dhiaayachi / temporal

Temporal service
https://docs.temporal.io
MIT License

Default authorizer should allow some OperatorService calls with namespace claims #328

Open dhiaayachi opened 2 weeks ago

dhiaayachi commented 2 weeks ago

Current vs Desired Behavior

Currently the default authorizer blocks all OperatorService calls for namespace-reader and namespace-writer (namespace-admin is required). The UI and (at least) the Java SDK call ListSearchAttributes as part of normal operation. The default authorizer should allow ListSearchAttributes for namespace-reader and Add/RemoveSearchAttributes & DeleteNamespace for namespace-admin. The remote cluster calls should require system permissions.

Note that AddSearchAttributes on ES currently creates properties at the cluster level, so it affects more than a single namespace. This will be fixed eventually, but users should be aware of it.
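The policy the issue asks for, written out as a stand-alone Go authorizer. This is an added example, not code from the Temporal repository: the Role, Claims, CallTarget and Result types are redefined here to mirror the shapes in Temporal's authorization package rather than imported from it, so the block compiles without the server module. Assumptions not stated in the issue: "system permissions" for remote-cluster calls is read as the system admin role; AddOrUpdateRemoteCluster is used only as a sample method name for a remote-cluster call; and the Decide helper is a convenience for exercising the policy, not part of any Temporal API. Methods not in the namespace-scoped table are denied to namespace claims by default, so a method added later never becomes reachable by accident.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Role, Claims, CallTarget and Result mirror the shapes in Temporal's authorization
// package (go.temporal.io/server/common/authorization) but are redefined here so the example compiles stand-alone.
type Role int

const (
	RoleUndefined Role = 0
	RoleReader    Role = 1 << 0
	RoleWriter    Role = 1 << 1
	RoleWorker    Role = 1 << 2
	RoleAdmin     Role = 1 << 3
)

type Claims struct {
	System     Role
	Namespaces map[string]Role // namespace name -> role bits
}

type CallTarget struct{ APIName, Namespace string } // APIName is the full gRPC method name

type Result struct {
	Allowed bool
	Reason  string
}

const operatorServicePrefix = "/temporal.api.operatorservice.v1.OperatorService/"

// namespaceScoped holds the OperatorService methods the issue asks to open to namespace
// claims, with the minimum namespace role each needs. Anything not listed (remote-cluster
// management, methods added later) falls to the system-level rule below.
var namespaceScoped = map[string]Role{
	"ListSearchAttributes":   RoleReader,
	"AddSearchAttributes":    RoleAdmin,
	"RemoveSearchAttributes": RoleAdmin,
	"DeleteNamespace":        RoleAdmin,
}

// satisfies: admin covers everything; any defined role covers a read-only need.
func satisfies(have, need Role) bool {
	if have&RoleAdmin != 0 {
		return true
	}
	if need == RoleReader {
		return have != RoleUndefined
	}
	return have&need != 0
}

type OperatorPolicyAuthorizer struct{}

// Authorize applies the requested policy. Calls outside OperatorService are
// denied here; a real authorizer would fall through to the default rules for them.
func (OperatorPolicyAuthorizer) Authorize(_ context.Context, claims *Claims, target *CallTarget) (Result, error) {
	if claims == nil || target == nil {
		return Result{false, "no claims or target"}, nil
	}
	if claims.System&RoleAdmin != 0 { // system admins keep full access
		return Result{true, "system admin"}, nil
	}
	if !strings.HasPrefix(target.APIName, operatorServicePrefix) {
		return Result{false, "not an OperatorService call"}, nil
	}
	method := strings.TrimPrefix(target.APIName, operatorServicePrefix)
	need, ok := namespaceScoped[method]
	if !ok {
		// Assumption: the "system permissions" the issue wants for remote-cluster
		// calls is the system admin role already checked above.
		return Result{false, method + " requires a system-level role"}, nil
	}
	if target.Namespace == "" {
		return Result{false, method + " is namespace-scoped but the request names no namespace"}, nil
	}
	have := claims.Namespaces[target.Namespace]
	if !satisfies(have, need) {
		return Result{false, fmt.Sprintf("%s on %q needs role bits %b, caller has %b", method, target.Namespace, need, have)}, nil
	}
	return Result{true, fmt.Sprintf("%s on %q allowed (role bits %b)", method, target.Namespace, have)}, nil
}

// Decide (hypothetical helper) builds the CallTarget for an OperatorService method and runs the policy.
func Decide(claims *Claims, method, namespace string) Result {
	t := &CallTarget{APIName: operatorServicePrefix + method, Namespace: namespace}
	res, _ := OperatorPolicyAuthorizer{}.Authorize(context.Background(), claims, t)
	return res
}

func main() {
	// Constructed sample principal, not claims from a real deployment.
	reader := &Claims{Namespaces: map[string]Role{"billing": RoleReader}}
	// AddOrUpdateRemoteCluster is used here only as a sample remote-cluster method name.
	for _, m := range []string{"ListSearchAttributes", "AddSearchAttributes", "AddOrUpdateRemoteCluster"} {
		r := Decide(reader, m, "billing")
		fmt.Printf("%-24s allowed=%v (%s)\n", m, r.Allowed, r.Reason)
	}
}
```

The namespace check is the part worth keeping in mind when customizing the real authorizer: a namespace-admin claim on one namespace must not satisfy DeleteNamespace on another, and a namespace-scoped method with an empty target namespace should be denied rather than matched against an empty key in the claims map.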

dhiaayachi commented 1 day ago

Thank you for reporting this issue. We will investigate this behavior and look into adding the necessary permissions to the default authorizer. For now, you can achieve the desired behavior by customizing the authorizer to allow the necessary operations.

Please let me know if you have any other questions or concerns.

dhiaayachi commented 1 day ago

Thank you for reporting this issue. We understand the need to refine the default authorizer behavior for ListSearchAttributes and other operations.

To work around this issue in the meantime, you can grant the necessary permissions to the namespace-reader and namespace-admin roles. For more information about configuring the default authorizer, please refer to the Temporal CLI operator command reference.

We are actively working on improving the authorization model to address these concerns.

dhiaayachi commented 1 day ago

Thank you for reporting this issue. We understand the need for more granular access control for namespace-reader and namespace-writer roles. We are working on enhancing the authorization model to allow specific operations like ListSearchAttributes for namespace-reader and Add/RemoveSearchAttributes & DeleteNamespace for namespace-admin.

In the meantime, you can use the namespace-admin role for operations like ListSearchAttributes which are currently blocked for namespace-reader. However, please be aware that this could potentially grant more access than intended.

We will update you on any changes made to the authorization model.