This recipe shows you how to configure your filters to support rest resources that contain multiple tenants in the uri all of which need authorization applied to them.

For the remainder of this recipe we are going to assume that you are trying to secure this resource: /a_tenant/do/something/on/another_tenant.

Derive Tenants

The first thing to do is to use the URL Extractor to Header filter to pull out both tenants we care about into a common header.

<url-extractor-to-header xmlns="">
    <extraction header="Requested-Tenant-Id" url-regex="/(\d*)/.*"> (1)

    <extraction header="Requested-Tenant-Id" url-regex=".*/do/something/on/(\d*)"/> (2)
1 This regex will grab the first tenant with the assumption that the tenant is used throughout your api.
2 This regex is specifically grabbing the second tenant that we want to authorize on.

Configure Authentication

For authentication we need to configure a couple of options on Keystone v2 filter.

<?xml version="1.0" encoding="UTF-8"?>
<keystone-v2 xmlns="">
    <identity-service uri=""
        set-catalog-in-header="true"/> (1)
    <tenant-handling send-all-tenant-ids="true"/> (2)
1 If you want to do endpoint authorization you have to turn on this option.
2 This option ensures that all the tenants reported by keystone are added to the request for use in authorization.

Configure Tenant Authorization

For basic tenant and endpoint authorization we use Keystone v2 Authorization filter.

<?xml version="1.0" encoding="UTF-8"?>
<keystone-v2-authorization xmlns="">
            <header-extraction-name>Requested-Tenant-Id</header-extraction-name> (1)
    <require-service-endpoint (2)
1 The header that contains the tenants to verify. This has to match the name provided in the Url Extractor Header filter.
Every value found in this header has to be present among those returned by keystone.
2 The endpoint that you want to verify that the user has, note that this only works if you configure authentication to send the catalog.

Configure Role Based Access Control

To get per tenant based access control you need to configure the API Validator filter and the accompanying wadl.

<?xml version="1.1" encoding="UTF-8"?>
<validators multi-role-match="true" xmlns='' version="1">
    <validator role="default"
               enable-rax-roles="true" (1)
1 This enables the rax roles translation on the wadl.
<application xmlns="" xmlns:rax="">
    <resources base="">
        <resource path="/{tenant}/do/something/on/{secondtenant}"
                  rax:roles="a:admin/{tenant}"> (1)
            <param name="tenant" style="template"/>
            <param name="secondtenant" style="template"/>
            <method name="POST" rax:roles="a:creator/{secondtenant}"/> (2)
1 This indicates that for all calls on this resource the user must have the a:admin role on the first tenant.
2 This indicates that for POST requests to this resource the user must have the a:creator role on the second tenant.

You can find more info about configuring Role Based Access Control, here