npm - k2hr3-api - Versions diffs - 1.0.24 → 1.0.26 - Mend

k2hr3-api 1.0.24 → 1.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/ChangeLog +12 -0
package/app.js +63 -30
package/bin/run.sh +14 -0
package/config/default.json +3 -2
package/lib/k2hr3config.js +12 -0
package/lib/k2hr3dkc.js +903 -13
package/lib/k2hr3keys.js +1 -0
package/lib/k2hr3tokens.js +147 -60
package/package.json +10 -5
package/routes/tenant.js +1014 -0
package/routes/userTokens.js +77 -126
package/tests/auto_all_spec.js +4 -0
package/tests/auto_tenant.js +989 -0
package/tests/auto_tenant_spec.js +79 -0
package/tests/auto_usertokens.js +6 -6
package/tests/manual_acr_delete.js +1 -0
package/tests/manual_acr_get.js +1 -0
package/tests/manual_acr_postput.js +1 -0
package/tests/manual_allusertenant_get.js +58 -3
package/tests/manual_extdata_get.js +1 -0
package/tests/manual_list_gethead.js +1 -0
package/tests/manual_policy_delete.js +1 -0
package/tests/manual_policy_gethead.js +3 -1
package/tests/manual_policy_postput.js +1 -0
package/tests/manual_resource_delete.js +1 -0
package/tests/manual_resource_gethead.js +1 -0
package/tests/manual_resource_postput.js +1 -0
package/tests/manual_role_delete.js +2 -0
package/tests/manual_role_gethead.js +4 -0
package/tests/manual_role_postput.js +2 -0
package/tests/manual_service_delete.js +1 -0
package/tests/manual_service_gethead.js +1 -0
package/tests/manual_service_postput.js +1 -0
package/tests/manual_tenant_delete.js +152 -0
package/tests/manual_tenant_gethead.js +268 -0
package/tests/manual_tenant_postput.js +293 -0
package/tests/manual_test.sh +21 -7
package/tests/manual_userdata_get.js +1 -0
package/tests/manual_usertoken_gethead.js +1 -0
package/tests/manual_usertoken_postput.js +1 -0
package/tests/manual_version_get.js +1 -0
package/tests/test.sh +2 -0

package/lib/k2hr3dkc.js CHANGED Viewed

@@ -1550,21 +1550,851 @@ function rawCheckTenantInServiceMember(servicename, tenantname)
 }
 //---------------------------------------------------------
-// Common raw create tenant key
+// Common raw find tenant key
+//---------------------------------------------------------
+//	tenant			: tenant name
+//	user			: user name
+//	id				: tenant id (if user is specified, need this.)
+//
+//	result			: null is not found
+//					  tenant object is found:
+//						{
+//							name:		<name>
+//							id:			<id>
+//							desc:		<description>
+//							display:	<display tenant name>
+//							users:		[user, ...]					<-- "user name"(not yrn path)
+//						}
+//
+// [NOTE]
+// If user and id are not specified, all tenants will be searched.
+// If user and id are specified, it will be searched by those exact matches.
+//
+function rawFindTenantEx(dkcobj_permanent, tenant, user, id)
+{
+	if(!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()){
+		r3logger.elog('parameter dkcobj_permanent is not object or not permanent');
+		return null;
+	}
+	if(!apiutil.isSafeString(tenant)){														// allow user and id are null
+		r3logger.elog('some parameters are wrong : tenant=' + JSON.stringify(tenant));
+		return null;
+	}
+	if(apiutil.isSafeString(user) != apiutil.isSafeString(id)){								// allow both user and id are empty or not empty
+		r3logger.elog('some parameters are wrong : tenant=' + JSON.stringify(tenant) + ', user=' + JSON.stringify(user) + ', id=' + JSON.stringify(id));
+		return null;
+	}
+	tenant	= apiutil.getSafeString(tenant);
+	user	= apiutil.getSafeString(user);
+	id		= apiutil.getSafeString(id);
+	//
+	// Keys
+	//
+	var	keys = r3keys(user, tenant);
+	//
+	// Check tenant
+	//
+	var	tenantval = dkcobj_permanent.getValue(keys.MASTER_TENANT_TOP_KEY, null, true, null);	// get value in yrn:yahoo:::<tenant>
+	if(!apiutil.isSafeString(tenantval) || tenantval != keys.VALUE_ENABLE){
+		r3logger.dlog('not found tenant(' + tenant + ') or its value is not ' + keys.VALUE_ENABLE + '.');
+		return null;
+	}
+	var	subkeylist = apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.NO_SERVICE_REGION_KEY, true));
+	if(!apiutil.findStringInArray(subkeylist, keys.MASTER_TENANT_TOP_KEY)){						// check subkey yrn:yahoo:::<tenant> -> yrn:yahoo::
+		r3logger.dlog('not found tenant(' + tenant + ') under ' + keys.NO_SERVICE_REGION_KEY + ' key.');
+		return null;
+	}
+	//
+	// Get tenant information
+	//
+	var id_value		= dkcobj_permanent.getValue(keys.TENANT_ID_KEY, null, true, null);
+	var	desc_value		= dkcobj_permanent.getValue(keys.TENANT_DESC_KEY, null, true, null);
+	var	display_value	= dkcobj_permanent.getValue(keys.TENANT_DISP_KEY, null, true, null);
+	var	userlist		= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.TENANT_USER_KEY, true));
+	//
+	// Check id and user
+	//
+	if(apiutil.isSafeString(id) && apiutil.isSafeString(user)){
+		//
+		// Check id value
+		//
+		if(id_value != id){
+			r3logger.elog('Tenant(' + tenant + ') id(' + id_value + ') is not as same as id(' + id + ')');
+			return null;
+		}
+		//
+		// Check user in list
+		//
+		if(!apiutil.findStringInArray(userlist, keys.USER_KEY)){
+			r3logger.elog('Tenant(' + tenant + ') does not have user(' + user + ')');
+			return null;
+		}
+	}
+	//
+	// Make result user list
+	//
+	var	username_list = Array();
+	for(var cnt = 0; cnt < userlist.length; ++cnt){
+		var	tmpuser = apiutil.getSafeString(userlist[cnt]);
+		if(0 !== tmpuser.indexOf(keys.USER_TOP_KEY + ':')){
+			r3logger.wlog('Tenant(' + tenant + ') has unknown formatted user value(' + tmpuser + ')');
+			continue;
+		}
+		// cut yrn path
+		tmpuser = tmpuser.replace(keys.USER_TOP_KEY + ':', '');
+		// add
+		apiutil.tryAddStringToArray(username_list, tmpuser);
+	}
+	username_list.sort();
+	//
+	// result object
+	//
+	var	resobj = {
+		name:		tenant,
+		id:			id_value,
+		desc:		desc_value,
+		display:	display_value,
+		users:		username_list
+	};
+	return resobj;
+}
+//
+//	tenant			: tenant name
+//	user			: user name
+//	id				: tenant id, if user is specified(service is specified, do not need this)
+//
+//	result			{
+//						result:			true/false
+//						message:		null or error message
+//						tenant:			undefined or object
+//										{
+//											name:		<name>
+//											id:			<id>
+//											desc:		<description>
+//											display:	<display tenant name>
+//											users:		[user, ...]					<-- "user name"(not yrn path)
+//										}
+//					}
+//
+// [NOTE]
+// If user and id are not specified, all tenants will be searched.
+// If user and id are specified, it will be searched by those exact matches.
+//
+function rawFindTenant(tenant, user, id)
+{
+	var	resobj = {result: true, message: null};
+	if(!apiutil.isSafeStrings(tenant)){												// allow user and id are null
+		resobj.result	= false;
+		resobj.message	= 'some parameters are wrong : tenant=' + JSON.stringify(tenant);
+		r3logger.elog(resobj.message);
+		return resobj;
+	}
+	if(apiutil.isSafeString(user) != apiutil.isSafeString(id)){								// allow both user and id are empty or not empty
+		resobj.result	= false;
+		resobj.message	= 'some parameters are wrong : tenant=' + JSON.stringify(tenant) + ', user=' + JSON.stringify(user) + ', id=' + JSON.stringify(id);
+		r3logger.elog(resobj.message);
+		return resobj;
+	}
+	var	dkcobj			= k2hdkc(dkcconf, dkcport, dkccuk, true, false);					// use permanent object(need to clean)
+	if(!rawInitKeyHierarchy(dkcobj)){
+		resobj.result	= false;
+		resobj.message	= 'Not initialize yet, or configuration is not set';
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	//
+	// Find tenant
+	//
+	var	result = rawFindTenantEx(dkcobj, tenant, user, id);
+	if(!apiutil.isSafeEntity(result)){
+		resobj.result	= false;
+		resobj.message	= 'could not find tenant(' + tenant + ') with user=' + JSON.stringify(user) + ' and id=' + JSON.stringify(id);
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	dkcobj.clean();
+	//
+	// Set found tenant object
+	//
+	resobj.tenant = result;
+	return resobj;
+}
+//---------------------------------------------------------
+// Common raw list local tenant
+//---------------------------------------------------------
+//
+//	user			: user name
+//
+//	result			: null is not found
+//					  tenant object is found:
+//						{
+//							name:		<name>
+//							id:			<id>
+//							desc:		<description>
+//							display:	<display tenant name>
+//							users:		[user, ...]					<-- "user name"(not yrn path)
+//						}
+//
+function rawGetLocalTenantList(dkcobj_permanent, user)
+{
+	if(!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()){
+		r3logger.elog('parameter dkcobj_permanent is not object or not permanent');
+		return null;
+	}
+	if(!apiutil.isSafeString(user)){															// allow user and id are null
+		r3logger.elog('some parameters are wrong : tenant=' + JSON.stringify(tenant));
+		return null;
+	}
+	//
+	// Keys
+	//
+	var	keys = r3keys(user);
+	//
+	// Loop: tenant key
+	//
+	var	tenants		= [];
+	var	subkeylist	= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.NO_SERVICE_REGION_KEY, true));
+	for(var cnt = 0; cnt < subkeylist.length; ++cnt){
+		// tenant path
+		var	tenant = apiutil.getSafeString(subkeylist[cnt]);						// tenant => "yrn:yahoo:::<tenant>"
+		// check
+		if(0 !== tenant.indexOf(keys.NO_SERVICE_TENANT_KEY)){
+			r3logger.wlog('Tenant yrn path (' + tenant + ') is unknown format, skip it...');
+			continue;
+		}
+		if(tenant === keys.NO_SERVICE_TENANT_KEY){									// tenant => "yrn:yahoo:::"
+			continue;
+		}
+		// cut yrn path
+		var	tenant_name = tenant.replace(keys.USER_TENANT_COMMON_KEY, '');
+		// check local tenant
+		if(0 !== tenant_name.indexOf(keys.VALUE_PREFIX_LOCAL_TENANT)){
+			continue;
+		}
+		// change keys
+		keys = r3keys(user, tenant_name);
+		//
+		// Get tenant information
+		//
+		var id_value		= dkcobj_permanent.getValue(keys.TENANT_ID_KEY, null, true, null);
+		var	desc_value		= dkcobj_permanent.getValue(keys.TENANT_DESC_KEY, null, true, null);
+		var	display_value	= dkcobj_permanent.getValue(keys.TENANT_DISP_KEY, null, true, null);
+		var	userlist		= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.TENANT_USER_KEY, true));
+		//
+		// Check id value
+		//
+		if(!apiutil.isSafeString(id_value)){
+			r3logger.wlog('Tenant yrn path (' + tenant + ') has wrong id value, skip it...');
+			continue;
+		}
+		//
+		// Check user in list
+		//
+		if(!apiutil.findStringInArray(userlist, keys.TENANT_USER_KEY)){
+			r3logger.dlog('User(' + user + ') is not Tenant(' + tenant + ') member, skip it.');
+			return null;
+		}
+		//
+		// Make result user list
+		//
+		var	username_list = Array();
+		for(var cnt2 = 0; cnt2 < userlist.length; ++cnt2){
+			var	tmpuser = apiutil.getSafeString(userlist[cnt2]);
+			if(0 !== tmpuser.indexOf(keys.USER_TOP_KEY + ':')){
+				r3logger.wlog('Tenant(' + tenant_name + ') has unknown formatted user value(' + tmpuser + ')');
+				continue;
+			}
+			// cut yrn path
+			tmpuser = tmpuser.replace(keys.USER_TOP_KEY + ':', '');
+			// add
+			apiutil.tryAddStringToArray(username_list, tmpuser);
+		}
+		username_list.sort();
+		//
+		// add tenant object
+		//
+		tenants.push({
+			name:		tenant_name,
+			id:			id_value,
+			desc:		desc_value,
+			display:	display_value,
+			users:		username_list
+		});
+	}
+	return tenants;
+}
+//
+//	user		: user name
+//	is_expand	: expand tenant object
+//
+//	result		{
+//					result:			true/false
+//					message:		null or error message
+//					tenants:		undefined or object array
+//									[
+//										"tenant name",
+//										...
+//									]
+//									or
+//									[
+//										{
+//											name:		<name>
+//											id:			<id>
+//											desc:		<description>
+//											display:	<display tenant name>
+//											users:		[user, ...]					<-- "user name"(not yrn path)
+//										},
+//									]
+//				}
+//
+// [NOTE]
+// If find an unnecessary tenant key, update it.
+//
+function rawListLocalTenant(user, is_expand)
+{
+	var	resobj = {result: true, message: null};
+	if('boolean' !== typeof is_expand){
+		is_expand	= false;														// default not expand
+	}
+	if(!apiutil.isSafeString(user)){
+		resobj.result	= false;
+		resobj.message	= 'some parameters are wrong : user=' + JSON.stringify(user);
+		r3logger.elog(resobj.message);
+		return resobj;
+	}
+	var	dkcobj			= k2hdkc(dkcconf, dkcport, dkccuk, true, false);			// use permanent object(need to clean)
+	if(!rawInitKeyHierarchy(dkcobj)){
+		resobj.result	= false;
+		resobj.message	= 'Not initialize yet, or configuration is not set';
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	//
+	// Keys
+	//
+	var	keys = r3keys(user);
+	//
+	// Check all local tenant list for user (if not existed, add it)
+	//
+	var	localtenantlist = apiutil.getSafeArray(rawGetLocalTenantList(dkcobj, user));
+	var	usertenantlist	= apiutil.getSafeArray(dkcobj.getSubkeys(keys.USER_TENANT_TOP_KEY, true));
+	var	need_update		= false;
+	for(var cnt = 0; cnt < localtenantlist.length; ++cnt){
+		// tmpkeys
+		var	tmpkeys = r3keys(user, localtenantlist[cnt].name);
+		// check
+		if(!apiutil.findStringInArray(usertenantlist, tmpkeys.USER_TENANT_KEY)){
+			r3logger.dlog('user(' + user + ') does not have local tenant(' + localtenantlist[cnt].name + '), so add it.');
+			usertenantlist.push(tmpkeys.USER_TENANT_KEY);
+			need_update	= true;														// for add local tenant
+		}
+	}
+	if(need_update){
+		if(!dkcobj.setSubkeys(keys.USER_TENANT_TOP_KEY, usertenantlist)){			//  Update subkey "yrn:yahoo::::user:<user>:tenant"
+			r3logger.elog('could not update (' + keys.USER_TENANT_TOP_KEY + ') subkey, but continue...');
+		}
+	}
+	//
+	// Make list from tenant list in users
+	//
+	var	tenants		= [];
+	var	subkeylist	= apiutil.getSafeArray(dkcobj.getSubkeys(keys.USER_TENANT_TOP_KEY, true));
+	var	update_list	= [];
+	need_update		= false;
+	for(cnt = 0; cnt < subkeylist.length; ++cnt){
+		var	tenant_name = apiutil.getSafeString(subkeylist[cnt]);					// tenant_name => "yrn:yahoo::::user:<user>:tenant/" or "yrn:yahoo::::user:<user>:tenant/<name>"
+		if(0 !== tenant_name.indexOf(keys.USER_TENANT_COMMON_KEY)){
+			r3logger.wlog('Tenant yrn path (' + tenant_name + ') in user(' + user + ') is unknown format, remove this subkey...');
+			need_update	= true;														// for cut this invalid subkey
+			continue;
+		}
+		// cut yrn path
+		tenant_name = tenant_name.replace(keys.USER_TENANT_COMMON_KEY, '');
+		if(!apiutil.isSafeString(tenant_name)){										// tenant key is "yrn:yahoo::::user:<user>:tenant/"
+			apiutil.tryAddStringToArray(update_list, subkeylist[cnt]);				// set subkey list(if update it)
+			continue;
+		}
+		// check local tenant
+		if(0 !== tenant_name.indexOf(keys.VALUE_PREFIX_LOCAL_TENANT)){
+			apiutil.tryAddStringToArray(update_list, subkeylist[cnt]);				// set subkey list(if update it)
+			continue;
+		}
+		// get tenant object
+		var	tenant_obj = rawFindTenantEx(dkcobj, tenant_name);
+		if(!apiutil.isSafeEntity(tenant_obj)){
+			r3logger.wlog('could not get tenant object for tenant(' + tenant_name + ') in user(' + user + '), remove this subkey...');
+			need_update	= true;														// for cut this invalid subkey
+			continue;
+		}
+		// check user in list
+		if(!apiutil.findStringInArray(tenant_obj.users, user)){
+			r3logger.wlog('could not find user(' + user + ') in tenant(' + tenant_name + '), remove this subkey...');
+			need_update	= true;														// for cut this invalid subkey
+			continue;
+		}
+		apiutil.tryAddStringToArray(update_list, subkeylist[cnt]);					// set subkey list(if update it)
+		// make result
+		if(is_expand){
+			tenants.push(tenant_obj);
+		}else{
+			tenants.push(tenant_name);
+		}
+	}
+	// update
+	if(need_update){
+		if(!dkcobj.setSubkeys(keys.USER_TENANT_TOP_KEY, update_list)){				//  Update subkey "yrn:yahoo::::user:<user>:tenant"
+			r3logger.elog('could not update (' + keys.USER_TENANT_TOP_KEY + ') subkey, but continue...');
+		}
+	}
+	dkcobj.clean();
+	resobj.tenants = tenants;
+	return resobj;
+}
+//---------------------------------------------------------
+// Remove tenant from user
+//---------------------------------------------------------
+//	user		user name
+//	tenant		tenant name
+//
+// [NOTE]
+// Call this function together with rawRemoveUserFromTenant.
+// And it should be called before rawRemoveUserFromTenant.
+//
+function rawRemoveTenantFromUser(dkcobj_permanent, user, tenant)
+{
+	if(!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()){
+		r3logger.elog('parameter dkcobj_permanent is not object or not permanent');
+		return false;
+	}
+	if(!apiutil.isSafeStrings(user, tenant)){
+		r3logger.elog('parameters are wrong : user=' + JSON.stringify(user) + ', tenant=' + JSON.stringify(tenant));
+		return false;
+	}
+	//
+	// Keys
+	//
+	var	result	= true;
+	var	keys	= r3keys(user, tenant);
+	//
+	// Get tenant list under user key
+	//
+	var	user_tenants = apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.USER_TENANT_TOP_KEY, true));	// get user's tenant list
+	if(apiutil.findStringInArray(user_tenants, keys.USER_TENANT_KEY)){
+		//
+		// Found tenant yrn path in list, update tenant list in user
+		//
+		if(!apiutil.removeStringFromArray(user_tenants, keys.USER_TENANT_KEY)){
+			r3logger.wlog('not found tenant(' + tenant + ') in subkey list for user(' + user + '), but continue...');
+		}else{
+			if(!dkcobj_permanent.setSubkeys(keys.USER_TENANT_TOP_KEY, user_tenants)){		// update subkey in "yrn:yahoo::::user:<user>:tenant"
+				r3logger.elog('could not remove tenant(' + tenant + ') in subkey list for user(' + user + '), but continue...');
+				result = false;
+			}
+		}
+	}
+	//
+	// Remove token for tenant key/tenant key in user
+	//
+	if(!dkcobj_permanent.remove(keys.USER_TENANT_SCOPE_TOKEN_KEY, false)){					// remove "yrn:yahoo::::user:<user>:tenant/<tenant>/token"
+		r3logger.dlog('could not remove token key(' + keys.USER_TENANT_SCOPE_TOKEN_KEY + '), probably it is not existed.');
+	}
+	if(!dkcobj_permanent.remove(keys.USER_TENANT_KEY, false)){								// remove "yrn:yahoo::::user:<user>:tenant/<tenant>"
+		r3logger.dlog('could not remove token key(' + keys.USER_TENANT_SCOPE_TOKEN_KEY + '), probably it is not existed.');
+	}
+	return result;
+}
+//---------------------------------------------------------
+// Remove user from tenant
+//---------------------------------------------------------
+//	tenant		tenant name
+//	user		user name
+//
+// [NOTE]
+// Call this function together with rawRemoveTenantFromUser.
+// And you have to call rawRemoveTenantFromUser before calling it.
+//
+// If there are no users or services in the target tenant, the tenant will also be deleted.
+//
+function rawRemoveUserFromTenant(dkcobj_permanent, tenant, user)
+{
+	if(!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()){
+		r3logger.elog('parameter dkcobj_permanent is not object or not permanent');
+		return false;
+	}
+	if(!apiutil.isSafeStrings(tenant, user)){
+		r3logger.elog('parameters are wrong : tenant=' + JSON.stringify(tenant) + ', user=' + JSON.stringify(user));
+		return false;
+	}
+	//
+	// Keys
+	//
+	var	result	= true;
+	var	keys	= r3keys(user, tenant);
+	var	cnt;
+	var	tmpsubkey;
+	//
+	// Get user list under tenant key
+	//
+	var	tenant_users = apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.TENANT_USER_KEY, true));		// get tenant's user list
+	if(apiutil.findStringInArray(tenant_users, keys.USER_KEY)){
+		//
+		// Found user yrn path in list, update user list in tenant
+		//
+		if(!apiutil.removeStringFromArray(tenant_users, keys.USER_KEY)){
+			r3logger.wlog('not found user(' + user + ') in subkey list for tenant(' + tenant + '), but continue...');
+		}else{
+			if(!dkcobj_permanent.setSubkeys(keys.TENANT_USER_KEY, tenant_users)){			// update subkey in "yrn:yahoo:::<tenant>:user"
+				r3logger.elog('could not remove user(' + user + ') in subkey list for tenant(' + tenant + '), but continue...');
+				result = false;
+			}
+		}
+	}
+	//
+	// Check users and services for tenant, if both are empty, remove tenant
+	//
+	var	tenant_services = apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.TENANT_SERVICE_KEY, true));	// get tenant's service list
+	if(apiutil.isEmptyArray(tenant_users) && apiutil.isEmptyArray(tenant_services)){
+		//
+		// Remove tenant subkey in "yrn:yahoo:::"
+		//
+		var subkeylist = apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.NO_SERVICE_REGION_KEY, true));
+		if(!apiutil.removeStringFromArray(subkeylist, keys.MASTER_TENANT_TOP_KEY)){
+			r3logger.wlog('not found tenant(' + tenant + ') in subkey list for no region key(' + keys.NO_SERVICE_REGION_KEY + '), but continue...');
+		}else{
+			if(!dkcobj_permanent.setSubkeys(keys.NO_SERVICE_REGION_KEY, subkeylist)){		// update subkey in "yrn:yahoo:::"
+				r3logger.elog('could not remove tenant(' + tenant + ') in subkey list for no region key(' + keys.NO_SERVICE_REGION_KEY + '), but continue...');
+				result = false;
+			}
+		}
+		//
+		// Remove all resources("yrn:yahoo:<service>::<tenant>:resource:*")
+		//
+		subkeylist	= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.RESOURCE_TOP_KEY, true));
+		if(!apiutil.isEmptyArray(subkeylist)){
+			for(cnt = 0; cnt < subkeylist.length; ++cnt){
+				tmpsubkey = apiutil.getSafeString(subkeylist[cnt]);
+				if(0 !== tmpsubkey.indexOf(keys.RESOURCE_TOP_KEY + ':')){
+					r3logger.wlog('tenant(' + tenant + ') has unknown formatted resource value(' + tmpsubkey + ')');
+					continue;
+				}
+				// cut yrn path
+				tmpsubkey = tmpsubkey.replace(keys.RESOURCE_TOP_KEY + ':', '');
+				if(!rawRemovePolicyEx(dkcobj_permanent, tenant, null, tmpsubkey)){
+					r3logger.elog('failed to remove resource(' + tmpsubkey + ') in tenant(' + tenant + '), but continue...');
+					result = false;
+				}
+			}
+		}
+		//
+		// Remove all policies("yrn:yahoo:<service>::<tenant>:policy:*")
+		//
+		subkeylist	= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.POLICY_TOP_KEY, true));
+		if(!apiutil.isEmptyArray(subkeylist)){
+			for(cnt = 0; cnt < subkeylist.length; ++cnt){
+				tmpsubkey = apiutil.getSafeString(subkeylist[cnt]);
+				if(0 !== tmpsubkey.indexOf(keys.POLICY_TOP_KEY + ':')){
+					r3logger.wlog('tenant(' + tenant + ') has unknown formatted policy value(' + tmpsubkey + ')');
+					continue;
+				}
+				// cut yrn path
+				tmpsubkey = tmpsubkey.replace(keys.POLICY_TOP_KEY + ':', '');
+				if(!rawRemovePolicyEx(dkcobj_permanent, tenant, null, tmpsubkey)){
+					r3logger.elog('failed to remove policy(' + tmpsubkey + ') in tenant(' + tenant + '), but continue...');
+					result = false;
+				}
+			}
+		}
+		//
+		// Remove all roles("yrn:yahoo:<service>::<tenant>:role:*")
+		//
+		subkeylist	= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.ROLE_TOP_KEY, true));
+		if(!apiutil.isEmptyArray(subkeylist)){
+			for(cnt = 0; cnt < subkeylist.length; ++cnt){
+				tmpsubkey = apiutil.getSafeString(subkeylist[cnt]);
+				if(0 !== tmpsubkey.indexOf(keys.ROLE_TOP_KEY + ':')){
+					r3logger.wlog('tenant(' + tenant + ') has unknown formatted role value(' + tmpsubkey + ')');
+					continue;
+				}
+				// cut yrn path
+				tmpsubkey = tmpsubkey.replace(keys.ROLE_TOP_KEY + ':', '');
+				if(!rawRemoveRoleEx(dkcobj_permanent, tenant, null, tmpsubkey)){
+					r3logger.elog('failed to remove role(' + tmpsubkey + ') in tenant(' + tenant + '), but continue...');
+					result = false;
+				}
+			}
+		}
+		//
+		// Remove all subkey in tenant
+		//
+		if(!dkcobj_permanent.remove(keys.TENANT_ID_KEY, false)){							// remove "yrn:yahoo:::<tenant>:id"
+			r3logger.elog('could not remove id key(' + keys.TENANT_ID_KEY + '), probably it is not existed.');
+			result = false;
+		}
+		if(!dkcobj_permanent.remove(keys.TENANT_DESC_KEY, false)){							// remove "yrn:yahoo:::<tenant>:desc"
+			r3logger.elog('could not remove description key(' + keys.TENANT_DESC_KEY + '), probably it is not existed.');
+			result = false;
+		}
+		if(!dkcobj_permanent.remove(keys.TENANT_DISP_KEY, false)){							// remove "yrn:yahoo:::<tenant>:display"
+			r3logger.elog('could not remove display key(' + keys.TENANT_DISP_KEY + '), probably it is not existed.');
+			result = false;
+		}
+		if(!dkcobj_permanent.remove(keys.TENANT_USER_KEY, false)){							// remove "yrn:yahoo:::<tenant>:user"
+			r3logger.elog('could not remove user key(' + keys.TENANT_USER_KEY + '), probably it is not existed.');
+			result = false;
+		}
+		if(!dkcobj_permanent.remove(keys.TENANT_SERVICE_KEY, false)){						// remove "yrn:yahoo:::<tenant>:service"
+			r3logger.elog('could not remove service key(' + keys.TENANT_SERVICE_KEY + '), probably it is not existed.');
+			result = false;
+		}
+		//
+		// Remove tenant key
+		//
+		if(!dkcobj_permanent.remove(keys.MASTER_TENANT_TOP_KEY, false)){					// remove "yrn:yahoo:::<tenant>"
+			r3logger.elog('could not remove service key(' + keys.MASTER_TENANT_TOP_KEY + '), probably it is not existed.');
+			result = false;
+		}
+	}
+	return result;
+}
+//---------------------------------------------------------
+// Common remove user from local tenant
+//---------------------------------------------------------
+//	tenant		: tenant name
+//	user		: user name
+//	id			: tenant id
+//
+//	result		{
+//					result:			true/false
+//					message:		null or error message
+//				}
+//
+function rawRemoveUserFromLocalTenant(tenant, user, id)
+{
+	var	resobj = {result: true, message: null};
+	if(!apiutil.isSafeStrings(tenant, user, id)){
+		resobj.result	= false;
+		resobj.message	= 'some parameters are wrong : tenant=' + JSON.stringify(tenant) + ', user=' + JSON.stringify(user) + ', id=' + JSON.stringify(id);
+		r3logger.elog(resobj.message);
+		return resobj;
+	}
+	var	dkcobj			= k2hdkc(dkcconf, dkcport, dkccuk, true, false);			// use permanent object(need to clean)
+	if(!rawInitKeyHierarchy(dkcobj)){
+		resobj.result	= false;
+		resobj.message	= 'Not initialize yet, or configuration is not set';
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	//
+	// Keys
+	//
+	var	keys = r3keys(user, tenant);
+	//
+	// Check tenant name
+	//
+	if(0 !== tenant.indexOf(keys.VALUE_PREFIX_LOCAL_TENANT)){
+		// Not have prefix("local@")
+		resobj.result	= false;
+		resobj.message	= 'tenant(' + tenant + ') must be start ' + keys.VALUE_PREFIX_LOCAL_TENANT + ' prefix for local tenant.';
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	//
+	// Find tenant
+	//
+	var	result = rawFindTenantEx(dkcobj, tenant, user, id);
+	if(!apiutil.isSafeEntity(result)){
+		resobj.result	= false;
+		resobj.message	= 'could not find tenant(' + tenant + ') with user=' + JSON.stringify(user) + ' and id=' + JSON.stringify(id);
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	//
+	// Check user list in tenant
+	//
+	if(!apiutil.findStringInArray(result.users, user)){
+		resobj.result	= false;
+		resobj.message	= 'user(' + user + ') is not tenant(' + tenant + ') member.';
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	//
+	// Remove tenant from user
+	//
+	if(!rawRemoveTenantFromUser(dkcobj, user, tenant)){
+		resobj.result	= false;
+		resobj.message	= 'failed to remove tenant(' + tenant + ') from user(' + user + ').';
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	//
+	// Remove user from tenant
+	//
+	if(!rawRemoveUserFromTenant(dkcobj, tenant, user)){
+		resobj.result	= false;
+		resobj.message	= 'failed to remove user(' + user + ') from tenant(' + tenant + ').';
+		r3logger.elog(resobj.message);
+		dkcobj.clean();
+		return resobj;
+	}
+	dkcobj.clean();
+	return resobj;
+}
+//---------------------------------------------------------
+// Add tenant to existed user key
 //---------------------------------------------------------
 //	user			: user name
 //	tenant			: tenant name
+//
+//	result			: null for failure
+//					  user yrn full path for success
+//
+// [NOTE]
+// Both user and service can not be specified at same time.
+// This function create keys without resource/policy/role, you must be careful for service
+// case.
+//
+function rawAddTenantToExistedUser(dkcobj_permanent, user, tenant)
+{
+	if(!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()){
+		r3logger.elog('parameter dkcobj_permanent is not object or not permanent');
+		return null;
+	}
+	if(!apiutil.isSafeStrings(user, tenant)){
+		r3logger.elog('some parameters are wrong : user=' + JSON.stringify(user) + ', tenant=' + JSON.stringify(tenant));
+		return null;
+	}
+	var	keys = r3keys(user, tenant);
+	//
+	// Check user exists
+	//
+	var	subkeylist = apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.USER_KEY, true));
+	if(apiutil.isEmptyArray(subkeylist) || !apiutil.findStringInArray(subkeylist, keys.USER_ID_KEY)){
+		r3logger.elog('user(' + user + ') does not exist.');
+		return null;
+	}
+	//
+	// Add tenant key to user subkey list
+	//
+	subkeylist = apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.USER_TENANT_TOP_KEY, true));
+	if(apiutil.tryAddStringToArray(subkeylist, keys.USER_TENANT_KEY)){
+		if(!dkcobj_permanent.setSubkeys(keys.USER_TENANT_TOP_KEY, subkeylist)){				// add subkey [..., yrn:yahoo::::user:<user>:tenant/<tenant>] -> yrn:yahoo::::user:<user>:tenant
+			r3logger.elog('could not add ' + keys.USER_TENANT_KEY + ' subkey under ' + keys.USER_TENANT_TOP_KEY + ' key');
+			return null;
+		}
+	}
+	// [NOTE]
+	// We do not create "yrn:yahoo::::user:<user>:tenant/<tenant>" keys
+	// These keys have token(scoped and unscoped) value, these values is set another function.
+	//
+	return keys.USER_KEY;
+}
+//---------------------------------------------------------
+// Common raw create tenant key
+//---------------------------------------------------------
+//	user			: user name(existed main user)
+//	tenant			: tenant name
 //	service			: service name
 //	id				: tenant id, if user is specified(service is specified, do not need this)
 //	desc			: tenant description, if user is specified(service is specified, do not need this)
 //	display			: display name, if user is specified(service is specified, do not need this)
+//	other_users		: other users in this tenant (this parameter is invalid if service is specified)
 //
 // [NOTE]
 // Both user and service can not be specified at same time.
 // This function create keys without resource/policy/role, you must be careful for service
 // case.
 //
-function rawCreateTenantEx(dkcobj_permanent, user, tenant, service, id, desc, display)
+function rawCreateTenantEx(dkcobj_permanent, user, tenant, service, id, desc, display, other_users)
 {
 	if(!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()){
 		r3logger.elog('parameter dkcobj_permanent is not object or not permanent');
@@ -1589,12 +2419,19 @@ function rawCreateTenantEx(dkcobj_permanent, user, tenant, service, id, desc, di
 			id = String(id);
 		}
 		service	= null;
+		if(apiutil.isEmptyArray(other_users)){
+			other_users = [];
+		}
+		apiutil.tryAddStringToArray(other_users, user);		// add user to other_users
 	}else if(apiutil.isSafeString(service) && !apiutil.isSafeString(user)){
 		//
 		// case: specified service parameter
 		//
-		service	= service.toLowerCase();
-		user	= null;
+		service		= service.toLowerCase();
+		user		= null;
+		other_users	= null;
 	}else{
 		r3logger.elog('some parameters are wrong(both are empty or not empty) : service=' + JSON.stringify(service) + ', user=' + JSON.stringify(user));
 		return false;
@@ -1792,9 +2629,14 @@ function rawCreateTenantEx(dkcobj_permanent, user, tenant, service, id, desc, di
 				return false;
 			}
 		}
-		subkeylist	= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.TENANT_USER_KEY, true));
-		if(apiutil.tryAddStringToArray(subkeylist, keys.USER_KEY)){
-			if(!dkcobj_permanent.setSubkeys(keys.TENANT_USER_KEY, subkeylist)){				// add subkey yrn:yahoo::::user:<user> -> yrn:yahoo:::<tenant>:user
+		// [NOTE]
+		// Only add direct users here.
+		//
+		var	user_subkeylist	= apiutil.getSafeArray(dkcobj_permanent.getSubkeys(keys.TENANT_USER_KEY, true));
+		user_subkeylist.sort();
+		if(apiutil.tryAddStringToArray(user_subkeylist, keys.USER_KEY)){
+			user_subkeylist.sort();
+			if(!dkcobj_permanent.setSubkeys(keys.TENANT_USER_KEY, user_subkeylist)){		// add subkey yrn:yahoo::::user:<user> -> yrn:yahoo:::<tenant>:user
 				r3logger.elog('could not add ' + keys.USER_KEY + ' subkey under ' + keys.TENANT_USER_KEY + ' key');
 				return false;
 			}
@@ -1817,6 +2659,34 @@ function rawCreateTenantEx(dkcobj_permanent, user, tenant, service, id, desc, di
 				return false;
 			}
 		}
+		//
+		// Add other users(with user) to tenant
+		//
+		if(!apiutil.isEmptyArray(other_users)){
+			var	need_update_user_key = false;
+			for(var cnt = 0; cnt < other_users.length; ++cnt){
+				// add one other user
+				var	added_other_user = rawAddTenantToExistedUser(dkcobj_permanent, other_users[cnt], tenant);
+				if(!apiutil.isSafeString(added_other_user)){
+					continue;
+				}
+				// check new adding user
+				if(apiutil.tryAddStringToArray(user_subkeylist, added_other_user)){
+					user_subkeylist.sort();
+					need_update_user_key = true;
+				}
+			}
+			//
+			// Re-update user key in tenant
+			//
+			if(need_update_user_key){
+				if(!dkcobj_permanent.setSubkeys(keys.TENANT_USER_KEY, user_subkeylist)){	// add subkey yrn:yahoo::::user:<user> -> yrn:yahoo:::<tenant>:user
+					r3logger.elog('could not add ' + keys.USER_KEY + ' subkey under ' + keys.TENANT_USER_KEY + ' key');
+					return false;
+				}
+			}
+		}
 	}
 	//
@@ -1981,17 +2851,18 @@ function rawCheckTenantEnable(dkcobj_permanent, tenant, servicename)
 //---------------------------------------------------------
 // create tenant key(no service)
 //---------------------------------------------------------
+//	user			: user name
 //	tenant			: tenant name
 //	id				: tenant id
 //	desc			: tenant description
 //	display			: display name
-//	user			: user name
+//	other_users		: other users in this tenant (this parameter is invalid if service is specified)
 //
 // [NOTE]
 // This function does not check the user is a member in tenant, then
 // you must check it before calling this function.
 //
-function rawCreateTenant(user, tenant, id, desc, display)
+function rawCreateTenant(user, tenant, id, desc, display, other_users)
 {
 	var	resobj = {result: true, message: null};
@@ -2026,7 +2897,7 @@ function rawCreateTenant(user, tenant, id, desc, display)
 	//
 	// Create tenant top
 	//
-	if(!rawCreateTenantEx(dkcobj, user, tenant, null, id, desc, display)){
+	if(!rawCreateTenantEx(dkcobj, user, tenant, null, id, desc, display, other_users)){
 		resobj.result	= false;
 		resobj.message	= 'could not create tenant(' + tenant + ') with id(' + id + '), desc(' + JSON.stringify(desc) + '), display(' + JSON.stringify(display) + '), user(' + user + ')';
 		r3logger.elog(resobj.message);
@@ -2822,10 +3693,14 @@ function rawRemoveComprehensionByNewTenants(user, tenant_list)
 	var	tg_tenant_keys		= new Array(0);														// tenant key name which has user name who must be removed
 	var	pattern				= new RegExp('^' + notenant_keys.USER_TENANT_COMMON_KEY + '(.*)');	// regex = /^yrn:yahoo::::user:<user>\:tenant\/(.*)/
 	var	is_changed			= false;
+	var	localtenant_prefix	= notenant_keys.USER_TENANT_COMMON_KEY + notenant_keys.VALUE_PREFIX_LOCAL_TENANT;	// "yrn:yahoo::::user:<user>:tenant/<local tenant prefix>"
 	if(!apiutil.isEmptyArray(cur_user_tenants)){
 		for(cnt = 0; cnt < cur_user_tenants.length; ){
 			var	cur_tenant	= cur_user_tenants[cnt].toLowerCase();
-			if(!apiutil.findStringInArray(new_user_tenants, cur_tenant)){
+			// check tenant in list and not local tenant
+			if(!apiutil.findStringInArray(new_user_tenants, cur_tenant) && 0 !== cur_tenant.indexOf(localtenant_prefix)){
 				// not found current tenant key in new tenants list, so add removed key list
 				cur_user_tenants.splice(cnt, 1);
 				rm_user_tenants.push(cur_tenant);
@@ -10908,12 +11783,12 @@ function rawCompareChildrenListName(child1, child2)
 //
 // These functions initializing tenant is without service.
 //
-exports.initTenant = function(tenantname, id, desc, display, user)
+exports.initTenant = function(tenantname, id, desc, display, user, other_users)
 {
 	//
 	// Must initialize service key before calling this if specified service parameter
 	//
-	return rawCreateTenant(user, tenantname, id, desc, display);
+	return rawCreateTenant(user, tenantname, id, desc, display, other_users);
 };
 exports.initUser = function(user, id, username, tenant)
@@ -10933,6 +11808,21 @@ exports.initUserTenant = function(user, userid, username, tenant, tenantid, tena
 	return resobj;
 };
+exports.findTenant = function(tenant, user, id)
+{
+	return rawFindTenant(tenant, user, id);
+};
+exports.listLocalTenant = function(user, is_expand)
+{
+	return rawListLocalTenant(user, is_expand);
+};
+exports.removeUserFromLocalTenant = function(tenant, user, id)
+{
+	return rawRemoveUserFromLocalTenant(tenant, user, id);
+};
 exports.getUserId = function(username)
 {
 	return rawGetUserId(username);