Skip to content

tenants

Tenant dataclass

Represents a single tenant in the multi-tenant deployment.

Attributes:

Name Type Description
tenant_id str

Unique string identifier for the tenant (slug).
display_name str

Human-readable name.
status TenantStatus

Current lifecycle state.
label_studio_org_id int | None

Label Studio organisation ID (per-tenant).
named_graph_prefix str

Base IRI prefix for this tenant's named graphs.
Source code in src/riverbank/tenants/__init__.py 
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
@dataclass
class Tenant:
    """Represents a single tenant in the multi-tenant deployment.

    Attributes:
        tenant_id:   Unique string identifier for the tenant (slug).
        display_name: Human-readable name.
        status:      Current lifecycle state.
        label_studio_org_id: Label Studio organisation ID (per-tenant).
        named_graph_prefix: Base IRI prefix for this tenant's named graphs.
    """

    tenant_id: str
    display_name: str = ""
    status: TenantStatus = TenantStatus.ACTIVE
    label_studio_org_id: int | None = None
    named_graph_prefix: str = ""

    def __post_init__(self) -> None:
        if not self.named_graph_prefix:
            self.named_graph_prefix = f"http://riverbank.example/tenant/{self.tenant_id}/graph/"

TenantStatus

Bases: str, Enum

Lifecycle state of a tenant.

Source code in src/riverbank/tenants/__init__.py 
30
31
32
33
34
35
class TenantStatus(str, Enum):
    """Lifecycle state of a tenant."""

    ACTIVE = "active"
    SUSPENDED = "suspended"
    DELETED = "deleted"

activate_rls_for_all_tables(conn)

Enable RLS and create tenant-isolation policies on all catalog tables.

Returns a dict mapping table_name -> success.

Source code in src/riverbank/tenants/__init__.py 
127
128
129
130
131
132
133
134
135
136
137
def activate_rls_for_all_tables(conn: Any) -> dict[str, bool]:
    """Enable RLS and create tenant-isolation policies on all catalog tables.

    Returns a dict mapping ``table_name -> success``.
    """
    results: dict[str, bool] = {}
    for table in _RLS_TABLES:
        enabled = enable_rls(conn, table)
        policy_ok = create_rls_policy(conn, table) if enabled else False
        results[table] = enabled and policy_ok
    return results

assign_label_studio_org(conn, tenant_id, org_id)

Associate a Label Studio organisation ID with a tenant.

Each tenant has exactly one Label Studio organisation; reviewer assignments respect tenant boundaries.

Source code in src/riverbank/tenants/__init__.py 
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
def assign_label_studio_org(conn: Any, tenant_id: str, org_id: int) -> bool:
    """Associate a Label Studio organisation ID with a tenant.

    Each tenant has exactly one Label Studio organisation; reviewer
    assignments respect tenant boundaries.
    """
    try:
        conn.execute(
            "UPDATE _riverbank.tenants SET label_studio_org_id = %s, updated_at = now() "
            "WHERE tenant_id = %s",
            (org_id, tenant_id),
        )
        logger.info("Tenant %s assigned Label Studio org %d", tenant_id, org_id)
        return True
    except Exception as exc:  # noqa: BLE001
        logger.warning("Could not assign LS org to tenant %s: %s", tenant_id, exc)
        return False

clear_current_tenant(conn)

Clear the current tenant GUC (reset to superuser / no tenant scope).

Source code in src/riverbank/tenants/__init__.py 
152
153
154
def clear_current_tenant(conn: Any) -> None:
    """Clear the current tenant GUC (reset to superuser / no tenant scope)."""
    conn.execute("RESET app.current_tenant_id")

create_rls_policy(conn, table)

Create the tenant isolation RLS policy for a table.

The policy allows rows where tenant_id matches the session-local app.current_tenant_id GUC, or where tenant_id IS NULL (system rows that pre-date multi-tenancy).

Policy name: riverbank_tenant_isolation.

Source code in src/riverbank/tenants/__init__.py 
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
def create_rls_policy(conn: Any, table: str) -> bool:
    """Create the tenant isolation RLS policy for a table.

    The policy allows rows where ``tenant_id`` matches the session-local
    ``app.current_tenant_id`` GUC, or where ``tenant_id`` IS NULL (system
    rows that pre-date multi-tenancy).

    Policy name: ``riverbank_tenant_isolation``.
    """
    policy_name = "riverbank_tenant_isolation"
    try:
        # Drop existing policy first (idempotent)
        conn.execute(
            f"DROP POLICY IF EXISTS {policy_name} ON _riverbank.{table}"
        )
        conn.execute(
            f"""
            CREATE POLICY {policy_name}
            ON _riverbank.{table}
            USING (
                tenant_id IS NULL
                OR tenant_id = current_setting('app.current_tenant_id', TRUE)
            )
            """
        )
        logger.info("RLS policy created on _riverbank.%s", table)
        return True
    except Exception as exc:  # noqa: BLE001
        logger.warning("Could not create RLS policy on _riverbank.%s: %s", table, exc)
        return False

create_tenant(conn, tenant)

Persist a new tenant record in _riverbank.tenants.

Creates the _riverbank.tenants table if it does not yet exist, then inserts the tenant row. Returns True on success.

Source code in src/riverbank/tenants/__init__.py 
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
def create_tenant(
    conn: Any,
    tenant: Tenant,
) -> bool:
    """Persist a new tenant record in ``_riverbank.tenants``.

    Creates the ``_riverbank.tenants`` table if it does not yet exist, then
    inserts the tenant row.  Returns ``True`` on success.
    """
    try:
        conn.execute(
            """
            CREATE TABLE IF NOT EXISTS _riverbank.tenants (
                id           SERIAL PRIMARY KEY,
                tenant_id    TEXT UNIQUE NOT NULL,
                display_name TEXT NOT NULL DEFAULT '',
                status       TEXT NOT NULL DEFAULT 'active',
                label_studio_org_id INTEGER,
                named_graph_prefix  TEXT NOT NULL DEFAULT '',
                created_at   TIMESTAMPTZ NOT NULL DEFAULT now(),
                updated_at   TIMESTAMPTZ NOT NULL DEFAULT now()
            )
            """
        )
        conn.execute(
            """
            INSERT INTO _riverbank.tenants
                (tenant_id, display_name, status, label_studio_org_id, named_graph_prefix)
            VALUES (%s, %s, %s, %s, %s)
            ON CONFLICT (tenant_id) DO UPDATE
              SET display_name = EXCLUDED.display_name,
                  status       = EXCLUDED.status,
                  updated_at   = now()
            """,
            (
                tenant.tenant_id,
                tenant.display_name,
                tenant.status.value,
                tenant.label_studio_org_id,
                tenant.named_graph_prefix,
            ),
        )
        logger.info("Tenant created/updated: %s", tenant.tenant_id)
        return True
    except Exception as exc:  # noqa: BLE001
        logger.error("Failed to create tenant %s: %s", tenant.tenant_id, exc)
        return False

delete_tenant(conn, tenant_id, gdpr_erasure=False)

Delete a tenant and optionally erase all tenant-scoped data (GDPR).

When gdpr_erasure=True this deletes all rows in the catalog tables where tenant_id matches before removing the tenant record. The audit log rows are also removed (GDPR erasure overrides append-only).

When gdpr_erasure=False the tenant record is marked as deleted and data rows are retained for archival.

Source code in src/riverbank/tenants/__init__.py 
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
def delete_tenant(conn: Any, tenant_id: str, gdpr_erasure: bool = False) -> bool:
    """Delete a tenant and optionally erase all tenant-scoped data (GDPR).

    When ``gdpr_erasure=True`` this deletes all rows in the catalog tables
    where ``tenant_id`` matches *before* removing the tenant record.  The
    audit log rows are also removed (GDPR erasure overrides append-only).

    When ``gdpr_erasure=False`` the tenant record is marked as ``deleted``
    and data rows are retained for archival.
    """
    try:
        if gdpr_erasure:
            for table in _RLS_TABLES:
                conn.execute(
                    f"DELETE FROM _riverbank.{table} WHERE tenant_id = %s",
                    (tenant_id,),
                )
            conn.execute(
                "DELETE FROM _riverbank.tenants WHERE tenant_id = %s",
                (tenant_id,),
            )
            logger.info("Tenant GDPR-erased: %s", tenant_id)
        else:
            conn.execute(
                "UPDATE _riverbank.tenants SET status = 'deleted', updated_at = now() "
                "WHERE tenant_id = %s",
                (tenant_id,),
            )
            logger.info("Tenant soft-deleted: %s", tenant_id)
        return True
    except Exception as exc:  # noqa: BLE001
        logger.warning("Could not delete tenant %s: %s", tenant_id, exc)
        return False

enable_rls(conn, table)

Enable Row-Level Security on a single _riverbank table.

Idempotent — safe to call when RLS is already enabled. Returns True on success, False when the table does not exist or the operation fails.

Source code in src/riverbank/tenants/__init__.py 
79
80
81
82
83
84
85
86
87
88
89
90
91
92
def enable_rls(conn: Any, table: str) -> bool:
    """Enable Row-Level Security on a single ``_riverbank`` table.

    Idempotent — safe to call when RLS is already enabled.
    Returns ``True`` on success, ``False`` when the table does not exist or the
    operation fails.
    """
    try:
        conn.execute(f"ALTER TABLE _riverbank.{table} ENABLE ROW LEVEL SECURITY")
        logger.info("RLS enabled on _riverbank.%s", table)
        return True
    except Exception as exc:  # noqa: BLE001
        logger.warning("Could not enable RLS on _riverbank.%s: %s", table, exc)
        return False

list_tenants(conn)

Return all tenants from _riverbank.tenants.

Returns an empty list when the table does not exist (pre-migration state).

Source code in src/riverbank/tenants/__init__.py 
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
def list_tenants(conn: Any) -> list[Tenant]:
    """Return all tenants from ``_riverbank.tenants``.

    Returns an empty list when the table does not exist (pre-migration state).
    """
    try:
        rows = conn.execute(
            "SELECT tenant_id, display_name, status, label_studio_org_id, "
            "       named_graph_prefix "
            "FROM _riverbank.tenants ORDER BY tenant_id"
        ).fetchall()
        return [
            Tenant(
                tenant_id=r[0],
                display_name=r[1] or "",
                status=TenantStatus(r[2]),
                label_studio_org_id=r[3],
                named_graph_prefix=r[4] or "",
            )
            for r in rows
        ]
    except Exception as exc:  # noqa: BLE001
        logger.warning("Could not list tenants: %s", exc)
        return []

set_current_tenant(conn, tenant_id)

Set the app.current_tenant_id session GUC for the current connection.

All RLS policies use this setting to filter rows to the active tenant. Call this at the start of every tenant-scoped database session.

Source code in src/riverbank/tenants/__init__.py 
140
141
142
143
144
145
146
147
148
149
def set_current_tenant(conn: Any, tenant_id: str) -> None:
    """Set the ``app.current_tenant_id`` session GUC for the current connection.

    All RLS policies use this setting to filter rows to the active tenant.
    Call this at the start of every tenant-scoped database session.
    """
    # Sanitise: tenant_id must be alphanumeric/hyphen/underscore
    if not all(c.isalnum() or c in ("-", "_") for c in tenant_id):
        raise ValueError(f"Invalid tenant_id: {tenant_id!r}")
    conn.execute(f"SET app.current_tenant_id = '{tenant_id}'")

suspend_tenant(conn, tenant_id)

Mark a tenant as suspended (all RLS-gated operations will fail).

Source code in src/riverbank/tenants/__init__.py 
210
211
212
213
214
215
216
217
218
219
220
221
222
def suspend_tenant(conn: Any, tenant_id: str) -> bool:
    """Mark a tenant as suspended (all RLS-gated operations will fail)."""
    try:
        conn.execute(
            "UPDATE _riverbank.tenants SET status = 'suspended', updated_at = now() "
            "WHERE tenant_id = %s",
            (tenant_id,),
        )
        logger.info("Tenant suspended: %s", tenant_id)
        return True
    except Exception as exc:  # noqa: BLE001
        logger.warning("Could not suspend tenant %s: %s", tenant_id, exc)
        return False