feat: add public read access to ResourceRegistration catalog#604

Merged: kevwilliams merged 2 commits into main from feat/feature-flag-iam on May 6, 2026

Conversation

@kevwilliams kevwilliams commented May 6, 2026

Summary

Make the ResourceRegistration catalog readable by any authenticated user, so the staff-portal Feature Flags UI can list available flags. Modeled after billing's meter-definition-viewer + authenticated-user-meter-definition-read pattern.

  • New config/services/features/ component scaffolding (iam + registrations placeholder).
  • quota.miloapis.com-resource-registration-viewer Role: read-only on the registration catalog.
  • authenticated-user-resource-registration-read PolicyBinding: grants the viewer role to system:authenticated, scoped via resourceSelector.resourceKind to ResourceRegistration.
  • Wire features into config/services/kustomization.yaml.

Why

Staff-portal needs to call list resourceregistrations.quota.miloapis.com (cluster-scoped) to enumerate the feature flag catalog before a flag can be toggled on for an org. Today this returns 403 Forbidden for authenticated users because no PolicyBinding grants list access.

The catalog of registered resource types is non-sensitive metadata — same reasoning as MeterDefinition — so making it readable by all authenticated users keeps parity and unblocks the UI without per-team binding.

Out of scope

  • Roles for managing ResourceGrant create/delete (the toggle action). Those bindings live in datum-cloud/infra and aren't required to render the catalog.
  • Specific feature flag registrations (e.g. cloud-portal-usage-metering) — separate PRs.

Notes

The viewer role grants read on all ResourceRegistrations (type ∈ {Entity, Allocation, Feature}). PolicyBinding's resourceSelector is kind-only — no spec filter. If we ever want to restrict catalog visibility to only type=Feature, that requires admission/webhook enforcement, not IAM.

Test plan

  • kustomize build config/services/features/ produces the Role + PolicyBinding without errors
  • kustomize build config/services/ includes them in the aggregate
  • After deploy, verify datumctl get resourceregistrations --platform-wide succeeds for any authenticated user
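The Notes section above explains that the viewer role is bound to system:authenticated and that the PolicyBinding's resourceSelector can only narrow by kind, so the only things keeping this grant least-privilege are (a) the role carrying read verbs only and (b) the selector naming exactly ResourceRegistration. The script below is an added example, not code from this PR or from the Milo project: it audits rendered manifests for those two properties and flags any broad binding (system:authenticated or system:unauthenticated) that lacks a kind selector or whose role carries a write verb. The two manifests embedded in it are constructed stand-ins for the output of `kustomize build config/services/features/`, and the field names under `spec` (`includedPermissions`, `roleRef`, `subjects`, `resourceKind.kind`) and the `group/resource.verb` permission format are assumptions about the iam.miloapis.com schema, not taken from the project.

```python
"""Least-privilege audit for a Role + PolicyBinding pair granted to system:authenticated.

Added example. The manifests are constructed and the iam.miloapis.com field
names are assumptions; adapt them to the real rendered output.
"""
import json
from copy import deepcopy

READ_ONLY_VERBS = {"get", "list", "watch"}
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated"}

# Constructed stand-ins for rendered manifests converted to JSON.
RENDERED = json.loads(r'''
[
  {
    "apiVersion": "iam.miloapis.com/v1alpha1",
    "kind": "Role",
    "metadata": {"name": "quota.miloapis.com-resource-registration-viewer"},
    "spec": {
      "includedPermissions": [
        "quota.miloapis.com/resourceregistrations.get",
        "quota.miloapis.com/resourceregistrations.list",
        "quota.miloapis.com/resourceregistrations.watch"
      ]
    }
  },
  {
    "apiVersion": "iam.miloapis.com/v1alpha1",
    "kind": "PolicyBinding",
    "metadata": {"name": "authenticated-user-resource-registration-read"},
    "spec": {
      "roleRef": {"name": "quota.miloapis.com-resource-registration-viewer"},
      "subjects": [{"kind": "Group", "name": "system:authenticated"}],
      "resourceSelector": {
        "resourceKind": {"apiGroup": "quota.miloapis.com", "kind": "ResourceRegistration"}
      }
    }
  }
]
''')


def split_permission(perm):
    """Split an assumed 'group/resource.verb' permission string into its parts."""
    group, _, rest = perm.partition("/")
    resource, _, verb = rest.rpartition(".")
    return group, resource, verb


def role_findings(role, expected_resource):
    """A viewer role may only carry read verbs, and only on the catalog resource."""
    name = role["metadata"]["name"]
    out = []
    for perm in role["spec"].get("includedPermissions", []):
        _, resource, verb = split_permission(perm)
        if verb not in READ_ONLY_VERBS:
            out.append(f"{name}: non-read verb '{verb}' in {perm}")
        if resource != expected_resource:
            out.append(f"{name}: unexpected resource in {perm}")
    return out


def binding_findings(binding, roles, allowed_kinds, expected_resource):
    """Only bindings to broad groups are checked; narrow bindings are out of scope here."""
    name = binding["metadata"]["name"]
    spec = binding["spec"]
    broad = [s["name"] for s in spec.get("subjects", []) if s["name"] in BROAD_SUBJECTS]
    if not broad:
        return []
    out = []
    selector = spec.get("resourceSelector", {}).get("resourceKind")
    if selector is None:
        out.append(f"{name}: grants to {broad} with no resourceSelector")
    elif selector.get("kind") not in allowed_kinds:
        out.append(f"{name}: grants to {broad} on unexpected kind {selector.get('kind')}")
    role = roles.get(spec.get("roleRef", {}).get("name"))
    if role is None:
        out.append(f"{name}: references an unknown role")
    else:
        out.extend(role_findings(role, expected_resource))
    return out


def audit(docs, allowed_kinds=("ResourceRegistration",), expected_resource="resourceregistrations"):
    """Return a list of findings; an empty list means the grant is as narrow as IAM allows."""
    roles = {d["metadata"]["name"]: d for d in docs if d["kind"] == "Role"}
    findings = []
    for d in docs:
        if d["kind"] == "PolicyBinding":
            findings.extend(binding_findings(d, roles, allowed_kinds, expected_resource))
    return findings


def widened_variant(docs):
    """Constructed negative case: a write verb slipped into the role and the selector dropped."""
    bad = deepcopy(docs)
    for d in bad:
        if d["kind"] == "Role":
            d["spec"]["includedPermissions"].append("quota.miloapis.com/resourceregistrations.delete")
        elif d["kind"] == "PolicyBinding":
            del d["spec"]["resourceSelector"]
    return bad


if __name__ == "__main__":
    print("as described:", audit(RENDERED) or "no findings")
    print("widened:", audit(widened_variant(RENDERED)))
```

Run it against the real rendered output by replacing `RENDERED` with the parsed manifests; the check is deliberately silent for bindings to specific users or groups, since the risk it targets is the combination of a catalog-wide subject with an over-broad role or a missing kind selector. It cannot express a spec-level filter (for example type=Feature), which matches the note above that such a restriction needs admission enforcement rather than IAM.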

joggrbot Bot commented May 6, 2026

📝 Documentation Analysis

All docs are up to date! 🎉


✅ Latest commit analyzed: 7d86582 | Powered by Joggr

@kevwilliams kevwilliams force-pushed the feat/feature-flag-iam branch from 31c8c41 to b56cde6 Compare May 6, 2026 20:26
@kevwilliams kevwilliams changed the title feat: add feature flag IAM scaffolding with public catalog read feat: add public read access to ResourceRegistration catalog May 6, 2026
Comment thread config/services/quota/iam/roles/feature-flag-viewer.yaml
@kevwilliams kevwilliams force-pushed the feat/feature-flag-iam branch from b56cde6 to 80ccbff Compare May 6, 2026 20:34
@kevwilliams kevwilliams requested a review from scotwells May 6, 2026 20:35
- Add config/services/features/ component scaffolding (iam + registrations placeholder)
- Add quota.miloapis.com-resource-registration-viewer Role: read-only on
  ResourceRegistration (mirrors billing's meter-definition-viewer)
- Add authenticated-user-resource-registration-read PolicyBinding: grants
  the viewer role to system:authenticated, scoped to ResourceRegistration kind
- Wire features into config/services/kustomization.yaml

Unblocks staff-portal Feature Flags UI: any authenticated user can list
the ResourceRegistration catalog to discover available flags. Toggling
flags (ResourceGrant create/delete) is governed by separate roles bound
in datum-cloud/infra and is out of scope for this PR.

The catalog read grants all ResourceRegistration kinds (Entity, Allocation,
Feature) — PolicyBinding resourceSelector is kind-only, no spec filter.
The catalog is non-sensitive metadata, same reasoning as MeterDefinition.
@kevwilliams kevwilliams force-pushed the feat/feature-flag-iam branch from 80ccbff to 53d76b9 Compare May 6, 2026 20:44
@kevwilliams kevwilliams merged commit 9b5c0ea into main May 6, 2026
9 checks passed
@kevwilliams kevwilliams deleted the feat/feature-flag-iam branch May 6, 2026 22:27