Add RBAC for team access control #59

@KofTwentyTwo

User Story

As a team administrator, I want to define roles and permissions for team members so that developers only have access to the resources they need.

Design

Command Interface

# Role management
qctl rbac role list
qctl rbac role create developer --permissions deploy:dev,logs:*
qctl rbac role show developer
qctl rbac role delete developer

# Permission management
qctl rbac permission list
qctl rbac permission grant developer deploy:staging
qctl rbac permission revoke developer deploy:prod

# User role assignment
qctl rbac assign james.maes developer
qctl rbac unassign james.maes developer
qctl rbac whoami

RBAC Model

┌─────────────────────────────────────────────────────────────────┐
│                    RBAC Permission Model                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  Resources              Actions         Scopes                  │
│  ─────────              ───────         ──────                  │
│  • apps                 • create        • org (all apps)        │
│  • deployments          • read          • team (team apps)      │
│  • logs                 • update        • app (specific app)    │
│  • configs              • delete        • env (specific env)    │
│  • secrets              • deploy                                │
│  • packages             • scale                                 │
│  • templates            • restart                               │
│  • teams                                                        │
│  • members                                                      │
│                                                                 │
│  Permission Format: resource:action:scope                       │
│  Examples:                                                      │
│  • apps:read:*           - Read all apps                        │
│  • apps:deploy:dev       - Deploy to dev environment            │
│  • logs:read:my-app      - Read logs for my-app only            │
│  • secrets:*:prod        - Full secrets access in prod          │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Built-in Roles

┌────────────────┬───────────────────────────────────────────────┐
│ Role           │ Permissions                                   │
├────────────────┼───────────────────────────────────────────────┤
│ viewer         │ apps:read:*, logs:read:*, configs:read:*      │
│ developer      │ viewer + apps:deploy:dev, packages:*          │
│ operator       │ developer + apps:deploy:*, apps:scale:*       │
│ admin          │ operator + secrets:*, teams:*, members:*      │
│ owner          │ * (full access)                               │
└────────────────┴───────────────────────────────────────────────┘

Output Format

$ qctl rbac role list
NAME        DESCRIPTION                 PERMISSIONS  MEMBERS
viewer      Read-only access            5            12
developer   Development access          15           8
operator    Operations access           25           4
admin       Administrative access       40           2
owner       Full access                 *            1

$ qctl rbac role show developer
Name: developer
Description: Development access for dev/staging environments
Created: 2026-01-01
Modified: 2026-01-03

Permissions:
  apps:read:*              Read all applications
  apps:deploy:dev          Deploy to dev environment
  apps:deploy:staging      Deploy to staging environment
  logs:read:*              Read all logs
  packages:*               Full package management
  configs:read:*           Read all configs
  configs:update:dev       Update dev configs

Members (8):
  james.maes, alice.smith, bob.jones, ...

$ qctl rbac whoami
User: james.maes@acme.com
Organization: ACME Corp
Team: Platform Engineering

Roles:
  - developer (team scope)
  - operator (app:orders-api scope)

Effective Permissions:
  apps:read:*
  apps:deploy:dev
  apps:deploy:staging
  apps:deploy:orders-api:prod
  apps:scale:orders-api:*
  logs:read:*
  packages:*
  configs:read:*

API Integration

POST /v1/roles
GET /v1/roles
GET /v1/roles/{name}
DELETE /v1/roles/{name}

POST /v1/roles/{name}/permissions
DELETE /v1/roles/{name}/permissions/{permission}

POST /v1/users/{userId}/roles
DELETE /v1/users/{userId}/roles/{roleName}
GET /v1/users/{userId}/permissions

Files to Create/Modify

File                                                                   Action  Description
qctl-core/src/main/java/io/qrun/qctl/core/rbac/RBACCommand.java        Create  RBAC subcommand group
qctl-core/src/main/java/io/qrun/qctl/core/rbac/RoleCommand.java        Create  Role management commands
qctl-core/src/main/java/io/qrun/qctl/core/rbac/PermissionCommand.java  Create  Permission management
qctl-core/src/main/java/io/qrun/qctl/core/rbac/AssignCommand.java      Create  Role assignment commands
qctl-core/src/main/java/io/qrun/qctl/core/rbac/WhoamiCommand.java      Create  Show current user permissions
qctl-core/src/main/java/io/qrun/qctl/core/rbac/Role.java               Create  Role model
qctl-core/src/main/java/io/qrun/qctl/core/rbac/Permission.java         Create  Permission model
qctl-core/src/main/java/io/qrun/qctl/core/rbac/PermissionParser.java   Create  Parse permission strings
qctl-core/src/main/java/io/qrun/qctl/core/rbac/PermissionChecker.java  Create  Check permission grants

Implementation Tasks

  • Create RBACCommand subcommand group
  • Implement role CRUD commands
  • Implement permission grant/revoke
  • Implement role assignment to users
  • Create permission string parser (resource:action:scope)
  • Add wildcard matching for permissions
  • Implement whoami with effective permissions
  • Cache permissions locally for performance
  • Add permission checking to protected commands
  • Display permission denied with required permission
  • Write unit tests for permission matching

Acceptance Criteria

  • Can create custom roles with specific permissions
  • Can assign roles to team members
  • Permission format supports wildcards
  • whoami shows effective permissions
  • Permission denied errors show required permission
  • Built-in roles available by default
  • Roles can be scoped to teams, apps, or environments
  • Permission changes take effect immediately
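
The issue does not spell out how wildcards in `resource:action:scope` strings are matched, so the following is one deny-by-default way to do it, added here as an example and not taken from the qctl code base. The class name and the rules are assumptions: `*` must be a whole segment, a trailing `*` covers all remaining segments (so `packages:*` and four-segment entries such as `apps:deploy:orders-api:prod` both work), segments are lowercase, and a requested permission must be concrete.

```java
import java.util.List;
import java.util.regex.Pattern;
/** Added sketch (not qctl code): deny-by-default matching of permission strings. */
public final class PermissionMatchExample {
    // A segment is a literal name or a lone "*"; partial globs such as "dep*" are rejected.
    private static final Pattern SEGMENT = Pattern.compile("[a-z0-9][a-z0-9._-]*|\\*");
    /** Splits and validates a permission string; throws on anything malformed. */
    static String[] parse(String permission, boolean allowWildcard) {
        String[] parts = permission.split(":", -1); // -1 keeps empty segments so "apps:" fails
        for (String part : parts) {
            if (!SEGMENT.matcher(part).matches() || (!allowWildcard && part.equals("*"))) {
                throw new IllegalArgumentException("invalid permission: " + permission);
            }
        }
        return parts;
    }

    /** True when one granted pattern covers one concrete required permission. */
    static boolean covers(String granted, String required) {
        String[] g = parse(granted, true);
        String[] r = parse(required, false); // a request is concrete, never a wildcard
        if (g.length > r.length) return false;
        for (int i = 0; i < g.length; i++) {
            if (g[i].equals("*")) {
                if (i == g.length - 1) return true; // trailing "*" covers the rest
                continue;                           // inner "*" covers one segment
            }
            if (!g[i].equals(r[i])) return false;
        }
        return g.length == r.length; // without a trailing "*" the lengths must agree
    }

    /** Deny by default; a malformed grant or request is treated as a denial. */
    static boolean isAllowed(List<String> grants, String required) {
        try {
            return grants.stream().anyMatch(grant -> covers(grant, required));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        // Constructed grant list using permission strings in the issue's format.
        List<String> grants = List.of("apps:read:*", "apps:deploy:dev", "packages:*", "secrets:*:dev");
        for (String req : List.of("apps:deploy:dev", "apps:deploy:prod", "packages:create:dev",
                "secrets:read:dev", "secrets:read:prod", "apps:deploy:*", "apps:read:")) {
            System.out.println(req + " -> " + isAllowed(grants, req));
        }
    }
}
```

A check like this in the CLI is a usability aid for the permission-denied message; the `/v1` endpoints still have to enforce the same rule server-side, since a locally cached permission set can be stale.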

Labels: enterprise (Enterprise feature), story (Feature story linked to epic)
