To support multi-tenancy with DB based identity management. Assumes t… #5110

Closed
wants to merge 6 commits into from

Conversation


@kzwct kzwct commented Jun 28, 2025

Assumes that all login names are "username@tenant_id". Modifies 3 methods of db_identitymanager - create_user, delete_user, and get_users to get multi-tenancy. SINGLE_TENANT_UUID provisioned at deployment is made a "super" tenant to get/create/delete users from any tenant when admin users from other tenants can do it for their own tenant only. NOTE: don't forget to set KEEP_DEFAULT_USERNAME=keep@keep


vercel bot commented Jun 28, 2025

@kzilberb is attempting to deploy a commit to the KeepHQ Team on Vercel.

A member of the Team first needs to authorize it.

@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Jun 28, 2025

CLAassistant commented Jun 28, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ kzilberb
❌ kzwct

No linked issues found. Please add the corresponding issues in the pull request description.

github-actions bot commented Jun 28, 2025

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "To support multi-tenancy with DB based identity management. Assumes t…". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@dosubot dosubot bot added the Enhancement New feature or request label Jun 28, 2025

@shahargl shahargl left a comment

I would prefer to add a new env var (e.g. AUTH_TYPE=DB_MULTITENANT) so there will be a clear separation between single and multi tenant.

I guess I would also create a new identity manager (e.g. dbmt_identitymanager.py)

Last, update docs to include the new authentication type and how to use it

@@ -52,7 +53,7 @@ def signin(body: dict):
token = jwt.encode(
{
"email": user.username,
"tenant_id": SINGLE_TENANT_UUID,
"tenant_id": user.username.split('@')[1],
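Review bot: `user.username.split('@')[1]` in the new `tenant_id` claim raises IndexError for any login name without an '@', so such a user gets a 500 from /signin instead of a clean failure, and for a name with more than one '@' it takes the middle segment rather than the suffix. Resolve the tenant in one helper that validates the `username@tenant_id` form, e.g. `name, sep, tenant = user.username.rpartition('@')` with a fallback to `SINGLE_TENANT_UUID` only when `sep` is empty, and use the same helper for the `tenantId` in the response body so the JWT claim and the returned value cannot diverge.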

add _get_tenant_id that checks if the user is user@tenant and if not will default to SINGLE_TENANT_UUID


In my follow-up commit I am adding dbmt_identitymanager that will fail if the user name has an incorrect format. I restored dbmt_identitymanager to the original one and added defaulting to SINGLE_TENANT_UUID to db.py so it would support both identity managers.
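As an added illustration for this thread (not code from the PR or from Keep): one tenant-resolution helper of the kind suggested above, with the defaulting behaviour described for db.py and the strict behaviour described for dbmt side by side, plus the super-tenant scoping rule from the PR description applied to create/delete/list. The value of SINGLE_TENANT_UUID, the role name "admin" and all function names are assumptions.

```python
"""Tenant resolution and scoping for username@tenant_id login names.

Illustration added for this PR thread, not Keep's code. SINGLE_TENANT_UUID
and the super-tenant rule come from the thread; the value "keep", the role
name "admin" and the function names are assumptions.
"""
from __future__ import annotations

import re

SINGLE_TENANT_UUID = "keep"  # assumed value of the tenant provisioned at deployment

# exactly one '@', so "a@b@c" is rejected rather than silently mapped to tenant "b"
_LOGIN_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9._-]+$")


class TenantError(ValueError):
    """Login name does not have the username@tenant_id form."""


def get_tenant_id(username: str, strict: bool = False) -> str:
    """Return the tenant part of a login name.

    strict=False is the db.py behaviour described in the thread: a legacy name
    with no '@' defaults to SINGLE_TENANT_UUID.  strict=True is the dbmt
    behaviour: every name must be username@tenant_id.  A name that contains
    '@' but is malformed is rejected in both modes, so a crafted name never
    falls through to the deployment tenant.
    """
    if _LOGIN_RE.fullmatch(username):
        return username.rpartition("@")[2]
    if "@" not in username and not strict:
        return SINGLE_TENANT_UUID
    raise TenantError(f"login name {username!r} is not username@tenant_id")


def can_manage_tenant(actor_username: str, actor_role: str, target_tenant: str) -> bool:
    """Scoping rule from the PR description: admins of the super tenant
    (SINGLE_TENANT_UUID) may manage users of any tenant, admins of any other
    tenant only their own.  Non-admins manage nobody."""
    if actor_role != "admin":
        return False
    actor_tenant = get_tenant_id(actor_username)
    return actor_tenant == SINGLE_TENANT_UUID or actor_tenant == target_tenant


def visible_users(actor_username: str, actor_role: str, usernames: list[str]) -> list[str]:
    """get_users scoping: keep only the users the actor is allowed to manage."""
    return [u for u in usernames
            if can_manage_tenant(actor_username, actor_role, get_tenant_id(u))]
```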

@@ -87,8 +89,13 @@ def create_user(
) -> dict:
# Username is redundant, but we need it in other auth types
# Groups: for future use
tenant_id = user_email.split('@')[1]
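Review bot: `tenant_id = user_email.split('@')[1]` repeats the unchecked split: a `user_email` without '@' raises IndexError and the caller gets a 500 instead of a validation error, and the tenant is taken straight from a caller-supplied string with no check, in the visible lines of this hunk, that the requesting admin is in the super tenant (`SINGLE_TENANT_UUID`) or an admin of that same tenant. Validate the `username@tenant_id` form first and reject malformed input with a 4xx, then enforce the scoping rule stated in the PR description before inserting the user, using the same helper as signin, delete_user and get_users so the three methods cannot drift apart.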

see comment above

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Jun 29, 2025

@cursor cursor bot left a comment


Bug: JWT Payload Mismatch in Sign-In Response

The /signin endpoint's response incorrectly swaps the tenantId and email fields. tenantId is set to the full username (user.username) and email is set to the tenant ID (self._get_tenant_id(user.username)), which is inconsistent with the JWT payload and provides incorrect user/tenant information.

keep/identitymanager/identity_managers/dbmt/dbmt_identitymanager.py#L68-L74

    # return the token
    return {
        "accessToken": token,
        "tenantId": user.username,
        "email": self._get_tenant_id(user.username),
        "role": user.role,
    }


@shahargl shahargl closed this Jul 16, 2025

@kzilberb Closing. Let me know if you wanna merge it and re-open.
