RBAC
grlx includes a role-based access control (RBAC) system that governs who can perform actions on which sprouts. Permissions are tied to public keys, so every CLI user has an auditable identity.
Concepts
- User: Identified by their CLI public key. Each key maps to a username and role.
- Role: A named set of permissions. Roles define which actions a user can perform on which cohorts.
- Action: An operation type: `cook`, `cmd`, `ssh`, or `view`.
- Cohort scope: Permissions are granted per-cohort. A user may have different permissions on different cohorts.
Configuration
Roles and users are defined in the farmer configuration file:
```toml
[rbac.roles.operator]
actions = ["cook", "cmd", "ssh", "view"]
cohorts = ["*"]

[rbac.roles.deployer]
actions = ["cook", "view"]
cohorts = ["staging", "production"]

[rbac.roles.viewer]
actions = ["view"]
cohorts = ["*"]
```
Users are mapped to roles by their public key:
```toml
[[rbac.users]]
name = "alice"
pubkey = "UABC...XYZ"
role = "operator"

[[rbac.users]]
name = "bob"
pubkey = "UDEF...UVW"
role = "deployer"
```
Built-in Viewer Role
Users with only the `view` action can:
- List sprouts, jobs, props, cohorts
- Read job details and audit logs
They cannot cook recipes, run commands, or open SSH sessions.
Actions
| Action | Description |
|---|---|
| `cook` | Execute recipes on sprouts |
| `cmd` | Run arbitrary commands via `cmd run` |
| `ssh` | Open interactive shell sessions |
| `view` | Read-only access to all resources |
Validation
The farmer validates the RBAC configuration at startup:
- Referenced cohorts must exist in the cohort configuration
- Public keys must be unique across all users
- Role names must be unique
If validation fails, the farmer will not start and will report the configuration errors.
CLI Commands
Check your identity
```bash
grlx auth whoami
```
Shows the current CLI user's public key and assigned role.
List users
```bash
grlx auth users
```
List roles
```bash
grlx auth roles
```
Explain effective permissions
```bash
grlx auth explain
```
Shows the current user's effective permissions across all cohorts: which actions are allowed where.
Enforcement
Every request to the farmer is checked against RBAC before execution. If the requesting user lacks the required action on the target cohort, the request is denied with a clear error message.
The enforcement middleware covers:
- `cook`: recipe execution
- `cmd.run`: arbitrary command dispatch
- `ssh`: interactive shell sessions
- Read endpoints: restricted to users with at least `view` permission
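As an added illustration (not grlx's own code), this Go program models the per-request check described above, using the roles from the Configuration section. The type and function names and the placeholder public keys are hypothetical, and it assumes `*` in `cohorts` matches every cohort; `AllowRoot` models the `dangerously_allow_root` flag.

```go
package main

import "fmt"

// Role and User mirror the [rbac.roles.*] and [[rbac.users]] tables from the page.
type Role struct{ Actions, Cohorts []string }
type User struct{ Name, Pubkey, Role string }

// Policy is a hypothetical in-memory form; AllowRoot models dangerously_allow_root.
type Policy struct {
	Roles     map[string]Role
	Users     []User
	AllowRoot bool
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Allowed denies by default. Assumption: "*" in cohorts matches any cohort.
func (p Policy) Allowed(pubkey, action, cohort string) bool {
	if p.AllowRoot {
		return true // the flag bypasses every check below
	}
	for _, u := range p.Users {
		if r, ok := p.Roles[u.Role]; ok && u.Pubkey == pubkey {
			return has(r.Actions, action) && (has(r.Cohorts, cohort) || has(r.Cohorts, "*"))
		}
	}
	return false // unmapped key or undefined role
}

// SamplePolicy rebuilds the page's example; the pubkeys are constructed placeholders.
func SamplePolicy() Policy {
	return Policy{
		Roles: map[string]Role{
			"operator": {[]string{"cook", "cmd", "ssh", "view"}, []string{"*"}},
			"deployer": {[]string{"cook", "view"}, []string{"staging", "production"}},
			"viewer":   {[]string{"view"}, []string{"*"}},
		},
		Users: []User{{"alice", "PUBKEY-ALICE", "operator"}, {"bob", "PUBKEY-BOB", "deployer"}},
	}
}

func main() { fmt.Println(SamplePolicy().Allowed("PUBKEY-BOB", "ssh", "staging")) }
```

With the sample policy, bob can `cook` on `staging` but is denied `ssh` there and denied everything on a cohort outside his role's list; setting `AllowRoot` makes every one of those requests pass.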
dangerously_allow_root
For development or single-user setups, the farmer supports a `dangerously_allow_root` flag that bypasses RBAC checks:
```toml
[farmer]
dangerously_allow_root = true
```
Audit Logging
All actions are recorded in the audit log with the acting user's identity. See Audit Logging for details.