Adding user info in plugin context and pass it to hooks #2510

Merged
crivetimihai merged 1 commit into IBM:main from monshri:feat/add_user_role_plugin_context
Jan 27, 2026

@monshri (Collaborator) commented Jan 26, 2026

Description:

This pull request updates how user information is propagated from tool invocations from the UI to the Cedar plugin (and other potential plugins). Previously, only the user’s email address was included in the plugin context.

With this change, user information is now passed as a dictionary in the global plugin context, containing:

  • full_name: The user’s full name
  • email: The user’s email address
  • is_admin: A boolean flag indicating if the user has administrative privileges

As part of the authentication flow in auth.py, this dictionary is stored in request.state.plugin_global_context, making user attributes readily accessible to the Cedar RBAC plugin for policy enforcement.

This enhancement enables more granular access control decisions based on user attributes beyond email, aligning with the RBAC model implemented in the Cedar plugin.

For plugins to have this information, a key include_user_info was added to plugin_settings in the plugins/config.yaml file:

Global plugin settings

plugin_settings:
  parallel_execution_within_band: true
  plugin_timeout: 120
  fail_on_plugin_error: false
  enable_plugin_api: true
  plugin_health_check_interval: 120
  include_user_info: true

monshri self-assigned this Jan 26, 2026
monshri requested a review from crivetimihai as a code owner January 26, 2026 22:23
monshri marked this pull request as draft January 26, 2026 22:23
monshri requested review from araujof and terylt January 27, 2026 16:49
monshri marked this pull request as ready for review January 27, 2026 17:15
monshri added the enhancement label Jan 27, 2026
monshri added this to the Release 1.0.0-GA milestone Jan 27, 2026
crivetimihai self-assigned this Jan 27, 2026
Add user information (email, full_name, is_admin) to the plugin global
context, enabling plugins like Cedar RBAC to make access control decisions
based on user attributes beyond just email.

Changes:
- Add _inject_userinfo_instate() function to auth.py that populates
  global_context.user as a dictionary when include_user_info is enabled
- Update GlobalContext.user type to Union[str, dict] for backward compat
- Add include_user_info config option to plugin_settings (default: false)
- Prevent tool_service from overwriting user dict with string email

The feature is disabled by default to maintain backward compatibility
with existing plugins that expect global_context.user to be a string.

Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
crivetimihai force-pushed the feat/add_user_role_plugin_context branch from e5f5cea to 0571dd5 January 27, 2026 20:55
@crivetimihai (Member)

Changes Made During Review

The PR has been rebased onto main and the following changes were made:

1. Default Value Changed (Breaking Change Prevention)

Changed include_user_info default from true to false to maintain backward compatibility with existing plugins that expect global_context.user to be a string.

Files:

  • mcpgateway/plugins/framework/models.py: include_user_info: bool = False
  • plugins/config.yaml: include_user_info: false

2. Type Annotation Fix

Fixed the type annotation in _inject_userinfo_instate():

# Before
def _inject_userinfo_instate(request: Optional[object] = None, user: EmailUser = None) -> None:

# After  
def _inject_userinfo_instate(request: Optional[object] = None, user: Optional[EmailUser] = None) -> None:

3. Commits Squashed

Squashed 4 commits into 1 clean commit with proper sign-off and co-authorship.


Follow-up Recommendation: Update Cedar Plugin

For full functionality with this feature, the Cedar plugin should be updated in a follow-up PR to handle the new dict format when include_user_info=true. Currently, Cedar uses:

user = context.global_context.user  # expects string
user_role = self.jwt_info["users"].get(user)  # will fail if user is dict

The Cedar plugin should be updated to extract the email when user is a dict:

user = context.global_context.user
if isinstance(user, dict):
    user_email = user.get("email", "")
    is_admin = user.get("is_admin", False)
    full_name = user.get("full_name", "")
else:
    # Legacy string form: only the email is known, so default the rest.
    user_email = user or ""
    is_admin = False
    full_name = ""

This would enable Cedar to leverage the additional user attributes (is_admin, full_name) for more granular RBAC decisions.
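
One way a plugin could accept both shapes of global_context.user discussed in this thread while failing closed on malformed input. This is an added example, not code from the PR or the Cedar plugin; Principal, normalize_user, resolve_role and SAMPLE_ROLES are hypothetical names, and the role map is constructed sample data.

```python
from dataclasses import dataclass
from typing import Any, Optional, Union


@dataclass(frozen=True)
class Principal:
    """Hypothetical normalized view of global_context.user."""
    email: str
    full_name: str = ""
    is_admin: bool = False


def normalize_user(user: Union[str, dict, None]) -> Optional[Principal]:
    """Accept both shapes of global_context.user; return None if unusable."""
    if isinstance(user, str):
        # Legacy shape (include_user_info: false): a bare email string.
        email = user.strip()
        return Principal(email=email) if email else None
    if isinstance(user, dict):
        email = user.get("email")
        if not isinstance(email, str) or not email.strip():
            return None
        full_name = user.get("full_name")
        return Principal(
            email=email.strip(),
            full_name=full_name if isinstance(full_name, str) else "",
            # Fail closed: only a real boolean True grants admin; a truthy
            # string such as "false" must not.
            is_admin=user.get("is_admin") is True,
        )
    return None


def resolve_role(user: Any, role_map: dict) -> Optional[str]:
    """Look up the role by email regardless of which shape was injected."""
    principal = normalize_user(user)
    if principal is None:
        return None  # no usable identity: the caller should deny
    return role_map.get(principal.email)


# Constructed sample data standing in for jwt_info["users"] in the snippet above.
SAMPLE_ROLES = {"alice@example.com": "employee", "bob@example.com": "admin"}

if __name__ == "__main__":
    for shape in ("alice@example.com",
                  {"email": "bob@example.com", "full_name": "Bob", "is_admin": True},
                  {"email": "alice@example.com", "is_admin": "false"}, None):
        print(repr(shape), "->", normalize_user(shape), resolve_role(shape, SAMPLE_ROLES))
```
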

crivetimihai merged commit 3f0a726 into IBM:main Jan 27, 2026
52 checks passed
hughhennelly pushed a commit to hughhennelly/mcp-context-forge that referenced this pull request Feb 8, 2026
Signed-off-by: hughhennnelly <hughhennelly06@gmail.com>
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
Labels

enhancement, plugins

Development

Successfully merging this pull request may close these issues.

[PERFORMANCE][PLUGIN]: Optimize Cedar plugin - Replace synchronous requests with async
