Authorization on task queue

Hello Temporal team, our security team is asking us how we can restrict read/write access to Temporal task queues based on microservice.
Their concern is that currently any microservice can poll any task queue, which seems to be a security issue.
We have implemented encryption using a data converter, but to avoid ending up with too many encryption keys, we use the same key for all services, so data access is not restricted per microservice; this is why the security team is asking for task queue ACLs.

As we are doing mTLS between the frontend and our microservices, we want to be able to identify callers based on their CN or SubjectAlternativeName, instead of using JWT.
Then, based on their identity, allow read/write access on task queues, in a similar manner to what we can do with Kafka ACLs (Authorization using ACLs | Confluent Documentation).

Is it possible to achieve this by leveraging the authorization interface (Temporal Server security | Temporal Documentation)? If not, should I open an RFC on GitHub (temporalio/proposals: Temporal proposals)?

Or maybe it is a useless security measure; if so, can you please detail why?

Authorizer sample: samples-server/extensibility/authorizer at main · temporalio/samples-server · GitHub
Associated docs: Temporal Server security | Temporal Documentation

Temporal server does not impose any authorization, and you can use the pluggable Authorizer and ClaimMapper. The ClaimMapper's job is to translate the caller identity (from the TLS cert and/or auth token) into a set of role claims. The Authorizer uses these claims as input to authorize these decisions.

If you don’t use the default configurable JWT-based authorization, you will need to write a custom one, as shown in that sample in Go. In the future we want to provide the ability to do this in different languages as well.

You should be able to get the task queue information via the CallTarget APIName (PollWorkflowTaskQueueRequest) and cast it to workflowservice.PollWorkflowTaskQueueRequest; see here for a similar implementation. Give it a try and let us know if you run into issues.

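As an added illustration (not code from the thread or from the Temporal samples), here is a Go sketch of the ClaimMapper/Authorizer split described above: the identity comes from the client certificate CN, and a per-service ACL is checked against the task queue pulled out of the poll request. The type names mirror Temporal's but are local stand-ins, and the service names and ACL contents are constructed.

```go
package main

import "crypto/x509/pkix"

// Stand-ins with the shape of Temporal's Claims, CallTarget and Result (assumption:
// the real types live in go.temporal.io/server/common/authorization; none are imported).
type Decision int

const DecisionDeny, DecisionAllow Decision = 1, 2

type Claims struct{ Subject string }
type CallTarget struct{ Request interface{} }

// Stand-ins for the workflowservice poll requests; only the field this check reads.
type TaskQueue struct{ Name string }
type PollWorkflowTaskQueueRequest struct{ TaskQueue *TaskQueue }
type PollActivityTaskQueueRequest struct{ TaskQueue *TaskQueue }

// Constructed ACL: client-certificate CN -> task queues that service may poll.
var taskQueueACL = map[string]map[string]bool{"billing-svc": {"billing-tq": true}, "email-svc": {"email-tq": true}}

// MapClaims plays the ClaimMapper role: the identity is the mTLS subject CN, no JWT needed.
func MapClaims(subject *pkix.Name) *Claims {
	if subject == nil {
		return &Claims{} // no client certificate: empty subject, denied by Authorize
	}
	return &Claims{Subject: subject.CommonName}
}

// Authorize plays the Authorizer role: callers without an identity are denied, a poll is
// allowed only on a queue listed for the caller's CN, other APIs pass through (assumption).
func Authorize(caller *Claims, target *CallTarget) Decision {
	if caller == nil || caller.Subject == "" {
		return DecisionDeny
	}
	var tq *TaskQueue
	switch r := target.Request.(type) {
	case *PollWorkflowTaskQueueRequest:
		tq = r.TaskQueue
	case *PollActivityTaskQueueRequest:
		tq = r.TaskQueue
	default:
		return DecisionAllow // not a task queue poll: outside this check's scope
	}
	if tq != nil && taskQueueACL[caller.Subject][tq.Name] {
		return DecisionAllow
	}
	return DecisionDeny
}
```

A poll whose request carries no task queue at all is denied as well, since an empty name never appears in the ACL.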

Just to add, the CallTarget Request object should include the task queue name as well. I would test this, however, to make sure.


Thanks a lot for your reply, it is very helpful. We will test and update this thread to let you know how it goes.

The feature I am proposing here would help: [proposal #81] Add Open Policy Agent based Authorizer by ghaskins · Pull Request #4481 · temporalio/temporal · GitHub

I am looking to do things similar to the OP. In this model, a ClaimMapper providing integration with the Kubernetes TokenReview API will supply k8s namespace and pod claims. Then it’s just a matter of writing policy against the Temporal CallTarget facts, such as Namespace and TaskQueue.

One such model would be for the k8s and Temporal namespace to align, and the k8s pod/SA and Temporal TaskQueue to align.