
feat(identity): enable field selector support for staff users#504

Open
OscarLlamas6 wants to merge 11 commits into main from feat/identity-field-selector-support

Conversation


@OscarLlamas6 OscarLlamas6 commented Feb 21, 2026

Pass field selectors from REST layer to backend provider to enable staff users to query other users' identities and sessions. This is required for the staff portal to view user identity provider links and active sessions for support purposes.

Changes:

  • Pass field selector from ListOptions to backend in useridentities
  • Pass field selector from ListOptions to backend in sessions
  • Update README documentation with field selector usage and security model
  • Add test documentation for field selector authorization scenarios

Authorization model:

  1. Milo RBAC: PolicyBinding grants access to identity resources
  2. Backend authorization: Provider validates group membership
    • Regular users: Can only see their own data (no field selector)
    • Staff users: Can use field selectors to query other users
    • Groups: staff-users, fraud-manager (configured in Zitadel)

Security:

  • Backward compatible: Regular users unaffected
  • Defense in depth: Two layers of authorization
  • Audit logging: All requests logged with user context
  • Explicit deny: Non-staff users cannot use field selectors

This changes the previous 'self-scoped' design where field selectors were intentionally ignored. The new behavior maintains self-scoped access for regular users while enabling cross-user queries for staff.

Because the field selectors are not being passed to the provider, the following error is obtained:

❯ curl -H "Authorization: Bearer $(datumctl auth get-token)" https://api.staging.env.datum.net/apis/identity.miloapis.com/v1alpha1/useridentities\?fieldSelector\=status.userUID%3D340583683847098197
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "\"status.userUID\" is not a known field selector: only \"metadata.name\", \"metadata.namespace\"",
  "reason": "BadRequest",
  "code": 400
}

Related: datum-cloud/staff-portal (staff user authorization)
Related: datum-cloud/auth-provider-zitadel (backend authorization)
@OscarLlamas6 OscarLlamas6 self-assigned this Feb 21, 2026

joggrbot bot commented Feb 21, 2026

📝 Documentation Analysis

All docs are up to date! 🎉


✅ Latest commit analyzed: ca31333 | Powered by Joggr

@OscarLlamas6 (Contributor, Author)

Needed for datum-cloud/staff-portal#284

@scotwells (Contributor)

@OscarLlamas6 based on this error message you also need to register status.userUID as a field selector.

"status.userUID" is not a known field selector: only "metadata.name", "metadata.namespace"

Looks like you do this by registering the supported fields with the AddFieldLabelConversionFunc, see the activity service for an example.

Add field label conversion functions for UserIdentity and Session
resources to enable status.userUID as a supported field selector.
This allows the API server to validate field selector queries before
passing them to the backend provider.

Changes:
- Add UserIdentityFieldLabelConversionFunc for UserIdentity resources
- Add SessionFieldLabelConversionFunc for Session resources
- Register both conversion functions in addKnownTypes
- Support field selectors: metadata.name, metadata.namespace, status.userUID

This fixes the error:
  "status.userUID" is not a known field selector: only "metadata.name", "metadata.namespace"

Now staff users can successfully query:
  kubectl get useridentities --field-selector=status.userUID=<user-id>

Related: PR feedback on field selector validation
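The two layers the PR description and the thread above describe, as an added stand-alone sketch in Go (not code from this PR or from the Milo project): the API server's check that a field selector only names registered labels, which is what produced the 400 in the description and what the conversion functions in this commit address, and the backend provider's group check that keeps regular users self-scoped while members of the staff groups may query other users. The parser, the in-memory registry and record store, the UIDs, the Forbidden error and the handling of `!=` are assumptions made here; the real server registers labels through apimachinery's AddFieldLabelConversionFunc, which is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
)

// Added example, not code from this PR or the Milo project. Plain-Go model of the API server's
// field-label check and the backend provider's staff-group check; the real server registers labels
// via apimachinery's AddFieldLabelConversionFunc. Parser, registry, store, UIDs, ErrForbidden: assumed.

// Requirement is one term of a field selector such as status.userUID=42 (Negate for "!=").
type Requirement struct {
	Field, Value string
	Negate       bool
}
// supportedFields stands in for the conversion functions the PR registers for UserIdentity and Session.
var supportedFields = map[string]bool{"metadata.name": true, "metadata.namespace": true, "status.userUID": true}
var (
	ErrBadRequest = errors.New("BadRequest") // unknown label or malformed term
	ErrForbidden  = errors.New("Forbidden")  // non-staff selecting another user
)

// ParseFieldSelector parses "k=v,k2!=v2" (also k==v) and rejects unregistered labels.
func ParseFieldSelector(raw string) ([]Requirement, error) {
	var reqs []Requirement
	for _, term := range strings.FieldsFunc(raw, func(c rune) bool { return c == ',' || c == ' ' }) {
		field, value, ok := strings.Cut(term, "=") // "a!=b" cuts as "a!","b"; "a==b" as "a","=b"
		r := Requirement{Field: strings.TrimSuffix(field, "!"), Value: strings.TrimPrefix(value, "="), Negate: strings.HasSuffix(field, "!")}
		if !ok || !supportedFields[r.Field] {
			return nil, fmt.Errorf("%w: %q is not a known field selector", ErrBadRequest, term)
		}
		reqs = append(reqs, r)
	}
	return reqs, nil
}

// Caller is the authenticated principal; staffGroups are the Zitadel groups the PR names.
type Caller struct {
	UID    string
	Groups []string
}
var staffGroups = map[string]bool{"staff-users": true, "fraud-manager": true}

// ScopeFor returns the user UID a list is restricted to ("" means any user). Everyone defaults to
// self; naming another user, or widening with "!=", needs a staff group and is otherwise denied.
func ScopeFor(c Caller, reqs []Requirement) (string, error) {
	scope, staff := c.UID, false
	for _, g := range c.Groups {
		staff = staff || staffGroups[g]
	}
	for _, r := range reqs {
		if r.Field == "status.userUID" {
			scope = r.Value
			if r.Negate {
				scope = ""
			}
		}
	}
	if scope != c.UID && !staff {
		return "", fmt.Errorf("%w: %s is not in a staff group", ErrForbidden, c.UID)
	}
	return scope, nil
}

// UserIdentity is the slice of the resource the example needs; store holds constructed records.
type UserIdentity struct{ Name, UserUID, Provider string }
var store = []UserIdentity{{"alice-github", "u-alice", "github"}, {"alice-google", "u-alice", "google"}, {"bob-github", "u-bob", "github"}}

// ListUserIdentities is the backend list path: validate, authorize, audit, filter.
func ListUserIdentities(c Caller, rawSelector string) ([]UserIdentity, error) {
	reqs, err := ParseFieldSelector(rawSelector)
	if err != nil {
		return nil, err
	}
	scope, err := ScopeFor(c, reqs)
	log.Printf("audit user=%s groups=%v selector=%q scope=%q err=%v", c.UID, c.Groups, rawSelector, scope, err)
	if err != nil {
		return nil, err
	}
	var out []UserIdentity
	for _, id := range store {
		fields := map[string]string{"metadata.name": id.Name, "status.userUID": id.UserUID} // namespace reads as ""
		keep := scope == "" || id.UserUID == scope
		for _, r := range reqs {
			keep = keep && (fields[r.Field] == r.Value) != r.Negate
		}
		if keep {
			out = append(out, id)
		}
	}
	return out, nil
}

func main() { // a staff user reading another user's identity links
	fmt.Println(ListUserIdentities(Caller{UID: "u-support", Groups: []string{"staff-users"}}, "status.userUID=u-bob"))
}
```

The case worth checking in the real backend is `!=`: a negated selector on status.userUID widens the result set past the caller's own records, so it has to be treated as a cross-user query and not as a harmless filter. A selector on a non-UID label (metadata.name) from a regular user still only searches that user's own records.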
OscarLlamas6 force-pushed the feat/identity-field-selector-support branch from 766dcb1 to a8be41d on February 26, 2026 02:22
Use runtime.NewParameterCodec(legacyscheme.Scheme) instead of metav1.ParameterCodec.
The legacyscheme already has identity scheme installed with field label conversions.

Add unit tests for field selector validation.

Create dedicated Identity Scheme following Activity API pattern.
This ensures field label conversion functions are properly registered
and used by the API server for field selector validation.

- Add pkg/apis/identity/install package
- Create dedicated Scheme in storageprovider with identity types only
- Use metav1.ParameterCodec with dedicated Scheme

Clean up debug logging that was added during investigation:
- Remove klog.Error debug messages from storageprovider init()
- Remove verbose logging from field label conversion functions
- Keep only essential code for field selector support

All functionality remains intact and tested.

2 participants