The Tenant Culling filter is used on resources that need further specific tenant id information. The filter looks at all the tenants that Keystone returns for a user to creates and populates a list of them based on the specific roles that were used to grant access to the resource.

General filter information

  • Name: tenant-culling

  • Default Configuration: No configuration

  • Released: v8.7.0.0

  • Bundle: repose-filter-bundle

  • No Configuration Schema

Prerequisites & Postconditions

Required Request Headers

  • X-Map-Roles - Identifies the tenant-to-role mapping for all of the user’s tenants and roles. This header is a base 64 encoded JSON map of strings to array of strings (e.g., the base 64 encoding of {"someTenant": ["someRole", "sharedRole"], "otherTenant": ["otherRole", "sharedRole"]}). Roles without a tenant association will be mapped to the repose/domain/roles key (e.g., {"repose/domain/roles": ["tenantlessRole"]}).

  • X-Relevant-Roles - The roles this user was granted access based on.

Required Preceding Filters

The following filters are used to populate the Required Request Headers:

Request Headers Created

  • X-Tenant-Id - The tenants that match the roles this request was authorized with.

  • X-Map-Roles - The mapping will be updated to only contain those tenants that have a role that matched against relevant roles.

These headers prior values will be overwritten where existent.

Request Body Changes

This filter does not modify the request body.

This filter is not strictly required by any other filters.

Response Body Changes

This filter does not modify the response body.

Response Headers Created

Changes to response headers vary based on configuration.

Response Status Codes

Response Code Reason


X-Map-Roles is missing, can’t be decoded, or is a malformed JSON object.