Serge Huber created UNOMI-942:
---------------------------------

             Summary: TenantService robustness: null guards, error contracts, 
and quota accuracy
                 Key: UNOMI-942
                 URL: https://issues.apache.org/jira/browse/UNOMI-942
             Project: Apache Unomi
          Issue Type: Sub-task
          Components: unomi(-core)
    Affects Versions: unomi-3.1.0
            Reporter: Serge Huber
            Assignee: Serge Huber
             Fix For: unomi-3.1.0


Four robustness issues in {{TenantServiceImpl}} and {{TenantQuotaService}}:

*1. {{getTenantByApiKey}} NPE on tenants with null {{apiKeys}} 
({{TenantServiceImpl:222, 234}})*
Both {{getTenantByApiKey}} overloads call 
{{tenant.getApiKeys().stream()}} without a null guard. A tenant created before 
this PR, or in a partial-create state, causes a {{NullPointerException}} inside 
the authentication filter, silently falling through. _Fix:_ Add 
{{tenant.getApiKeys() != null &&}} guard (already present in 
{{validateApiKeyWithType}}).

*2. {{createTenant}} can silently return null ({{TenantServiceImpl:106}})*
After saving the tenant, {{getTenant()}} is called to reload it. If 
Elasticsearch has not yet flushed the index despite {{refreshIndex()}}, the 
reload returns null. This is returned to the caller as a successful creation 
with no exception. _Fix:_ Throw {{IllegalStateException}} if the post-creation 
reload returns null.

*3. {{deleteTenant}} silently succeeds for non-existent tenant 
({{TenantServiceImpl:167}})*
The Javadoc states it throws 
{{IllegalArgumentException}} if the tenant does not exist. The implementation 
returns silently, bypassing all lifecycle listeners and leaving stale derived 
state. _Fix:_ Throw {{IllegalArgumentException}} when the tenant load returns 
null.

*4. Quota statistics use global cluster counts instead of per-tenant counts 
({{TenantQuotaService:107}})*
{{updateUsageStatistics}} calls 
{{getAllItemsCount("profile")}} and {{getAllItemsCount("event")}} without a 
{{tenantId}} filter. In a multi-tenant deployment, every tenant's quota is 
measured against total system usage, causing all tenants to appear over-quota 
once any single tenant is large. _Fix:_ Add per-tenant count support to 
{{PersistenceService.getAllItemsCount}} and wire it through 
{{TenantQuotaService}}.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
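
The null guard from item 1, shown next to the unguarded form, as an added example that is not part of the original message or of Unomi's code. Tenant, ApiKey, both lookup methods and the sample data are hypothetical simplified stand-ins, and the lookup is assumed to scan a list of all tenants.

```java
import java.util.List;

// Added illustration; Tenant, ApiKey and both lookup methods are hypothetical
// simplified stand-ins, not Unomi's TenantServiceImpl.
public class ApiKeyLookupSketch {
    record ApiKey(String key) {}
    record Tenant(String id, List<ApiKey> apiKeys) {}

    // Before: dereferences apiKeys for every tenant the scan visits.
    static Tenant findUnguarded(List<Tenant> tenants, String presented) {
        return tenants.stream()
                .filter(t -> t.apiKeys().stream().anyMatch(k -> k.key().equals(presented)))
                .findFirst().orElse(null);
    }

    // After: a tenant with null apiKeys can never match and never throws.
    static Tenant findGuarded(List<Tenant> tenants, String presented) {
        return tenants.stream()
                .filter(t -> t.apiKeys() != null
                        && t.apiKeys().stream().anyMatch(k -> k.key().equals(presented)))
                .findFirst().orElse(null);
    }

    public static void main(String[] args) {
        // Constructed sample data: one legacy tenant stored without apiKeys.
        List<Tenant> tenants = List.of(
                new Tenant("legacy", null),
                new Tenant("acme", List.of(new ApiKey("constructed-key-1"))));

        try {
            findUnguarded(tenants, "constructed-key-1");
        } catch (NullPointerException e) {
            // The legacy record breaks the lookup even for acme's valid key.
            System.out.println("unguarded lookup threw NullPointerException");
        }

        Tenant hit = findGuarded(tenants, "constructed-key-1");
        System.out.println("guarded, valid key   -> " + (hit == null ? "no tenant" : hit.id()));
        Tenant miss = findGuarded(tenants, "unknown-key");
        System.out.println("guarded, unknown key -> " + (miss == null ? "no tenant" : miss.id()));
    }
}
```

In this sketch the single record with null apiKeys makes the unguarded scan throw before it reaches any other tenant, so a caller that swallows the exception would also reject valid keys.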
