Skip to content

Support camunda.security.multi-tenancy.checks-enabled (kebab-case) #36863

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 18, 2025
Merged

Support camunda.security.multi-tenancy.checks-enabled (kebab-case) #36863

merged 4 commits into from
Aug 18, 2025

Conversation

korthout
Copy link
Member

@korthout korthout commented Aug 15, 2025
edited
Loading

Description

This PR adds support for configuring the multi-tenancy checks using kebab-case:

  • camunda.security.multi-tenancy.checks-enabled

This comes in addition to the already supported camelCase style:

  • camunda.security.multiTenancy.checksEnabled

It achieves this by depending on the SecurityConfiguration which correctly handle the different cases.

The PR adds test cases to show that the tenant provider can be configured using either of these properties.

Note

This PR does not add anything to discourage the conflicting configuration using a combination of both styles, e.g.:

camunda.security.multi-tenancy.checks-enabled=true
camunda.security.multiTenancy.checksEnabled=false

Checklist

Related issues

closes #36597

@korthout
test: show that security config support kebab-case
99d30dd 
These four test cases show that the multi-tenancy checks can be enabled
and disabled using both camelCase and kebab-case style of the
properties:
- camunda.security.multiTenancy.checksEnabled
- camunda.security.multi-tenancy.checks-enabled
@github-actions github-actions bot added component/zeebe Related to the Zeebe component/team component/operate Related to the Operate component/team component/tasklist Related to the Tasklist component/team component/optimize Related to Optimize component/team labels Aug 15, 2025
@korthout korthout force-pushed the korthout-36597-multi-tenancy-checks-enabled-kebab branch from ec3306c to 07ca837 Compare August 15, 2025 14:28
@korthout korthout mentioned this pull request Aug 15, 2025
Closed
@korthout korthout marked this pull request as ready for review August 15, 2025 14:36
@korthout korthout requested review from ana-vinogradova-camunda and removed request for ana-vinogradova-camunda August 15, 2025 14:36
@korthout korthout marked this pull request as draft August 15, 2025 14:41
@korthout korthout force-pushed the korthout-36597-multi-tenancy-checks-enabled-kebab branch from 07ca837 to 0334c69 Compare August 15, 2025 14:52
@korthout
test: configure tenant access case insensitive
dc112f4 
These tests verify that the resource access controller has tenant access
or not through the multi tenancy checks enabled property. As this
property can be configured both using camelCase and kebab-case, we can
verify the 4 combinations.

Note that enabling it using kebab-case currently fails, we'll fix this
in a following commit.
@korthout
fix: support multi-tenancy.checks-enabled config
14ff45f 
The property was only checked using multiTenancy specifically, which
meant that the kebab-case style (multi-tenancy.checks-enabled) was
ignored completely.

We can easily resolve this by dynamically providing the bean using the
SecurityConfiguration which correctly determines the config option
regardless of camelCase or kebab-case because it's based on spring's own
property loading.
@korthout
refactor: use security config for resource access
aaacddc 
Applies the same mechanism to the ResourceAccessProvider as used to
configure the TenantAccessProvider.

This ensures that the full spring configuration is used rather than
relying on specific casing for the property.
@korthout korthout force-pushed the korthout-36597-multi-tenancy-checks-enabled-kebab branch from 0334c69 to aaacddc Compare August 15, 2025 15:11
@korthout korthout marked this pull request as ready for review August 15, 2025 16:49
ana-vinogradova-camunda
ana-vinogradova-camunda approved these changes Aug 18, 2025
View reviewed changes
Copy link
Contributor

@ana-vinogradova-camunda ana-vinogradova-camunda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@korthout changes look good to me, I really like testing here ⭐

It is a bit unclear what would happen if both styles are used at the same time (as per note in the PR description)?

@korthout
Copy link
Member Author

korthout commented Aug 18, 2025
edited
Loading

It is a bit unclear what would happen if both styles are used at the same time (as per note in the PR description)?

I had another look at this, and it's not an actual problem. Spring normalizes property names so both multiTenancy.checksEnabled and multi-tenancy.checks-enabled are mapped to the same Java field. However, if both are defined in the same source (e.g., in application.yaml), the last one wins—the one closest to the end of the file takes precedence under YAML parsing rules, as Spring parses them in order in the file. However, if they are defined in different sources, then Spring Boot applies its standard precedence order for configuration sources, i.e. profile-specific.yaml > application.yaml

@korthout korthout added this pull request to the merge queue Aug 18, 2025
Merged via the queue into main with commit dca02d0 Aug 18, 2025
103 of 104 checks passed
@korthout korthout deleted the korthout-36597-multi-tenancy-checks-enabled-kebab branch August 18, 2025 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ana-vinogradova-camunda ana-vinogradova-camunda ana-vinogradova-camunda approved these changes

Assignees
No one assigned
Labels
component/operate Related to the Operate component/team component/optimize Related to Optimize component/team component/tasklist Related to the Tasklist component/team component/zeebe Related to the Zeebe component/team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Operate/Tasklist API doesn't apply tenancy checks when configuring tenancy properties using kebab case
2 participants
@korthout @ana-vinogradova-camunda