Skip to content

Commit 233a2cc

Browse files
jsell-rhclaude
andauthored
spec(security): RBAC runtime enforcement specification (#1640)
## Summary - Adds `specs/security/rbac-enforcement.spec.md` — defines how the ambient-api-server enforces scope-aware authorization at runtime - Bridges the gap between the existing RBAC data model (roles, bindings, permissions) and actual access control - 10 requirements with concrete Given/When/Then scenarios covering: scope-aware evaluation, list filtering, bootstrap, credential self-service, admin seeding, RoleBinding mutation guards, gRPC parity, service caller bypass, integration testing, and production rollout ## Key design decisions - **Bootstrap via project creation** — `POST /projects` is auth-exempt; auto-creates `project:owner` binding atomically - **User auto-provisioned from JWT** — no explicit registration, no permissions granted - **Credential self-service** — `POST /credentials` auth-exempt; binding to projects requires `project:owner` - **Scope-aware enforcement** — a binding for Project A cannot access Project B - **List endpoints return filtered results, not 403** — empty list for zero access (matches K8s behavior) - **Escalation prevention** — editors cannot grant owner; last-owner deletion returns 409 - **Admin seeded via CLI** — breaks the chicken-and-egg bootstrap problem - **Rollout gated behind config flag** — no big-bang cutover ## Test plan - [ ] Spec reviewed for format compliance against `specs/index.spec.md` - [ ] Cross-referenced against existing specs: `ambient-model.spec.md`, `security.spec.md`, `sso-authentication.spec.md` - [ ] No terminology collisions with Ambient domain model - [ ] No implementation details in spec (no function names, file paths, pseudocode) 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 1b01260 commit 233a2cc

1 file changed

Lines changed: 597 additions & 0 deletions

File tree

0 commit comments

Comments
 (0)