Authorization, Untrusted workflow creation and namespace authentication

Hello all,

I have a question on the authorization around Temporal that’s existent at this point.

  1. Can we contribute to anything ASAP and/or use anything existent that would prevent tenants from seeing/accessing/subscribing to each other’s namespaces?

At the moment there’s nothing that prevents people from doing the above (as far as I saw). We don’t really want to have different namespaces (workflows, workers, etc.) have access to each other, see their workflows’ data, etc.

In addition (correct me if I am wrong please), I saw that there is no mechanism to authenticate the registration to a task queue/task list.

Thank you,

Marius


Hey, sorry it took a while to get back to you. The direct answer is that neither Cadence nor Temporal support any form of fine grained access control or authentication out of the box. Temporal does support mutual TLS over gRPC which actually does provide a means to achieve secure namespace isolation. I honestly am not educated enough to explain how this will work at the lowest level, but the gist is that you use custom TLS certs for different users/namespaces.

I’ll let Max chime in if there is anything that you can contribute.
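The per-tenant mTLS idea from the reply above, as an added Go example (not Temporal's own code or API). It assumes a naming convention in which each tenant's client certificate has CN `<namespace>.tenant`, and that the namespace check runs on a request after the TLS handshake has already verified the client's certificate chain.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
)

// Assumed convention (not Temporal's own): each tenant's client certificate
// has CN "<namespace>.tenant" and is only ever allowed to act on that namespace.
const tenantCNSuffix = ".tenant"

// authorizeNamespace is the per-request check: the namespace named in the
// request must equal the one bound to the verified leaf certificate.
func authorizeNamespace(verified []*x509.Certificate, requested string) error {
	if len(verified) == 0 {
		return errors.New("request carries no verified client certificate")
	}
	cn := verified[0].Subject.CommonName
	ns := strings.TrimSuffix(cn, tenantCNSuffix)
	if ns == cn || ns == "" {
		return fmt.Errorf("client cert CN %q is not a tenant certificate", cn)
	}
	if ns != requested {
		return fmt.Errorf("certificate for namespace %q may not access %q", ns, requested)
	}
	return nil
}

// serverTLSConfig is the mTLS half: a client without a certificate signed by
// the tenant CA never completes the handshake, so it never reaches the check above.
func serverTLSConfig(serverCert tls.Certificate, tenantCA *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    tenantCA,
		MinVersion:   tls.VersionTLS12,
	}
}

func main() { // constructed leaf; real code takes tls.ConnectionState.VerifiedChains[0]
	leaf := &x509.Certificate{}
	leaf.Subject.CommonName = "payments.tenant"
	fmt.Println(authorizeNamespace([]*x509.Certificate{leaf}, "billing"))
}
```

In a gRPC server the verified chain comes from the peer's `tls.ConnectionState` and the check would run in an interceptor before any namespace-scoped handler.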