tenantpolicy

package
v1.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 12, 2026 License: MIT Imports: 2 Imported by: 0

Documentation

Overview

Package tenantpolicy derives a per-tenant *policy.Policy from a process policy and a control-plane TenantRecord under the ADR 0021 hosted tenant policy ceiling contract.

The package is the single canonical place to apply tenant policy overrides so the production runtime (internal/runtime) and the shared-service Postgres E2E test harness (internal/controlplane/postgres) both exercise the same code path. Without this extraction the E2E factory closure had to mirror the production logic by hand, and a previous regression let the closure silently bypass the ceiling — see ADR 0021 §"Scope note" and PR #99 review.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Derive

func Derive(processPolicy *policy.Policy, tenant controlplane.TenantRecord) (*policy.Policy, error)

Derive returns a per-tenant clone of processPolicy with the TenantRecord's overrides applied under the strict-narrowing contract documented in ADR 0021:

  • Mode is set via policy.EffectiveTenantMode so the tenant cannot broaden past min(processMode, processPolicy.Ceiling). Process mode broader than an explicit ceiling fails closed before the tenant override is considered.
  • DenyTools and DenyGroups UNION with the process lists. A tenant record can only add denies; it cannot erase a process-level deny.
  • AllowGroups under a group-blocking effective mode is silently dropped and TenantAllowGroupsIgnored is set so policy_info surfaces the diagnostic. Under a non-blocking mode, the tenant list INTERSECTS with the process AllowedGroups when both are set, or defines the whitelist when the process did not set one.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL