← Back to reference

Rbac Guide

Roles

RoleScopeSample verbs
ClusterAdminOne cluster per tenantnodes/, pods/, clusters/*
MlEngineerOne tenant, one clusterincidents.read, remediation.approve
ResearcherOne tenant, read-onlyincidents.read, traces.read
SREOne tenant, full opsincidents., remediation.
SecurityAuditorCross-tenant auditaudit/*
ReadOnlyViewerOne tenant*.read
TenantAdminOne tenant, full*
SupportEngineerOne tenant, time-limitedincidents.*, audit.read

Dimensions (ABAC)

cluster_id, namespace, slurm_account, job_owner,
tenant, model_project, incident_severity, data_sensitivity

Policy DSL

allow:
  - action: "incidents.read"
    on: "tenant/*"
    if: "subject.tenant == resource.tenant"
  - action: "remediation.approve"
    on: "incident"
    if: "subject.role == 'SRE' AND resource.severity >= 'warning'"
  - action: "platform/*"
    on: "global"
    if: "subject.role == 'PlatformAdmin'"
deny:
  - action: "audit.delete"
    on: "*"
    if: "true"  # hard deny

The policy is loaded from policy.yaml and SHA-256-hashed at boot. Any change to the file emits an audit event tagged policy_change.

Tests

tests/rbac.rs is table-driven and covers:

  • Each role × each action × happy/deny matrix.
  • ABAC dimension mismatch (e.g., SRE on tenant A trying to read incident on tenant B).
  • Time-limited SupportEngineer tokens.

Service Accounts

Service accounts are issued per workload identity (SPIFFE). The agent authenticates with its SVID; the control plane maps SVID to a service-account principal with the agent role bound to the relevant cluster.