cf-tr-authz-plugin 0.1.0

AuthZ resolver plugin with tenant hierarchy resolution via Tenant Resolver

TR AuthZ Plugin

AuthZ resolver plugin that resolves tenant hierarchy via TenantResolverClient. Delegates all tenant operations to the tenant-resolver module instead of accessing Resource Group directly.

How It Works

  1. Tenant resolution — extracts tenant_id from TenantContext.root_id or subject.properties["tenant_id"]
  2. Hierarchy query — calls TenantResolverClient::get_descendants(tenant_id, {barrier_mode: Respect}). Barrier filtering is handled by tenant-resolver internally.
  3. Predicate generation — returns In(owner_tenant_id, [visible_tenant_ids]) for tenant scoping, plus optional InGroup / InGroupSubtree predicates when group context is present in the request
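The three steps above, modelled end to end as an added example; this is not the plugin's own code. Request, MockResolver, scope and sample are hypothetical stand-ins for the SDK types. Assumptions: root_id is tried before the subject property, a missing tenant_id is denied, the caller's own tenant is included in the In list, and a barrier tenant hides itself and its subtree from ancestors.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for the types named on this page, not the SDK definitions.
#[derive(Debug, PartialEq)]
pub enum Predicate { In(&'static str, Vec<String>) }
pub struct Request { pub root_id: Option<String>, pub subject_props: HashMap<String, String> }
#[derive(Clone, Copy)]
pub enum BarrierMode { Respect, Ignore }
// Mock resolver rows: (tenant, parent, is_barrier).
pub struct MockResolver { pub tenants: Vec<(&'static str, Option<&'static str>, bool)> }

impl MockResolver {
    // Assumed barrier semantics: a barrier tenant and its subtree are hidden from ancestors.
    pub fn get_descendants(&self, id: &str, mode: BarrierMode) -> Vec<String> {
        let (mut out, mut stack) = (Vec::new(), vec![id.to_string()]);
        while let Some(cur) = stack.pop() {
            for (t, parent, barrier) in &self.tenants {
                if *parent != Some(cur.as_str()) { continue; }
                if *barrier && matches!(mode, BarrierMode::Respect) { continue; }
                out.push(t.to_string());
                stack.push(t.to_string());
            }
        }
        out.sort();
        out
    }
}

pub fn scope(req: &Request, tr: &MockResolver) -> Result<Predicate, &'static str> {
    // Step 1: tenant resolution. Fail closed when neither source yields an id (assumption).
    let tenant = req.root_id.clone()
        .or_else(|| req.subject_props.get("tenant_id").cloned())
        .filter(|t| !t.is_empty())
        .ok_or("no tenant_id: deny")?;
    // Step 2: hierarchy query with barriers respected.
    let mut visible = tr.get_descendants(&tenant, BarrierMode::Respect);
    // Step 3: tenant-scoping predicate; own tenant listed first (assumption).
    visible.insert(0, tenant);
    Ok(Predicate::In("owner_tenant_id", visible))
}

// Constructed sample hierarchy: acme -> { acme-eu, acme-us (barrier) -> acme-us-lab }.
pub fn sample() -> MockResolver {
    MockResolver { tenants: vec![("acme", None, false), ("acme-eu", Some("acme"), false),
        ("acme-us", Some("acme"), true), ("acme-us-lab", Some("acme-us"), false)] }
}

fn main() {
    let req = Request { root_id: Some("acme".into()), subject_props: HashMap::new() };
    println!("{:?}", scope(&req, &sample()));
    println!("{:?}", sample().get_descendants("acme", BarrierMode::Ignore));
}
```

With barriers respected, a caller scoped to acme never receives acme-us or acme-us-lab in the predicate, while a caller whose own tenant is acme-us still sees its subtree.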

Configuration

modules:
  tr_authz_plugin:
    config:
      vendor: "hyperspot"
      priority: 50  # Set lower than static-authz (100) to take precedence

Dependencies

  • tenant-resolver-sdk — TenantResolverClient trait for tenant hierarchy queries
  • authz-resolver-sdk — AuthZResolverPluginClient trait, predicate types
  • types-registry-sdk — GTS plugin instance registration