…to bootstrap

- Identity patching is expected behavior
- Duplicate handling is part of onboarding
- Trait correctness is validated in E2E tests
- Schema updates are acknowledged as version-dependent
| Feature | Description |
|---|---|
| 🆕 Tenant Onboarding | Creates or updates Kratos identity with email, tenant_id, and roles[] |
| 🔐 Role Granting | /roles/grant assigns roles using Keto |
| 🔍 Role Checking | /roles/check verifies if a subject has a role on a tenant |
| 🔄 Role Revocation | /roles/revoke removes a role from a subject |
| 🔁 Transactional Onboarding | Grants roles during onboarding and rolls back on failure |
| 📜 Audit Logging | All actions logged with actor, subject, tenant, and IP |

🔜 Pending or Suggested Enhancements

| Topic | Description |
|---|---|
| 🧪 Unit & Integration Tests | Use jest + supertest to test grant, check, revoke, and onboarding flows |
| 📜 Audit Log Viewer | Add a route like /admin/tenants/:id/audit to view and filter audit logs |
| 🛡️ Oathkeeper Enforcement | Secure Keto write APIs using JWT validation via Oathkeeper |
| 🔍 List Identities by Tenant | Add /admin/tenants/:id/users to list all identities under a tenant |
| 🔁 Idempotent Onboarding | Prevent duplicate onboarding or re-granting roles unnecessarily |
| 🧼 Soft Delete Tenant | Add /admin/tenants/:id/delete to mark a tenant as inactive (instead of hard delete) |
| 📦 Batch Role Grant/Revoke | Support bulk operations for onboarding multiple users at once |
| 📈 Metrics & Health Checks | Add /admin/tenants/health and expose metrics for observability |
| 🔐 Tenant Isolation in Oathkeeper Rules | Enforce tenant-specific access policies via Oathkeeper JSON rules |
| 🧾 Tenant Metadata Management | Add support for storing and updating tenant-level metadata (e.g., plan, status) |
```shell
LENOVO@Mahadevaprasad MINGW64 ~/OneDrive/Desktop/repository/kratos-selfservice-ui-node (master)
$ curl -X POST http://localhost:4000/admin/tenants/onboard \
-H "Authorization: Bearer $(cat token.txt)" \
-H "Content-Type: application/json" \
-d '{
"email": "testuser@example.com",
"tenant_id": "tenant001",
"roles": ["owner"]
}'
{"message":"Tenant onboarded successfully","identity":{"id":"30ace81f-d71d-4c97-ad61-c4a80268a77c","credentials":{"password":{"type":"password","identifiers":["testuser@example.com"],"version":0,"created_at":"0001-01-01T00:00:00Z","updated_at":"0001-01-01T00:00:00Z"}},"schema_id":"scansure_v1","schema_url":"http://localhost:4433/schemas/c2NhbnN1cmVfdjE","state":"active","state_changed_at":"2025-10-21T09:09:32.695081348Z","traits":{"email":"testuser@example.com","tenant_id":"tenant001","roles":["owner"]},"metadata_public":null,"created_at":"2025-10-21T09:09:32.699802Z","updated_at":"2025-10-21T09:09:32.699802Z","organization_id":null}}

LENOVO@Mahadevaprasad MINGW64 ~/OneDrive/Desktop/repository/kratos-selfservice-ui-node (master)
$ curl -X POST http://localhost:4000/admin/tenants/roles/grant \
-H "Authorization: Bearer $(cat token.txt)" \
-H "Content-Type: application/json" \
-d '{
"subject_id": "testuser@example.com",
"relation": "owner",
"object": "tenant001"
}'
{"message":"Role granted successfully","result":"granted"}

LENOVO@Mahadevaprasad MINGW64 ~/OneDrive/Desktop/repository/kratos-selfservice-ui-node (master)
$ curl -X POST http://localhost:4000/admin/tenants/roles/check \
-H "Authorization: Bearer $(cat token.txt)" \
-H "Content-Type: application/json" \
-d '{
"subject_id": "testuser@example.com",
"relation": "owner",
"object": "tenant001"
}'
{"allowed":true}

LENOVO@Mahadevaprasad MINGW64 ~/OneDrive/Desktop/repository/kratos-selfservice-ui-node (master)
$ curl -X POST http://localhost:4000/admin/tenants/roles/revoke \
-H "Authorization: Bearer $(cat token.txt)" \
-H "Content-Type: application/json" \
-d '{
"subject_id": "testuser@example.com",
"relation": "owner",
"object": "tenant001"
}'
{"message":"Role revoked successfully","result":"revoked"}

LENOVO@Mahadevaprasad MINGW64 ~/OneDrive/Desktop/repository/kratos-selfservice-ui-node (master)
$ curl -X POST http://localhost:4000/admin/tenants/onboard \
-H "Authorization: Bearer $(cat token.txt)" \
-H "Content-Type: application/json" \
-d '{
"email": "rollback-test@example.com",
"tenant_id": "tenant999",
"roles": ["owner", "invalid_role"]
}'
{"error":"Role grant failed. Rolled back."}

LENOVO@Mahadevaprasad MINGW64 ~/OneDrive/Desktop/repository/kratos-selfservice-ui-node (master)
$
```
You've successfully built and validated a flow that:

- Detects existing identities via Kratos
- Merges roles and tenant_id traits safely
- Updates or creates identities accordingly
- Grants roles via Keto with rollback on failure
- Logs all actions for auditability
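The feature table and the summary above describe one procedure: find or create the Kratos identity, merge the `roles` and `tenant_id` traits instead of overwriting them, grant each role in Keto, undo everything if a grant fails, and write an audit entry. The following is an added example, not code from the kratos-selfservice-ui-node repository or from Ory: it models that procedure end to end with in-memory stand-ins. `KratosClient`, `KetoClient`, `FakeKratos`, `FakeKeto`, `onboardTenant`, `runScenario` and every field in `AuditEntry` are assumptions made for the example; the real Ory admin APIs are asynchronous HTTP calls, which the synchronous fakes here replace so the flow runs offline. The sample e-mails, tenant ids, roles and caller details are constructed, chosen to mirror the curl session above.

```typescript
// Added example (not the project's code): the onboarding flow as a pure function
// over two assumed client interfaces, plus in-memory fakes so it runs offline.
type Traits = { email: string; tenant_id: string; roles: string[] };
type Identity = { id: string; traits: Traits };

interface KratosClient {               // assumed: stands in for the Kratos admin API
  findByEmail(email: string): Identity | undefined;
  create(traits: Traits): Identity;    // real Kratos answers 409 Conflict on a duplicate
  update(id: string, traits: Traits): Identity;
  delete(id: string): void;
}
interface KetoClient {                 // assumed: stands in for Keto's write API
  grant(subject: string, relation: string, object: string): void;
  revoke(subject: string, relation: string, object: string): void;
}
export type AuditEntry = {             // actor, subject, tenant and IP, as the feature table lists
  action: "onboard"; actor: string; subject: string; tenant: string; ip: string;
  outcome: "created" | "updated" | "rolled_back";
};
export type OnboardRequest = { email: string; tenant_id: string; roles: string[] };
export type Caller = { actor: string; ip: string };

const copyTraits = (t: Traits): Traits => ({ email: t.email, tenant_id: t.tenant_id, roles: [...t.roles] });
// De-duplicated union, so re-onboarding the same user never duplicates a role.
function union(a: string[], b: string[]): string[] {
  const out: string[] = [];
  for (const r of [...a, ...b]) if (out.indexOf(r) === -1) out.push(r);
  return out;
}

export function onboardTenant(kratos: KratosClient, keto: KetoClient, audit: AuditEntry[],
                              req: OnboardRequest, caller: Caller): { identity: Identity; created: boolean } {
  const existing = kratos.findByEmail(req.email);
  const previous = existing ? copyTraits(existing.traits) : undefined;   // snapshot for rollback
  const traits: Traits = { email: req.email, tenant_id: req.tenant_id,
                           roles: union(existing ? existing.traits.roles : [], req.roles) };
  const identity = existing ? kratos.update(existing.id, traits) : kratos.create(traits);
  const log = (outcome: AuditEntry["outcome"]): void => {
    audit.push({ action: "onboard", actor: caller.actor, subject: req.email, tenant: req.tenant_id, ip: caller.ip, outcome });
  };
  const granted: string[] = [];
  try {
    for (const role of req.roles) {
      keto.grant(req.email, role, req.tenant_id);   // subject is the email, as in the /roles/grant call
      granted.push(role);
    }
  } catch {
    // Compensating actions: drop the tuples that did succeed, then restore or delete the identity.
    for (const role of granted.reverse()) keto.revoke(req.email, role, req.tenant_id);
    if (existing && previous) kratos.update(existing.id, previous); else kratos.delete(identity.id);
    log("rolled_back");
    throw new Error("Role grant failed. Rolled back.");
  }
  log(existing ? "updated" : "created");
  return { identity, created: !existing };
}

export class FakeKratos implements KratosClient {   // assumed in-memory stand-in
  private identities: Identity[] = [];
  private seq = 0;
  findByEmail(email: string): Identity | undefined { return this.identities.filter((i) => i.traits.email === email)[0]; }
  create(traits: Traits): Identity {
    if (this.findByEmail(traits.email)) throw new Error("409 Conflict: identity already exists");
    const identity: Identity = { id: "id-" + (++this.seq), traits: copyTraits(traits) };
    this.identities.push(identity);
    return identity;
  }
  update(id: string, traits: Traits): Identity {
    const identity: Identity = { id, traits: copyTraits(traits) };
    this.identities = this.identities.map((i) => (i.id === id ? identity : i));
    return identity;
  }
  delete(id: string): void { this.identities = this.identities.filter((i) => i.id !== id); }
}

export class FakeKeto implements KetoClient {       // assumed in-memory stand-in; rejects unknown relations
  private tuples: string[] = [];
  constructor(private knownRelations: string[]) {}
  private key(s: string, r: string, o: string): string { return o + "#" + r + "@" + s; }
  grant(s: string, r: string, o: string): void {
    if (this.knownRelations.indexOf(r) === -1) throw new Error("unknown relation: " + r);
    if (!this.check(s, r, o)) this.tuples.push(this.key(s, r, o));
  }
  revoke(s: string, r: string, o: string): void { const k = this.key(s, r, o); this.tuples = this.tuples.filter((t) => t !== k); }
  check(s: string, r: string, o: string): boolean { return this.tuples.indexOf(this.key(s, r, o)) !== -1; }
  count(): number { return this.tuples.length; }
}

// Constructed scenario: first onboarding, idempotent re-onboarding with an extra role, then a failing grant.
export function runScenario() {
  const kratos = new FakeKratos(), keto = new FakeKeto(["owner", "member"]), audit: AuditEntry[] = [];
  const caller: Caller = { actor: "admin@example.com", ip: "127.0.0.1" };
  const first = onboardTenant(kratos, keto, audit, { email: "testuser@example.com", tenant_id: "tenant001", roles: ["owner"] }, caller);
  const again = onboardTenant(kratos, keto, audit, { email: "testuser@example.com", tenant_id: "tenant001", roles: ["owner", "member"] }, caller);
  let rollbackMessage = "";
  try {
    onboardTenant(kratos, keto, audit, { email: "rollback-test@example.com", tenant_id: "tenant999", roles: ["owner", "invalid_role"] }, caller);
  } catch (e) { rollbackMessage = (e as Error).message; }
  return { first, again, rollbackMessage, kratos, keto, audit };
}
```

The rollback branch is the part worth copying: the snapshot of the previous traits is taken before the update, the revokes run in reverse grant order, and the audit entry is written before the error is rethrown, so a half-applied onboarding leaves neither a stray identity nor a stray tuple and is still visible in the log.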
src/lib/db/transactions.ts
src/tests/manualTenantTest.ts

- Implemented createTenantRow() in transactions.ts using Prisma transaction and UUID generation
- Added manualTenantTest.ts to test tenant creation with name and subdomain
- Verified successful insertion into scansure database
- Prisma client and schema are in sync
- Integrated createTenantRow() into Express via /admin/onboard POST route
- Verified tenant creation via curl with UUID response
- Added audit logging using pino to capture onboarding events
- Confirmed route is mounted correctly and server runs on port 4000
Task Details

- Created createTenantRow() function to onboard tenants with:
  - Unique tenantId using crypto.randomUUID()
  - Dynamic email generation from subdomain
  - Role assignment (owner)
- Integrated Kratos Admin API to:
  - Create identity with traits: email, tenant_id, roles
  - Return and store identity.id in the tenant row
- Used Prisma $transaction to ensure atomic creation of tenant and identity link
- Validated flow with curl and Prisma Studio
  - Confirmed identity creation
  - Confirmed identityId stored in DB
- Handled duplicate identity errors (409 Conflict)
  - Added logic to avoid re-creating existing identities
Vault Setup

- Installed Vault CLI (vault.exe) and verified installation
- Started local Vault dev server (vault server -dev)
- Set VAULT_ADDR to http://127.0.0.1:8200

Policy & Role Configuration

- Created and uploaded scansure-app-policy.hcl with read access to Kratos and Keto admin tokens
- Prepared Vault Kubernetes role (scansure-role) for service account binding (pending execution)

Secrets Management

- Verified path to store Kratos/Keto admin tokens in Vault KV v2
- Drafted SecretProviderClass manifest for CSI secret injection

Infrastructure Validation

- Confirmed Vault CLI works in Command Prompt
- Diagnosed and resolved Git Bash path and connectivity issues
- Verified Vault server is unsealed and ready for API interaction
| Component | Status | Notes |
|---|---|---|
| Kratos Admin Token | ✅ Verified | You listed identities using kratos-admin-token-123 |
| Keto Write Token | ✅ Verified | You created a relation tuple using keto-write-token-123 |
| Keto Read Token | ✅ Verified | You queried and confirmed the tuple exists |
- Vault deployed & unsealed: ✅ Completed
- Secrets created in Vault: ✅ Completed
- Kubernetes auth configured: ✅ Completed
- Vault policy & role created: ✅ Completed
- SecretProviderClass defined: ✅ Completed
- Pod deployed with CSI mount: ✅ Completed
- Secrets verified in pod: ✅ Confirmed
…ict, validated Vault CSI injection