Summary
If you use a public or on-prem Builder to store or rebuild your Habitat HART packages and have recently upgraded, whether through automatic updates or a manual upgrade, be aware that Builder versions after 20200824x contain a potentially access-breaking feature: while it enables RBAC, it can temporarily block access by orphaning existing origins. For the full publication on this topic, see https://forums.habitat.sh/t/rbac-in-builder-saas/1343
Distribution
Product | Version | Topology |
Chef Automate | 20200824x + | Standalone |
Chef Habitat Builder | 20200824x + | Public, On-prem Install, Automate-deployed |
Process
Plan
Preparation: N/A
Design: N/A
Configure
Evaluation: N/A
Application: N/A
Troubleshoot
Analysis: N/A
Remediation:
1) Log in to PostgreSQL
For On-Prem Builder (not installed by Chef Automate):
export PGPASSWORD=$(sudo cat /hab/svc/builder-datastore/config/pwfile)
hab pkg exec core/postgresql psql -U hab -h 127.0.0.1 builder
For Builder installed by Chef Automate:
sudo chef-automate dev psql automate-builder-api
2) Retrieve token
Grab the personal access token of the unreachable owner for the origin in question.
SELECT account_tokens.token FROM account_tokens INNER JOIN origins ON account_tokens.account_id=origins.owner_id AND origins.name='THEORIGIN';
3) Add origin owner to new origin
Ensure that the new origin owner is already a member of the origin. If not, invite them and have them accept the invite (this can be done via the CLI or UI).
4) Transfer ownership
Using the hab CLI, transfer the origin to the new owner. This requires setting HAB_AUTH_TOKEN to the token of the current, unreachable origin owner, retrieved in step 2.
export HAB_AUTH_TOKEN=TOKEN_GRABBED_FROM_ABOVE
hab origin transfer THE_ORIGIN_NAME THE_NEW_OWNER_NAME --url https://YOUR_BLDR_URL
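The owner's token retrieved in step 2 is a live credential, so it is worth keeping it off the screen, out of shell history and out of the long-lived environment. The following wrapper is an added example, not part of the original article or of Habitat: it reads the token from stdin and runs the step 4 transfer with HAB_AUTH_TOKEN set only for that one command. The helper names `valid_origin` and `transfer_origin` are hypothetical, and the allowed character set for origin names is an assumption.

```shell
# Added example: steps 2 and 4 without displaying or persisting the token.
# valid_origin and transfer_origin are hypothetical helper names.

# Assumption: origin names use only lowercase letters, digits, '_' and '-'.
# Rejecting anything else keeps the name safe to place in the step 2 query.
valid_origin() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads the owner's token from stdin and runs the transfer from step 4.
# Usage: <command printing the token> | transfer_origin ORIGIN NEW_OWNER URL
transfer_origin() {
    origin=$1 new_owner=$2 url=$3
    valid_origin "$origin" || { echo "invalid origin name" >&2; return 2; }
    if [ -z "$new_owner" ] || [ -z "$url" ]; then
        echo "usage: transfer_origin ORIGIN NEW_OWNER URL" >&2
        return 2
    fi
    token=
    IFS= read -r token || true   # accept a final line with no newline
    if [ -z "$token" ]; then
        echo "no token on stdin (origin or owner token not found?)" >&2
        return 3
    fi
    status=0
    # The export lives only in this subshell; exec replaces it with hab,
    # so the calling shell never holds HAB_AUTH_TOKEN.
    ( export HAB_AUTH_TOKEN="$token"
      exec hab origin transfer "$origin" "$new_owner" --url "$url" ) || status=$?
    unset token
    return "$status"
}

# On-prem Builder, after setting PGPASSWORD as in step 1 (-A -t print the bare value):
#   hab pkg exec core/postgresql psql -U hab -h 127.0.0.1 builder -At -c \
#     "SELECT account_tokens.token FROM account_tokens INNER JOIN origins
#      ON account_tokens.account_id=origins.owner_id AND origins.name='THEORIGIN';" \
#     | transfer_origin THEORIGIN THE_NEW_OWNER_NAME https://YOUR_BLDR_URL
```

Once the transfer succeeds, run `unset PGPASSWORD` in the session used for step 1 so the database password does not linger in the environment either.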