k2hr3-api 1.0.42 → 2.0.1

package/dist/src/lib/k2hr3tokens.js

@@ -0,0 +1,2643 @@
+"use strict";
+/*
+ * K2HR3 REST API
+ *
+ * Copyright 2017 Yahoo Japan Corporation.
+ *
+ * K2HR3 is K2hdkc based Resource and Roles and policy Rules, gathers
+ * common management information for the cloud.
+ * K2HR3 can dynamically manage information as "who", "what", "operate".
+ * These are stored as roles, resources, policies in K2hdkc, and the
+ * client system can dynamically read and modify these information.
+ *
+ * For the full copyright and license information, please view
+ * the license file that was distributed with this source code.
+ *
+ * AUTHOR:   Takeshi Nakatani
+ * CREATE:   Wed Jun 8 2017
+ * REVISION:
+ *
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.k2hr3tokens = void 0;
+const k2hr3dkc_1 = __importDefault(require("./k2hr3dkc"));
+const k2hr3apiutil_1 = __importDefault(require("./k2hr3apiutil"));
+const dbglogging_1 = __importDefault(require("./dbglogging"));
+const k2hr3keys_1 = require("./k2hr3keys");
+const r3keys = k2hr3keys_1.getK2hr3Keys;
+const k2hr3config_1 = require("./k2hr3config");
+const apiConf = new k2hr3config_1.r3ApiConfig();
+//
+// Check type
+//
+const rawIsDkcTypeSourceUserHostInfo = (val) => {
+    if (!k2hr3apiutil_1.default.isPlainObject(val)) {
+        return false;
+    }
+    if ((null !== val.user && !k2hr3apiutil_1.default.isString(val.user)) ||
+        (null !== val.hostname && !k2hr3apiutil_1.default.isString(val.hostname)) ||
+        (null !== val.ip && !k2hr3apiutil_1.default.isString(val.ip)) ||
+        !k2hr3apiutil_1.default.isSafeNumber(val.port) ||
+        (null !== val.cuk && !k2hr3apiutil_1.default.isString(val.cuk))) {
+        return false;
+    }
+    return true;
+};
+const rawIsValTypeUserTenantInfo = (val) => {
+    if (!k2hr3apiutil_1.default.isPlainObject(val)) {
+        return false;
+    }
+    if ((undefined !== val.user && null !== val.user && !k2hr3apiutil_1.default.isString(val.user)) ||
+        (undefined !== val.tenant && null !== val.tenant && !k2hr3apiutil_1.default.isString(val.tenant)) ||
+        (undefined !== val.userid && null !== val.userid && !k2hr3apiutil_1.default.isString(val.userid)) ||
+        (undefined !== val.display && null !== val.display && !k2hr3apiutil_1.default.isString(val.display)) ||
+        (undefined !== val.id && null !== val.id && !k2hr3apiutil_1.default.isString(val.id)) ||
+        (undefined !== val.description && null !== val.description && !k2hr3apiutil_1.default.isString(val.description)) ||
+        (undefined !== val.region && null !== val.region && !k2hr3apiutil_1.default.isString(val.region)) ||
+        !rawIsDkcTypeSourceUserHostInfo(val)) {
+        return false;
+    }
+    return true;
+};
+const rawIsDkcTypeBaseRoleToken = (val) => {
+    if (!k2hr3apiutil_1.default.isPlainObject(val)) {
+        return false;
+    }
+    if (!k2hr3apiutil_1.default.isString(val.date) ||
+        !k2hr3apiutil_1.default.isString(val.expire) ||
+        (undefined !== val.registerpath && !k2hr3apiutil_1.default.isString(val.registerpath))) {
+        return false;
+    }
+    return true;
+};
+const rawIsResTypeObjRoleTokens = (val) => {
+    if (!k2hr3apiutil_1.default.isPlainObject(val)) {
+        return false;
+    }
+    for (const [, value] of Object.entries(val)) {
+        if (!rawIsDkcTypeBaseRoleToken(value)) {
+            return false;
+        }
+    }
+    return true;
+};
+const rawIsResTypeCheckKindToken = (val) => {
+    if (!k2hr3apiutil_1.default.isPlainObject(val)) {
+        return false;
+    }
+    if ((null !== val.role && !k2hr3apiutil_1.default.isString(val.role)) ||
+        (null !== val.extra && !k2hr3apiutil_1.default.isString(val.extra)) ||
+        !k2hr3apiutil_1.default.isBoolean(val.scoped) ||
+        !rawIsDkcTypeSourceUserHostInfo(val)) {
+        return false;
+    }
+    return true;
+};
+const rawIsResTypeCheckUserToken = (val) => {
+    return rawIsResTypeCheckKindToken(val);
+};
+const rawIsResTypeCheckRoleToken = (val) => {
+    return rawIsResTypeCheckKindToken(val);
+};
+//---------------------------------------------------------
+// Configuration
+//	* Keystone api wrapper
+//	* Get expiration for role tokens
+//---------------------------------------------------------
+// [NOTE]
+// We use config which has keystone.type value.
+// Default value is "keystone_v3".
+//
+let osapi = null;
+let expire_rtoken = 0;
+let expire_reg_rtoken = 0;
+(async () => {
+    const keystone_type = './' + apiConf.getKeystoneType();
+    const osapiModule = await k2hr3apiutil_1.default.tryLoadModule(keystone_type);
+    if (k2hr3apiutil_1.default.isSafeEntity(osapiModule)) {
+        osapi = osapiModule;
+    }
+    expire_rtoken = apiConf.getExpireTimeRoleToken();
+    expire_reg_rtoken = apiConf.getExpireTimeRegRoleToken();
+})();
+//---------------------------------------------------------
+// set user/tenant token
+//---------------------------------------------------------
+//	tenant		undefined(or null) thus token must be unscoped.
+//	expire		UTC ISO 8601 format
+//
+//	[NOTE]		Must initialize User/Tenant before calling this function.
+//
+const rawSetUserToken = (user, tenant, token, expire, region, seed) => {
+    if (!k2hr3apiutil_1.default.isSafeString(user) || !k2hr3apiutil_1.default.isSafeString(token) || !k2hr3apiutil_1.default.isSafeString(expire) || !k2hr3apiutil_1.default.isSafeString(region)) { // allow tenant/seed is null
+        dbglogging_1.default.elog('some parameters are wrong : user=' + JSON.stringify(user) + ', tenant=' + JSON.stringify(tenant) + ', token=' + JSON.stringify(token) + ', expire=' + JSON.stringify(expire) + ', region=' + JSON.stringify(region));
+        return false;
+    }
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    const keys = r3keys(user, tenant);
+    if (!k2hr3apiutil_1.default.isPlainObject(dkcobj)) {
+        return false;
+    }
+    //
+    // Check user key exists and create these.
+    //
+    const expire_limit = k2hr3apiutil_1.default.calcExpire(expire); // UTC ISO 8601 to unixtime
+    const token_value_key = keys.TOKEN_USER_TOP_KEY + '/' + token; // "yrn:yahoo::::token:user/<token>"
+    const user_token_key = keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY + '/' + token; // "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>"
+    const user_token_seed_key = user_token_key + '/' + keys.SEED_KW; // "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>/seed"
+    // [NOTE]
+    // If tenant is null, following keys have not tenant keyword in that key string.
+    //												[ not have tenant name ]				vs		[ have tenant name ]
+    // keys.USER_TENANT_AMBIGUOUS_KEY			---> "yrn:yahoo::::user:<user>:tenant/"			or "yrn:yahoo::::user:<user>:tenant/<tenant>"
+    // keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY		---> "yrn:yahoo::::user:<user>:tenant//token"	or "yrn:yahoo::::user:<user>:tenant/<tenant>/token"
+    //
+    // token top
+    let subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.USER_TENANT_AMBIGUOUS_KEY, true));
+    if (k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY)) {
+        if (!dkcobj.setSubkeys(keys.USER_TENANT_AMBIGUOUS_KEY, subkeylist)) { // add subkey yrn:yahoo::::user:<user>:tenant/{<tenant>}/token -> yrn:yahoo::::user:<user>:tenant/{<tenant>}
+            dbglogging_1.default.elog('could not add ' + keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY + ' subkey under ' + keys.USER_TENANT_AMBIGUOUS_KEY + ' key');
+            dkcobj.clean();
+            return false;
+        }
+    }
+    // to token key
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY, true));
+    if (k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, user_token_key)) {
+        if (!dkcobj.setSubkeys(keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY, subkeylist)) { // add subkey yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token> -> yrn:yahoo::::user:<user>:tenant/{<tenant>}/token
+            dbglogging_1.default.elog('could not add ' + user_token_key + ' subkey under ' + keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY + ' key');
+            dkcobj.clean();
+            return false;
+        }
+    }
+    // get/set token value
+    let old_value = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(user_token_key, null, true, null));
+    if (old_value != region) {
+        if (!dkcobj.setValue(user_token_key, region, null, null, expire_limit)) { // update new token key(value with region and expire) -> yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>
+            dbglogging_1.default.elog('could not set ' + k2hr3apiutil_1.default.getSafeString(region) + '(expire=' + k2hr3apiutil_1.default.getSafeString(expire) + ') to ' + user_token_key + ' key');
+            dkcobj.clean();
+            return false;
+        }
+    }
+    // get/set seed value
+    if (k2hr3apiutil_1.default.isSafeString(seed)) {
+        old_value = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(user_token_seed_key, null, true, null));
+        if (old_value != seed) {
+            if (!dkcobj.setValue(user_token_seed_key, seed, null, null, expire_limit)) { // update new token seed key(value with expire) -> yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>/seed
+                dbglogging_1.default.elog('could not set ' + seed + '(expire=' + expire + ') to ' + user_token_seed_key + ' key');
+                dkcobj.clean();
+                return false;
+            }
+        }
+        subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(user_token_key, true));
+        if (k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, user_token_seed_key)) {
+            if (!dkcobj.setSubkeys(user_token_key, subkeylist)) { // add subkey yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>/seed -> yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>
+                dbglogging_1.default.elog('could not add ' + user_token_seed_key + ' subkey under ' + user_token_key + ' key');
+                dkcobj.clean();
+                return false;
+            }
+        }
+    }
+    // create new token under token top key
+    //
+    // [NOTE]
+    // This key is not set expire limit. if you need to check expire,
+    // you look up key under user key.
+    //
+    if (!dkcobj.setValue(token_value_key, user_token_key)) { // create(over write) value(="yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>") without expire -> yrn:yahoo::::token/<token>
+        dbglogging_1.default.elog('could not set ' + user_token_key + ' value without expire to ' + token_value_key + ' key');
+        dkcobj.clean();
+        return false;
+    }
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_USER_TOP_KEY, true));
+    if (k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, token_value_key)) {
+        if (!dkcobj.setSubkeys(keys.TOKEN_USER_TOP_KEY, subkeylist)) { // add subkey yrn:yahoo::::token:user/<token> -> yrn:yahoo::::token:user
+            dbglogging_1.default.elog('could not add ' + token_value_key + ' subkey under ' + keys.TOKEN_USER_TOP_KEY + ' key');
+            dkcobj.clean();
+            return false;
+        }
+    }
+    dkcobj.clean();
+    return true;
+};
+//---------------------------------------------------------
+// get user unscoped token
+//---------------------------------------------------------
+//
+// Get user token from keystone
+//
+//	result: null or resTypeUserToken
+//				{
+//					user:		user name(if existed, from parameter)
+//					userid:		user id(if existed, from "yrn:yahoo::::user:<user name>:id")
+//					scoped:		false(always false)
+//					token:		token string(id)
+//					expire:		expire string(if existed, null)
+//					region:		region string
+//				}
+//
+// [NOTE]
+// This function is wrapper for osapi.getUserUnscopedToken().
+// This function checks existing unscoped token before call it.
+//
+const rawGetUserUnscopedTokenWrap = (user, passwd, callback) => {
+    const _user = user;
+    const _passwd = k2hr3apiutil_1.default.getSafeString(passwd);
+    const _callback = callback;
+    if (!k2hr3apiutil_1.default.isSafeEntity(osapi)) {
+        const error = new Error('could not load osapi file(object)');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    // get unscoped token
+    osapi.getUserUnscopedToken(_user, _passwd, (err, jsonres) => {
+        if (null !== err || null === jsonres) {
+            const error = new Error('could not get user access token by ' + (err?.message ?? 'unknown'));
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // init user
+        const resobj = k2hr3dkc_1.default.initUser(jsonres.user, jsonres.userid, jsonres.user, null);
+        if (!resobj.result) {
+            const error = new Error(resobj.message ?? '');
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // set unscoped token
+        const token_seed = k2hr3apiutil_1.default.isSafeString(jsonres.token_seed) ? jsonres.token_seed : null;
+        if (!rawSetUserToken(jsonres.user, null, jsonres.token, jsonres.expire, jsonres.region, token_seed)) {
+            const error = new Error('failed to set unscoped/scoped user token');
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // succeed
+        _callback(null, jsonres);
+        return;
+    });
+};
+//---------------------------------------------------------
+// Get Scoped User Token from keystone
+//---------------------------------------------------------
+const rawGetScopedUserToken = (unscopedtoken, username, userid, tenant, callback) => {
+    const _callback = callback;
+    if (!k2hr3apiutil_1.default.isSafeEntity(osapi)) {
+        const error = new Error('could not load osapi file(object)');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    if (!k2hr3apiutil_1.default.isSafeString(unscopedtoken) || !k2hr3apiutil_1.default.isSafeString(username) || !k2hr3apiutil_1.default.isSafeString(userid) || !k2hr3apiutil_1.default.isSafeString(tenant)) {
+        const error = new Error('unscopedtoken or username or userid or tenant parameters are wrong');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    const _unscopedtoken = unscopedtoken;
+    const _username = username;
+    const _userid = userid;
+    const _tenant = tenant.toLowerCase();
+    // get tenant list for check
+    osapi.getUserTenantList(_unscopedtoken, _userid, (err, jsonres) => {
+        if (null !== err || null === jsonres) {
+            const error = new Error('could not get tenant list for user ' + _username + '(token=' + _unscopedtoken + ') by ' + (err?.message ?? 'unknown'));
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        //r3logger.dlog('get user tenant list jsonres=\n' + JSON.stringify(jsonres));
+        // check tenants(and initialize tenants)
+        let _tenant_name = null;
+        //let	_tenant_id: string | null		= null;
+        //let	_tenant_desc: string | null		= null;
+        //let	_tenant_display: string | null	= null;
+        const _tenant_list = new Array(0);
+        for (let cnt = 0; cnt < jsonres.length; ++cnt) {
+            if (!k2hr3apiutil_1.default.isSafeEntity(jsonres[cnt])) {
+                continue;
+            }
+            // over write
+            const resobj = k2hr3dkc_1.default.initUserTenant(_username, _userid, _username, jsonres[cnt].name, jsonres[cnt].id, jsonres[cnt].description, jsonres[cnt].display);
+            if (!resobj.result) {
+                const error = new Error(resobj.message ?? '');
+                dbglogging_1.default.elog(error.message);
+                _callback(error, null);
+                return;
+            }
+            if (k2hr3apiutil_1.default.compareCaseString(jsonres[cnt].name, _tenant)) {
+                // find target tenant
+                _tenant_name = jsonres[cnt].name;
+                //_tenant_id		= jsonres[cnt].id;
+                //_tenant_desc		= jsonres[cnt].description;
+                //_tenant_display	= jsonres[cnt].display;
+            }
+            _tenant_list.push(jsonres[cnt].name);
+        }
+        // get and add local tenants
+        const tmpresobj = k2hr3dkc_1.default.listLocalTenant(_username, true);
+        if (!k2hr3apiutil_1.default.isPlainObject(tmpresobj) || !k2hr3apiutil_1.default.isBoolean(tmpresobj.result) || false === tmpresobj.result || !k2hr3apiutil_1.default.isSafeEntity(tmpresobj.tenants)) {
+            if (k2hr3apiutil_1.default.isPlainObject(tmpresobj) && k2hr3apiutil_1.default.isSafeString(tmpresobj.message)) {
+                dbglogging_1.default.wlog('failed to get local tenant list by ' + tmpresobj.message);
+            }
+            else {
+                dbglogging_1.default.wlog('failed to get local tenant list.');
+            }
+        }
+        else {
+            if (k2hr3dkc_1.default.isDkcTypeTenantInfoList(tmpresobj.tenants)) {
+                for (let cnt2 = 0; cnt2 < tmpresobj.tenants.length; ++cnt2) {
+                    if (!k2hr3dkc_1.default.isDkcTypeTenantInfo(tmpresobj.tenants[cnt2])) {
+                        continue;
+                    }
+                    if (k2hr3apiutil_1.default.compareCaseString(tmpresobj.tenants[cnt2].name, _tenant)) {
+                        // find target tenant
+                        _tenant_name = tmpresobj.tenants[cnt2].name;
+                        //_tenant_id		= tmpresobj.tenants[cnt2].id;
+                        //_tenant_desc		= tmpresobj.tenants[cnt2].desc;
+                        //_tenant_display	= tmpresobj.tenants[cnt2].display;
+                    }
+                    _tenant_list.push(tmpresobj.tenants[cnt2].name);
+                }
+            }
+        }
+        // check and remove old tenant for user
+        if (!k2hr3dkc_1.default.removeComprehensionByNewTenants(_username, _tenant_list)) {
+            dbglogging_1.default.elog('failed to remove some tenant for user, but continue...');
+        }
+        if (!k2hr3apiutil_1.default.isSafeEntity(osapi)) {
+            const error = new Error('could not load osapi file(object)');
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // get scoped token
+        osapi.getUserScopedToken(_unscopedtoken, _tenant_name, (err, jsonres) => {
+            if (null !== err || null === jsonres) {
+                const error = new Error('could not get scoped user token for user ' + _username + ' by ' + (err?.message ?? 'unknown'));
+                dbglogging_1.default.elog(error.message);
+                _callback(error, null);
+                return;
+            }
+            //r3logger.dlog('get user scoped token jsonres=\n' + JSON.stringify(jsonres));
+            const token_seed = k2hr3apiutil_1.default.isSafeString(jsonres.token_seed) ? jsonres.token_seed : null;
+            if (!rawSetUserToken(_username, _tenant_name, jsonres.token, jsonres.expire, jsonres.region, token_seed)) {
+                const error = new Error('failed to set unscoped/scoped user token');
+                dbglogging_1.default.elog(error.message);
+                _callback(error, null);
+                return;
+            }
+            // succeed
+            _callback(null, jsonres.token);
+            return;
+        });
+    });
+};
+//---------------------------------------------------------
+// Get User Token
+//---------------------------------------------------------
+//
+// Get scoped/unscoped user token from keystone
+//
+const rawGetUserToken = (user, passwd, tenant, callback) => {
+    const _callback = callback;
+    if (!k2hr3apiutil_1.default.isSafeString(user)) {
+        const error = new Error('user parameter is wrong');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    const _tenant = k2hr3apiutil_1.default.getSafeString(tenant).toLowerCase();
+    let _user = user;
+    const _passwd = k2hr3apiutil_1.default.getSafeString(passwd);
+    // get unscoped token
+    rawGetUserUnscopedTokenWrap(_user, _passwd, (err, jsonres) => {
+        if (null !== err || null === jsonres) {
+            const error = new Error('could not get user access token by ' + (err?.message ?? 'unknown'));
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // save to local val
+        _user = jsonres.user; // over write
+        const _userid = jsonres.userid;
+        const _username = jsonres.user;
+        const _unscopedtoken = jsonres.token;
+        //const _tokenexpire	= jsonres.expire;
+        //const _region			= jsonres.region;
+        // break when unscoped token
+        if (!k2hr3apiutil_1.default.isSafeString(_tenant)) {
+            _callback(null, _unscopedtoken);
+            return;
+        }
+        // get scoped user token
+        return rawGetScopedUserToken(_unscopedtoken, _username, _userid, _tenant, _callback);
+    });
+};
+//---------------------------------------------------------
+// get user unscoped token from token issued by another authentication system
+//---------------------------------------------------------
+//
+// Get user token from token issued by another authentication system
+//
+//	result: null or resTypeUserToken
+//				{
+//					user:		user name(if existed, from parameter)
+//					userid:		user id(if existed, from "yrn:yahoo::::user:<user name>:id")
+//					scoped:		false(always false)
+//					token:		token string(id)
+//					expire:		expire string(if existed, null)
+//					region:		region string
+//				}
+//
+// [NOTE]
+// This function is wrapper for osapi.getUserUnscopedTokenByToken().
+// This function checks existing unscoped token before call it.
+//
+const rawGetUserUnscopedTokenbyTokenWrap = (token, callback) => {
+    const _orgtoken = token;
+    const _callback = callback;
+    if (!k2hr3apiutil_1.default.isSafeEntity(osapi)) {
+        const error = new Error('could not load osapi file(object)');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    // get unscoped token
+    osapi.getUserUnscopedTokenByToken(_orgtoken, (err, jsonres) => {
+        if (null !== err || null === jsonres) {
+            const error = new Error('could not get user access token by ' + (err?.message ?? 'unknown'));
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // init user
+        const resobj = k2hr3dkc_1.default.initUser(jsonres.user, jsonres.userid, jsonres.user, null);
+        if (!resobj.result) {
+            const error = new Error(resobj.message ?? '');
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // set unscoped token
+        const token_seed = k2hr3apiutil_1.default.isSafeString(jsonres.token_seed) ? jsonres.token_seed : null;
+        if (!rawSetUserToken(jsonres.user, null, jsonres.token, jsonres.expire, jsonres.region, token_seed)) {
+            const error = new Error('failed to set unscoped/scoped user token');
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // succeed
+        _callback(null, jsonres);
+        return;
+    });
+};
+//---------------------------------------------------------
+// Get User Token from token issued by another authentication system
+//---------------------------------------------------------
+//
+// Get scoped/unscoped user token from token issued by another authentication system
+// (ex. openstack identity token which is not registered in k2hr3 yet.)
+//
+const rawGetUserTokenByToken = (token, tenant, callback) => {
+    const _callback = callback;
+    if (!k2hr3apiutil_1.default.isSafeString(token)) {
+        const error = new Error('token parameter is wrong');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    const _tenant = k2hr3apiutil_1.default.getSafeString(tenant).toLowerCase();
+    const _orgtoken = token;
+    // get unscoped token
+    rawGetUserUnscopedTokenbyTokenWrap(_orgtoken, (err, jsonres) => {
+        if (null !== err || null === jsonres) {
+            const error = new Error('could not get user access token by ' + (err?.message ?? 'unknown'));
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        // save to local val
+        const _userid = jsonres.userid;
+        const _username = jsonres.user;
+        const _unscopedtoken = jsonres.token;
+        //const _tokenexpire	= jsonres.expire;							// eslint-disable-line no-unused-vars
+        //const _region			= jsonres.region;							// eslint-disable-line no-unused-vars
+        // break when unscoped token
+        if (!k2hr3apiutil_1.default.isSafeString(_tenant)) {
+            _callback(null, _unscopedtoken);
+            return;
+        }
+        // get scoped user token
+        return rawGetScopedUserToken(_unscopedtoken, _username, _userid, _tenant, _callback);
+    });
+};
+//
+// Get scoped user token from unscoped user token
+//
+const rawGetScopedUserTokenByUnscoped = (unscopedtoken, username, tenant, callback) => {
+    if (!k2hr3apiutil_1.default.isSafeString(unscopedtoken) || !k2hr3apiutil_1.default.isSafeString(username) || !k2hr3apiutil_1.default.isSafeString(tenant)) {
+        const error = new Error('unscopedtoken or username or tenant parameters are wrong');
+        dbglogging_1.default.elog(error.message);
+        callback(error, null);
+        return;
+    }
+    // user id from user name
+    const _tenant = tenant.toLowerCase();
+    const user_info = k2hr3dkc_1.default.getUserId(username); // user id from user name
+    if (null === user_info || !k2hr3apiutil_1.default.isSafeEntity(user_info.name) || !k2hr3apiutil_1.default.isSafeEntity(user_info.id)) {
+        const error = new Error('could not find username(' + username + ') from unscoped token in k2hdkc.');
+        dbglogging_1.default.elog(error.message);
+        callback(error, null);
+        return;
+    }
+    // get scoped user token
+    return rawGetScopedUserToken(unscopedtoken, user_info.name, user_info.id, _tenant, callback);
+};
+//---------------------------------------------------------
+// cleanup user/tenant by token
+//---------------------------------------------------------
+//	utility local function
+//
+// [NOTE]
+// This process can be time consuming when subkey list is too many.
+// In that case, there is a possibility that the consistency of the subkey will be lost.
+// If a new token is added to the subkey list during processing with this function, that
+// token subkey will be overwritten(lost) when this function completes processing.
+// Originally, this subkey list of "yrn:yahoo::::token:user" key has no direct use, so this
+// is not a problem. Because it normally reads the sub key(token key) directly.
+// Please do not read subkey(token key) from the subkey list of "yrn:yahoo::::token:user" key.
+// This subkeys are only useful for "notes".
+//
+const rawCleanupUserToken = (callback) => {
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isPlainObject(dkcobj)) {
+        callback(false);
+        return;
+    }
+    const keys = r3keys();
+    let subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_USER_TOP_KEY, true)); // get subkeys under "yrn:yahoo::::token:user"
+    const retrive_skeys = new Array(0);
+    for (let cnt = 0; cnt < subkeylist.length; ++cnt) {
+        const user_token_key = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(subkeylist[cnt], null, true, null));
+        if (!k2hr3apiutil_1.default.isSafeString(user_token_key)) {
+            // value is not existed, so this key should be removing
+            retrive_skeys.push(subkeylist[cnt]);
+        }
+        else {
+            //
+            // user_token_key => "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>"
+            //
+            const value = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(user_token_key, null, true, null));
+            if (!k2hr3apiutil_1.default.isSafeString(value)) {
+                // user_token_key is not existed or expired.
+                retrive_skeys.push(subkeylist[cnt]);
+                // try remove user_token_key from "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token" subkey list
+                const parent_user_key = k2hr3apiutil_1.default.getParentPath(user_token_key);
+                if (k2hr3apiutil_1.default.isSafeString(parent_user_key)) {
+                    const user_skeys = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(parent_user_key, true)); // get subkeys under "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token"
+                    if (k2hr3apiutil_1.default.removeStringFromArray(user_skeys, user_token_key)) {
+                        if (!dkcobj.setSubkeys(parent_user_key, user_skeys)) { // update subkey -> "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token"
+                            dbglogging_1.default.wlog('could not update subkey under ' + parent_user_key + ' key, but continue...');
+                        }
+                    }
+                }
+                else {
+                    dbglogging_1.default.wlog('could not get parent key from ' + user_token_key + ' key, but skip it and continue...');
+                }
+            }
+        }
+    }
+    if (0 < retrive_skeys.length) {
+        // need to remove keys from subkey list
+        let is_update = false;
+        subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_USER_TOP_KEY, true)); // re-get subkeys under "yrn:yahoo::::token:user"
+        for (let cnt = 0; cnt < retrive_skeys.length; ++cnt) {
+            if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, retrive_skeys[cnt])) {
+                is_update = true;
+            }
+        }
+        if (is_update) {
+            if (!dkcobj.setSubkeys(keys.TOKEN_USER_TOP_KEY, subkeylist)) { // update subkey -> "yrn:yahoo::::token:user"
+                dbglogging_1.default.elog('could not update subkey under ' + keys.TOKEN_USER_TOP_KEY + ' key, but continue...');
+                dkcobj.clean();
+                callback(false);
+                return;
+            }
+        }
+    }
+    dkcobj.clean();
+    callback(true);
+};
+//---------------------------------------------------------
+// get tenant list by token
+//---------------------------------------------------------
+// result:	resTypeUserTenantInfo = {
+//					user: xxx,
+//					tenant: xxxx,
+//					region: xxxxx
+//			}
+//
+//	[NOTE]		Must initialize User/Tenant before calling this function.
+//
+const rawGetUserTenantByToken = (token) => {
+    if (!k2hr3apiutil_1.default.isSafeString(token)) {
+        dbglogging_1.default.elog('token parameters are wrong : token=' + JSON.stringify(token));
+        return null;
+    }
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isPlainObject(dkcobj)) {
+        return null;
+    }
+    //
+    // Get subkeys under token top key
+    //
+    const keys = r3keys();
+    const token_value_key = keys.TOKEN_USER_TOP_KEY + '/' + token; // "yrn:yahoo::::token:user/<token>"
+    // get token key under user key
+    const user_token_key = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(token_value_key, null, true, null)); // "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>"
+    if (!k2hr3apiutil_1.default.isSafeString(user_token_key)) {
+        dbglogging_1.default.dlog('token key(' + token_value_key + ') for token(' + token + ') is not existed.');
+        dkcobj.clean();
+        //
+        // check and remove old token under token top key("yrn:yahoo::::token:user" and "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>")
+        // if old token is expired
+        //
+        // [NOTE]
+        // This processing is taking time, so it runs asynchronously.
+        // And for notes on this processing, refer to NOTE of rawCleanupUserToken function.
+        //
+        rawCleanupUserToken((result) => {
+            if (!result) {
+                dbglogging_1.default.wlog('Failed to cleanup expired user tokens under ' + keys.TOKEN_USER_TOP_KEY + ' key, but continue...');
+            }
+        });
+        return null;
+    }
+    // get user token key's value which is region
+    const region = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(user_token_key, null, true, null)); // "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>" value is region
+    if (!k2hr3apiutil_1.default.isSafeString(region)) {
+        dbglogging_1.default.dlog('token key(' + user_token_key + ') for token(' + token + ') is not existed.');
+        dkcobj.clean();
+        //
+        // check and remove old token under token top key("yrn:yahoo::::token:user" and "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>")
+        // if old token is expired
+        //
+        // [NOTE] look forwards
+        //
+        rawCleanupUserToken((result) => {
+            if (!result) {
+                dbglogging_1.default.wlog('Failed to cleanup expired user tokens under ' + keys.TOKEN_USER_TOP_KEY + ' key, but continue...');
+            }
+        });
+        return null;
+    }
+    // user_token_key format is "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>"
+    const pattern = new RegExp('^' + keys.MATCH_ANY_USER_TOKEN); // regex = /^yrn:yahoo::::user:(.*):tenant/(.*)/token/(.*)/
+    const matches = user_token_key.match(pattern); // reverse to user/tenant names
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(matches) || matches.length < 4 || '' === k2hr3apiutil_1.default.getSafeString(matches[1])) {
+        dbglogging_1.default.elog('token key(' + token_value_key + ') for token(' + token + ') has wrong format value(' + user_token_key + ')');
+        dkcobj.clean();
+        return null;
+    }
+    const user_name = k2hr3apiutil_1.default.getSafeString(matches[1]);
+    let tenant_name = k2hr3apiutil_1.default.getSafeString(matches[2]);
+    let tenant_display = null;
+    let tenant_id = null;
+    let tenant_desc = null;
+    if ('' === tenant_name) {
+        tenant_name = null;
+    }
+    else {
+        const tenant_keys = r3keys(user_name, tenant_name);
+        tenant_display = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(tenant_keys.TENANT_DISP_KEY, null, true, null));
+        tenant_id = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(tenant_keys.TENANT_ID_KEY, null, true, null));
+        tenant_desc = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(tenant_keys.TENANT_DESC_KEY, null, true, null));
+    }
+    // if token has seed, need to check seed
+    const user_token_seed_key = user_token_key + '/' + keys.SEED_KW; // "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>/seed"
+    const token_seed = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(user_token_seed_key, null, true, null));
+    if (k2hr3apiutil_1.default.isSafeString(token_seed)) {
+        // token has seed, then we need to check manually.
+        //
+        //r3logger.dlog('token key(' + user_token_key + ') has seed.');
+        if (!k2hr3apiutil_1.default.isSafeEntity(osapi)) {
+            dbglogging_1.default.elog('could not load osapi file(object)');
+            dkcobj.clean();
+            return null;
+        }
+        const vres = osapi.verifyUserToken(dkcobj, user_name, tenant_name, token, token_seed);
+        if (!vres.result) {
+            dbglogging_1.default.elog('failed to verify token(' + token + ') with seed by ' + (vres?.message ?? ''));
+            dkcobj.clean();
+            return null;
+        }
+    }
+    dkcobj.clean();
+    const result = {
+        user: user_name,
+        tenant: tenant_name,
+        display: tenant_display,
+        id: tenant_id,
+        description: tenant_desc,
+        region: region
+    };
+    return result;
+};
+//---------------------------------------------------------
+// Check User Token
+//---------------------------------------------------------
+//
+// Check User Token
+//
+// result		:	null or token information
+//					{
+//						role:			role name
+//						user:			user name
+//						hostname:		always null
+//						ip:				always null
+//						port:			always 0
+//						cuk:			always null
+//						extra:			always null
+//						tenant:			tenant name
+//						display:		display alias name for tenant
+//						id:				tenant id string
+//						description:	description for tenant
+//						scoped:			role token is always scoped(true)
+//						region:			when user token, the creator region name of the token
+//					}
+//
+const rawCheckUserToken = (token) => {
+    if (!k2hr3apiutil_1.default.isSafeString(token)) {
+        dbglogging_1.default.elog('token parameter is wrong');
+        return null;
+    }
+    // get user/tenant from token
+    const tenant_info = rawGetUserTenantByToken(token);
+    if (null === tenant_info || !k2hr3apiutil_1.default.isSafeEntity(tenant_info.user)) {
+        dbglogging_1.default.elog('token is not any user/tenant(expired or wrong token)');
+        return null;
+    }
+    // check scoped flag
+    let scoped = false;
+    if (k2hr3apiutil_1.default.isSafeEntity(tenant_info.tenant)) {
+        scoped = true;
+    }
+    const token_info = {
+        role: null,
+        user: tenant_info.user ?? null,
+        hostname: null,
+        ip: null,
+        port: 0,
+        cuk: null,
+        extra: null,
+        tenant: tenant_info.tenant ?? null,
+        display: tenant_info.display ?? null,
+        id: tenant_info.id ?? null,
+        description: tenant_info.description ?? null,
+        region: tenant_info.region ?? null,
+        scoped: scoped
+    };
+    return token_info;
+};
+//---------------------------------------------------------
+// remove scoped user token
+//---------------------------------------------------------
+//
+//	token		scoped user token
+//
+//	[NOTE]		This removes(force expire) scoped user token for
+//				using ACR API.
+//				The token used by ACR must be removed after checking
+//				it, because this case allows using token one time.
+//
+const rawRemoveScopedUserToken = (token) => {
+    if (!k2hr3apiutil_1.default.isSafeString(token)) {
+        dbglogging_1.default.elog('parameter is wrong : token=' + JSON.stringify(token));
+        return false;
+    }
+    //
+    // Check token
+    //
+    if (0 === token.indexOf('R=')) {
+        dbglogging_1.default.elog('token(' + JSON.stringify(token) + ') is role token.');
+        return false;
+    }
+    else if (0 === token.indexOf('U=')) {
+        token = token.substr(2); // cut 'U='
+    }
+    const token_info = rawCheckUserToken(token);
+    if (null === token_info ||
+        !k2hr3apiutil_1.default.isSafeString(token_info.user) ||
+        !k2hr3apiutil_1.default.isSafeString(token_info.tenant) ||
+        !k2hr3apiutil_1.default.isSafeEntity(token_info.scoped) ||
+        !k2hr3apiutil_1.default.isBoolean(token_info.scoped) ||
+        true !== token_info.scoped) {
+        dbglogging_1.default.elog('token(' + JSON.stringify(token) + ') is something wrong.');
+        return false;
+    }
+    //
+    // Remove token
+    //
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    let errmsg = '';
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        return false;
+    }
+    //
+    // Keys
+    //
+    const keys = r3keys(token_info.user, token_info.tenant);
+    const token_top_key = keys.TOKEN_USER_TOP_KEY; // "yrn:yahoo::::token:user"
+    const token_value_key = keys.TOKEN_USER_TOP_KEY + '/' + token; // "yrn:yahoo::::token:user/<token>"
+    const utoken_top_key = keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY; // "yrn:yahoo::::user:<user>:tenant/<tenant>/token"
+    const utoken_token_key = keys.USER_TENANT_AMBIGUOUS_TOKEN_KEY + '/' + token; // "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>"
+    const utoken_seed_key = utoken_token_key + '/' + keys.SEED_KW; // "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>/seed"
+    //
+    // check under token top
+    //
+    let subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(token_top_key, true));
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, token_value_key)) { // remove subkeys "yrn:yahoo::::token:user/<token>" -> "yrn:yahoo::::token:user"
+        if (!dkcobj.setSubkeys(token_top_key, subkeylist)) {
+            errmsg += 'could not remove ' + token_value_key + ' subkey under ' + token_top_key + ' key, ';
+        }
+    }
+    if (!dkcobj.remove(token_value_key, false)) { // remove key "yrn:yahoo::::token:user/<token>"
+        errmsg += 'could not remove ' + token_value_key + 'key, probably it is not existed, ';
+    }
+    //
+    // check under user top
+    //
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(utoken_top_key, true));
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, utoken_token_key)) { // remove subkeys "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>" -> "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token"
+        if (!dkcobj.setSubkeys(utoken_top_key, subkeylist)) {
+            errmsg += 'could not remove ' + utoken_token_key + ' subkey under ' + utoken_top_key + ' key, ';
+        }
+    }
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(utoken_token_key, true));
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, utoken_seed_key)) { // remove subkeys "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>/seed" -> "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>"
+        if (!dkcobj.setSubkeys(utoken_token_key, subkeylist)) {
+            errmsg += 'could not remove ' + utoken_seed_key + ' subkey under ' + utoken_token_key + ' key, ';
+        }
+    }
+    if (!dkcobj.remove(utoken_seed_key, false)) { // remove key "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>/seed"
+        errmsg += 'could not remove ' + utoken_seed_key + 'key, probably it is not existed, ';
+    }
+    if (!dkcobj.remove(utoken_token_key, false)) { // remove key "yrn:yahoo::::user:<user>:tenant/{<tenant>}/token/<token>"
+        errmsg += 'could not remove ' + utoken_token_key + 'key, probably it is not existed, ';
+    }
+    if (k2hr3apiutil_1.default.isSafeString(errmsg)) {
+        dbglogging_1.default.elog(errmsg);
+    }
+    dkcobj.clean();
+    return true; // Returns true even if there is an error in deletion processing
+};
+//---------------------------------------------------------
+// [Role Token]
+//---------------------------------------------------------
+//
+// Token:				Token Id(################)
+// X-Auth-Token:		R=Token Id
+// Token Id:			The "Token Id" is a unique hex number string for 128bit.
+//						"Token Id" = "(<base id(64bit:8byte)> ^ <crypt id(64bit:8byte)>)" + "(<role id(64bit:8byte)> ^ <crypt id(64bit:8byte)>)"
+// Role Token Key:		"yrn:yahoo::::token:role/<Token Id>"
+// Role Token Value:	= dkcTypeRoleTokenValue {
+//							role:		"role full yrn"
+//							date:		"UTC ISO 8601 time at create"
+//							expire:		"UTC ISO 8601 time at expire"
+//							creator:	"Host full yrn" or "User full yrn"
+//							base:		"id from host" or "last 64bit string in UserToken"
+//							user:		"user name", if creator is user, this value is user name.(if not, this is null)
+//							ip:			"ip address", if creator is host, this value is ip address.(if not, this is null)
+//							hostname:	"hostname", if creator is host, this value is hostname.(if not, this is null)
+//							port:		"port number", if creator is host, this value is port number.(if not, this is 0)
+//							cuk:		"cuk", if creator is host on iaas, this value is cuk.(allowed null)
+//							extra:		"extra", if creator is host on iaas, this value is extra.(allowed null)
+//							tenant:		"tenant name" for this role token(this mean token is scoped)
+//							verify:		"random 64bit id for verify token"
+//						}
+//
+// [NOTE]
+// "role id" which is in "Token Id" is included from role key(yrn:yahoo:<Tenant>:::role:<role name>/id).
+// This value is secret, any API could not get this value directly.
+//
+//---------------------------------------------------------
+// Get Role Token From user(token)
+//---------------------------------------------------------
+//
+// user			:	this value is parsed from user token
+// tenant		:	this value is parsed from user token
+// role			:	target role name(full yrn or only role name)
+// expire_limit	:	specify expire second(default 24H = 24 * 60 * 60 sec, 0 means no expire time.)
+//
+// result		:	resTypeGetRoleToken = {
+//						result:		true/false
+//						message:	null or error message string
+//						token:		undefined(error) or role token string
+// 					}
+//
+// [NOTE]
+// set role token value is following:
+// 					dkcTypeRoleTokenValue = {
+//						role:		token's role yrn("yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}")
+//						date:		create date(UTC ISO 8601)
+//						expire:		expire date(UTC ISO 8601)
+//						creator:	creator yrn("yrn:yahoo::::user:<user>" or "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/hosts/ip/<ip:port>")
+//						user:		if creator is user, this value is user name.
+//						hostname:	always null
+//						ip:			always null
+//						port:		if creator is host, this value is port number.(if not, this is 0)
+//						cuk:		if creator is host on iaas, this value is cuk.(allowed null)
+//						extra:		if creator is host on iaas, this value is extra.(allowed null)
+//						tenant:		tenant name for this role token(this mean token is scoped)
+//						base:		32bytes hex string
+//					}
+//
+const rawGetRoleTokenByUser = (user, tenant, role, expire_limit) => {
+    const resobj = { result: true, message: null };
+    if (!k2hr3apiutil_1.default.isSafeString(user) || !k2hr3apiutil_1.default.isSafeString(tenant) || !k2hr3apiutil_1.default.isSafeString(role)) { // allow other argument is empty
+        resobj.result = false;
+        resobj.message = 'some parameters are wrong : user=' + JSON.stringify(user) + ', tenant=' + JSON.stringify(tenant) + ', role=' + JSON.stringify(role);
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    if (!k2hr3apiutil_1.default.isSafeNumber(expire_limit)) { // expire_limit must be number or null(undefined)
+        expire_limit = expire_rtoken; // default 24H
+    }
+    else {
+        if (0 == expire_limit) {
+            // [NOTE]
+            // If 0, set the maximum value to 10 years.
+            // Disable expire by setting a period of time within which this
+            // application is guaranteed not to survive, as permitted by ISO8601.
+            //
+            expire_limit = expire_reg_rtoken;
+        }
+    }
+    // check role name is only name or full yrn path
+    const keys = r3keys(user, tenant);
+    role = role.toLowerCase();
+    let roleptn = new RegExp('^' + keys.MATCH_ANY_TENANT_ROLE); // regex = /^yrn:yahoo:(.*)::(.*):role:(.*)/
+    const rolematchs = role.match(roleptn);
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(rolematchs) || rolematchs.length < 4) {
+        // role is not matched role(maybe not full yrn), then we need check it is another yrn path
+        roleptn = new RegExp('^' + keys.NO_TENANT_KEY); // regex = /^yrn:yahoo:/
+        if (role.match(roleptn)) {
+            resobj.result = false;
+            resobj.message = 'role(' + role + ') is not role yrn path)';
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // role is only role name, then we do not modify it.
+    }
+    else {
+        // check tenant name
+        if (tenant !== rolematchs[2]) {
+            resobj.result = false;
+            resobj.message = 'role(' + role + ') yrn has tenant(' + rolematchs[2] + '), but it is not specified tenant(' + tenant + ')';
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // role is set only role name
+        role = rolematchs[3];
+    }
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    let subkeylist;
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        resobj.result = false;
+        resobj.message = 'Not initialize yet.';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    //
+    // keys
+    //
+    const role_key = keys.ROLE_TOP_KEY + ':' + role; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}"
+    const role_id_key = role_key + '/' + keys.ID_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/id"
+    const role_tokens_key = role_key + '/' + keys.ROLE_TOKEN_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens"
+    // user id
+    const user_id = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(keys.USER_ID_KEY, null, true, null)); // get user id from "yrn:yahoo::::user:<user name>:id"
+    if (!k2hr3apiutil_1.default.isSafeString(user_id)) {
+        resobj.result = false;
+        resobj.message = 'could not get user id(' + keys.USER_ID_KEY + ') value, or it is wrong value(' + JSON.stringify(user_id) + ').';
+        dbglogging_1.default.elog(resobj.message);
+        dkcobj.clean();
+        return resobj;
+    }
+    // role id
+    let role_id = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(role_id_key, null, true, null));
+    if (!k2hr3apiutil_1.default.isSafeStrUuid4(role_id)) {
+        let isError = false;
+        const old_role_id = k2hr3apiutil_1.default.parseJSON(role_id);
+        if (k2hr3apiutil_1.default.isNotEmptyArray(old_role_id) && 4 == old_role_id.length) {
+            // old version id, so reset new valus(UUID4) here.
+            role_id = k2hr3apiutil_1.default.getStrUuid4();
+            if (!dkcobj.setValue(role_id_key, role_id)) { // set value -> yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/id
+                isError = true;
+                resobj.message = 'could not get role id(' + role_id_key + ') value, because failed to reset new role id instead of old id.';
+            }
+        }
+        else {
+            isError = true;
+            resobj.message = 'could not get role id(' + role_id_key + ') value, or it is wrong value(' + JSON.stringify(role_id) + ').';
+        }
+        if (isError) {
+            resobj.result = false;
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // make token value
+    const now_unixtime = k2hr3apiutil_1.default.getUnixtime();
+    const token_value = {
+        role: role_key, // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}"
+        date: (new Date(now_unixtime * 1000)).toISOString(), // now date(UTC ISO 8601)
+        expire: (new Date((now_unixtime + expire_limit) * 1000)).toISOString(), // expire date(UTC ISO 8601)
+        creator: keys.USER_KEY, // "yrn:yahoo::::user:<user>"
+        user: user, // user(creator)
+        hostname: null, // hostname(creator)
+        ip: null, // ip(creator)
+        port: 0, // port(creator)
+        cuk: null, // cuk(creator)
+        extra: null, // extra(creator)
+        tenant: tenant // tenant(scope)
+    };
+    // role token and yrn key
+    let role_token = '';
+    let token_role_key = null;
+    // create key
+    for (let is_loop = true; is_loop;) { // for eslint
+        // make role token
+        const token_elements = k2hr3apiutil_1.default.makeStringToken256(user_id, role_id);
+        if (!k2hr3apiutil_1.default.isSafeEntity(token_elements)) {
+            resobj.result = false;
+            resobj.message = 'could not make token from ' + JSON.stringify(user_id) + ' and ' + JSON.stringify(role_id);
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+        role_token = token_elements.str_token;
+        token_value.base = token_elements.str_base; // token base
+        // role token key
+        token_role_key = keys.TOKEN_ROLE_TOP_KEY + '/' + role_token; // "yrn:yahoo::::token:role/<role token>"
+        // get role token for existing check
+        const value = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(token_role_key, null, true, null));
+        if (!k2hr3apiutil_1.default.isSafeString(value)) {
+            // set value to role token
+            if (!dkcobj.setValue(token_role_key, JSON.stringify(token_value), null, null, expire_limit)) { // set token value -> yrn:yahoo::::token:role/<role token>
+                resobj.result = false;
+                resobj.message = 'could not set ' + JSON.stringify(token_value) + ' value to ' + token_role_key + ' key';
+                dbglogging_1.default.elog(resobj.message);
+                dkcobj.clean();
+                return resobj;
+            }
+            break;
+        }
+        else {
+            dbglogging_1.default.dlog('conflict role token(' + role_token + ') which already is used, so remake token for uniq.');
+        }
+    }
+    // Add token to role token top key's subkey list
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_ROLE_TOP_KEY, true));
+    if (k2hr3apiutil_1.default.isSafeString(token_role_key) && k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, token_role_key)) {
+        if (!dkcobj.setSubkeys(keys.TOKEN_ROLE_TOP_KEY, subkeylist)) { // add subkey yrn:yahoo::::token:role/<role token> -> yrn:yahoo::::token:role
+            resobj.result = false;
+            resobj.message = 'could not add ' + token_role_key + ' subkey under ' + keys.TOKEN_ROLE_TOP_KEY + ' key';
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // Add token to role tokens key's subkey list
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(role_tokens_key, true));
+    if (k2hr3apiutil_1.default.isSafeString(token_role_key) && k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, token_role_key)) {
+        if (!dkcobj.setSubkeys(role_tokens_key, subkeylist)) { // add subkey yrn:yahoo::::token:role/<role token> -> yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens
+            resobj.result = false;
+            resobj.message = 'could not add ' + token_role_key + ' subkey under ' + role_tokens_key + ' key';
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // Add role token into result object.
+    resobj.token = role_token;
+    dkcobj.clean();
+    return resobj;
+};
+//---------------------------------------------------------
+// Get Role Token From ip address
+//---------------------------------------------------------
+// ip			:	ip address
+// port			:	port number(0, undefined, null means any port)
+// cuk			:	container unique key(undefined, null means any)
+// tenant		:	tenant name
+// role			:	target role name(full yrn or only role name)
+// expire_limit	:	specify expire second(default 24H = 24 * 60 * 60 sec)
+//
+// result		:	resTypeGetRoleToken = {
+//						result:		true/false
+//						message:	null or error message string
+//						token:		undefined(error) or role token string
+// 					}
+//
+// [NOTE]
+// set role token value is following:
+// 					dkcTypeRoleTokenValue = {
+//						role:		token's role yrn("yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}")
+//						date:		create date(UTC ISO 8601)
+//						expire:		expire date(UTC ISO 8601)
+//						creator:	creator yrn("yrn:yahoo::::user:<user>" or "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/hosts/ip/<ip:port>")
+//						user:		always null
+//						hostname:	always null
+//						ip:			if creator is host, this value is ip address.
+//						port:		if creator is host, this value is port number.(if not, this is 0)
+//						cuk:		if creator is host on iaas, this value is cuk.(allowed null)
+//						extra:		if creator is host on iaas, this value is extra.(allowed null)
+//						tenant:		tenant name for this role token(this mean token is scoped)
+//						base:		32bytes hex string
+//					}
+//
+// The role token which is built by host is made by only IP address.
+// Hostname can not build a role token, because it is not secure.(= Hostname can easily be disguised.)
+// Then only IP address can build a role token without UserToken.
+//
+const rawGetRoleTokenByIP = (ip, port, cuk, tenant, role, expire_limit) => {
+    const resobj = { result: true, message: null };
+    if (!k2hr3apiutil_1.default.isSafeString(tenant) || !k2hr3apiutil_1.default.isSafeString(role) || !k2hr3apiutil_1.default.isSafeString(ip)) { // allow other argument is empty
+        resobj.result = false;
+        resobj.message = 'some parameters are wrong : tenant=' + JSON.stringify(tenant) + ', role=' + JSON.stringify(role) + ', ip' + JSON.stringify(ip);
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    if (!k2hr3apiutil_1.default.isSafeNumber(port)) { // port must be number or null(undefined)
+        port = 0; // force set port 0(any).
+    }
+    if (!k2hr3apiutil_1.default.isSafeString(cuk)) { // cuk is string if spacified
+        cuk = null; // force set null.
+    }
+    if (!k2hr3apiutil_1.default.isSafeNumber(expire_limit)) { // expire_limit must be number or null(undefined)
+        expire_limit = expire_rtoken; // default 24H
+    }
+    // check role name is only name or full yrn path
+    const keys = r3keys(null, tenant);
+    role = role.toLowerCase();
+    let roleptn = new RegExp('^' + keys.MATCH_ANY_TENANT_ROLE); // regex = /^yrn:yahoo:(.*)::(.*):role:(.*)/
+    const rolematchs = role.match(roleptn);
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(rolematchs) || rolematchs.length < 4) {
+        // role is not matched role(maybe not full yrn), then we need check it is another yrn path
+        roleptn = new RegExp('^' + keys.NO_TENANT_KEY); // regex = /^yrn:yahoo:/
+        if (role.match(roleptn)) {
+            resobj.result = false;
+            resobj.message = 'role(' + role + ') is not role yrn path)';
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // role is only role name, then we do not modify it.
+    }
+    else {
+        // check tenant name
+        if (tenant !== rolematchs[2]) {
+            resobj.result = false;
+            resobj.message = 'role(' + role + ') yrn has tenant(' + rolematchs[2] + '), but it is not specified tenant(' + tenant + ')';
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // role is set only role name
+        role = rolematchs[3];
+    }
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        resobj.result = false;
+        resobj.message = 'Not initialize yet.';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    //
+    // keys
+    //
+    const role_key = keys.ROLE_TOP_KEY + ':' + role; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}"
+    const role_id_key = role_key + '/' + keys.ID_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/id"
+    const role_tokens_key = role_key + '/' + keys.ROLE_TOKEN_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens"
+    // find host key and get host id for base id
+    const host_info = k2hr3dkc_1.default.findRoleHost(dkcobj, role_key, null, ip, port, cuk);
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(host_info)) {
+        resobj.result = false;
+        resobj.message = 'Not found ip(' + ip + ') with port(' + String(port) + ') and cuk(' + JSON.stringify(cuk) + ') in tenant(' + tenant + ') + role(' + role + ')';
+        dbglogging_1.default.elog(resobj.message);
+        dkcobj.clean();
+        return resobj;
+    }
+    let host_value = null;
+    for (let pos = 0; pos < host_info.length; ++pos) {
+        const host_info_tmp = host_info[pos];
+        if (!k2hr3apiutil_1.default.isPlainObject(host_info_tmp) || !k2hr3apiutil_1.default.isSafeString(host_info_tmp.key)) {
+            dbglogging_1.default.dlog('Found ip(' + ip + ') with port(' + String(port) + ') in tenant(' + tenant + ') + role(' + role + '), but this host info(' + JSON.stringify(host_info_tmp) + ') is something wrong, skip it');
+            continue;
+        }
+        const host_value_tmp = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(host_info_tmp.key, null, true, null));
+        host_value = k2hr3apiutil_1.default.parseJSON(host_value_tmp);
+        if (!k2hr3apiutil_1.default.isPlainObject(host_value) ||
+            (!k2hr3apiutil_1.default.isSafeString(host_value.hostname) && !k2hr3apiutil_1.default.isSafeString(host_value.ip)) || // hostname or ip is existed
+            !k2hr3apiutil_1.default.isSafeEntity(host_value.port) ||
+            !k2hr3apiutil_1.default.isSafeString(host_value[keys.ID_KW])) {
+            dbglogging_1.default.dlog('Found ip(' + ip + ') with port(' + String(port) + ') in tenant(' + tenant + ') + role(' + role + '), but this host value(' + JSON.stringify(host_value) + ') is something wrong, skip it');
+        }
+        else {
+            // found safe host info, we use this.
+            host_value.key = host_info_tmp.key;
+            host_value.cuk = host_info_tmp.cuk;
+            host_value.extra = host_info_tmp.extra;
+            break;
+        }
+        host_value = null;
+    }
+    if (!k2hr3apiutil_1.default.isPlainObject(host_value)) {
+        resobj.result = false;
+        resobj.message = 'Found ip(' + ip + ') with port(' + String(port) + ') in tenant(' + tenant + ') + role(' + role + '), but there is not safe any host info';
+        dbglogging_1.default.elog(resobj.message);
+        dkcobj.clean();
+        return resobj;
+    }
+    // role id
+    let role_id = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(role_id_key, null, true, null));
+    if (!k2hr3apiutil_1.default.isSafeStrUuid4(role_id)) {
+        let isError = false;
+        const old_role_id = k2hr3apiutil_1.default.parseJSON(role_id);
+        if (k2hr3apiutil_1.default.isNotEmptyArray(old_role_id) && 4 == old_role_id.length) {
+            // old version id, so reset new valus(UUID4) here.
+            role_id = k2hr3apiutil_1.default.getStrUuid4();
+            if (!dkcobj.setValue(role_id_key, role_id)) { // set value -> yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/id
+                isError = true;
+                resobj.message = 'could not get role id(' + role_id_key + ') value, because failed to reset new role id instead of old id.';
+            }
+        }
+        else {
+            isError = true;
+            resobj.message = 'could not get role id(' + role_id_key + ') value, or it is wrong value(' + JSON.stringify(role_id) + ').';
+        }
+        if (isError) {
+            resobj.result = false;
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // make token value
+    const now_unixtime = k2hr3apiutil_1.default.getUnixtime();
+    const tmp_date = (new Date(now_unixtime * 1000)).toISOString();
+    const tmp_expire = (new Date((now_unixtime + expire_limit) * 1000)).toISOString();
+    const tmp_creator = k2hr3apiutil_1.default.getSafeString(host_value.key);
+    const tmp_ip = k2hr3apiutil_1.default.isSafeString(host_value.ip) ? host_value.ip : null;
+    const tmp_port = k2hr3apiutil_1.default.cvtToNumber(host_value.port) ?? 0;
+    const tmp_cuk = k2hr3apiutil_1.default.isSafeString(host_value.cuk) ? host_value.cuk : null;
+    const tmp_extra = k2hr3apiutil_1.default.isSafeString(host_value.extra) ? host_value.extra : null;
+    const token_value = {
+        role: role_key, // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}"
+        date: tmp_date, // now date(UTC ISO 8601)
+        expire: tmp_expire, // expire date(UTC ISO 8601)
+        creator: tmp_creator, // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/hosts/ip/<ip:port>"
+        user: null, // user(creator)
+        hostname: null, // hostname(null)
+        ip: tmp_ip, // ip(creator)
+        port: tmp_port, // port(creator)
+        cuk: tmp_cuk, // cuk(creator)
+        extra: tmp_extra, // extra(creator)
+        tenant: tenant, // tenant(scope)
+    };
+    // role token and yrn key
+    let role_token = '';
+    let token_role_key = null;
+    // create key
+    for (let is_loop = true; is_loop;) { // for eslint
+        // make role token
+        const token_elements = k2hr3apiutil_1.default.makeStringToken256(host_value[keys.ID_KW], role_id);
+        if (!k2hr3apiutil_1.default.isSafeEntity(token_elements)) {
+            resobj.result = false;
+            resobj.message = 'could not make token from ' + JSON.stringify(host_value[keys.ID_KW]) + ' and ' + JSON.stringify(role_id);
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+        role_token = token_elements.str_token;
+        token_value.base = token_elements.str_base; // token base
+        // role token key
+        token_role_key = keys.TOKEN_ROLE_TOP_KEY + '/' + role_token; // "yrn:yahoo::::token:role/<role token>"
+        // get role token for existing check
+        const value = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(token_role_key, null, true, null));
+        if (!k2hr3apiutil_1.default.isSafeString(value)) {
+            // set value to role token
+            if (!dkcobj.setValue(token_role_key, JSON.stringify(token_value), null, null, expire_limit)) { // set token value -> yrn:yahoo::::token:role/<role token>
+                resobj.result = false;
+                resobj.message = 'could not set ' + JSON.stringify(token_value) + ' value to ' + token_role_key + ' key';
+                dbglogging_1.default.elog(resobj.message);
+                dkcobj.clean();
+                return resobj;
+            }
+            break;
+        }
+        else {
+            dbglogging_1.default.dlog('conflict role token(' + role_token + ') which already is used, so remake token for uniq.');
+        }
+    }
+    // Add token to role token top key's subkey list
+    let subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_ROLE_TOP_KEY, true));
+    if (k2hr3apiutil_1.default.isSafeString(token_role_key) && k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, token_role_key)) {
+        if (!dkcobj.setSubkeys(keys.TOKEN_ROLE_TOP_KEY, subkeylist)) { // add subkey yrn:yahoo::::token:role/<role token> -> yrn:yahoo::::token:role
+            dbglogging_1.default.elog('could not add ' + token_role_key + ' subkey under ' + keys.TOKEN_ROLE_TOP_KEY + ' key');
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // Add token to role tokens key's subkey list
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(role_tokens_key, true));
+    if (k2hr3apiutil_1.default.isSafeString(token_role_key) && k2hr3apiutil_1.default.tryAddStringToArray(subkeylist, token_role_key)) {
+        if (!dkcobj.setSubkeys(role_tokens_key, subkeylist)) { // add subkey yrn:yahoo::::token:role/<role token> -> yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens
+            resobj.result = false;
+            resobj.message = 'could not add ' + token_role_key + ' subkey under ' + role_tokens_key + ' key';
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // Add role token into result object.
+    resobj.token = role_token;
+    dkcobj.clean();
+    return resobj;
+};
+//---------------------------------------------------------
+// cleanup role by token
+//---------------------------------------------------------
+// utility local function
+//
+// [NOTE]
+// This process can be time consuming when subkey list is too many.
+// In that case, there is a possibility that the consistency of the subkey will be lost.
+// If a new token is added to the subkey list during processing with this function, that
+// token subkey will be overwritten(lost) when this function completes processing.
+// Originally, this subkey list of "yrn:yahoo::::token:role" key has no direct use, so this
+// is not a problem. Because it normally reads the sub key(token key) directly.
+// Please do not read subkey(token key) from the subkey list of "yrn:yahoo::::token:role" key.
+// This subkeys are only useful for "notes".
+//
+const rawCleanupRoleToken = (callback) => {
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        callback(false);
+        return;
+    }
+    const keys = r3keys();
+    const subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_ROLE_TOP_KEY, true)); // get subkeys under "yrn:yahoo::::token:role"
+    let is_changed = false;
+    const newsubkeylist = new Array(0);
+    for (let cnt = 0; cnt < subkeylist.length; ++cnt) {
+        let role_tokens_key;
+        // not use attributes for getting role path
+        const value_tmp = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(subkeylist[cnt], null, false, null));
+        let value = k2hr3apiutil_1.default.parseJSON(value_tmp);
+        if (k2hr3apiutil_1.default.isPlainObject(value) && k2hr3apiutil_1.default.isSafeString(value.role)) {
+            role_tokens_key = value.role + '/' + keys.ROLE_TOKEN_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens"
+        }
+        else {
+            role_tokens_key = null;
+        }
+        // use attributes for getting role path
+        value = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(subkeylist[cnt], null, true, null));
+        if (!k2hr3apiutil_1.default.isSafeString(value)) {
+            is_changed = true;
+            // remove role token from role's tokens subkey
+            if (null !== role_tokens_key) {
+                const tokenlist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(role_tokens_key, true));
+                if (k2hr3apiutil_1.default.removeStringFromArray(tokenlist, subkeylist[cnt])) {
+                    if (!dkcobj.setSubkeys(role_tokens_key, tokenlist)) { // update subkey -> yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens
+                        dbglogging_1.default.elog('could not update subkey under ' + role_tokens_key + ' key, but continue...');
+                    }
+                }
+            }
+        }
+        else {
+            newsubkeylist.push(subkeylist[cnt]);
+        }
+    }
+    if (false === is_changed) {
+        dkcobj.clean();
+        callback(true);
+        return;
+    }
+    if (!dkcobj.setSubkeys(keys.TOKEN_ROLE_TOP_KEY, newsubkeylist)) { // add subkeys -> yrn:yahoo::::token:role
+        dbglogging_1.default.elog('could not update subkeys(tokens) under ' + keys.TOKEN_ROLE_TOP_KEY + ' key');
+        dkcobj.clean();
+        callback(false);
+        return;
+    }
+    dkcobj.clean();
+    callback(true);
+};
+//---------------------------------------------------------
+// Remove Role Token by User/IP
+//---------------------------------------------------------
+// token		:	role token
+// user			:	this value is parsed from user token(or null)
+// tenant		:	this value is parsed from user token(or null)
+// ip			:	client ip address(or null)
+// port			:	port number when ip address parameter exists
+// cuk			:	cuk value when ip address parameter exists
+//
+// result		:	{
+//						result:		true/false
+//						message:	null or error message string
+// 					}
+//
+const rawRemoveRoleToken = (token, user, tenant, ip, port, cuk) => {
+    const resobj = { result: true, message: null };
+    if (!k2hr3apiutil_1.default.isSafeString(token)) { // allow other argument is empty
+        resobj.result = false;
+        resobj.message = 'token parameter is empty';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    if ((k2hr3apiutil_1.default.isSafeString(ip) && (k2hr3apiutil_1.default.isSafeString(user) || k2hr3apiutil_1.default.isSafeString(tenant))) ||
+        (!k2hr3apiutil_1.default.isSafeString(ip) && (!k2hr3apiutil_1.default.isSafeString(user) || !k2hr3apiutil_1.default.isSafeString(tenant)))) {
+        resobj.result = false;
+        resobj.message = 'tenant(' + JSON.stringify(tenant) + '), user(' + JSON.stringify(user) + '), ip(' + JSON.stringify(ip) + ') parameters are wrong pattern.';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    let dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        resobj.result = false;
+        resobj.message = 'Not initialize yet.';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    //
+    // keys
+    //
+    const keys = (k2hr3apiutil_1.default.isSafeString(ip) ? r3keys() : r3keys(user, tenant));
+    const role_token_key = keys.TOKEN_ROLE_TOP_KEY + '/' + token; // "yrn:yahoo::::token:role/<role token>"
+    // get role token value
+    const value_tmp = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(role_token_key, null, true, null));
+    const value = k2hr3apiutil_1.default.parseJSON(value_tmp);
+    if (!k2hr3apiutil_1.default.isPlainObject(value)) {
+        // already role token is removed or expired.
+        dbglogging_1.default.dlog('could not get role token(' + role_token_key + ') value, or it is wrong value(' + JSON.stringify(value) + '). We check all role token for expire here.');
+        dkcobj.clean();
+        //
+        // check and remove old role token under token top key("yrn:yahoo::::token:role") if old token is expired
+        //
+        // [NOTE]
+        // This processing is taking time, so it runs asynchronously.
+        // And for notes on this processing, refer to NOTE of rawCleanupRoleToken function.
+        //
+        rawCleanupRoleToken((result) => {
+            if (!result) {
+                dbglogging_1.default.wlog('Failed to cleanup expired role tokens under ' + keys.TOKEN_ROLE_TOP_KEY + ' key, but continue...');
+            }
+        });
+        // return success
+        return resobj;
+    }
+    // check token value
+    if (!k2hr3apiutil_1.default.isSafeString(value.role) ||
+        !k2hr3apiutil_1.default.isSafeString(value.date) ||
+        !k2hr3apiutil_1.default.isSafeString(value.expire) ||
+        !k2hr3apiutil_1.default.isSafeString(value.creator) ||
+        (!k2hr3apiutil_1.default.isSafeString(value.user) && !k2hr3apiutil_1.default.isSafeString(value.hostname) && !k2hr3apiutil_1.default.isSafeString(value.ip)) ||
+        !k2hr3apiutil_1.default.isSafeNumber(value.port) ||
+        !k2hr3apiutil_1.default.isSafeString(value.tenant) ||
+        !k2hr3apiutil_1.default.isSafeString(value.base)) {
+        //
+        // Not check expired token and ip address is empty here.
+        //
+        resobj.result = false;
+        resobj.message = 'could not get role token(' + role_token_key + ') value, or it is wrong value(' + JSON.stringify(value) + ').';
+        dbglogging_1.default.elog(resobj.message);
+        dkcobj.clean();
+        return resobj;
+    }
+    // check expire
+    if (k2hr3apiutil_1.default.isExpired(value.expire)) {
+        resobj.result = false;
+        resobj.message = 'role token(' + role_token_key + ') is expired by expire date(' + value.expire + ').';
+        dbglogging_1.default.elog(resobj.message);
+        dkcobj.clean();
+        return resobj;
+    }
+    // keep role tokens key for removing key in its subkey list.
+    const role_tokens_key = value.role + '/' + keys.ROLE_TOKEN_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens"
+    // check requester
+    if (k2hr3apiutil_1.default.isSafeString(ip)) {
+        // check ip address bases
+        //
+        // port
+        if (!k2hr3apiutil_1.default.isSafeNumber(port)) {
+            port = 0;
+        }
+        // cuk
+        cuk = k2hr3apiutil_1.default.getSafeString(cuk).trim();
+        if (!k2hr3apiutil_1.default.isSafeString(cuk)) {
+            cuk = null;
+        }
+        // check
+        if (value.port != port ||
+            k2hr3apiutil_1.default.isSafeString(value.cuk) != k2hr3apiutil_1.default.isSafeString(cuk) ||
+            k2hr3apiutil_1.default.getSafeString(value.cuk) != k2hr3apiutil_1.default.getSafeString(cuk)) {
+            resobj.result = false;
+            resobj.message = 'could not remove role token(' + token + '), because port(' + JSON.stringify(port) + ' vs ' + JSON.stringify(value.port) + ')/cuk(' + JSON.stringify(cuk) + ' vs ' + JSON.stringify(value.cuk) + ') value is not same.';
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+        // [NOTE]
+        // findHost() is creating k2hdkc object in it, thus we close dkc object here.
+        // and re-create dkc object after returning that function.
+        //
+        dkcobj.clean();
+        const find_result = k2hr3dkc_1.default.findHost(value.tenant, value.role, null, ip, port, cuk, false); // not strict checking
+        if (!find_result.result || !k2hr3apiutil_1.default.isNotEmptyArray(find_result.host_info)) {
+            // ip address is not member of role
+            resobj.result = false;
+            resobj.message = 'could not remove role token(' + token + '), because ip(' + ip + ') is not role host member.';
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // re-creating permanent object(need to clean)
+        if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+            resobj.result = false;
+            resobj.message = 'Failed to re-initialize.';
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+    }
+    else {
+        // check tenant name
+        if (0 !== value.role.indexOf(keys.ROLE_TOP_KEY)) {
+            // not same tenant name
+            resobj.result = false;
+            resobj.message = 'could not remove role token(' + token + '), because user(' + JSON.stringify(user) + ')/tenant(' + JSON.stringify(tenant) + ') is not role member.';
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // remove token
+    if (!dkcobj.remove(role_token_key, false)) { // remove yrn:yahoo::::token:role/<role token>
+        resobj.result = false;
+        resobj.message = 'could not remove role token(' + token + '), probably it is not existed.';
+        dbglogging_1.default.elog(resobj.message);
+        dkcobj.clean();
+        return resobj;
+    }
+    let subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_ROLE_TOP_KEY, true));
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, role_token_key)) {
+        if (!dkcobj.setSubkeys(keys.TOKEN_ROLE_TOP_KEY, subkeylist)) { // update subkey -> yrn:yahoo::::token:role
+            resobj.result = false;
+            resobj.message = 'could not update subkey under ' + keys.TOKEN_ROLE_TOP_KEY + ' key';
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    // remove token key from role's tokens subkey.
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(role_tokens_key, true));
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, role_token_key)) {
+        if (!dkcobj.setSubkeys(role_tokens_key, subkeylist)) { // update subkey -> yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens
+            resobj.result = false;
+            resobj.message = 'could not update subkey under ' + role_tokens_key + ' key';
+            dbglogging_1.default.elog(resobj.message);
+            dkcobj.clean();
+            return resobj;
+        }
+    }
+    dkcobj.clean();
+    return resobj;
+};
+//---------------------------------------------------------
+// Remove Role Tokens Directly
+//---------------------------------------------------------
+// dkcobj_permanent	:	dkcobj object
+// tokens			:	array to role token yrn path
+//
+// result			:	true/false
+//
+const rawDirectRemoveRoleTokens = (dkcobj_permanent, tokens) => {
+    if (!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()) {
+        dbglogging_1.default.elog('dkcobj_parameters are wrong : dkcobj_permanent=' + JSON.stringify(dkcobj_permanent));
+        return false;
+    }
+    if (k2hr3apiutil_1.default.isSafeString(tokens)) {
+        tokens = [tokens];
+    }
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(tokens)) {
+        dbglogging_1.default.dlog('tokens(' + JSON.stringify(tokens) + ') is empty or not array');
+        return true;
+    }
+    //
+    // Keys
+    //
+    const keys = r3keys();
+    const subkeylist = dkcobj_permanent.getSubkeys(keys.TOKEN_ROLE_TOP_KEY, true); // get subkeys under "yrn:yahoo::::token:role"
+    const matchptn = keys.TOKEN_ROLE_TOP_KEY + '/'; // matching pattern "yrn:yahoo::::token:role/"
+    let needupdate = false;
+    // remove each token
+    for (let cnt = 0; cnt < tokens.length; ++cnt) {
+        if (!k2hr3apiutil_1.default.isSafeString(tokens[cnt])) {
+            dbglogging_1.default.elog('token(' + JSON.stringify(tokens[cnt]) + ') yrn path is not string, but continue...');
+            continue;
+        }
+        if (0 !== tokens[cnt].indexOf(matchptn)) {
+            dbglogging_1.default.elog('token(' + JSON.stringify(tokens[cnt]) + ') is not full yrn path, but continue...');
+            continue;
+        }
+        // remove token
+        if (!dkcobj_permanent.remove(tokens[cnt], false)) { // remove yrn:yahoo::::token:role/<role token>
+            dbglogging_1.default.elog('failed to remove token(' + JSON.stringify(tokens[cnt]) + '), but continue...');
+        }
+        else {
+            // remove token from subkeys(token top key)
+            if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, tokens[cnt])) {
+                needupdate = true;
+            }
+        }
+    }
+    if (needupdate) {
+        if (!dkcobj_permanent.setSubkeys(keys.TOKEN_ROLE_TOP_KEY, subkeylist)) { // update subkey -> yrn:yahoo::::token:role
+            dbglogging_1.default.elog('failed to reset role token subkeys to ' + keys.TOKEN_ROLE_TOP_KEY + ' top key, but continue...');
+        }
+    }
+    return true;
+};
+//---------------------------------------------------------
+// Remove Role Token with checking tenant
+//---------------------------------------------------------
+// token_string	:	role token string
+// tenant		:	tenant name
+//
+// result		:	true/false
+//
+const rawRemoveRoleTokenByPath = (token_string, tenant) => {
+    if (!k2hr3apiutil_1.default.isSafeString(token_string) || !k2hr3apiutil_1.default.isSafeString(tenant)) {
+        dbglogging_1.default.elog('token_string(' + JSON.stringify(token_string) + ') or tenant(' + JSON.stringify(tenant) + ') parameter is something wrong.');
+        return false;
+    }
+    //
+    // Keys
+    //
+    const keys = r3keys(null, tenant);
+    const role_token_key = keys.TOKEN_ROLE_TOP_KEY + '/' + token_string; // role token path "yrn:yahoo::::token:role/<token>"
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        dbglogging_1.default.elog('Not initialize yet.');
+        return false;
+    }
+    // get token value
+    const value_tmp = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(role_token_key, null, true, null));
+    const value = k2hr3apiutil_1.default.parseJSON(value_tmp);
+    if (!k2hr3apiutil_1.default.isPlainObject(value) ||
+        !k2hr3apiutil_1.default.isSafeString(value.role) ||
+        !k2hr3apiutil_1.default.isSafeString(value.date) ||
+        !k2hr3apiutil_1.default.isSafeString(value.expire) ||
+        !k2hr3apiutil_1.default.isSafeString(value.creator) ||
+        (!k2hr3apiutil_1.default.isSafeString(value.user) && !k2hr3apiutil_1.default.isSafeString(value.hostname) && !k2hr3apiutil_1.default.isSafeString(value.ip)) ||
+        !k2hr3apiutil_1.default.isSafeNumber(value.port) ||
+        !k2hr3apiutil_1.default.isSafeString(value.tenant) ||
+        !k2hr3apiutil_1.default.isSafeString(value.base)) {
+        dbglogging_1.default.elog('could not get role role_token_key(' + role_token_key + ') value, or it is wrong value(' + JSON.stringify(value) + ') or already expired.');
+        dkcobj.clean();
+        return false;
+    }
+    // check tenant name
+    const roleptn = new RegExp('^' + keys.MATCH_ANY_TENANT_ROLE); // regex = /^yrn:yahoo:(.*)::(.*):role:(.*)/
+    const rolematchs = value.role.match(roleptn);
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(rolematchs) || rolematchs.length < 4) {
+        // token's role is not matched role yrn
+        dbglogging_1.default.elog('role path(' + JSON.stringify(value.role) + ') in role token(' + role_token_key + ') value is not role yrn full path.');
+        dkcobj.clean();
+        return false;
+    }
+    if (tenant !== rolematchs[2]) {
+        // tenant name is not matched.
+        dbglogging_1.default.elog('tenant name(' + JSON.stringify(rolematchs[2]) + ') in role token(' + role_token_key + ') value is not as same as specified tenant(' + JSON.stringify(tenant) + ').');
+        dkcobj.clean();
+        return false;
+    }
+    // remove token
+    if (!dkcobj.remove(role_token_key, false)) { // remove yrn:yahoo::::token:role/<role token>
+        dbglogging_1.default.elog('failed to remove token(' + JSON.stringify(role_token_key) + ').');
+        dkcobj.clean();
+        return false;
+    }
+    // remove token from subkeys(token top key)
+    let subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(keys.TOKEN_ROLE_TOP_KEY, true)); // get subkeys under "yrn:yahoo::::token:role"
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, role_token_key)) {
+        // update subkey
+        if (!dkcobj.setSubkeys(keys.TOKEN_ROLE_TOP_KEY, subkeylist)) { // update subkey -> yrn:yahoo::::token:role
+            dbglogging_1.default.elog('failed to reset role token subkeys to ' + keys.TOKEN_ROLE_TOP_KEY + ' top key, but continue...');
+        }
+    }
+    // remove token key from role's tokens subkey.
+    const role_tokens_key = value.role + '/' + keys.ROLE_TOKEN_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens"
+    subkeylist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(role_tokens_key, true));
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, role_token_key)) {
+        if (!dkcobj.setSubkeys(role_tokens_key, subkeylist)) { // update subkey -> yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens
+            dbglogging_1.default.elog('could not update subkey under ' + role_tokens_key + ' key, but continue...');
+        }
+    }
+    dkcobj.clean();
+    return true;
+};
+//---------------------------------------------------------
+// Get Role Token Directly
+//---------------------------------------------------------
+// dkcobj_permanent	:	dkcobj object
+// tokens			:	array to role token yrn path
+//
+// result			:	{
+//							"token": {
+//								date:		create date(UTC ISO 8601)
+//								expire:		expire date(UTC ISO 8601)
+//								user:		user name if user created this token
+//								hostname:	hostname if this token was created by host(name)
+//								ip:			ip address if this token was created by ip
+//								port:		port number, if specified port when created token
+//								cuk:		cuk, if specified cuk when created token
+//							},
+//							...
+//						}
+//						or null(if error)
+//
+const rawGetDirectRoleTokenInfo = (dkcobj_permanent, tokens) => {
+    if (!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()) {
+        dbglogging_1.default.elog('dkcobj_parameters are wrong : dkcobj_permanent=' + JSON.stringify(dkcobj_permanent));
+        return null;
+    }
+    if (k2hr3apiutil_1.default.isSafeString(tokens)) {
+        tokens = [tokens];
+    }
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(tokens)) {
+        dbglogging_1.default.dlog('tokens(' + JSON.stringify(tokens) + ') is empty or not array');
+        return null;
+    }
+    //
+    // Keys
+    //
+    const keys = r3keys();
+    const matchptn = keys.TOKEN_ROLE_TOP_KEY + '/'; // matching pattern "yrn:yahoo::::token:role/"
+    const resobj = {};
+    for (let cnt = 0; cnt < tokens.length; ++cnt) {
+        // check role token path and split token string
+        if (!k2hr3apiutil_1.default.isSafeString(tokens[cnt])) {
+            dbglogging_1.default.elog('token(' + JSON.stringify(tokens[cnt]) + ') yrn path is not string, but continue...');
+            continue;
+        }
+        if (0 !== tokens[cnt].indexOf(matchptn)) {
+            dbglogging_1.default.elog('token(' + JSON.stringify(tokens[cnt]) + ') is not full yrn path, but continue...');
+            continue;
+        }
+        const token_key = tokens[cnt].split(matchptn)[1];
+        // get/check role token value
+        const value_tmp = k2hr3apiutil_1.default.getSafeString(dkcobj_permanent.getValue(tokens[cnt], null, true, null));
+        const value = k2hr3apiutil_1.default.parseJSON(value_tmp);
+        if (!k2hr3apiutil_1.default.isPlainObject(value) ||
+            !k2hr3apiutil_1.default.isSafeString(value.role) ||
+            !k2hr3apiutil_1.default.isSafeString(value.date) ||
+            !k2hr3apiutil_1.default.isSafeString(value.expire) ||
+            !k2hr3apiutil_1.default.isSafeString(value.creator) ||
+            (!k2hr3apiutil_1.default.isSafeString(value.user) && !k2hr3apiutil_1.default.isSafeString(value.hostname) && !k2hr3apiutil_1.default.isSafeString(value.ip)) ||
+            !k2hr3apiutil_1.default.isSafeNumber(value.port) ||
+            !k2hr3apiutil_1.default.isSafeString(value.tenant) ||
+            !k2hr3apiutil_1.default.isSafeString(value.base) ||
+            !k2hr3apiutil_1.default.isSafeString(value.expire)) {
+            dbglogging_1.default.dlog('could not get role token(' + tokens[cnt] + ') value, or it is wrong value(' + JSON.stringify(value) + ') or expired, thus skip this.');
+            continue;
+        }
+        // check expire by token value
+        if (k2hr3apiutil_1.default.isExpired(value.expire)) {
+            // expired
+            continue;
+        }
+        // add result
+        resobj[token_key] = {
+            user: (k2hr3apiutil_1.default.isSafeString(value.user) ? value.user : null),
+            hostname: (k2hr3apiutil_1.default.isSafeString(value.hostname) ? value.hostname : null),
+            ip: (k2hr3apiutil_1.default.isSafeString(value.ip) ? value.ip : null),
+            port: value.port,
+            cuk: (k2hr3apiutil_1.default.isSafeString(value.cuk) ? value.cuk : null),
+            date: value.date,
+            expire: value.expire
+        };
+    }
+    return resobj;
+};
+//---------------------------------------------------------
+// Get List of Role Tokens
+//---------------------------------------------------------
+// role			:	role yrn full path or role name(path)
+// tenant		:	for checking role full yrn path
+// expand		:	whether to expand token information(default false)
+//
+// result		:	not expand
+//					{
+//						result:		true/false
+//						message:	null or error message string
+//						tokens: [
+//							"role token",
+//							....
+//						]
+// 					}
+//
+// result		:	expand
+//					{
+//						result:		true/false
+//						message:	null or error message string
+//						tokens:	{
+//							"token": {
+//								date:		create date(UTC ISO 8601)
+//								expire:		expire date(UTC ISO 8601)
+//								user:		user name if user created this token
+//								hostname:	hostname if this token was created by host(name)
+//								ip:			ip address if this token was created by ip
+//								port:		port number, if specified port when created token
+//								cuk:		cuk, if specified cuk when created token
+//							},
+//							...
+//						}
+// 					}
+//
+const rawGetListRoleTokens = (role, tenant, expand) => {
+    const resobj = { result: true, message: null };
+    if (!k2hr3apiutil_1.default.isSafeString(role) || !k2hr3apiutil_1.default.isSafeString(tenant)) {
+        resobj.result = false;
+        resobj.message = 'role(' + JSON.stringify(role) + '), tenant(' + JSON.stringify(tenant) + ') parameters are wrong.';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    if (!k2hr3apiutil_1.default.isBoolean(expand)) {
+        expand = false;
+    }
+    // check role is full yrn path and tenant
+    const keys = r3keys(null, tenant);
+    const roleptn = new RegExp('^' + keys.MATCH_ANY_TENANT_ROLE); // regex = /^yrn:yahoo:(.*)::(.*):role:(.*)/
+    const rolematchs = role.match(roleptn);
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(rolematchs) || rolematchs.length < 4) {
+        // role is not full yrn
+        resobj.result = false;
+        resobj.message = 'role(' + JSON.stringify(role) + ') is nor full yrn path.';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    else {
+        // role is full yrn to role
+        if (!k2hr3apiutil_1.default.compareCaseString(rolematchs[2], tenant)) {
+            resobj.result = false;
+            resobj.message = 'tenant(' + tenant + ') is not as same as tenant in role(' + role + ') full yrn.';
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+    }
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        resobj.result = false;
+        resobj.message = 'Not initialize yet.';
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    // check role path(check id key under role key)
+    const id_key = role + '/' + keys.ID_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/id"
+    const value = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(id_key, null, true, null));
+    if (!k2hr3apiutil_1.default.isSafeString(value)) {
+        resobj.result = false;
+        resobj.message = 'role(' + JSON.stringify(role) + ') does not exist';
+        dbglogging_1.default.elog(resobj.message);
+        dkcobj.clean();
+        return resobj;
+    }
+    // get all role tokens
+    const tokens_key = role + '/' + keys.ROLE_TOKEN_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/tokens"
+    let tokenlist = k2hr3apiutil_1.default.getSafeStringArray(dkcobj.getSubkeys(tokens_key, true));
+    if (expand) {
+        // get each token information
+        const token_info = rawGetDirectRoleTokenInfo(dkcobj, tokenlist);
+        if (null === token_info) {
+            resobj.tokens = {};
+        }
+        else {
+            resobj.tokens = token_info;
+        }
+    }
+    else {
+        // set token list
+        const tokenptn = new RegExp('^' + keys.MATCH_ANY_ROLE_TOKEN); // regex = /^yrn:yahoo::::token:role\/(.*)/
+        const token_info_list = [];
+        if (!k2hr3apiutil_1.default.isNotEmptyArray(tokenlist)) { // token list is full yrn path
+            tokenlist = [];
+        }
+        for (let cnt = 0; cnt < tokenlist.length; ++cnt) {
+            if (!k2hr3apiutil_1.default.isSafeString(tokenlist[cnt])) {
+                dbglogging_1.default.wlog('Found wrong token string(' + JSON.stringify(tokenlist[cnt]) + ') in token list, skip this.');
+            }
+            else {
+                const tokenmatches = tokenlist[cnt].match(tokenptn);
+                if (k2hr3apiutil_1.default.isNotEmptyArray(tokenmatches) && 2 <= tokenmatches.length && k2hr3apiutil_1.default.isSafeString(tokenmatches[1])) {
+                    token_info_list.push(tokenmatches[1]);
+                }
+                else {
+                    dbglogging_1.default.wlog('Found wrong token string(' + JSON.stringify(tokenlist[cnt]) + ') in token list, skip this.');
+                }
+            }
+        }
+        resobj.tokens = token_info_list;
+    }
+    dkcobj.clean();
+    return resobj;
+};
+//---------------------------------------------------------
+// Check Role Token
+//---------------------------------------------------------
+// token		:	role token
+// ip			:	client ip address
+// port			:	if is_strict is true, check port number
+// cuk			:	if is_strict is true, check cuk
+// is_strict	:	true means strict checking
+//
+// result		:	null or token information
+//					{
+//						role:			role name
+//						user:			null or user name
+//						hostname:		null or host name
+//						ip:				null or ip address
+//						port:			port number(if host is existed), 0 means any
+//						cuk:			cuk(allowed null)
+//						extra:			extra(allowed null)
+//						tenant:			tenant name
+//						display:		display alias name for tenant
+//						id:				tenant id string
+//						description:	description for tenant
+//						scoped:			role token is always scoped(true)
+//						region:			role token is always null
+//					}
+//
+const rawCheckRoleToken = (token, ip, port, cuk, is_strict) => {
+    if (!k2hr3apiutil_1.default.isSafeString(token)) {
+        dbglogging_1.default.elog('some parameters are wrong : token=' + JSON.stringify(token));
+        return null;
+    }
+    if (!k2hr3apiutil_1.default.isSafeEntity(port)) {
+        port = 0;
+    }
+    else if (!k2hr3apiutil_1.default.isSafeNumber(port)) {
+        dbglogging_1.default.elog('port(' + JSON.stringify(port) + ') parameter is wrong.');
+        return null;
+    }
+    if (!k2hr3apiutil_1.default.isSafeString(cuk)) {
+        cuk = null;
+    }
+    if (!k2hr3apiutil_1.default.isBoolean(is_strict)) {
+        is_strict = false;
+    }
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        return null;
+    }
+    //
+    // keys
+    //
+    let keys = r3keys();
+    const role_token_key = keys.TOKEN_ROLE_TOP_KEY + '/' + token; // "yrn:yahoo::::token:role/<role token>"
+    // get role token value
+    const value_tmp = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(role_token_key, null, true, null));
+    const value = k2hr3apiutil_1.default.parseJSON(value_tmp);
+    if (!k2hr3apiutil_1.default.isPlainObject(value)) {
+        dbglogging_1.default.dlog('could not get role token(' + role_token_key + ') value, or it is wrong value(' + JSON.stringify(value) + '). We check all role token for expire here.');
+        dkcobj.clean();
+        //
+        // check and remove old role token under token top key("yrn:yahoo::::token:role") if old token is expired
+        //
+        // [NOTE]
+        // This processing is taking time, so it runs asynchronously.
+        // And for notes on this processing, refer to NOTE of rawCleanupRoleToken function.
+        //
+        rawCleanupRoleToken((result) => {
+            if (!result) {
+                dbglogging_1.default.wlog('Failed to cleanup expired role tokens under ' + keys.TOKEN_ROLE_TOP_KEY + ' key, but continue...');
+            }
+        });
+        return null;
+    }
+    if (!k2hr3apiutil_1.default.isSafeString(value.role) ||
+        !k2hr3apiutil_1.default.isSafeString(value.date) ||
+        !k2hr3apiutil_1.default.isSafeString(value.expire) ||
+        !k2hr3apiutil_1.default.isSafeString(value.creator) ||
+        (!k2hr3apiutil_1.default.isSafeString(value.user) && !k2hr3apiutil_1.default.isSafeString(value.hostname) && !k2hr3apiutil_1.default.isSafeString(value.ip)) ||
+        !k2hr3apiutil_1.default.isSafeNumber(value.port) ||
+        !k2hr3apiutil_1.default.isSafeString(value.tenant) ||
+        !k2hr3apiutil_1.default.isSafeString(value.base) ||
+        (null !== value.ip && undefined !== value.ip && !k2hr3apiutil_1.default.isSafeString(value.ip)) ||
+        (null !== value.cuk && undefined !== value.cuk && !k2hr3apiutil_1.default.isSafeString(value.cuk)) ||
+        (null !== value.extra && undefined !== value.extra && !k2hr3apiutil_1.default.isSafeString(value.extra))) {
+        //
+        // Not check expired token and ip address is empty here.
+        //
+        dbglogging_1.default.dlog('could not get role token(' + role_token_key + ') value, or it is wrong value(' + JSON.stringify(value) + ').');
+        dkcobj.clean();
+        return null;
+    }
+    const tmp_role = value.role;
+    //const tmp_date	= value.date;
+    const tmp_expire = value.expire;
+    //const tmp_creator	= value.creator;
+    const tmp_user = k2hr3apiutil_1.default.isSafeString(value.user) ? value.user : null;
+    const tmp_hostname = k2hr3apiutil_1.default.isSafeString(value.hostname) ? value.hostname : null;
+    const tmp_port = value.port;
+    const tmp_tenant = value.tenant;
+    const tmp_base = value.base;
+    const tmp_ip = k2hr3apiutil_1.default.isSafeString(value.ip) ? value.ip : null;
+    const tmp_cuk = k2hr3apiutil_1.default.isSafeString(value.cuk) ? value.cuk : null;
+    const tmp_extra = k2hr3apiutil_1.default.isSafeString(value.extra) ? value.extra : null;
+    // Get tenant information
+    const tenant_keys = r3keys(null, value.tenant);
+    const tmp_display = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(tenant_keys.TENANT_DISP_KEY, null, true, null));
+    const tmp_id = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(tenant_keys.TENANT_ID_KEY, null, true, null));
+    const tmp_description = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(tenant_keys.TENANT_DESC_KEY, null, true, null));
+    // compare ip address, if they are specified and token is not created by user
+    if (!k2hr3apiutil_1.default.isSafeString(tmp_user)) {
+        if (!k2hr3apiutil_1.default.isSafeString(ip) || ip !== tmp_ip) {
+            dbglogging_1.default.dlog('role token(' + role_token_key + ') has value(' + JSON.stringify(value) + '), but it is not same ip(' + ip + ').');
+            dkcobj.clean();
+            return null;
+        }
+        // strict checking
+        if (is_strict) {
+            if (tmp_port != port ||
+                !k2hr3apiutil_1.default.isSafeString(tmp_cuk) != k2hr3apiutil_1.default.isSafeString(cuk) ||
+                (k2hr3apiutil_1.default.isSafeString(tmp_cuk) && tmp_cuk != cuk)) {
+                dbglogging_1.default.dlog('failed strictly checking role token(' + role_token_key + ').');
+                dkcobj.clean();
+                return null;
+            }
+        }
+    }
+    // check expire
+    if (k2hr3apiutil_1.default.isExpired(tmp_expire)) {
+        dbglogging_1.default.dlog('token(' + token + ') is expired.');
+        dkcobj.clean();
+        return null;
+    }
+    // get seed id(user id or host(ip) id)
+    let seed_id;
+    if (!k2hr3apiutil_1.default.isSafeString(tmp_user)) {
+        // creator is host(ip), then get it's id
+        const host_value_tmp = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(value.creator, null, true, null)); // get value from "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/hosts/ip/<ip:port>"
+        const host_value = k2hr3apiutil_1.default.parseJSON(host_value_tmp);
+        if (!k2hr3apiutil_1.default.isPlainObject(host_value) ||
+            (!k2hr3apiutil_1.default.isSafeString(host_value.hostname) && !k2hr3apiutil_1.default.isSafeString(host_value.ip)) || // hostname or ip is existed
+            !k2hr3apiutil_1.default.isSafeEntity(host_value.port) ||
+            !k2hr3apiutil_1.default.isSafeString(host_value[keys.ID_KW])) {
+            dbglogging_1.default.dlog('could not get host or ip(' + value.creator + ') value, or it is wrong value(' + JSON.stringify(host_value) + ').');
+            dkcobj.clean();
+            return null;
+        }
+        seed_id = k2hr3apiutil_1.default.getSafeString(host_value[keys.ID_KW]);
+    }
+    else {
+        // creator is user, then get user's id
+        const user_id_key = value.creator + ':' + keys.ID_KW; // "yrn:yahoo::::user:<user name>:id"
+        seed_id = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(user_id_key, null, true, null));
+        if (!k2hr3apiutil_1.default.isSafeString(seed_id)) {
+            dbglogging_1.default.dlog('could not get user id(' + user_id_key + ') value, or it is wrong value(' + JSON.stringify(seed_id) + ').');
+            dkcobj.clean();
+            return null;
+        }
+    }
+    // get role id for verify
+    keys = r3keys(null, value.tenant); // remake keys
+    const role_key = tmp_role; // role member is full yrn => "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}"
+    const role_id_key = role_key + '/' + keys.ID_KW; // "yrn:yahoo:<service>::<tenant>:role:<role>{/<role>{...}}/id"
+    const role_id = k2hr3apiutil_1.default.getSafeString(dkcobj.getValue(role_id_key, null, true, null));
+    if (!k2hr3apiutil_1.default.isSafeStrUuid4(role_id)) {
+        dbglogging_1.default.dlog('could not get role id(' + role_id_key + ') value, or it is wrong value(' + JSON.stringify(role_id) + '), maybe expired this token');
+        dkcobj.clean();
+        return null;
+    }
+    dkcobj.clean();
+    // make verify token
+    const token_elements = k2hr3apiutil_1.default.makeStringToken256(seed_id, role_id, tmp_base);
+    if (!k2hr3apiutil_1.default.isSafeEntity(token_elements)) {
+        dbglogging_1.default.dlog('could not make verify token from ' + JSON.stringify(seed_id) + ' and ' + JSON.stringify(role_id) + ' and ' + JSON.stringify(value));
+        dkcobj.clean();
+        return null;
+    }
+    if (token !== token_elements.str_token) {
+        dbglogging_1.default.elog('token(' + token + ') verify is failure, verify token is ' + token_elements.str_token + '.');
+        dkcobj.clean();
+        return null;
+    }
+    // make result
+    const token_info = {
+        role: tmp_role,
+        user: tmp_user,
+        hostname: tmp_hostname, // hostname
+        ip: tmp_ip,
+        port: tmp_port,
+        cuk: tmp_cuk,
+        extra: tmp_extra,
+        tenant: tmp_tenant,
+        display: tmp_display,
+        id: tmp_id,
+        description: tmp_description,
+        scoped: true, // role token is always scoped
+        region: null
+    };
+    return token_info;
+};
+//---------------------------------------------------------
+// get tenant list by user(with DKC)
+//---------------------------------------------------------
+//	result		[
+//					{
+//						name:			"tenant name",			=> tenant name which is "key" in k2hdkc
+//						display:		"display tenant name"	=> display alias name for tenant
+//						id:				"tenant id"				=> tenant id string
+//						description:	"tenant description"	=> description for tenant
+//					},
+//					...
+//				]
+//
+//	[NOTE]		Must initialize User/Tenant before calling this function.
+//
+const rawGetTenantListByUserWithDkc = (dkcobj_permanent, user) => {
+    if (!(dkcobj_permanent instanceof Object) || !dkcobj_permanent.isPermanent()) {
+        dbglogging_1.default.elog('dkcobj_parameters are wrong : dkcobj_permanent=' + JSON.stringify(dkcobj_permanent));
+        return null;
+    }
+    if (!k2hr3apiutil_1.default.isSafeString(user)) {
+        dbglogging_1.default.elog('user parameters are wrong : user=' + JSON.stringify(user));
+        return null;
+    }
+    //
+    // Get subkeys under token top key
+    //
+    const keys = r3keys(user);
+    const subkeylist = dkcobj_permanent.getSubkeys(keys.USER_TENANT_TOP_KEY, true); // get subkeys from "yrn:yahoo::::user:<user>:tenant"
+    // remove no tenant key in tenant subkey list
+    if (k2hr3apiutil_1.default.removeStringFromArray(subkeylist, keys.USER_TENANT_COMMON_KEY)) { // remove "yrn:yahoo::::user:<user>:tenant/"
+        dbglogging_1.default.dlog('found ' + keys.USER_TENANT_COMMON_KEY + ' subkey in ' + keys.USER_TENANT_TOP_KEY + ' = user(' + user + ') tenant top key');
+    }
+    else {
+        dbglogging_1.default.dlog('not found ' + keys.USER_TENANT_COMMON_KEY + ' subkey in ' + keys.USER_TENANT_TOP_KEY + ' = user(' + user + ') tenant top key');
+    }
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(subkeylist)) {
+        dbglogging_1.default.wlog('There is no tenant for user(' + user + ')');
+        return null;
+    }
+    // modify tenant name from yrn full path to only tenant name
+    const pattern = new RegExp('^' + keys.USER_TENANT_COMMON_KEY + '(.*)'); // regex = /^yrn:yahoo::::user:<user>\:tenant\/(.*)/
+    const name_list = [];
+    for (let cnt = 0; cnt < subkeylist.length; ++cnt) {
+        const tenant_matches = subkeylist[cnt].match(pattern); // reverse to tenant name
+        if (k2hr3apiutil_1.default.isNotEmptyArray(tenant_matches) && 2 <= tenant_matches.length && '' !== k2hr3apiutil_1.default.getSafeString(tenant_matches[1])) {
+            name_list.push(k2hr3apiutil_1.default.getSafeString(tenant_matches[1]));
+        }
+    }
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(name_list)) {
+        dbglogging_1.default.wlog('There is no tenant for user(' + user + ')');
+        return null;
+    }
+    // get display name for each tenant
+    const tenant_list = [];
+    for (let cnt = 0; cnt < name_list.length; ++cnt) {
+        const tenant_keys = r3keys(user, name_list[cnt]);
+        const tenant_display = k2hr3apiutil_1.default.getSafeString(dkcobj_permanent.getValue(tenant_keys.TENANT_DISP_KEY, null, true, null));
+        const tenant_id = k2hr3apiutil_1.default.getSafeString(dkcobj_permanent.getValue(tenant_keys.TENANT_ID_KEY, null, true, null));
+        const tenant_desc = k2hr3apiutil_1.default.getSafeString(dkcobj_permanent.getValue(tenant_keys.TENANT_DESC_KEY, null, true, null));
+        tenant_list.push({
+            name: name_list[cnt],
+            display: tenant_display,
+            id: tenant_id,
+            description: tenant_desc
+        });
+    }
+    return tenant_list;
+};
+//---------------------------------------------------------
+// get tenant list by user
+//---------------------------------------------------------
+//	result		[
+//					{
+//						name:			"tenant name",			=> tenant name which is "key" in k2hdkc
+//						display:		"display tenant name"	=> display alias name for tenant
+//						id:				"tenant id"				=> tenant id string
+//						description:	"tenant description"	=> description for tenant
+//					},
+//					...
+//				]
+//
+//	[NOTE]		Must initialize User/Tenant before calling this function.
+//
+const rawGetTenantListByUser = (user) => {
+    const dkcobj = k2hr3dkc_1.default.getK2hdkc(true, false); // use permanent object(need to clean)
+    if (!k2hr3apiutil_1.default.isSafeEntity(dkcobj)) {
+        return null;
+    }
+    const result = rawGetTenantListByUserWithDkc(dkcobj, user);
+    dkcobj.clean();
+    return result;
+};
+//---------------------------------------------------------
+// Initialize tenant list
+//---------------------------------------------------------
+const rawInitializeTenantListByToken = (unscopedtoken, username, userid, callback) => {
+    const _callback = callback;
+    if (!k2hr3apiutil_1.default.isSafeEntity(osapi)) {
+        const error = new Error('could not load osapi file(object)');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    if (!k2hr3apiutil_1.default.isSafeString(unscopedtoken) || !k2hr3apiutil_1.default.isSafeString(username) || !k2hr3apiutil_1.default.isSafeString(userid)) {
+        const error = new Error('unscopedtoken or username or userid parameters are wrong');
+        dbglogging_1.default.elog(error.message);
+        _callback(error, null);
+        return;
+    }
+    const _unscopedtoken = unscopedtoken;
+    const _username = username;
+    const _userid = userid;
+    // get tenant list for check
+    osapi.getUserTenantList(_unscopedtoken, _userid, (err, jsonres) => {
+        if (null !== err || null === jsonres) {
+            const error = new Error('could not get tenant list for user ' + _username + '(token=' + _unscopedtoken + ') by ' + (err?.message ?? 'unknown'));
+            dbglogging_1.default.elog(error.message);
+            _callback(error, null);
+            return;
+        }
+        //r3logger.dlog('get user tenant list jsonres=\n' + JSON.stringify(jsonres));
+        // check tenants(and initialize tenants)
+        const _name_list = [];
+        const _tenant_list = [];
+        for (let cnt = 0; cnt < jsonres.length; ++cnt) {
+            if (!k2hr3apiutil_1.default.isSafeEntity(jsonres[cnt])) {
+                continue;
+            }
+            // over write
+            const resobj = k2hr3dkc_1.default.initUserTenant(_username, _userid, _username, jsonres[cnt].name, jsonres[cnt].id, jsonres[cnt].description, jsonres[cnt].display);
+            if (!resobj.result) {
+                const error = new Error(resobj.message ?? '');
+                dbglogging_1.default.elog(error.message);
+                _callback(error, null);
+                return;
+            }
+            _name_list.push(jsonres[cnt].name);
+            _tenant_list.push({
+                name: jsonres[cnt].name,
+                display: k2hr3apiutil_1.default.getSafeString(jsonres[cnt].display)
+            });
+        }
+        // get and add local tenants
+        const tmpresobj = k2hr3dkc_1.default.listLocalTenant(_username, true);
+        if (!k2hr3apiutil_1.default.isPlainObject(tmpresobj) || !k2hr3apiutil_1.default.isSafeEntity(tmpresobj.result) || false === tmpresobj.result || !k2hr3apiutil_1.default.isSafeEntity(tmpresobj.tenants)) {
+            if (k2hr3apiutil_1.default.isPlainObject(tmpresobj) && k2hr3apiutil_1.default.isSafeString(tmpresobj.message)) {
+                dbglogging_1.default.wlog('failed to get local tenant list by ' + tmpresobj.message);
+            }
+            else {
+                dbglogging_1.default.wlog('failed to get local tenant list.');
+            }
+        }
+        else {
+            if (k2hr3apiutil_1.default.isNotEmptyArray(tmpresobj.tenants)) {
+                for (let cnt2 = 0; cnt2 < tmpresobj.tenants.length; ++cnt2) {
+                    const tmpTenatInfo = tmpresobj.tenants[cnt2];
+                    if (k2hr3dkc_1.default.isDkcTypeTenantInfo(tmpTenatInfo)) {
+                        _name_list.push(tmpTenatInfo.name);
+                        _tenant_list.push({
+                            name: tmpTenatInfo.name,
+                            display: k2hr3apiutil_1.default.getSafeString(tmpTenatInfo.display)
+                        });
+                    }
+                    else if (k2hr3apiutil_1.default.isStringArray(tmpTenatInfo)) {
+                        _name_list.push(tmpTenatInfo);
+                        _tenant_list.push({
+                            name: tmpTenatInfo,
+                            display: ''
+                        });
+                    }
+                }
+            }
+        }
+        // check and remove old tenant for user
+        if (!k2hr3dkc_1.default.removeComprehensionByNewTenants(_username, _name_list)) {
+            dbglogging_1.default.elog('failed to remove some tenant for user, but continue...');
+        }
+        // succeed
+        _callback(null, _tenant_list);
+        return;
+    });
+};
+//---------------------------------------------------------
+// Initialize tenant list by unscoped user token
+//---------------------------------------------------------
+const rawInitializeTenantListByUnscoped = (unscopedtoken, username, callback) => {
+    if (!k2hr3apiutil_1.default.isSafeString(unscopedtoken) || !k2hr3apiutil_1.default.isSafeString(username)) {
+        const error = new Error('unscopedtoken or username parameters are wrong');
+        dbglogging_1.default.elog(error.message);
+        callback(error, null);
+        return;
+    }
+    // user id from user name
+    const user_info = k2hr3dkc_1.default.getUserId(username); // user id from user name
+    if (null === user_info || !k2hr3apiutil_1.default.isSafeEntity(user_info.name) || !k2hr3apiutil_1.default.isSafeEntity(user_info.id)) {
+        const error = new Error('could not find username(' + username + ') from unscoped token in k2hdkc.');
+        dbglogging_1.default.elog(error.message);
+        callback(error, null);
+        return;
+    }
+    // get scoped user token
+    return rawInitializeTenantListByToken(unscopedtoken, user_info.name, user_info.id, callback);
+};
+const rawCheckTenantInTenantList = (tenants, tenant) => {
+    if (!k2hr3apiutil_1.default.isNotEmptyArray(tenants) || !k2hr3apiutil_1.default.isSafeString(tenant)) {
+        return false;
+    }
+    for (let cnt = 0; cnt < tenants.length; ++cnt) {
+        if (!k2hr3apiutil_1.default.isSafeString(tenants[cnt].name)) {
+            continue;
+        }
+        if (String(tenants[cnt].name).trim().toLowerCase() === String(tenant).trim().toLowerCase()) {
+            // found
+            return true;
+        }
+    }
+    return false;
+};
+//---------------------------------------------------------
+// Check Token Automatically
+//---------------------------------------------------------
+// req			:	request from http(s)
+// is_scoped	:	check scoped token(default not scoped check)
+// is_user		:	= true	: token must be user token
+//					= false	: token must be role token
+//					= other	: both token type is allowed, automatically checking.
+//
+// result		:	{
+//						result:		true/false
+//						message:	null or error message string
+//						status:		status code
+//						token:		undefined(error) or token string
+//						token_type;	undefined(error) or "user" or "role"
+//						token_info:	undefined(error) or token information object
+// 					}
+//
+// token is following:
+//					{
+//						role:			role name
+//						user:			null or user name
+//						hostname:		null or host name
+//						ip:				null or host ip address
+//						port:			port number(if host is existed), 0 means any
+//						cuk:			cuk(allowed null)
+//						extra:			extra(allowed null)
+//						tenant:			tenant name
+//						display:		display alias name for tenant
+//						id:				tenant id string
+//						description:	description for tenant
+//						scoped:			role token is always scoped(true)
+//						region:			role token is always null / user token is the creator region name of the token
+//					}
+const rawCheckToken = (req, is_scoped, is_user) => {
+    const resobj = { result: true, status: 200, message: null };
+    if (!k2hr3apiutil_1.default.isPlainObject(req)) {
+        resobj.result = false;
+        resobj.message = 'POST body does not have policy data';
+        resobj.status = 400; // 400: Bad Request
+        dbglogging_1.default.elog(resobj.message);
+        return resobj;
+    }
+    if (!k2hr3apiutil_1.default.isBoolean(is_scoped)) {
+        is_scoped = false; // default no scope check
+    }
+    let user_type = true;
+    let role_type = true;
+    if (k2hr3apiutil_1.default.isBoolean(is_user)) {
+        if (is_user) {
+            role_type = false;
+        }
+        else {
+            user_type = false;
+        }
+    }
+    //------------------------------
+    // check token
+    //------------------------------
+    let token;
+    let token_type;
+    let token_info;
+    if (rawIsRoleAuthToken(req)) {
+        // Get IP address
+        const ip = k2hr3apiutil_1.default.getClientIpAddress(req);
+        if (!k2hr3apiutil_1.default.isSafeString(ip)) {
+            resobj.result = false;
+            resobj.message = 'Could not get client ip address from request';
+            resobj.status = 401; // 401: Unauthorized
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // Token is ROLE
+        if (!role_type) {
+            resobj.result = false;
+            resobj.message = 'x-auth-token header token is not role token';
+            resobj.status = 400; // 400: Bad Request
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // get token
+        token = rawGetAuthTokenHeader(req, true);
+        if (null === token) {
+            resobj.result = false;
+            resobj.message = 'There is no x-auth-token header';
+            resobj.status = 400; // 400: Bad Request
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // get token information
+        //
+        // [NOTE]
+        // we set always ip address to token(and role/hosts) value now.
+        // then we do not need to convert ip to hostname here.
+        //
+        token_info = rawCheckRoleToken(token, ip); // not strictly checking
+        if (null === token_info || !k2hr3apiutil_1.default.isSafeEntity(token_info.role)) {
+            resobj.result = false;
+            resobj.message = 'token(' + token + ') is not existed, because it is expired or not set yet.';
+            resobj.status = 401; // 401: Unauthorized
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        else if (is_scoped && !token_info.scoped) {
+            resobj.result = false;
+            resobj.message = 'token(' + token + ') is not scoped.';
+            resobj.status = 401; // 401: Unauthorized
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        token_type = 'role';
+    }
+    else {
+        // Token is USER
+        if (!user_type) {
+            resobj.result = false;
+            resobj.message = 'x-auth-token header token is not user token';
+            resobj.status = 400; // 400: Bad Request
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // get token
+        token = rawGetAuthTokenHeader(req, false);
+        if (null === token) {
+            resobj.result = false;
+            resobj.message = 'There is no x-auth-token header';
+            resobj.status = 400; // 400: Bad Request
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        // get token information
+        token_info = rawCheckUserToken(token);
+        if (null === token_info || !k2hr3apiutil_1.default.isSafeEntity(token_info.user)) {
+            resobj.result = false;
+            resobj.message = 'token(' + token + ') is not existed, because it is expired or not set yet.';
+            resobj.status = 401; // 401: Unauthorized
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        else if (is_scoped && !token_info.scoped) {
+            resobj.result = false;
+            resobj.message = 'token(' + token + ') is not scoped.';
+            resobj.status = 401; // 401: Unauthorized
+            dbglogging_1.default.elog(resobj.message);
+            return resobj;
+        }
+        token_type = 'user';
+    }
+    resobj.token = token;
+    resobj.token_type = token_type;
+    resobj.token_info = token_info;
+    return resobj;
+};
+//---------------------------------------------------------
+// Parse Token from X-Auth-Token header in request
+//---------------------------------------------------------
+const rawHasAuthTokenHeader = (req) => {
+    if (k2hr3apiutil_1.default.isPlainObject(req) &&
+        k2hr3apiutil_1.default.isPlainObject(req.headers) &&
+        k2hr3apiutil_1.default.isSafeString(req.headers['x-auth-token'])) {
+        return true;
+    }
+    return false;
+};
+const rawGetAuthTokenHeader = (req, is_role) => {
+    if (!k2hr3apiutil_1.default.isBoolean(is_role)) {
+        is_role = false;
+    }
+    if (k2hr3apiutil_1.default.isPlainObject(req) &&
+        k2hr3apiutil_1.default.isPlainObject(req.headers) &&
+        k2hr3apiutil_1.default.isSafeString(req.headers['x-auth-token'])) {
+        let token = req.headers['x-auth-token'];
+        if (!k2hr3apiutil_1.default.isString(token)) {
+            return null;
+        }
+        if (is_role) {
+            if (0 !== token.indexOf('R=')) {
+                return null;
+            }
+            token = token.substr(2); // cut 'R='
+        }
+        else {
+            if (0 === token.indexOf('U=')) {
+                token = token.substr(2); // cut 'U='
+            }
+        }
+        return token;
+    }
+    return null;
+};
+const rawIsUserAuthToken = (req) => {
+    if (k2hr3apiutil_1.default.isPlainObject(req) &&
+        k2hr3apiutil_1.default.isPlainObject(req.headers) &&
+        k2hr3apiutil_1.default.isSafeString(req.headers['x-auth-token'])) {
+        const token = req.headers['x-auth-token'];
+        if (!k2hr3apiutil_1.default.isString(token)) {
+            return false;
+        }
+        if (-1 === token.indexOf('U=')) { // user token has 'U='
+            return true;
+        }
+        else if (-1 === token.indexOf('R=')) {
+            return true; // user token does not have any prefix
+        }
+    }
+    return false;
+};
+const rawIsRoleAuthToken = (req) => {
+    if (k2hr3apiutil_1.default.isPlainObject(req) &&
+        k2hr3apiutil_1.default.isPlainObject(req.headers) &&
+        k2hr3apiutil_1.default.isSafeString(req.headers['x-auth-token'])) {
+        const token = req.headers['x-auth-token'];
+        if (!k2hr3apiutil_1.default.isString(token)) {
+            return false;
+        }
+        if (0 === token.indexOf('R=')) {
+            return true; // role token has 'R='
+        }
+    }
+    return false;
+};
+//---------------------------------------------------------
+// Exports
+//---------------------------------------------------------
+exports.k2hr3tokens = {
+    isDkcTypeSourceUserHostInfo: rawIsDkcTypeSourceUserHostInfo,
+    isValTypeUserTenantInfo: rawIsValTypeUserTenantInfo,
+    isDkcTypeBaseRoleToken: rawIsDkcTypeBaseRoleToken,
+    isResTypeObjRoleTokens: rawIsResTypeObjRoleTokens,
+    isResTypeCheckKindToken: rawIsResTypeCheckKindToken,
+    isResTypeCheckUserToken: rawIsResTypeCheckUserToken,
+    isResTypeCheckRoleToken: rawIsResTypeCheckRoleToken,
+    getUserToken: rawGetUserToken,
+    getUserTokenByToken: rawGetUserTokenByToken,
+    getScopedUserToken: rawGetScopedUserTokenByUnscoped,
+    removeScopedUserToken: rawRemoveScopedUserToken,
+    checkUserToken: rawCheckUserToken,
+    getRoleTokenByUser: rawGetRoleTokenByUser,
+    getRoleTokenByIP: rawGetRoleTokenByIP,
+    removeRoleTokenByUser: (token, user, tenant) => rawRemoveRoleToken(token, user, tenant, null, 0, null),
+    directRemoveRoleTokens: rawDirectRemoveRoleTokens,
+    removeRoleTokenByPath: rawRemoveRoleTokenByPath,
+    getListRoleTokens: rawGetListRoleTokens,
+    getDirectRoleTokenInfo: rawGetDirectRoleTokenInfo,
+    removeRoleTokenByIP: (token, ip, port, cuk) => rawRemoveRoleToken(token, null, null, ip, port, cuk),
+    checkRoleToken: rawCheckRoleToken,
+    getTenantListWithDkc: rawGetTenantListByUserWithDkc,
+    getTenantList: rawGetTenantListByUser,
+    initializeTenantList: rawInitializeTenantListByUnscoped,
+    checkTenantInTenantList: rawCheckTenantInTenantList,
+    hasAuthTokenHeader: rawHasAuthTokenHeader,
+    getAuthTokenHeader: rawGetAuthTokenHeader,
+    isUserAuthToken: rawIsUserAuthToken,
+    isRoleAuthToken: rawIsRoleAuthToken,
+    checkToken: rawCheckToken
+};
+//
+// Default
+//
+exports.default = exports.k2hr3tokens;
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: noexpandtab sw=4 ts=4 fdm=marker
+ * vim<600: noexpandtab sw=4 ts=4
+ */