From e4dce0cdd7d706f4bccee0aed6f26bdd1c82e90a Mon Sep 17 00:00:00 2001
From: Abhishek Sah
Date: Tue, 21 Apr 2026 14:11:53 +0530
Subject: [PATCH 1/2] refactor: remove unused serviceuser-user relation from SpiceDB schema
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `user` relation on `app/serviceuser` and the `CreatedByUser` field were scaffolded but never wired up — the handler never populates the creator, so the relation is never written. The audit record already captures who created the service user via the actor context. This simplifies the `manage` permission to just `org->serviceusermanage`.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 core/serviceuser/service.go | 20 --------------------
 core/serviceuser/serviceuser.go | 4 ----
 internal/bootstrap/schema/base_schema.zed | 3 +--
 3 files changed, 1 insertion(+), 26 deletions(-)

diff --git a/core/serviceuser/service.go b/core/serviceuser/service.go
index 497ca634a..80013ce99 100644
--- a/core/serviceuser/service.go
+++ b/core/serviceuser/service.go
@@ -107,26 +107,6 @@ func (s Service) Create(ctx context.Context, serviceUser ServiceUser) (ServiceUs
 return ServiceUser{}, err
 }
- if len(serviceUser.CreatedByUser) > 0 {
- // TODO: write authz tests that checks if the user who created the service user
- // has the permission to interact with the service user
- // attach user to service user who created it
- _, err = s.relationService.Create(ctx, relation.Relation{
- Object: relation.Object{
- ID: createdSU.ID,
- Namespace: schema.ServiceUserPrincipal,
- },
- Subject: relation.Subject{
- ID: serviceUser.CreatedByUser,
- Namespace: schema.UserPrincipal,
- },
- RelationName: schema.UserRelationName,
- })
- if err != nil {
- return ServiceUser{}, err
- }
- }
-
 return createdSU, nil
 }
diff --git a/core/serviceuser/serviceuser.go b/core/serviceuser/serviceuser.go
index 12de9f045..6e3fd53d6 100644
--- a/core/serviceuser/serviceuser.go
+++ b/core/serviceuser/serviceuser.go
@@ -29,10 +29,6 @@ type ServiceUser struct {
 State string
 Metadata metadata.Metadata
- // CreatedByUser is a transient field that is used to track the user who created this service user
- // this doesn't have any impact on the service user itself
- CreatedByUser string
-
 CreatedAt time.Time
 UpdatedAt time.Time
 }
diff --git a/internal/bootstrap/schema/base_schema.zed b/internal/bootstrap/schema/base_schema.zed
index 7e50b426d..430306a7f 100644
--- a/internal/bootstrap/schema/base_schema.zed
+++ b/internal/bootstrap/schema/base_schema.zed
@@ -2,9 +2,8 @@ definition app/user {}
 definition app/serviceuser {
 relation org: app/organization
- relation user: app/user
- permission manage = org->serviceusermanage + user
+ permission manage = org->serviceusermanage
 }
 definition app/pat {

From f9e4038cf1d636e8f09e13901e9488d9243f4594 Mon Sep 17 00:00:00 2001
From: Abhishek Sah
Date: Tue, 21 Apr 2026 14:21:18 +0530
Subject: [PATCH 2/2] fix: update compiled_schema.zed golden file for serviceuser change

Update the test golden file to match the removed `user` relation and simplified `manage` permission on `app/serviceuser`.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 internal/bootstrap/testdata/compiled_schema.zed | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/internal/bootstrap/testdata/compiled_schema.zed b/internal/bootstrap/testdata/compiled_schema.zed
index 8a01e09a1..3bf584b18 100644
--- a/internal/bootstrap/testdata/compiled_schema.zed
+++ b/internal/bootstrap/testdata/compiled_schema.zed
@@ -182,9 +182,8 @@ definition app/rolebinding {
 }
 definition app/serviceuser {
- permission manage = org->serviceusermanage + user
+ permission manage = org->serviceusermanage
 relation org: app/organization
- relation user: app/user
 }
 definition app/user {}
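Review bot: Deleting `relation user: app/user` from `app/serviceuser` in base_schema.zed is only safe if no relationship was ever written under that relation; SpiceDB refuses a schema write that removes a relation while stored relationships still reference it, so an environment where the old `CreatedByUser` path did fire would fail at schema bootstrap rather than degrade gracefully. The commit message asserts the handler never populated the field, but that cannot be confirmed from these hunks, so a relationship read filtered on `app/serviceuser#user` against existing deployments (or a one-time cleanup step noted in the commit) would close the gap. With the `+ user` term gone, `manage` is reachable only through the owning organization, which is a narrowing of access worth stating in the schema itself, e.g. `// manage on a service user is inherited solely from its organization`. The same removal is repeated in the compiled_schema.zed golden file in the second patch.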