Does temporal authorization help in authorizing creation of child workflows?

Hello we have an implementation of custom authorizer to control the StartWorkflowExecution through a defined set of permissions.

A subject → namespace mapping determines which subject can create workflows in which namespace.

It works fine for a new workflow.
However, when a child workflow is created in namespace B from a parent workflow in namespace A, what we expect is the authorizer to check whether the subject has access to namespace B, which is not happening. I am assuming this is because a child workflow is not an API call to the frontend from the client, and the authorizer is added only to the frontend services.

Will adding the authorizer to history and matching help fix this?

All communication of your client code (and workers) goes through the frontend service.
In your custom authorizer, maybe you try doing something similar to here, with the operation being "CreateWorkflowExecution".

Ah, okay. So I need to inspect the request, see if there is an event of ChildWorkflow and block it.
Let me try that. Thanks for the input.

Did something like below in the authorizer. It does the job; however, a plain deny for RespondWorkflowTaskCompletedRequest just results in a workflow task timeout in the parent workflow, and it retries infinitely.

import (
	"context"

	enumspb "go.temporal.io/api/enums/v1"
	"go.temporal.io/api/workflowservice/v1"
	"go.temporal.io/server/common/authorization"
)

// Authorize has the authorization.Authorizer signature (receiver name is a placeholder);
// allow() is the poster's own subject -> namespace check. Child workflow starts arrive as
// commands inside the parent's workflow task completion, so each command's namespace is checked.
func (a *namespaceAuthorizer) Authorize(ctx context.Context, claims *authorization.Claims, target *authorization.CallTarget) (authorization.Result, error) {
	if request, ok := target.Request.(*workflowservice.RespondWorkflowTaskCompletedRequest); ok {
		for _, command := range request.Commands {
			if command.GetCommandType() == enumspb.COMMAND_TYPE_START_CHILD_WORKFLOW_EXECUTION {
				attributes := command.GetStartChildWorkflowExecutionCommandAttributes()
				cwfNamespace := attributes.GetNamespace()
				if cwfNamespace != "" && !allow(cwfNamespace) {
					return authorization.Result{
						Decision: authorization.DecisionDeny,
						// name the child namespace that was denied, not the parent's
						Reason: "Not authorized to start child workflow in Namespace: " + cwfNamespace,
					}, nil
				}
			}
		}
	}
	return authorization.Result{Decision: authorization.DecisionAllow}, nil
}
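As an added, self-contained example (not code from the thread or from Temporal), the same check with a per-subject mapping, using stand-in types in place of the Temporal ones: the subject's allowed namespaces are applied to the namespace every call is addressed to and to each StartChildWorkflowExecution command carried by a RespondWorkflowTaskCompleted request. It assumes an empty child namespace means the parent's own namespace, and the deny reason names the child namespace rather than the parent's.

```go
package main

import "fmt"

// Stand-ins for the Temporal types named in the thread (authorization.Claims,
// CallTarget, Result, workflowservice.RespondWorkflowTaskCompletedRequest).
type Claims struct{ Subject string }
type StartChildAttrs struct{ Namespace string }
type Command struct{ Type string; ChildAttrs *StartChildAttrs } // Type e.g. "StartChildWorkflowExecution"
type RespondWorkflowTaskCompletedRequest struct{ Commands []Command }
type CallTarget struct{ APIName, Namespace string; Request interface{} }
type Decision int
type Result struct{ Decision Decision; Reason string }

const (
	DecisionAllow Decision = iota
	DecisionDeny
)

// NamespaceAuthorizer is the subject -> namespaces mapping from the thread.
type NamespaceAuthorizer struct{ Allowed map[string]map[string]bool }

// Authorize checks the namespace a call is addressed to and, for a workflow
// task completion, every StartChildWorkflowExecution command it carries: child
// starts are not separate frontend calls, so this is where the authorizer sees them.
func (a NamespaceAuthorizer) Authorize(c Claims, t CallTarget) Result {
	allowed := a.Allowed[c.Subject] // a nil map reads as false for every namespace
	if !allowed[t.Namespace] {
		return Result{DecisionDeny, fmt.Sprintf("%q may not call %s in namespace %q", c.Subject, t.APIName, t.Namespace)}
	}
	if req, ok := t.Request.(*RespondWorkflowTaskCompletedRequest); ok {
		for _, cmd := range req.Commands {
			if cmd.Type != "StartChildWorkflowExecution" || cmd.ChildAttrs == nil {
				continue
			}
			child := cmd.ChildAttrs.Namespace
			if child == "" { // assumption: empty child namespace means the parent's own namespace
				child = t.Namespace
			}
			if !allowed[child] { // name the child namespace, not the parent's
				return Result{DecisionDeny, fmt.Sprintf("%q may not start a child workflow in namespace %q", c.Subject, child)}
			}
		}
	}
	return Result{DecisionAllow, ""}
}
```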

A plain deny for RespondWorkflowTaskCompletedRequest just results in a workflow task timeout in the parent workflow, and it retries infinitely.

This is by design, as you either want to fix the permissions or change the workflow code to not make this call. After the issue is fixed, the workflow continues from that point.

That makes sense, thanks very much. I think this should work.