changes for multi-tenancy sat v2 #135
Merged
kelleyloder merged 4 commits on Jun 30, 2026
Pull request overview
This PR extends xconfadmin’s authentication/authorization to support SAT RBAC v2 with tenant scoping, and updates request handling so SAT v2 uses the tenantId header while legacy SAT/login-token paths continue to use the default tenant.
Changes:
- Add SAT token parsing enhancements (allowed partners + auth type) and a unified tenant resolution helper (`GetTenantId`) used across handlers.
- Implement SAT v2 route→domain classification plus capability + tenant-scope authorization, and wire permission checks into affected endpoints.
- Add OpenSpec artifacts describing SAT v2 tenant enforcement and update/add related tests/config samples.
Reviewed changes
Copilot reviewed 59 out of 59 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| taggingapi/tag/tag_member_handler.go | Adds auth checks and switches tenant resolution to xhttp.GetTenantId. |
| taggingapi/tag/tag_handler.go | Adds auth checks and switches tenant resolution to xhttp.GetTenantId. |
| openspec/specs/auth/auth-contract.md | Updates auth contract to describe SAT v2 tenant-scope enforcement and 403 semantics. |
| openspec/changes/sat-rbac-v2-tenant-enforcement/tasks.md | Adds task plan for SAT v2 tenant enforcement spec/implementation/tests. |
| openspec/changes/sat-rbac-v2-tenant-enforcement/spec.md | Adds detailed SAT v2 tenant enforcement specification. |
| openspec/changes/sat-rbac-v2-tenant-enforcement/proposal.md | Adds proposal rationale and scope for tenant enforcement phase. |
| openspec/changes/sat-rbac-v2-tenant-enforcement/design.md | Adds design/flow documentation for SAT v2 tenant enforcement. |
| openspec/changes/sat-rbac-v2-tenant-enforcement/.openspec.yaml | Adds OpenSpec metadata for the proposed change set. |
| http/webconfig_server.go | Adds allowedPartners/authType to context and logs; SAT v2 vs legacy classification. |
| http/auth.go | Introduces auth type constants, allowedPartners context access, and SAT v2 tenant resolution. |
| config/sample_xconfadmin.conf | Updates sample keyspace configuration values. |
| adminapi/xcrp/recooking_lockdown_settings_handler.go | Switches to auth.CanWrite and uses new tenant resolution. |
| adminapi/telemetry/telemetry_v2_rule_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/telemetry/telemetry_rule_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/telemetry/telemetry_profile_controller.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/setting/setting_rule_controller.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/setting/setting_profile_service.go | Refactors to tenant-aware GetAllForTenant. |
| adminapi/setting/setting_profile_controller.go | Uses tenant-aware profile listing and xhttp.GetTenantId. |
| adminapi/rfc/feature/feature_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/queries_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/percentfilter_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/percentagebean_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/namedspace_list_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/model_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/log_upload_settings_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/log_file_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/log_controller.go | Switches tenant resolution to xhttp.GetTenantId and removes old xconfwebconfig tenant helper import. |
| adminapi/queries/firmware_rule_template_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/firmware_rule_report_page_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/firmware_rule_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/firmware_config_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/feature_rule_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/feature_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/environment_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/queries/common.go | Switches tenant resolution to xhttp.GetTenantId and modernizes tool permission checks. |
| adminapi/queries/amv_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/lockdown/lockdown_settings_handler.go | Updates tool permission checks and switches tenant resolution to xhttp.GetTenantId. |
| adminapi/firmware/firmware_test_page_controller.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/dcm/vod_settings_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/dcm/logupload_settings_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/dcm/logrepo_settings_service.go | Refactors service functions to be tenant-aware. |
| adminapi/dcm/logrepo_settings_service_test.go | Updates tests for tenant-aware log repo settings service. |
| adminapi/dcm/logrepo_settings_handler.go | Switches tenant resolution to xhttp.GetTenantId and uses tenant-aware service functions. |
| adminapi/dcm/logrepo_settings_handler_test.go | Updates handler tests for tenant-aware log repo settings behavior. |
| adminapi/dcm/device_settings_handler.go | Removes default-tenant usage and switches to request tenant resolution. |
| adminapi/dcm/dcmformula_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/change/telemetry_two_profile_service.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/change/telemetry_two_profile_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/change/telemetry_two_change_service.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/change/telemetry_two_change_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/change/telemetry_profile_handler.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/change/permanent_telemetry_profile_service.go | Switches tenant resolution to xhttp.GetTenantId. |
| adminapi/change/change_service.go | Refactors change services to be tenant-aware and uses xhttp.GetTenantId. |
| adminapi/change/change_service_test.go | Updates change service tests for new tenant-aware function signatures. |
| adminapi/change/change_handler.go | Switches tenant resolution to xhttp.GetTenantId for change listing/filtering. |
| adminapi/canary/canary_settings_handler.go | Updates tool permission checks and switches tenant resolution to xhttp.GetTenantId. |
| adminapi/canary/canary_settings_handler_test.go | Updates expected status code to match new permission semantics. |
| adminapi/auth/permission_service.go | Adds SAT v2 domain mapping, capability checks, and tenant-scope enforcement integration. |
| adminapi/auth/permission_service_test.go | Adds tests for SAT v2 tenant-scope enforcement and auth behavior. |
Comment on lines +132 to +137
| - Legacy SAT path: | ||
| - Legacy SAT authorization semantics remain unchanged. | ||
| - Token validation SHALL NOT enforce tenant or partner claims. | ||
| - Request processing SHALL continue to support multi-tenancy. | ||
| - In this phase, request processing SHALL resolve `tenantId` | ||
| to the default tenant. |
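Review bot: the last two requirements of this legacy-path block pull in different directions, "SHALL continue to support multi-tenancy" against "SHALL resolve `tenantId` to the default tenant". State explicitly what happens to a `tenantId` header sent with a legacy SAT token (ignored or rejected), so that the header cannot be read as selecting a tenant on a path where token validation "SHALL NOT enforce tenant or partner claims".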
Comment on lines 25 to 28
| "github.com/rdkcentral/xconfadmin/adminapi/auth" | ||
| ccommon "github.com/rdkcentral/xconfadmin/common" | ||
| xhttp "github.com/rdkcentral/xconfadmin/http" | ||
| xwhttp "github.com/rdkcentral/xconfwebconfig/http" | ||
| ) |
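Review bot: on the last two import lines the aliases `xhttp` and `xwhttp` differ by one character and both point at a package named http, so a call into the wrong package is easy to miss when reading a handler. Give the xconfwebconfig import a more distinct alias, or drop it if this file no longer needs it.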
pt-nguyen
requested changes
Jun 26, 2026
Contributor
For the GetTenantId function, passing both r.Context() and r into the same function signature is redundant, so instead of requiring two parameters, the signature for GetTenantId should ideally be refactored to accept only the request:
```go
// Proposed refactored signature
func GetTenantId(r *http.Request) string {
	ctx := r.Context()
	// ... extract tenant ID using ctx and r
}
```
pt-nguyen
approved these changes
Jun 30, 2026
Support new SAT v2 token with xconf capabilities.
Authentication ->
Authorization ->
Use tenantId from header in the rest of the request if SAT v2.
In the case of no SAT v2, check for SAT legacy or Xerxes, in which case skip tenantId check and use default tenantId for the rest of the request.
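
The flow in the description above, as an added Go example that is not xconfadmin's code: a SAT v2 request takes its tenant from the `tenantId` header, and a legacy SAT or login-token request gets the default tenant whatever the header says. The context keys, auth-type labels, default tenant name and helper names are hypothetical. The example also assumes that the token's allowed-partners list bounds which tenant may be named and that a missing or out-of-scope header fails closed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type ctxKey string // hypothetical context keys, set by the auth middleware

const (
	authTypeKey   ctxKey = "authType"
	partnersKey   ctxKey = "allowedPartners"
	authSatV2            = "sat-v2"  // assumed label for a SAT v2 token
	defaultTenant        = "default" // assumed default tenant name
)

var errForbidden = errors.New("tenant out of token scope") // caller maps to HTTP 403

// resolveTenant takes only the request; the context travels with it.
func resolveTenant(r *http.Request) (string, error) {
	if t, _ := r.Context().Value(authTypeKey).(string); t != authSatV2 {
		return defaultTenant, nil // legacy SAT or login token: header is ignored
	}
	tenant := r.Header.Get("tenantId")
	allowed, _ := r.Context().Value(partnersKey).([]string)
	for _, p := range allowed {
		if tenant != "" && p == tenant {
			return tenant, nil
		}
	}
	return "", errForbidden // fail closed: header missing or tenant not allowed
}

// newRequest builds a constructed request as the middleware would leave it.
func newRequest(authType string, partners []string, header string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/example", nil)
	r.Header.Set("tenantId", header)
	ctx := context.WithValue(r.Context(), authTypeKey, authType)
	return r.WithContext(context.WithValue(ctx, partnersKey, partners))
}

func main() {
	in, _ := resolveTenant(newRequest(authSatV2, []string{"acme"}, "acme"))
	_, err := resolveTenant(newRequest(authSatV2, []string{"acme"}, "other"))
	legacy, _ := resolveTenant(newRequest("sat-legacy", nil, "other"))
	fmt.Println(in, err, legacy)
}
```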