Use Case
We have multiple applications running on a single Temporal server, but on different namespaces.
App 1 → namespace 1
App 2 → namespace 2
Questions
How to ensure the workers corresponding to App1 are only authorised to connect to namespace1?
There’s an extension mechanism that allows for custom authorization decisions. Have you found this documentation page?
The Frontend in the image doesn’t mean the Temporal web, right?
Correct. Frontend is the Temporal service that handles client gRPC connections.
The flow is applicable whenever I try to connect to Temporal server, right? Say, I’m using the Temporal service library to run a query method, even then this flow will be applied, right?
Correct and correct.
Say, I’m using JWT for authorization. Where should I set the JWT so that claimMapper gets it when I try to connect to Temporal Server?
You put the token into the standard HTTP “Authorization” header as
Authorization: Bearer <token>
You might need to implement a call interceptor in order to be able to add the header to outgoing gRPC calls. That depends on the SDK you are using.
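The flow discussed in this thread (bearer token in the Authorization header, claims extracted from it, a per-namespace decision), as an added stand-alone Go example that is not part of the original posts and is not Temporal's own code. The names `sign`, `mapClaims` and `allowed`, the HS256 shared key, and the `permissions` claim holding "namespace:role" strings are assumptions of this example; Temporal's real plugin interfaces differ, and expiry checks are left out here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64, demoKey = base64.RawURLEncoding, []byte("constructed-demo-key")

// sign builds an HS256 JWT; it exists only to construct the sample tokens.
func sign(key []byte, perms ...string) string {
	body, _ := json.Marshal(map[string][]string{"permissions": perms})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(mac.Sum(nil))
}

// mapClaims (claim mapper role) verifies the bearer token and returns its "namespace:role" claims, or nil.
func mapClaims(authHeader string, key []byte) []string {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if !strings.HasPrefix(authHeader, "Bearer ") || len(parts) != 3 {
		return nil
	}
	mac := hmac.New(sha256.New, key) // always HS256: the token's "alg" field is never trusted
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, errSig := b64.DecodeString(parts[2])
	body, errBody := b64.DecodeString(parts[1])
	var claims struct{ Permissions []string `json:"permissions"` }
	if errSig != nil || errBody != nil || !hmac.Equal(sig, mac.Sum(nil)) || json.Unmarshal(body, &claims) != nil {
		return nil
	}
	return claims.Permissions
}

// allowed (authorizer role) permits a call only when a claim names the target namespace.
func allowed(authHeader, namespace string, key []byte) bool {
	for _, p := range mapClaims(authHeader, key) {
		if strings.HasPrefix(p, namespace+":") {
			return true
		}
	}
	return false
}

func main() { fmt.Println(allowed("Bearer "+sign(demoKey, "namespace1:worker"), "namespace1", demoKey)) }
```

A token issued to App1 with only a namespace1 entry is accepted for namespace1 and refused for namespace2, which is the separation asked about in the question.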