Service Accounts#3058
GregorShear wants to merge 2 commits into
GregorShear
commented
Jun 19, 2026
| .map_err(duplicate_err)?; | ||
|
|
||
| for grant in &grants { | ||
| crate::grants::overwrite_user_grant( |
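Review bot: calling `crate::grants::overwrite_user_grant` for every entry in `grants` inside the create mutation means a create call can replace an existing grant on the same prefix, including lowering its capability, with no check beyond the `.map_err(duplicate_err)?` just above; consider making the create path insert-only (fail when a grant row already exists) and moving any capability change to a dedicated update mutation that runs the same ManageServiceAccount and CreateGrant checks.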
Contributor
Author
I have mixed feelings about doing this in the create mutation - maybe we need an "update grant" mutation that lets us downgrade capabilities, and the create mutation just upserts (upgrade capabilities only)?
GregorShear
commented
Jun 19, 2026
| } | ||
| Self::Billing => EnumSet::empty(), | ||
| Self::TeamAdmin => CreateGrant | DeleteGrant | CreateInviteLink, | ||
| Self::TeamAdmin => CreateGrant | DeleteGrant | CreateInviteLink | ManageServiceAccount, |
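Review bot: adding `ManageServiceAccount` to the `Self::TeamAdmin` bundle widens every existing TeamAdmin grant without a migration or opt-in, and because the same bundle already carries `CreateGrant`, each current team admin can now create API-key-authenticated service accounts and hand them the team's reach; if that is the intended model, state it explicitly in the PR description and the capability docs, otherwise keep `ManageServiceAccount` as a separately granted capability.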
Contributor
Author
let's talk about this
GregorShear
commented
Jun 19, 2026
|
|
||
| # Run last so its flakiness can't skip the test steps above. It still gates | ||
| # the job on failure, surfacing genuine Stripe regressions. | ||
| - name: Stripe integration test |
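Review bot: the comment makes step order load-bearing ("the test steps above"), so anyone who later appends a step after `Stripe integration test` silently puts it back behind the flaky one; add a short note that new test steps belong before this step, or reference the tracking issue for the flake so the ordering can be reverted once it is fixed.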
Contributor
Author
moving this flaky test to the end of the line, at least for now
Summary
- `auth.users` rows) that authenticate via API keys and are authorized through the existing `user_grants`/`role_grants` system.
- `internal.service_accounts` and adds the column `public.refresh_tokens.created_by`.
- `createServiceAccount`, `addServiceAccountGrant`, `removeServiceAccountGrant`, `createServiceAccountToken`, `revokeServiceAccountToken`, and a paginated `serviceAccounts` query.
- `ManageServiceAccount` capability (included in the `TeamAdmin` bundle) that gates service-account management.

Key design decisions
- `auth.users` rows. All existing RLS policies, PostgREST authorization, `user_roles()` resolution, and `role_grants` traversal work unchanged. Each account gets a synthetic, non-login address (`<catalog_name>@service.estuary.dev`) and stores its catalog name as `full_name`.
- `catalog_name` is a management anchor. It is unique and determines who may manage the account (admins of a covering prefix, via `ManageServiceAccounts`) and how the account is addressed.
- `user_grants`, which may span multiple prefixes.
- `ManageServiceAccount` on the catalog name. Adding a grant additionally requires `CreateGrant` on the granted prefix, so a caller can't hand a service account reach they couldn't grant anyone. Removing a grant requires only management capability, since narrowing access is always safe.

Test plan
- `POST /api/v1/auth/token`
- `ManageServiceAccount` cannot create, or manage service accounts
- `addServiceAccountGrant` requires `CreateGrant` on the target prefix; `removeServiceAccountGrant` does not
- `validFor` validation: reject non-ISO-8601 durations, non-positive durations, and durations over 1 year
- `serviceAccounts` query is scoped to the caller's `ManageServiceAccounts` prefixes
- `catalogName` is rejected with a clear error
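The grant-management rule from the design decisions above, as an added Rust example that is not the PR's code: `Capability`, `Grant`, `Denied` and the `authorize_*` functions are assumed names, and prefixes are assumed to end in `/` so that prefix matching is plain `starts_with`.

```rust
// Added example modelling the PR's stated rule: adding a grant needs
// ManageServiceAccount on the account's catalog name AND CreateGrant on the
// granted prefix; removing a grant needs only ManageServiceAccount.
// All names below are assumptions, not the project's API.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Capability {
    CreateGrant,
    DeleteGrant,
    ManageServiceAccount,
}

/// One of the caller's grants: a catalog prefix and the capabilities held on it.
/// A TeamAdmin-style bundle is simply a grant that lists all three capabilities.
#[derive(Clone, Debug)]
pub struct Grant {
    pub prefix: String,
    pub capabilities: Vec<Capability>,
}

/// Assumption: prefixes end in '/', so "acme/" covers "acme/ci-bot"
/// but not "acme-evil/x".
fn covers(prefix: &str, name: &str) -> bool {
    name.starts_with(prefix)
}

/// True when some caller grant covering `name` carries `cap`.
pub fn has_capability(grants: &[Grant], name: &str, cap: Capability) -> bool {
    grants.iter().any(|g| covers(&g.prefix, name) && g.capabilities.contains(&cap))
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied {
    NotManager,        // no ManageServiceAccount covering the account's catalog name
    CannotGrantPrefix, // no CreateGrant covering the prefix being handed out
}

/// addServiceAccountGrant: the caller may not hand the account reach it could
/// not grant anyone, so both checks must pass.
pub fn authorize_add_grant(caller: &[Grant], account: &str, granted: &str) -> Result<(), Denied> {
    if !has_capability(caller, account, Capability::ManageServiceAccount) {
        return Err(Denied::NotManager);
    }
    if !has_capability(caller, granted, Capability::CreateGrant) {
        return Err(Denied::CannotGrantPrefix);
    }
    Ok(())
}

/// removeServiceAccountGrant: narrowing access only requires management.
pub fn authorize_remove_grant(caller: &[Grant], account: &str) -> Result<(), Denied> {
    if has_capability(caller, account, Capability::ManageServiceAccount) { Ok(()) } else { Err(Denied::NotManager) }
}
```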