Multi Tenant Architecture
Tenant Identity
Every tenant has:
- A UUID
tenant_id. - An isolation boundary: API path prefix, data partition prefix, RBAC principal set.
- Optional data-residency constraint (US, EU, AP, CUSTOMER_VPC).
API Surface
/v1/<tenant_id>/incidents
/v1/<tenant_id>/diagnostics/<id>
/v1/<tenant_id>/remediation/<id>/approve
/v1/<tenant_id>/audit
/v1/<tenant_id>/export
The first segment is extracted by middleware before the request reaches the handler. Missing or unparseable tenant id returns 400.
Data Partitioning
data/
├── tenant_<id_a>/
│ ├── metrics/
│ ├── logs/
│ ├── traces/
│ └── graph.ron
├── tenant_<id_b>/
│ └── ...
Per-tenant storage keys: <bucket>/<tenant_id>/<type>/....
Row-level filtering for cross-tenant analytics tables:
SELECT * FROM time_series
WHERE tenant_id = :tenant_id
AND time_unix_nano >= :since
Indexes: idx_ts_tenant and idx_ts_entity_tenant per table.
Rate Limits + Quotas
| Tier | RPS | Quota (events/day) |
|---|---|---|
| Team | 50 | 10,000,000 |
| Scale | 200 | 100,000,000 |
| Growth | 1,000 | 1,000,000,000 |
Enforcement: token-bucket per tenant in limits.rs. 429 + Retry-After on overflow.
Per-Tenant RBAC
Roles are mapped to principals per tenant. A user is "tenant_admin on tenant A" but may only be "researcher on tenant B" via separate auth tokens.
Audit Export
Each tenant can stream their audit log out to:
- A managed SIEM (Splunk HEC, Elastic ECS) with per-tenant index.
- S3 bucket with a tenant-prefixed key path.
Cross-Tenant Operations
Platform Admins have a separate auth context (platform_admin scope) and operate against /v1/platform/.... Every platform-admin operation emits an audit record tagged cross_tenant=true.