Role-Based Access Control

This demo showcases RBAC authorization with namespace-scoped permissions, matching the AgentCube authorization model where users can only access resources in their own namespaces.

Default Policy
Deny by default
Namespace Scope
Isolated access
Resources
agent-runtimes, sandboxes
Verbs
get, list, create, delete

1. Role Definitions

Predefined roles with different permission levels. Roles are bound to users in specific namespaces.

Admin

Full access

All verbs on all resources in all namespaces

Developer

Read/Write

get, list, create, update, delete on all resources

Viewer

Read-only

get, list on all resources

2. Create Role Binding

Bind a role to a user in a specific namespace. This grants the user the permissions defined by the role, scoped to that namespace.

Active Bindings

No role bindings created

3. Test Authorization

Test whether a user has permission to perform an action on a resource in a specific namespace. The authorization engine evaluates all role bindings and returns an allow or deny decision.

4. Permission Matrix

View all permissions for a user in a namespace. Green indicates allowed, red indicates denied.

Authorization Decision Flow

1
Extract user and namespace from request context
2
Look up role bindings for user in namespace
3
Check each role's permissions for verb + resource
If any role grants permission → ALLOW
If no role grants permission → DENY (fail-secure)

AgentCube Authorization Model

AgentCube implements namespace-scoped authorization where:

  • All users are ServiceAccounts
  • Users can only access resources in their namespace
  • No user has administrative privileges across namespaces
  • Authorization is checked via checkSandboxAccess() function
  • Default policy: Deny by default (fail-secure)