dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

temporal-system:read role should have access to ListSearchAttributes RO API (when using default authorizer) #304

Open dhiaayachi opened 2 months ago

dhiaayachi commented 2 months ago

Expected Behavior

When using Temporal's default JWT authorizer, users with the temporal-system:read permission should have access to the temporal.api.operatorservice.v1.OperatorService/ListSearchAttributes API.

https://github.com/temporalio/temporal/blob/release/v1.21.x/common/authorization/frontend_api.go#L50

Actual Behavior

Users with the temporal-system:read permission do NOT have access to the ListSearchAttributes API. This can be confirmed via the CLI (temporal operator search-attribute list) or just by opening the Temporal UI. With the CLI we get a Request unauthorized error; when opening the Temporal UI we get redirected back to the login screen after authentication because of a 403 Forbidden error on the /search-attributes endpoint.

Steps to Reproduce the Problem

  1. Deploy Temporal with the default authorizer.
  2. Configure an OAuth2 client in your auth provider to add a permissions: [ "temporal-system:read" ] claim to the access token.
  3. Request the list of search attributes via tctl or the temporal CLI with your access token, or open the Temporal UI.

Specifications
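To make the expected behaviour concrete, the following is an added example (not Temporal's own code and not part of the issue) of a default-style authorizer: it parses `"<namespace>:<role>"` entries from a `permissions` claim, treats the `temporal-system` pseudo-namespace as the cluster-wide role, and lets a system reader call only APIs on a read-only allow-list. The role names `write` and `admin`, the full-method-name keying of the allow-list, the `ReadOnlyGlobalAPIs` helper and its `includeListSearchAttributes` flag are assumptions made for the demonstration; the flag shows the two outcomes the report contrasts (`ListSearchAttributes` absent from the list versus present), and the writer token shows why the "grant a broader role" workaround over-authorizes.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is a bit set of the roles a principal holds. "read" is the role from
// the report; "write" and "admin" are assumed for the demonstration.
type Role uint32

const (
	RoleUndefined Role = 0
	RoleReader    Role = 1
	RoleWriter    Role = 2
	RoleAdmin     Role = 4
)

// Claims holds the cluster-wide role plus a role per namespace.
type Claims struct {
	System     Role
	Namespaces map[string]Role
}

// SystemNamespace is the pseudo-namespace that carries cluster-wide roles.
const SystemNamespace = "temporal-system"

// Full gRPC method names used below (constructed for the example).
const (
	ListSearchAttributesAPI = "/temporal.api.operatorservice.v1.OperatorService/ListSearchAttributes"
	GetSearchAttributesAPI  = "/temporal.api.workflowservice.v1.WorkflowService/GetSearchAttributes"
	ListNamespacesAPI       = "/temporal.api.workflowservice.v1.WorkflowService/ListNamespaces"
	StartWorkflowAPI        = "/temporal.api.workflowservice.v1.WorkflowService/StartWorkflowExecution"
)

// roleFromName maps the role suffix of a permissions entry to a Role bit.
func roleFromName(name string) Role {
	switch strings.ToLower(name) {
	case "read":
		return RoleReader
	case "write":
		return RoleWriter
	case "admin":
		return RoleAdmin
	}
	return RoleUndefined
}

// MapPermissions turns the entries of a "permissions" claim into Claims.
// Malformed entries and unknown roles are skipped rather than rejected.
func MapPermissions(perms []string) Claims {
	c := Claims{Namespaces: map[string]Role{}}
	for _, p := range perms {
		ns, roleName, ok := strings.Cut(p, ":")
		if !ok {
			continue
		}
		r := roleFromName(roleName)
		if r == RoleUndefined {
			continue
		}
		if ns == SystemNamespace {
			c.System |= r
		} else {
			c.Namespaces[ns] |= r
		}
	}
	return c
}

// ReadOnlyGlobalAPIs builds the allow-list of cluster-wide read-only calls,
// keyed by full method name (an assumption about how the interceptor names
// the API). The flag toggles whether ListSearchAttributes is on the list.
func ReadOnlyGlobalAPIs(includeListSearchAttributes bool) map[string]struct{} {
	m := map[string]struct{}{
		ListNamespacesAPI:      {},
		GetSearchAttributesAPI: {},
	}
	if includeListSearchAttributes {
		m[ListSearchAttributesAPI] = struct{}{}
	}
	return m
}

// Authorize applies the system-role part of a default-style policy: system
// admin or write may call anything, system read may call only APIs on the
// read-only list, and everything else is denied.
func Authorize(c Claims, api string, readOnly map[string]struct{}) bool {
	if c.System&(RoleAdmin|RoleWriter) != 0 {
		return true
	}
	if _, ok := readOnly[api]; ok && c.System&RoleReader != 0 {
		return true
	}
	return false
}

func main() {
	reader := MapPermissions([]string{"temporal-system:read"})  // the token from the report
	writer := MapPermissions([]string{"temporal-system:write"}) // an over-broad workaround token

	fmt.Println("reader -> ListSearchAttributes, not on list:", Authorize(reader, ListSearchAttributesAPI, ReadOnlyGlobalAPIs(false)))
	fmt.Println("reader -> ListSearchAttributes, on list:    ", Authorize(reader, ListSearchAttributesAPI, ReadOnlyGlobalAPIs(true)))
	fmt.Println("reader -> StartWorkflowExecution:           ", Authorize(reader, StartWorkflowAPI, ReadOnlyGlobalAPIs(true)))
	fmt.Println("writer -> StartWorkflowExecution:           ", Authorize(writer, StartWorkflowAPI, ReadOnlyGlobalAPIs(true)))
}
```

The point for a reviewer of such an authorizer is that the read-only allow-list and the name the interceptor passes in must agree exactly: a reader is denied any API whose key is missing or spelled differently, and the only way to "fix" that from the token side is to hand out write or admin, which also unlocks every mutating call.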

dhiaayachi commented 1 month ago

Thanks for reporting this issue! It appears that the temporal-system:read permission is insufficient to access the ListSearchAttributes API, even though the documentation suggests otherwise.

This discrepancy might be a bug in Temporal's authorization logic, and we're actively investigating it.

In the meantime, here's a potential workaround:

Please note that this workaround might grant the user more permissions than intended, so carefully consider its implications before implementing it.

We'll keep you updated on any progress made towards resolving this issue.

dhiaayachi commented 1 month ago

Thanks for reporting this issue!

It looks like you're experiencing an issue with the default JWT authorizer in Temporal not granting access to the ListSearchAttributes API for users with temporal-system:read permissions.

To confirm, are you using a custom JWT authorizer or the default Temporal authorizer?

If you're using the default authorizer and the issue persists, could you please provide the following information:

Please let me know so I can further assist you in finding a solution.

dhiaayachi commented 1 month ago

Thank you for reporting this issue.

This seems to be a known issue that we're working on fixing. We have a documentation page with some workarounds that you can use for now. You can find more information about this issue and how to resolve it here.