generated from coulomb/repo-seed
78 lines
2.4 KiB
Markdown
78 lines
2.4 KiB
Markdown
# Pattern: Tenant Context Propagation
|
|
|
|
Status: draft
|
|
Readiness target: RL3 production
|
|
Primary owners: NetKingdom, product repos, Railiance platform
|
|
|
|
## Problem
|
|
|
|
Tenant isolation breaks when request handlers, background jobs, events,
|
|
storage access, or audit records lose the tenant context that justified
|
|
the action.
|
|
|
|
## Context
|
|
|
|
Use this pattern for APIs, workers, queues, schedulers, event streams,
|
|
data stores, object storage, audit events, and admin workflows.
|
|
|
|
## Forces
|
|
|
|
- Tenant context must be explicit and authenticated.
|
|
- Some actions are platform-scoped and must not masquerade as tenant
|
|
actions.
|
|
- Background jobs often outlive the original request.
|
|
- Logs and policy decisions need the same tenant correlation.
|
|
|
|
## Solution
|
|
|
|
Carry tenant context as a required field in trusted request, job, event,
|
|
authorization, storage, and audit envelopes. Derive it from identity or
|
|
controlled platform context, not from arbitrary user input.
|
|
|
|
## Implementation Sketch
|
|
|
|
1. Define tenant id and platform-scope semantics.
|
|
2. Add tenant context to API, job, and event envelopes.
|
|
3. Require flex-auth decisions to include tenant scope.
|
|
4. Persist tenant context through queues and background workers.
|
|
5. Include tenant id in audit and detection events.
|
|
6. Reject ambiguous or conflicting tenant context.
|
|
|
|
## Failure Modes
|
|
|
|
| Failure | Mitigation |
|
|
| --- | --- |
|
|
| Tenant id is passed as untrusted parameter | derive from trusted identity/session claims |
|
|
| Worker jobs omit tenant id | require typed job envelopes and tests |
|
|
| Platform job uses tenant scope accidentally | distinguish platform-scope explicitly |
|
|
| Audit records miss tenant | make tenant field required for tenant actions |
|
|
|
|
## Related Capabilities
|
|
|
|
- Tenant isolation.
|
|
- Authorization and access control.
|
|
- Application and API security.
|
|
- Observability, detection, and audit.
|
|
|
|
## Maturity
|
|
|
|
Draft. This is foundational for multi-tenant correctness and should be
|
|
promoted with product conformance tests.
|
|
|
|
## Verification
|
|
|
|
- Request, job, event, policy, and audit envelopes include tenant scope.
|
|
- Ambiguous tenant context fails closed.
|
|
- Platform-scope operations are explicitly marked and reviewed.
|
|
- Cross-tenant propagation tests fail for APIs and workers.
|
|
|
|
## Research Basis
|
|
|
|
Seeded by tenant context propagation, tenant identity boundary,
|
|
tenant-scoped authorization, and tenant data partitioning.
|
|
|
|
## References
|
|
|
|
- Initial exploration: Tenant isolation patterns.
|
|
- Initial exploration: Application and API security.
|