1
0
forked from baron/baron-sso

fix: improve keto sync reliability and initial rebac permissions for super admin

This commit is contained in:
2026-04-06 10:10:27 +09:00
parent bd296f9425
commit 583755c189
11 changed files with 254 additions and 81 deletions

View File

@@ -120,6 +120,15 @@ func (s *tenantService) RegisterTenant(ctx context.Context, name, slug, tenantTy
// [Keto] Sync hierarchy and ownership via Outbox
if s.outboxRepo != nil {
// Global Super Admin access to every tenant
_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
Namespace: "Tenant",
Object: tenant.ID,
Relation: "admins",
Subject: "System:global#super_admins",
Action: domain.KetoOutboxActionCreate,
})
// Sync hierarchy
if tenant.ParentID != nil {
if err := s.outboxRepo.Create(ctx, &domain.KetoOutbox{
@@ -198,6 +207,17 @@ func (s *tenantService) RequestRegistration(ctx context.Context, name, slug, des
return nil, err
}
// [Keto] Global Super Admin access to every tenant (even pending ones)
if s.outboxRepo != nil {
_ = s.outboxRepo.Create(ctx, &domain.KetoOutbox{
Namespace: "Tenant",
Object: tenant.ID,
Relation: "admins",
Subject: "System:global#super_admins",
Action: domain.KetoOutboxActionCreate,
})
}
// Add Domain as unverified
if err := s.repo.AddDomain(ctx, tenant.ID, domainName, false); err != nil {
return nil, err