Rbac Guide
Roles
| Role | Scope | Sample verbs |
|---|---|---|
| ClusterAdmin | One cluster per tenant | nodes/, pods/, clusters/* |
| MlEngineer | One tenant, one cluster | incidents.read, remediation.approve |
| Researcher | One tenant, read-only | incidents.read, traces.read |
| SRE | One tenant, full ops | incidents., remediation. |
| SecurityAuditor | Cross-tenant audit | audit/* |
| ReadOnlyViewer | One tenant | *.read |
| TenantAdmin | One tenant, full | * |
| SupportEngineer | One tenant, time-limited | incidents.*, audit.read |
Dimensions (ABAC)
cluster_id, namespace, slurm_account, job_owner,
tenant, model_project, incident_severity, data_sensitivity
Policy DSL
allow:
- action: "incidents.read"
on: "tenant/*"
if: "subject.tenant == resource.tenant"
- action: "remediation.approve"
on: "incident"
if: "subject.role == 'SRE' AND resource.severity >= 'warning'"
- action: "platform/*"
on: "global"
if: "subject.role == 'PlatformAdmin'"
deny:
- action: "audit.delete"
on: "*"
if: "true" # hard deny
The policy is loaded from policy.yaml and SHA-256-hashed at boot. Any change to the file emits an audit event tagged policy_change.
Tests
tests/rbac.rs is table-driven and covers:
- Each role × each action × happy/deny matrix.
- ABAC dimension mismatch (e.g., SRE on tenant A trying to read incident on tenant B).
- Time-limited SupportEngineer tokens.
Service Accounts
Service accounts are issued per workload identity (SPIFFE). The agent authenticates with its SVID; the control plane maps SVID to a service-account principal with the agent role bound to the relevant cluster.