feat: implement user schema management (#7416)

This PR adds the functionality to manage user schemas through the new user schema service. It includes the possibility to create a basic JSON schema and also provides a way on defining permissions (read, write) for owner and self context with an annotation. Further annotations for OIDC claims and SAML attribute mappings will follow. A guide on how to create a schema and assign permissions has been started. It will be extended though out the process of implementing the schema and users based on those. Note: This feature is in an early stage and therefore not enabled by default. To test it out, please enable the UserSchema feature flag on your instance / system though the feature service.
2025-08-11 18:17:35 +00:00 · 2024-03-12 14:50:13 +01:00
parent 2a39cc16f5
commit 0e181b218c
61 changed files with 3614 additions and 35 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -832,7 +832,7 @@ DefaultInstance:
      Greeting: Hello {{.DisplayName}},
      Text: The password of your user has changed. If this change was not done by you, please be advised to immediately reset your password.
      ButtonText: Login
-  
+
  # Once a feature is set on the instance (true or false), system level feature settings
  # will be ignored until instance level features are reset.
  Features:
@@ -1016,6 +1016,8 @@ InternalAuthZ:
        - "execution.read"
        - "execution.write"
        - "execution.delete"
+        - "userschema.write"
+        - "userschema.delete"
    - Role: "IAM_OWNER_VIEWER"
      Permissions:
        - "iam.read"
--- a/cmd/start/config_test.go
+++ b/cmd/start/config_test.go
@@ -75,6 +75,7 @@ DefaultInstance:
    LoginDefaultOrg: true
    LegacyIntrospection: true
    TriggerIntrospectionProjections: true
+    UserSchema: true
 Log:
  Level: info
 Actions:
@@ -86,6 +87,7 @@ Actions:
 				LoginDefaultOrg:                 gu.Ptr(true),
 				LegacyIntrospection:             gu.Ptr(true),
 				TriggerIntrospectionProjections: gu.Ptr(true),
+				UserSchema:                      gu.Ptr(true),
 			})
 		},
 	}, {
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -44,6 +44,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/session/v2"
 	"github.com/zitadel/zitadel/internal/api/grpc/settings/v2"
 	"github.com/zitadel/zitadel/internal/api/grpc/system"
+	user_schema_v3_alpha "github.com/zitadel/zitadel/internal/api/grpc/user/schema/v3alpha"
 	user_v2 "github.com/zitadel/zitadel/internal/api/grpc/user/v2"
 	http_util "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
@@ -410,6 +411,9 @@ func startAPIs(
 	if err := apis.RegisterService(ctx, execution_v3_alpha.CreateServer(commands, queries, domain.AllFunctions, apis.ListGrpcMethods, apis.ListGrpcServices)); err != nil {
 		return nil, err
 	}
+	if err := apis.RegisterService(ctx, user_schema_v3_alpha.CreateServer(commands, queries)); err != nil {
+		return nil, err
+	}
 	instanceInterceptor := middleware.InstanceInterceptor(queries, config.HTTP1HostHeader, config.ExternalDomain, login.IgnoreInstanceEndpoints...)
 	assetsCache := middleware.AssetsCacheInterceptor(config.AssetStorage.Cache.MaxAge, config.AssetStorage.Cache.SharedMaxAge)
 	apis.RegisterHandlerOnPrefix(assets.HandlerPrefix, assets.NewHandler(commands, verifier, config.InternalAuthZ, id.SonyFlakeGenerator(), store, queries, middleware.CallDurationHandler, instanceInterceptor.Handler, assetsCache.Handler, limitingAccessInterceptor.Handle))