Story: Validate tenancy across surfaces
This page documents a story in Sprint 11. It captures the goal, current status, acceptance criteria, and the tasks that compose it.
Goal
Validate that tenancy actually works across every surface that could leak: shell, Data Librarian publication, DQ metadata indexes, event bus. Fix the gaps.
Status
| Field | Value |
|---|---|
| State | DONE |
| Parent sprint | Sprint 11 |
| Now | Completed 2026-02-06. |
| Waiting on | None. |
| Next | None. |
| Last touched | 2026-02-06 |
Acceptance
- Shell scenarios green: super-admin login, tenant-admin creation+login, tenant-user creation+login.
- DQ metadata unique indexes include tenant_id.
- Data Librarian publication works across tenants; image_id resolution handled.
- Eventing carries tenant_id end-to-end and filters at the subscription manager.
Tasks
| Task | State | Start | End | Description |
|---|---|---|---|---|
| Test shell functionality with tenancy enabled | DONE | 2026-05-19 | 2026-02-05 | Scenarios: super-admin login, tenant-admin creation + login, tenant-user creation + login; bootstrap mode replay. ores.iam::client login() + logout() helpers; messaging enum refactoring; C++ enum codegen. |
| Review DQ metadata tables for multi-tenancy | DONE | 2026-05-19 | 2026-02-06 | Audit: 11 DQ metadata tables have unique version indexes without tenant_id, blocking cross-tenant duplication; decision recorded; fix lands as part of the publish-across-tenants task. |
| Check Data Librarian can publish across tenants | DONE | 2026-05-19 | 2026-02-06 | Add tenant_id to unique version indexes on 11 DQ metadata + asset + refdata tables; image_id resolution looks up by key in DQ images then by key in target-tenant assets; ImageCache::clear() before reload; connection-browser UI polish; permissions suggest shell command; ores_iam_generate_role_commands_fn SECURITY DEFINER. |
| Check eventing across tenants | DONE | 2026-05-19 | 2026-02-06 | tenant_id propagated through SQL triggers → JSONB payloads → event bus → subscription_manager; subscription_manager::notify() filters by session tenant; backward-compatible broadcast when tenant absent; 5 new test cases. |
Decisions
- Validate before declaring victory: easy to think tenancy is done once the schema and handlers compile; the surfaces that would leak silently get checked here.
- Backward-compatible event broadcast when tenant absent: keeps pre-login sessions and unconfigured-session-service paths working without a special case.
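The filtering rule from the eventing task together with the broadcast decision above, as an added C++ example that is not the project's own code. The `event` and `session` types, `tenant_allows`, `is_subscribed`, `sample_sessions` and the free function `notify` are hypothetical, and the example assumes "tenant absent" means that either the event or the session carries no tenant_id.

```cpp
#include <optional>
#include <string>
#include <vector>

// Hypothetical shapes: the page names subscription_manager::notify() only.
struct event {
    std::string type;
    std::optional<std::string> tenant_id;  // absent on payloads without a tenant
};

struct session {
    std::string id;
    std::optional<std::string> tenant_id;  // absent before login
    std::vector<std::string> subscribed;   // event types this session wants
};

// Assumed rule: filter only when both tenants are known; otherwise broadcast.
bool tenant_allows(const event& e, const session& s) {
    if (!e.tenant_id || !s.tenant_id)
        return true;                       // backward-compatible broadcast
    return *e.tenant_id == *s.tenant_id;   // tenant isolation
}

bool is_subscribed(const session& s, const std::string& type) {
    for (const auto& t : s.subscribed)
        if (t == type) return true;
    return false;
}

// Returns the ids of the sessions that would receive the event.
std::vector<std::string> notify(const event& e, const std::vector<session>& all) {
    std::vector<std::string> delivered;
    for (const auto& s : all)
        if (is_subscribed(s, e.type) && tenant_allows(e, s))
            delivered.push_back(s.id);
    return delivered;
}

// Constructed sample sessions, not taken from the project.
std::vector<session> sample_sessions() {
    return {
        {"s-a", std::string("tenant-a"), {"image.changed"}},
        {"s-b", std::string("tenant-b"), {"image.changed"}},
        {"s-prelogin", std::nullopt, {"image.changed"}},
        {"s-other", std::string("tenant-a"), {"role.changed"}},
    };
}
```

The broadcast branch delivers regardless of tenant, so it is the branch a test suite should pin explicitly alongside the mismatch case.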
Out of scope
- Wt + HTTP tenant validation (handled separately when Wt is exercised in anger).
See also
- Per-request tenant context — must land before this validation can trust the handler layer.