cldev org member invitation create --receiver nah@acme.corp --role member --org membership
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
ERR operation not allowed
exit status 1

Same user trying to invite someone to an org he doesn't belong to (but exists):

✗ cldev org member invitation create --receiver user4@acme.corp --role member --org org4
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
ERR org not found

With regular user (org admin): 🟢

✗ cldev org member invitation create --receiver user3@acme.corp --role member --org membership
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
┌──────────────────────────────────────┬─────────────────┬────────┬─────────┬─────────────────────┐
│ ID                                   │ RECEIVER EMAIL  │ ROLE   │ STATUS  │ CREATED AT          │
├──────────────────────────────────────┼─────────────────┼────────┼─────────┼─────────────────────┤
│ 754b217f-e3ff-4ae7-9dcd-b68c54db8cc1 │ user3@acme.corp │ member │ pending │ 05 Feb 26 11:06 UTC │
└──────────────────────────────────────┴─────────────────┴────────┴─────────┴─────────────────────┘

Storage backends

Regular user (Org Owner): 🟢

✗ cldev cas-backend add aws-s3 --access-key-id xxx --secret-access-key xxx --bucket chainloop --endpoint http://localhost:9002 --name minio2001 --default
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
You are changing the default CAS backend in your organization
Please confirm to continue y/N
y
┌───────────┬─────────────────────────────────┬──────────┬─────────────┬───────────────┬─────────┬──────────┬────────┐
│ NAME      │ LOCATION                        │ PROVIDER │ DESCRIPTION │ LIMITS        │ DEFAULT │ FALLBACK │ STATUS │
├───────────┼─────────────────────────────────┼──────────┼─────────────┼───────────────┼─────────┼──────────┼────────┤
│ minio2001 │ http://localhost:9002/chainloop │ AWS-S3   │             │ MaxSize: 300M │ true    │ false    │ valid  │
└───────────┴─────────────────────────────────┴──────────┴─────────────┴───────────────┴─────────┴──────────┴────────┘

Regular user (Org Viewer): 🔴

✗ cldev cas-backend add aws-s3 --access-key-id xxx --secret-access-key xxx --bucket chainloop --endpoint http://localhost:9002 --name minio2001 --default
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
You are changing the default CAS backend in your organization
Please confirm to continue y/N
y
ERR operation not allowed

Regular user (Instance admin, not member of the target org): 🟢

cldev cas-backend ls --org storage-tests
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
┌────────────────┬─────────────────────────────────┬──────────┬─────────────────────────────────────┬───────────────┬─────────┬──────────┬────────┐
│ NAME           │ LOCATION                        │ PROVIDER │ DESCRIPTION                         │ LIMITS        │ DEFAULT │ FALLBACK │ STATUS │
├────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┼──────────┼────────┤
│ minio2001      │ http://localhost:9002/chainloop │ AWS-S3   │                                     │ MaxSize: 300M │ true    │ false    │ valid  │
├────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┼──────────┼────────┤
│ default-inline │                                 │ INLINE   │ Embed artifacts content in the atte │ MaxSize: 500K │ false   │ false    │ valid  │
│                │                                 │          │ station (fallback)                  │               │         │          │        │
└────────────────┴─────────────────────────────────┴──────────┴─────────────────────────────────────┴───────────────┴─────────┴──────────┴────────┘

✗ cldev cas-backend add aws-s3 --access-key-id xxx --secret-access-key xxx --bucket chainloop --endpoint http://localhost:9002 --name minio2002 --default --org storage-tests
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
You are changing the default CAS backend in your organization
Please confirm to continue y/N
y
┌───────────┬─────────────────────────────────┬──────────┬─────────────┬───────────────┬─────────┬──────────┬────────┐
│ NAME      │ LOCATION                        │ PROVIDER │ DESCRIPTION │ LIMITS        │ DEFAULT │ FALLBACK │ STATUS │
├───────────┼─────────────────────────────────┼──────────┼─────────────┼───────────────┼─────────┼──────────┼────────┤
│ minio2002 │ http://localhost:9002/chainloop │ AWS-S3   │             │ MaxSize: 300M │ true    │ false    │ valid  │
└───────────┴─────────────────────────────────┴──────────┴─────────────┴───────────────┴─────────┴──────────┴────────┘

Token (instance admin)
Without org: ⚠️

cldev cas-backend ls
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
ERR current organization not set
exit status 1

With org: 🟢

cldev cas-backend add aws-s3 --access-key-id xxx --secret-access-key xxx --bucket chainloop --endpoint http://localhost:9002 --name minio2001 --default --org storage-tests
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
You are changing the default CAS backend in your organization
Please confirm to continue y/N
y
┌───────────┬─────────────────────────────────┬──────────┬─────────────┬───────────────┬─────────┬──────────┬────────┐
│ NAME      │ LOCATION                        │ PROVIDER │ DESCRIPTION │ LIMITS        │ DEFAULT │ FALLBACK │ STATUS │
├───────────┼─────────────────────────────────┼──────────┼─────────────┼───────────────┼─────────┼──────────┼────────┤
│ minio2001 │ http://localhost:9002/chainloop │ AWS-S3   │             │ MaxSize: 300M │ true    │ false    │ valid  │
└───────────┴─────────────────────────────────┴──────────┴─────────────┴───────────────┴─────────┴──────────┴────────┘
✗ cldev cas-backend ls --org storage-tests
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
┌────────────────┬─────────────────────────────────┬──────────┬─────────────────────────────────────┬───────────────┬─────────┬──────────┬────────┐
│ NAME           │ LOCATION                        │ PROVIDER │ DESCRIPTION                         │ LIMITS        │ DEFAULT │ FALLBACK │ STATUS │
├────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┼──────────┼────────┤
│ minio2001      │ http://localhost:9002/chainloop │ AWS-S3   │                                     │ MaxSize: 300M │ true    │ false    │ valid  │
├────────────────┼─────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┼──────────┼────────┤
│ default-inline │                                 │ INLINE   │ Embed artifacts content in the atte │ MaxSize: 500K │ false   │ false    │ valid  │
│                │                                 │          │ station (fallback)                  │               │         │          │        │
└────────────────┴─────────────────────────────────┴──────────┴─────────────────────────────────────┴───────────────┴─────────┴──────────┴────────┘

Regular token: 🔴

✗ cldev cas-backend ls
DBG using config file path="/Users/jiparis/Library/Application Support/chainloop/config.devel.toml"
WRN API contacted in insecure mode
ERR operation not allowed

Refs #2704

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

jiparis · 2026-02-05T16:05:27Z

app/controlplane/internal/server/grpc.go

 			// 2.c - Set its user
 			usercontext.WithCurrentUserMiddleware(opts.UserUseCase, logHelper),
+			// Store all memberships in the context
+			usercontext.WithCurrentMembershipsMiddleware(opts.MembershipUseCase),


I just moved this earlier in the chain, so that membership is available to the middlewares in the next selector.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

jiparis · 2026-02-05T17:12:07Z

app/controlplane/pkg/biz/orginvitation.go

+		}

-	// 3 - Check that the user is a member of the given org
-	// NOTE: this check is not necessary, as the user is already a member of the org


As the comment states, this is not needed since validation is done in the middleware layer already.

migmartri

Thanks

migmartri · 2026-02-05T19:14:09Z

app/controlplane/pkg/data/ent/migrate/migrations/20260204113827.sql

@@ -0,0 +1,2 @@
+-- Modify "org_invitations" table
+ALTER TABLE "org_invitations" ALTER COLUMN "sender_id" DROP NOT NULL;


why is this?

The sender is now optional (instance tokens are anonymous)

app/controlplane/internal/usercontext/currentorganization_middleware.go

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Piskoo · 2026-02-06T10:56:22Z

How does the mail look like when instance admin token is used? I think the header might be off

jiparis added 8 commits February 4, 2026 10:37

allow creating orgs to tokens with proper permissions

4aeb65d

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

fix

838f00c

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

create invitations

fbee36e

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

use enforcer

32add98

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

check policies in all cases

0a2f322

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Merge branch 'main' into PFM-4137

5cd6698

use currentuser

4803ca3

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Merge branch 'PFM-4137' into PFM-4146

8fa108f

jiparis requested review from Piskoo, javirln and migmartri February 5, 2026 07:20

jiparis added 2 commits February 5, 2026 10:55

Merge branch 'main' into PFM-4146

0c0e05f

support org invitations for instance admins (users and tokens)

e3144c3

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

jiparis marked this pull request as ready for review February 5, 2026 11:13

jiparis added 5 commits February 5, 2026 14:43

fix tests

877ceb3

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

fix test

e25f747

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

add permission

d6f7c76

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

remove comment

8e5f831

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Merge branch 'PFM-4146' into PFM-4147-casbackends

c96ea3d

jiparis commented Feb 5, 2026

View reviewed changes

add casbackend/list, as it's used by the CLI

8dd2cc3

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

jiparis changed the title ~~feat(rbac): allow tokens to create org invitations~~ feat(rbac): allow tokens to create org invitations and storage backends Feb 5, 2026

fix tests

69054e0

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

jiparis commented Feb 5, 2026

View reviewed changes

migmartri previously approved these changes Feb 5, 2026

View reviewed changes

move membership to function

0488f3a

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

jiparis dismissed migmartri’s stale review via 0488f3a February 5, 2026 22:33

jiparis requested a review from migmartri February 5, 2026 22:43

javirln approved these changes Feb 6, 2026

View reviewed changes

jiparis merged commit 3ff1709 into chainloop-dev:main Feb 6, 2026
13 checks passed

jiparis deleted the PFM-4146 branch February 6, 2026 10:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(rbac): allow tokens to create org invitations and storage backends #2710

feat(rbac): allow tokens to create org invitations and storage backends #2710

Uh oh!

jiparis commented Feb 5, 2026 •

edited

Loading

Uh oh!

jiparis Feb 5, 2026

Uh oh!

jiparis Feb 5, 2026

Uh oh!

migmartri left a comment

Uh oh!

migmartri Feb 5, 2026

Uh oh!

jiparis Feb 5, 2026

Uh oh!

Uh oh!

Piskoo commented Feb 6, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

		@@ -0,0 +1,2 @@
		-- Modify "org_invitations" table
		ALTER TABLE "org_invitations" ALTER COLUMN "sender_id" DROP NOT NULL;

feat(rbac): allow tokens to create org invitations and storage backends #2710

feat(rbac): allow tokens to create org invitations and storage backends #2710

Uh oh!

Conversation

jiparis commented Feb 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Organization invitations

Storage backends

Uh oh!

jiparis Feb 5, 2026

Choose a reason for hiding this comment

Uh oh!

jiparis Feb 5, 2026

Choose a reason for hiding this comment

Uh oh!

migmartri left a comment

Choose a reason for hiding this comment

Uh oh!

migmartri Feb 5, 2026

Choose a reason for hiding this comment

Uh oh!

jiparis Feb 5, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Piskoo commented Feb 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

jiparis commented Feb 5, 2026 •

edited

Loading

Piskoo commented Feb 6, 2026 •

edited

Loading