kailash 0.6.1__py3-none-any.whl → 0.6.2__py3-none-any.whl

kailash/nodes/admin/schema.sql

@@ -0,0 +1,387 @@
+-- Unified Admin Node Database Schema
+-- Complete RBAC/ABAC system with user management and permission checking
+-- Production-ready schema for Kailash Admin Nodes
+
+-- =====================================================
+-- Core User Management
+-- =====================================================
+
+-- Users table - Central user registry
+CREATE TABLE IF NOT EXISTS users (
+    user_id VARCHAR(255) PRIMARY KEY,
+    email VARCHAR(255) UNIQUE NOT NULL,
+    username VARCHAR(255),
+    password_hash VARCHAR(255), -- Optional, for local auth
+    first_name VARCHAR(255),
+    last_name VARCHAR(255),
+    display_name VARCHAR(255),
+
+    -- Admin node compatibility fields
+    roles JSONB DEFAULT '[]', -- For compatibility with PermissionCheckNode
+    attributes JSONB DEFAULT '{}', -- User attributes for ABAC
+
+    -- Status and lifecycle
+    status VARCHAR(50) DEFAULT 'active' CHECK (status IN ('active', 'inactive', 'suspended', 'pending', 'deleted')),
+    is_active BOOLEAN DEFAULT TRUE,
+    is_system_user BOOLEAN DEFAULT FALSE,
+
+    -- Multi-tenancy
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- External auth integration
+    external_auth_id VARCHAR(255), -- For SSO integration
+    auth_provider VARCHAR(100), -- 'local', 'oauth2', 'saml', etc.
+
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+    last_login_at TIMESTAMP WITH TIME ZONE,
+
+    -- Constraints
+    UNIQUE(email, tenant_id),
+    UNIQUE(username, tenant_id) -- Allow same username across tenants
+);
+
+-- =====================================================
+-- Role-Based Access Control (RBAC)
+-- =====================================================
+
+-- Roles table - Hierarchical role definitions
+CREATE TABLE IF NOT EXISTS roles (
+    role_id VARCHAR(255) PRIMARY KEY,
+    name VARCHAR(255) NOT NULL,
+    description TEXT,
+    role_type VARCHAR(50) DEFAULT 'custom' CHECK (role_type IN ('system', 'custom', 'template', 'temporary')),
+
+    -- RBAC permissions and hierarchy
+    permissions JSONB DEFAULT '[]', -- Direct permissions
+    parent_roles JSONB DEFAULT '[]', -- Role inheritance
+    child_roles JSONB DEFAULT '[]', -- Derived roles (maintained automatically)
+
+    -- ABAC attributes and conditions
+    attributes JSONB DEFAULT '{}', -- Role attributes
+    conditions JSONB DEFAULT '{}', -- Dynamic conditions for role activation
+
+    -- Lifecycle and constraints
+    is_active BOOLEAN DEFAULT TRUE,
+    is_system_role BOOLEAN DEFAULT FALSE,
+    expires_at TIMESTAMP WITH TIME ZONE, -- For temporary roles
+
+    -- Multi-tenancy
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+
+    -- Constraints
+    UNIQUE(name, tenant_id)
+);
+
+-- User Role Assignments - Many-to-many with metadata
+CREATE TABLE IF NOT EXISTS user_role_assignments (
+    id SERIAL PRIMARY KEY,
+    user_id VARCHAR(255) NOT NULL,
+    role_id VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- Assignment metadata
+    assigned_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    assigned_by VARCHAR(255) DEFAULT 'system',
+    expires_at TIMESTAMP WITH TIME ZONE, -- For temporary assignments
+
+    -- Conditional assignments (ABAC)
+    conditions JSONB DEFAULT '{}', -- When this assignment is active
+    context_requirements JSONB DEFAULT '{}', -- Required context for activation
+
+    -- Status
+    is_active BOOLEAN DEFAULT TRUE,
+    is_inherited BOOLEAN DEFAULT FALSE, -- True if inherited from group/org
+
+    -- Constraints
+    UNIQUE(user_id, role_id, tenant_id),
+
+    -- Foreign keys (enforced at application level for flexibility)
+    CONSTRAINT fk_user_role_user CHECK (user_id IS NOT NULL),
+    CONSTRAINT fk_user_role_role CHECK (role_id IS NOT NULL)
+);
+
+-- =====================================================
+-- Permission Management and Caching
+-- =====================================================
+
+-- Permission definitions - Centralized permission registry
+CREATE TABLE IF NOT EXISTS permissions (
+    permission_id VARCHAR(255) PRIMARY KEY,
+    name VARCHAR(255) NOT NULL,
+    description TEXT,
+    resource_type VARCHAR(100) NOT NULL, -- 'workflow', 'node', 'data', etc.
+    action VARCHAR(100) NOT NULL, -- 'read', 'write', 'execute', etc.
+
+    -- Permission metadata
+    scope VARCHAR(100) DEFAULT 'tenant', -- 'global', 'tenant', 'user'
+    is_system_permission BOOLEAN DEFAULT FALSE,
+
+    -- ABAC conditions
+    default_conditions JSONB DEFAULT '{}', -- Default conditions for this permission
+    required_attributes JSONB DEFAULT '{}', -- Required user/resource attributes
+
+    -- Multi-tenancy
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+
+    -- Constraints
+    UNIQUE(name, resource_type, action, tenant_id)
+);
+
+-- Permission Cache - High-performance permission checking
+CREATE TABLE IF NOT EXISTS permission_cache (
+    cache_key VARCHAR(512) PRIMARY KEY,
+    user_id VARCHAR(255) NOT NULL,
+    resource VARCHAR(255) NOT NULL,
+    permission VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- Cache result
+    result BOOLEAN NOT NULL,
+    decision_path JSONB, -- How the decision was made (for auditing)
+    context_hash VARCHAR(64), -- Hash of context used for decision
+
+    -- Cache metadata
+    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    hit_count INTEGER DEFAULT 0,
+    last_accessed TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+
+    -- Indexes will be created separately
+    CHECK (expires_at > created_at)
+);
+
+-- =====================================================
+-- Attribute-Based Access Control (ABAC)
+-- =====================================================
+
+-- User Attributes - Dynamic user properties for ABAC
+CREATE TABLE IF NOT EXISTS user_attributes (
+    id SERIAL PRIMARY KEY,
+    user_id VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- Attribute definition
+    attribute_name VARCHAR(255) NOT NULL,
+    attribute_value JSONB NOT NULL,
+    attribute_type VARCHAR(50) DEFAULT 'string', -- 'string', 'number', 'boolean', 'array', 'object'
+
+    -- Attribute metadata
+    is_computed BOOLEAN DEFAULT FALSE, -- True if computed from other attributes
+    computation_rule JSONB, -- How to compute this attribute
+    source VARCHAR(100) DEFAULT 'manual', -- 'manual', 'computed', 'imported', 'inherited'
+
+    -- Lifecycle
+    is_active BOOLEAN DEFAULT TRUE,
+    expires_at TIMESTAMP WITH TIME ZONE,
+
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+
+    -- Constraints
+    UNIQUE(user_id, attribute_name, tenant_id)
+);
+
+-- Resource Attributes - Dynamic resource properties for ABAC
+CREATE TABLE IF NOT EXISTS resource_attributes (
+    id SERIAL PRIMARY KEY,
+    resource_id VARCHAR(255) NOT NULL,
+    resource_type VARCHAR(100) NOT NULL, -- 'workflow', 'node', 'data', etc.
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- Attribute definition
+    attribute_name VARCHAR(255) NOT NULL,
+    attribute_value JSONB NOT NULL,
+    attribute_type VARCHAR(50) DEFAULT 'string',
+
+    -- Attribute metadata
+    is_computed BOOLEAN DEFAULT FALSE,
+    computation_rule JSONB,
+    source VARCHAR(100) DEFAULT 'manual',
+
+    -- Lifecycle
+    is_active BOOLEAN DEFAULT TRUE,
+    expires_at TIMESTAMP WITH TIME ZONE,
+
+    -- Audit fields
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    created_by VARCHAR(255) DEFAULT 'system',
+
+    -- Constraints
+    UNIQUE(resource_id, attribute_name, tenant_id)
+);
+
+-- =====================================================
+-- Sessions and Security
+-- =====================================================
+
+-- User Sessions - Track active user sessions
+CREATE TABLE IF NOT EXISTS user_sessions (
+    session_id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id VARCHAR(255) NOT NULL,
+    tenant_id VARCHAR(255) NOT NULL,
+
+    -- Session data
+    session_token_hash VARCHAR(255) UNIQUE NOT NULL,
+    refresh_token_hash VARCHAR(255),
+    device_info JSONB DEFAULT '{}',
+    ip_address INET,
+    user_agent TEXT,
+
+    -- Session lifecycle
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    last_accessed TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
+    is_active BOOLEAN DEFAULT TRUE,
+
+    -- Security
+    failed_attempts INTEGER DEFAULT 0,
+    locked_until TIMESTAMP WITH TIME ZONE,
+
+    CHECK (expires_at > created_at)
+);
+
+-- =====================================================
+-- Audit and Compliance
+-- =====================================================
+
+-- Admin Audit Log - Comprehensive audit trail
+CREATE TABLE IF NOT EXISTS admin_audit_log (
+    id SERIAL PRIMARY KEY,
+
+    -- Who, What, When, Where
+    user_id VARCHAR(255),
+    tenant_id VARCHAR(255) NOT NULL,
+    action VARCHAR(100) NOT NULL,
+    resource_type VARCHAR(100) NOT NULL,
+    resource_id VARCHAR(255),
+
+    -- Action details
+    operation VARCHAR(100), -- 'create', 'read', 'update', 'delete', 'execute'
+    old_values JSONB, -- Before state
+    new_values JSONB, -- After state
+    context JSONB DEFAULT '{}', -- Request context
+
+    -- Result
+    success BOOLEAN NOT NULL,
+    error_message TEXT,
+    duration_ms INTEGER,
+
+    -- Request metadata
+    ip_address INET,
+    user_agent TEXT,
+    session_id UUID,
+    request_id VARCHAR(255),
+
+    -- Timestamp
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP
+);
+
+-- =====================================================
+-- Performance Indexes
+-- =====================================================
+
+-- User indexes
+CREATE INDEX IF NOT EXISTS idx_users_tenant_status ON users(tenant_id, status);
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+CREATE INDEX IF NOT EXISTS idx_users_external_auth ON users(external_auth_id, auth_provider);
+CREATE INDEX IF NOT EXISTS idx_users_last_login ON users(last_login_at);
+
+-- Role indexes
+CREATE INDEX IF NOT EXISTS idx_roles_tenant_active ON roles(tenant_id, is_active);
+CREATE INDEX IF NOT EXISTS idx_roles_type ON roles(role_type);
+CREATE INDEX IF NOT EXISTS idx_roles_parent_roles ON roles USING GIN(parent_roles);
+CREATE INDEX IF NOT EXISTS idx_roles_permissions ON roles USING GIN(permissions);
+
+-- Assignment indexes
+CREATE INDEX IF NOT EXISTS idx_user_roles_user ON user_role_assignments(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_user_roles_role ON user_role_assignments(role_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_user_roles_active ON user_role_assignments(is_active, expires_at);
+
+-- Permission cache indexes
+CREATE INDEX IF NOT EXISTS idx_permission_cache_user ON permission_cache(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_permission_cache_expires ON permission_cache(expires_at);
+CREATE INDEX IF NOT EXISTS idx_permission_cache_resource ON permission_cache(resource, permission);
+
+-- Attribute indexes
+CREATE INDEX IF NOT EXISTS idx_user_attributes_user ON user_attributes(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_user_attributes_name ON user_attributes(attribute_name, is_active);
+CREATE INDEX IF NOT EXISTS idx_resource_attributes_resource ON resource_attributes(resource_id, resource_type);
+
+-- Session indexes
+CREATE INDEX IF NOT EXISTS idx_sessions_user ON user_sessions(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_token ON user_sessions(session_token_hash);
+CREATE INDEX IF NOT EXISTS idx_sessions_expires ON user_sessions(expires_at, is_active);
+
+-- Audit indexes
+CREATE INDEX IF NOT EXISTS idx_audit_user ON admin_audit_log(user_id, tenant_id);
+CREATE INDEX IF NOT EXISTS idx_audit_resource ON admin_audit_log(resource_type, resource_id);
+CREATE INDEX IF NOT EXISTS idx_audit_timestamp ON admin_audit_log(created_at);
+CREATE INDEX IF NOT EXISTS idx_audit_action ON admin_audit_log(action, operation);
+
+-- =====================================================
+-- Data Integrity and Maintenance
+-- =====================================================
+
+-- Auto-update timestamps trigger function
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = CURRENT_TIMESTAMP;
+    RETURN NEW;
+END;
+$$ language 'plpgsql';
+
+-- Apply auto-update triggers
+CREATE TRIGGER update_users_updated_at BEFORE UPDATE ON users
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+CREATE TRIGGER update_roles_updated_at BEFORE UPDATE ON roles
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+CREATE TRIGGER update_permissions_updated_at BEFORE UPDATE ON permissions
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+CREATE TRIGGER update_user_attributes_updated_at BEFORE UPDATE ON user_attributes
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+CREATE TRIGGER update_resource_attributes_updated_at BEFORE UPDATE ON resource_attributes
+    FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+-- Cache cleanup function
+CREATE OR REPLACE FUNCTION cleanup_expired_cache()
+RETURNS INTEGER AS $$
+DECLARE
+    deleted_count INTEGER;
+BEGIN
+    DELETE FROM permission_cache WHERE expires_at < CURRENT_TIMESTAMP;
+    GET DIAGNOSTICS deleted_count = ROW_COUNT;
+    RETURN deleted_count;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Session cleanup function
+CREATE OR REPLACE FUNCTION cleanup_expired_sessions()
+RETURNS INTEGER AS $$
+DECLARE
+    deleted_count INTEGER;
+BEGIN
+    DELETE FROM user_sessions WHERE expires_at < CURRENT_TIMESTAMP;
+    GET DIAGNOSTICS deleted_count = ROW_COUNT;
+    RETURN deleted_count;
+END;
+$$ LANGUAGE plpgsql;

kailash/nodes/admin/tenant_isolation.py

@@ -0,0 +1,249 @@
+"""Enhanced tenant isolation utilities for admin nodes.
+
+This module provides robust tenant isolation mechanisms to ensure that
+multi-tenant operations properly enforce data boundaries and prevent
+cross-tenant access.
+"""
+
+import logging
+from dataclasses import dataclass
+from typing import Any, Dict, List, Optional, Set
+
+from kailash.sdk_exceptions import NodeExecutionError, NodeValidationError
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class TenantContext:
+    """Represents the context for a specific tenant."""
+
+    tenant_id: str
+    permissions: Set[str]
+    user_ids: Set[str]
+    role_ids: Set[str]
+    resource_prefixes: Set[str]
+
+
+class TenantIsolationManager:
+    """Manages tenant isolation for admin operations."""
+
+    def __init__(self, db_node):
+        """
+        Initialize tenant isolation manager.
+
+        Args:
+            db_node: Database node for tenant context queries
+        """
+        self.db_node = db_node
+        self._tenant_cache = {}
+
+    def get_tenant_context(self, tenant_id: str) -> TenantContext:
+        """
+        Get the context for a specific tenant.
+
+        Args:
+            tenant_id: The tenant ID
+
+        Returns:
+            TenantContext with tenant-specific data
+        """
+        if tenant_id not in self._tenant_cache:
+            self._tenant_cache[tenant_id] = self._load_tenant_context(tenant_id)
+
+        return self._tenant_cache[tenant_id]
+
+    def _load_tenant_context(self, tenant_id: str) -> TenantContext:
+        """Load tenant context from database."""
+        # Get all users for this tenant
+        users_query = """
+            SELECT user_id FROM users WHERE tenant_id = $1 AND status = 'active'
+        """
+        users_result = self.db_node.run(
+            query=users_query, parameters=[tenant_id], result_format="dict"
+        )
+        user_ids = {row["user_id"] for row in users_result.get("data", [])}
+
+        # Get all roles for this tenant
+        roles_query = """
+            SELECT role_id FROM roles WHERE tenant_id = $1 AND is_active = true
+        """
+        roles_result = self.db_node.run(
+            query=roles_query, parameters=[tenant_id], result_format="dict"
+        )
+        role_ids = {row["role_id"] for row in roles_result.get("data", [])}
+
+        # Get all permissions for this tenant (from roles)
+        permissions_query = """
+            SELECT DISTINCT unnest(
+                CASE
+                    WHEN jsonb_typeof(permissions) = 'array'
+                    THEN ARRAY(SELECT jsonb_array_elements_text(permissions))
+                    ELSE ARRAY[]::text[]
+                END
+            ) as permission
+            FROM roles
+            WHERE tenant_id = $1 AND is_active = true
+        """
+        permissions_result = self.db_node.run(
+            query=permissions_query, parameters=[tenant_id], result_format="dict"
+        )
+        permissions = {row["permission"] for row in permissions_result.get("data", [])}
+
+        # Create resource prefixes for this tenant
+        resource_prefixes = {f"{tenant_id}:*", "*"}
+
+        return TenantContext(
+            tenant_id=tenant_id,
+            permissions=permissions,
+            user_ids=user_ids,
+            role_ids=role_ids,
+            resource_prefixes=resource_prefixes,
+        )
+
+    def validate_user_tenant_access(self, user_id: str, target_tenant_id: str) -> bool:
+        """
+        Validate that a user has access within a specific tenant.
+
+        Args:
+            user_id: The user ID to check
+            target_tenant_id: The tenant being accessed
+
+        Returns:
+            True if access is allowed, False otherwise
+        """
+        tenant_context = self.get_tenant_context(target_tenant_id)
+        return user_id in tenant_context.user_ids
+
+    def validate_role_tenant_access(self, role_id: str, target_tenant_id: str) -> bool:
+        """
+        Validate that a role belongs to a specific tenant.
+
+        Args:
+            role_id: The role ID to check
+            target_tenant_id: The tenant being accessed
+
+        Returns:
+            True if role belongs to tenant, False otherwise
+        """
+        tenant_context = self.get_tenant_context(target_tenant_id)
+        return role_id in tenant_context.role_ids
+
+    def check_cross_tenant_permission(
+        self,
+        user_id: str,
+        user_tenant_id: str,
+        resource_tenant_id: str,
+        permission: str,
+    ) -> bool:
+        """
+        Check if a user from one tenant can access resources in another tenant.
+
+        Args:
+            user_id: The user attempting access
+            user_tenant_id: The tenant the user belongs to
+            resource_tenant_id: The tenant of the resource being accessed
+            permission: The permission being requested
+
+        Returns:
+            True if cross-tenant access is allowed, False otherwise
+        """
+        # For now, enforce strict tenant isolation
+        # Users can only access resources in their own tenant
+        if user_tenant_id != resource_tenant_id:
+            logger.debug(
+                f"Cross-tenant access denied: user {user_id} from {user_tenant_id} "
+                f"attempting to access {resource_tenant_id}"
+            )
+            return False
+
+        # Same tenant access - check if user exists in tenant
+        return self.validate_user_tenant_access(user_id, resource_tenant_id)
+
+    def enforce_tenant_isolation(
+        self, user_id: str, user_tenant_id: str, operation_tenant_id: str
+    ) -> None:
+        """
+        Enforce tenant isolation for an operation.
+
+        Args:
+            user_id: The user performing the operation
+            user_tenant_id: The tenant the user belongs to
+            operation_tenant_id: The tenant context for the operation
+
+        Raises:
+            NodeValidationError: If tenant isolation is violated
+        """
+        if not self.check_cross_tenant_permission(
+            user_id, user_tenant_id, operation_tenant_id, "access"
+        ):
+            raise NodeValidationError(
+                f"Tenant isolation violation: user {user_id} from tenant "
+                f"{user_tenant_id} cannot access tenant {operation_tenant_id}"
+            )
+
+    def get_tenant_scoped_permission(
+        self, permission: str, tenant_id: str, resource_id: Optional[str] = None
+    ) -> str:
+        """
+        Create a tenant-scoped permission string.
+
+        Args:
+            permission: Base permission (e.g., "read", "write")
+            tenant_id: Tenant ID
+            resource_id: Optional resource ID
+
+        Returns:
+            Tenant-scoped permission string
+        """
+        if resource_id:
+            return f"{tenant_id}:{resource_id}:{permission}"
+        else:
+            return f"{tenant_id}:*:{permission}"
+
+    def clear_tenant_cache(self, tenant_id: Optional[str] = None) -> None:
+        """
+        Clear the tenant context cache.
+
+        Args:
+            tenant_id: Specific tenant to clear, or None to clear all
+        """
+        if tenant_id:
+            self._tenant_cache.pop(tenant_id, None)
+        else:
+            self._tenant_cache.clear()
+
+        logger.debug(f"Cleared tenant cache for {tenant_id or 'all tenants'}")
+
+
+def enforce_tenant_boundary(tenant_id_param: str = "tenant_id"):
+    """
+    Decorator to enforce tenant boundaries on admin node methods.
+
+    Args:
+        tenant_id_param: Name of the parameter containing the tenant ID
+    """
+
+    def decorator(func):
+        def wrapper(self, *args, **kwargs):
+            # Extract tenant ID from parameters
+            tenant_id = kwargs.get(tenant_id_param)
+            if not tenant_id:
+                raise NodeValidationError(
+                    f"Missing required parameter: {tenant_id_param}"
+                )
+
+            # Create tenant isolation manager if not exists
+            if not hasattr(self, "_tenant_isolation"):
+                self._tenant_isolation = TenantIsolationManager(self._db_node)
+
+            # Perform the operation within tenant context
+            try:
+                return func(self, *args, **kwargs)
+            except Exception as e:
+                logger.error(f"Tenant-scoped operation failed for {tenant_id}: {e}")
+                raise
+
+        return wrapper
+
+    return decorator