Closed
Problem
The step.authz_check step currently only supports the 3-tuple Casbin request (sub, obj, act). Multi-tenant applications need to include a tenant dimension in authorization decisions, requiring a 4+ tuple request like (sub, tenant, obj, act).
Proposed Solution
Add an extra_fields config to step.authz_check that allows specifying additional request parameters. Each field can be a static value or a Go template:
    - type: step.authz_check
      config:
        module: authz
        subject_key: auth_user_id
        object: /v1/follow-ups
        action: "{{.request_method}}"
        extra_fields:
          - key: tenant
            value: "{{.steps.auth.affiliate_id}}"

The Enforce call would then pass (sub, tenant, obj, act) to match a 4-tuple policy definition.
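The rendering and enforcement the proposal describes, written out in Go as an added example (it is not code from the Chimera project or from Casbin): a hypothetical AuthzCheckConfig mirrors the YAML above, each extra field is rendered with text/template against a step context, and an exact-match Enforce stands in for casbin's Enforcer.Enforce. The request order (sub, extra fields in declared order, obj, act), resolving the subject as the context entry named by subject_key, and the context shape (auth_user_id, request_method, steps.auth.affiliate_id) are assumptions of this example; the policy table and the names user-42 and affiliate-a are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

type ExtraField struct{ Key, Value string } // one proposed extra_fields entry: literal or Go template

// AuthzCheckConfig is a hypothetical Go shape for the proposed step.authz_check config.
type AuthzCheckConfig struct {
	SubjectKey, Object, Action string
	ExtraFields                []ExtraField
}

// render expands a value against the step context; missingkey=error makes an
// unresolvable template (no affiliate_id from auth, say) fail instead of yielding "".
func render(value string, ctx map[string]interface{}) (string, error) {
	t, err := template.New("field").Option("missingkey=error").Parse(value)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// BuildRequest assembles the request in the order the issue proposes:
// (sub, <extra fields in declared order>, obj, act). Resolving the subject as
// the context entry named by subject_key is an assumption of this example.
func BuildRequest(cfg AuthzCheckConfig, ctx map[string]interface{}) ([]string, error) {
	tmpls := []string{"{{." + cfg.SubjectKey + "}}"}
	for _, f := range cfg.ExtraFields {
		tmpls = append(tmpls, f.Value)
	}
	var req []string
	for _, tmpl := range append(tmpls, cfg.Object, cfg.Action) {
		v, err := render(tmpl, ctx)
		if err != nil {
			return nil, fmt.Errorf("rendering %q: %w", tmpl, err)
		}
		req = append(req, v)
	}
	return req, nil
}

// Enforce stands in for casbin's Enforcer.Enforce with an exact-match matcher: a
// policy line must equal the request at every position, so a grant scoped to one
// tenant can never satisfy another tenant's request.
func Enforce(req []string, policies [][]string) bool {
next:
	for _, p := range policies {
		if len(p) != len(req) {
			continue
		}
		for i := range p {
			if p[i] != req[i] {
				continue next
			}
		}
		return true
	}
	return false
}

// IssueConfig is the YAML from the issue expressed as a Go value.
var IssueConfig = AuthzCheckConfig{
	SubjectKey:  "auth_user_id",
	Object:      "/v1/follow-ups",
	Action:      "{{.request_method}}",
	ExtraFields: []ExtraField{{Key: "tenant", Value: "{{.steps.auth.affiliate_id}}"}},
}

// StepContext is a constructed step context in the shape the templates assume;
// an empty affiliate leaves affiliate_id out, as a failed auth step might.
func StepContext(userID, affiliate, method string) map[string]interface{} {
	auth := map[string]interface{}{}
	if affiliate != "" {
		auth["affiliate_id"] = affiliate
	}
	return map[string]interface{}{"auth_user_id": userID, "request_method": method,
		"steps": map[string]interface{}{"auth": auth}}
}

// Decide runs the whole step against a constructed 4-tuple policy table in which
// user-42 may GET follow-ups only within affiliate-a.
func Decide(userID, affiliate, method string) (bool, error) {
	req, err := BuildRequest(IssueConfig, StepContext(userID, affiliate, method))
	if err != nil {
		return false, err
	}
	return Enforce(req, [][]string{{"user-42", "affiliate-a", "/v1/follow-ups", "GET"}}), nil
}

func main() {
	fmt.Println(Decide("user-42", "affiliate-b", "GET")) // false <nil>: same user, other tenant
}
```

Two points worth keeping when this is wired to real Casbin: the model's request_definition has to grow in step with the config (`r = sub, tenant, obj, act`), or Enforce receives more arguments than the matcher expects; and a template that cannot be resolved (the auth step produced no affiliate_id) should make the step fail rather than render an empty tenant, which is what missingkey=error gives here. Without that, an empty string could match an over-broad policy line.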
Use Case
Crisis Text Line's Chimera platform uses database.partitioned for per-tenant data isolation and needs per-tenant authorization policies. Different affiliates may have different role definitions and resource permissions.
Alternatives Considered
- Encoding tenant in the object path (tenant:/path) — works but is a hack
- Multiple module instances per tenant — does not scale dynamically