Open dhiaayachi opened 2 weeks ago
Thank you for reporting this issue. We will investigate this behavior and look into adding the necessary permissions to the default authorizer. For now, you can achieve the desired behavior by customizing the authorizer to allow the necessary operations.
Please let me know if you have any other questions or concerns.
Thank you for reporting this issue. We understand the need to refine the default authorizer behavior for ListSearchAttributes and other operations.
To work around this issue in the meantime, you can grant the necessary permissions to the namespace-reader and namespace-admin roles. For more information about configuring the default authorizer, please refer to the Temporal CLI operator command reference.
We are actively working on improving the authorization model to address these concerns.
Thank you for reporting this issue. We understand the need for more granular access control for the namespace-reader and namespace-writer roles. We are working on enhancing the authorization model to allow specific operations like ListSearchAttributes for namespace-reader and Add/RemoveSearchAttributes & DeleteNamespace for namespace-admin.
In the meantime, you can use the namespace-admin role for operations like ListSearchAttributes which are currently blocked for namespace-reader. However, please be aware that this could potentially grant more access than intended.
We will update you on any changes made to the authorization model.
Current vs Desired Behavior
Currently the default authorizer blocks all OperatorService calls to namespace-reader and namespace-writer (namespace-admin is required). The UI and (at least) the Java SDK call ListSearchAttributes as part of normal operation. The default authorizer should allow ListSearchAttributes to namespace-reader and Add/RemoveSearchAttributes & DeleteNamespace to namespace-admin. The remote cluster calls should require system permissions.
Note that AddSearchAttributes on ES currently creates properties at the cluster level, so it affects more than a single namespace. This will be fixed eventually but users should be aware.