2.4 KiB
Pattern: Tenant Context Propagation
Status: draft Readiness target: RL3 production Primary owners: NetKingdom, product repos, Railiance platform
Problem
Tenant isolation breaks when request handlers, background jobs, events, storage access, or audit records lose the tenant context that justified the action.
Context
Use this pattern for APIs, workers, queues, schedulers, event streams, data stores, object storage, audit events, and admin workflows.
Forces
- Tenant context must be explicit and authenticated.
- Some actions are platform-scoped and must not masquerade as tenant actions.
- Background jobs often outlive the original request.
- Logs and policy decisions need the same tenant correlation.
Solution
Carry tenant context as a required field in trusted request, job, event, authorization, storage, and audit envelopes. Derive it from identity or controlled platform context, not from arbitrary user input.
Implementation Sketch
- Define tenant id and platform-scope semantics.
- Add tenant context to API, job, and event envelopes.
- Require flex-auth decisions to include tenant scope.
- Persist tenant context through queues and background workers.
- Include tenant id in audit and detection events.
- Reject ambiguous or conflicting tenant context.
Failure Modes
| Failure | Mitigation |
|---|---|
| Tenant id is passed as untrusted parameter | derive from trusted identity/session claims |
| Worker jobs omit tenant id | require typed job envelopes and tests |
| Platform job uses tenant scope accidentally | distinguish platform-scope explicitly |
| Audit records miss tenant | make tenant field required for tenant actions |
Related Capabilities
- Tenant isolation.
- Authorization and access control.
- Application and API security.
- Observability, detection, and audit.
Maturity
Draft. This is foundational for multi-tenant correctness and should be promoted with product conformance tests.
Verification
- Request, job, event, policy, and audit envelopes include tenant scope.
- Ambiguous tenant context fails closed.
- Platform-scope operations are explicitly marked and reviewed.
- Cross-tenant propagation tests fail for APIs and workers.
Research Basis
Seeded by tenant context propagation, tenant identity boundary, tenant-scoped authorization, and tenant data partitioning.
References
- Initial exploration: Tenant isolation patterns.
- Initial exploration: Application and API security.