chore: add field selector support for staff user queries#69
OscarLlamas6 wants to merge 6 commits into main from
Enable staff users to query other users' identities and sessions by adding field selector support to the REST storage implementations.

Changes:
- Add field selector parsing in useridentities List() method
- Add field selector parsing in sessions List() method
- Support both "status.userUID=<uid>" and "userUID=<uid>" syntax
- Maintain backward compatibility: users without field selector see only their own resources (existing behavior)
- Add extractUserUIDFromFieldSelector() helper function

This allows staff users to retrieve identity provider links and sessions for any user by specifying the target userUID in the field selector, while regular users continue to see only their own data.

Authorization is delegated to Milo (AlwaysAllowAuthorizer), so RBAC policies in Milo control who can use field selectors.

Related: datum-cloud/staff-portal#[issue-number]
Change restart policy from 'always' to 'on-failure:3' to prevent infinite restart loops when Zitadel migrations fail during E2E tests. This allows the test to fail fast and show meaningful error logs instead of timing out after 600 seconds.
Implement authorization checks to restrict field selector usage to staff users only. Regular users can only view their own identities and sessions, while staff users (identified by group membership) can query other users' data using field selectors.

Changes:
- Add isStaffUser() helper to check for privileged group membership
- Verify authorization before allowing cross-user queries in List()
- Support staff groups: system:masters, staff, admin, datum:staff
- Return Forbidden error for unauthorized field selector attempts
- Add detailed logging for authorization decisions

Authorization flow:
1. Extract target userUID from field selector if present
2. If target differs from authenticated user, check group membership
3. Allow if user belongs to staff/admin group, deny otherwise
4. Regular users without field selector see only their own data

This enables staff portal to view user identities and sessions for support purposes while maintaining security for regular users.

Related: datum-cloud/staff-portal (staff user authorization)
Implement authorization checks to restrict field selector usage to staff users only. Regular users can only view their own identities and sessions, while staff users (identified by Zitadel group membership) can query other users' data using field selectors.

Changes:
- Add isStaffUser() helper to check for privileged group membership
- Verify authorization before allowing cross-user queries in List()
- Support Zitadel groups: staff-users, fraud-manager, system:masters
- Return Forbidden error for unauthorized field selector attempts
- Add detailed logging for authorization decisions

Authorization flow:
1. Extract target userUID from field selector if present
2. If target differs from authenticated user, check group membership
3. Allow if user belongs to staff/fraud-manager group, deny otherwise
4. Regular users without field selector see only their own data

This enables staff portal to view user identities and sessions for support purposes while maintaining security for regular users.

Zitadel groups are passed via JWT claims and verified at the API server level before delegating to the backend provider.
Update milo to v0.19.1-0.20260226053921-0d9c1d378aab from feat/identity-field-selector-support branch. This brings in field label conversion functions for status.userUID field selector support.
Update milo to ca31333 which includes field selector support with debug logging removed.
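The selector parsing and the four-step authorization flow described in the PR description and the commit messages above, as an added stdlib-only Go sketch that is not taken from the PR's diff: it borrows the function names extractUserUIDFromFieldSelector and isStaffUser from the commit messages, and assumes a hypothetical resolveTargetUID wrapper, an ErrForbidden sentinel, and the Zitadel group names the later commit lists.

```go
package main

import (
	"errors"
	"strings"
)

// Forbidden error returned for unauthorized cross-user selectors (name assumed).
var ErrForbidden = errors.New("forbidden: field selector targets another user")

// Privileged Zitadel groups named in the PR; they arrive as JWT group claims.
var staffGroups = map[string]bool{"staff-users": true, "fraud-manager": true, "system:masters": true}

// extractUserUIDFromFieldSelector scans a Kubernetes-style field selector
// (comma-separated "key=value" terms) for "status.userUID" or "userUID".
// It returns "" when no such term exists; malformed terms are ignored, so a
// bad selector falls back to the caller's own data rather than widening scope.
func extractUserUIDFromFieldSelector(sel string) string {
	for _, term := range strings.Split(sel, ",") {
		key, val, ok := strings.Cut(strings.TrimSpace(term), "=")
		if ok && (key == "status.userUID" || key == "userUID") {
			return strings.TrimPrefix(val, "=") // also accept "key==value"
		}
	}
	return ""
}

// isStaffUser reports whether any JWT group claim is a privileged group.
func isStaffUser(groups []string) bool {
	for _, g := range groups {
		if staffGroups[g] {
			return true
		}
	}
	return false
}

// resolveTargetUID is the PR's authorization flow: no selector, or one naming
// the caller's own UID, scopes List() to the caller; a selector naming another
// user is honoured only when the caller belongs to a staff group.
func resolveTargetUID(callerUID string, groups []string, sel string) (string, error) {
	target := extractUserUIDFromFieldSelector(sel)
	if target == "" || target == callerUID {
		return callerUID, nil
	}
	if !isStaffUser(groups) {
		return "", ErrForbidden
	}
	return target, nil
}
```

In the real storage the selector would come from apimachinery's field-selector parser and the resolved UID would be passed to the backend provider; the point here is that the only path to another user's data runs through the group check.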
Related: datum-cloud/staff-portal#284