Authentication and Authorization in Temporal

Goal
Give the different “functions” in Temporal.io (Workflows, Child Workflows, Activities) a way to check whether the user requesting them is authorized.
Additionally, authorize the connection of a worker to the server, so that only authorized workers can register their workflows and activities.

Requirements:

  • Temporal should provide a mechanism to authenticate and authorize the connection of a new worker, for example using mTLS.
  • The CLI and GUI currently have no authentication mechanism; only authenticated CLI and UI users should be allowed to access data and submit workflows.
  • Each workflow is able to call other workflows or activities. Any workflow or activity should be able to check and validate whether the calling Workflow has the authority to run the related code (the called Workflow or activities). For this, Temporal should provide a CLI admin extension for managing authorization rules (e.g. workflow2 may be called only by workflow1, activity2 may be called only by workflow1), so that the Cadence client can easily verify that the requester is really authorized.
  • In the case of a multi-tenancy extension, CLI and GUI authentication should be configurable at the tenant level, allowing users to submit work and check results only for the tenants they are authorized for.
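The first requirement above (authenticate and authorize a connecting worker with mTLS) is illustrated by the following added example. It is not Temporal's own code and does not use the Temporal SDK; it shows the two checks a server has to make, with Go's standard library: the handshake only succeeds for a worker whose certificate chains to the worker CA (authentication), and the identity taken from the certificate's CN is then matched against an allow-list of workers permitted to register workflows and activities (authorization). The CA, the certificate names, the in-process server on 127.0.0.1 and the allow-list are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Allow-list of worker identities (certificate CNs) permitted to register
// workflows and activities. Constructed for this example.
var registeredWorkers = map[string]bool{"worker-payments": true}

// issueCert creates a P-256 key and a certificate for name. With parent nil the
// result is a self-signed CA; otherwise it is signed by parent/parentKey.
func issueCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN for the in-process server
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, key
}

// authenticateWorker completes the mTLS handshake (authentication: the cert
// chains to the worker CA), then applies the allow-list (authorization).
func authenticateWorker(conn *tls.Conn) (string, error) {
	if err := conn.Handshake(); err != nil {
		return "", fmt.Errorf("mTLS handshake failed: %w", err)
	}
	peers := conn.ConnectionState().PeerCertificates
	if len(peers) == 0 { // cannot happen with RequireAndVerifyClientCert, but stays safe if ClientAuth is relaxed
		return "", fmt.Errorf("no worker certificate presented")
	}
	id := peers[0].Subject.CommonName
	if !registeredWorkers[id] {
		return "", fmt.Errorf("worker %q authenticated but not authorized to register", id)
	}
	return id, nil
}

// connectWorker runs one worker connection against an in-process server and
// returns the server's verdict. workerCert nil models a worker with no credential.
func connectWorker(ca *x509.Certificate, serverCert tls.Certificate, workerCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or a cert from another CA, fails the handshake
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	cliCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if workerCert != nil {
		cliCfg.Certificates = []tls.Certificate{*workerCert}
	}
	go func() { // the worker side; under TLS 1.3 a rejected worker only sees the alert on its first read
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return authenticateWorker(conn.(*tls.Conn))
}

func main() {
	_, ca, caKey := issueCert("temporal-worker-ca", nil, nil)
	server, _, _ := issueCert("temporal-frontend", ca, caKey)
	worker, _, _ := issueCert("worker-payments", ca, caKey)
	fmt.Println(connectWorker(ca, server, &worker))
	fmt.Println(connectWorker(ca, server, nil))
}
```

The point of separating authenticateWorker from the TLS configuration is that a valid certificate is not, by itself, permission to register code: a worker with a certificate from the right CA but an identity that is not on the list is rejected after the handshake, while a worker with no certificate or one from an unrelated CA never gets past it. In a real deployment the allow-list would be the registration data an admin maintains, and the identity would more likely come from a SAN than from the CN.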
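The third and fourth requirements (a callee checks that its caller is allowed to invoke it, using rules an admin manages, scoped per tenant) are illustrated by this added example. It is not Temporal's code: the rule syntax ("callee <- caller" with "namespace/name" principals), the header key carrying the caller identity and the tenant names are assumptions made for the example. It shows a deny-by-default policy, per-hop (non-transitive) checks along a workflow1 → workflow2 → activity2 chain, rejection of calls that carry no identity, and a tenant boundary that rules cannot cross.

```go
package main

import (
	"fmt"
	"strings"
)

// Principal identifies a workflow or activity type within a tenant namespace.
type Principal struct {
	Namespace string // tenant boundary
	Name      string // workflow or activity type
}

func (p Principal) String() string { return p.Namespace + "/" + p.Name }

// Policy is the allow-list an administrator would manage: for each callee, the
// callers permitted to invoke it. Anything not listed is denied.
type Policy struct {
	allowed map[Principal]map[Principal]bool
}

func parsePrincipal(s string) (Principal, error) {
	ns, name, ok := strings.Cut(strings.TrimSpace(s), "/")
	if !ok || ns == "" || name == "" {
		return Principal{}, fmt.Errorf("principal %q must have the form namespace/name", s)
	}
	return Principal{ns, name}, nil
}

// ParseRules reads rules of the form "callee <- caller", one per line; blank
// lines and '#' comments are ignored. A malformed rule is an error rather than
// being skipped, so a typo cannot silently leave a callee unprotected.
func ParseRules(text string) (*Policy, error) {
	p := &Policy{allowed: map[Principal]map[Principal]bool{}}
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		lhs, rhs, ok := strings.Cut(line, "<-")
		if !ok {
			return nil, fmt.Errorf("line %d: expected \"callee <- caller\"", n+1)
		}
		callee, err := parsePrincipal(lhs)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		caller, err := parsePrincipal(rhs)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if callee.Namespace != caller.Namespace {
			return nil, fmt.Errorf("line %d: rule would cross the tenant boundary", n+1)
		}
		if p.allowed[callee] == nil {
			p.allowed[callee] = map[Principal]bool{}
		}
		p.allowed[callee][caller] = true
	}
	return p, nil
}

// Authorize decides one hop: may caller invoke callee? Checks are per hop and
// not transitive: workflow1 -> workflow2 -> activity2 needs a rule for each edge.
func (p *Policy) Authorize(caller, callee Principal) error {
	if caller.Namespace != callee.Namespace {
		return fmt.Errorf("deny: %s and %s belong to different tenants", caller, callee)
	}
	if !p.allowed[callee][caller] {
		return fmt.Errorf("deny: %s is not authorized to call %s", caller, callee)
	}
	return nil
}

// Header models the metadata propagated with each workflow/activity request.
// The caller-identity key is an assumption of this example, not a Temporal header.
type Header map[string]string

const callerKey = "x-caller-principal"

// Invoke is what a callee (or an interceptor in front of it) runs before
// executing: it recovers the caller from the header and consults the policy.
func (p *Policy) Invoke(h Header, callee Principal) error {
	raw, ok := h[callerKey]
	if !ok {
		return fmt.Errorf("deny: call to %s carries no caller identity", callee)
	}
	caller, err := parsePrincipal(raw)
	if err != nil {
		return fmt.Errorf("deny: %w", err)
	}
	return p.Authorize(caller, callee)
}

func main() {
	policy, err := ParseRules(`
		# constructed rules for tenant "payments"
		payments/workflow2 <- payments/workflow1
		payments/activity2 <- payments/workflow1
	`)
	if err != nil {
		panic(err)
	}
	wf1 := Header{callerKey: "payments/workflow1"}
	wf2 := Header{callerKey: "payments/workflow2"}
	fmt.Println(policy.Invoke(wf1, Principal{"payments", "workflow2"}))     // allowed
	fmt.Println(policy.Invoke(wf2, Principal{"payments", "activity2"}))     // denied: no rule for this hop
	fmt.Println(policy.Invoke(Header{}, Principal{"payments", "activity2"})) // denied: no identity
}
```

The check is only as strong as the caller identity it reads: the header must be stamped by the server or SDK from the authenticated context of the calling execution, never copied from caller-supplied input, otherwise any workflow could claim to be workflow1. Keeping the rules per hop rather than transitive is deliberate; it matches the requirement that activity2 is callable only by workflow1, even when workflow2 was itself legitimately started by workflow1.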