How to Use SecurityToken in Namespaces

Hey Folks,

I was looking into hardening our namespaces and am curious how to properly leverage the SecurityToken feature on Namespaces. As described in the namespace registration help, the token is an “optional token for security check”:

~ % tctl namespace register -h  
NAME:
   tctl namespace register - Register workflow namespace

USAGE:
   tctl namespace register [command options] [arguments...]

OPTIONS:
   --description value, --desc value               Namespace description
   --owner_email value, --oe value                 Owner email
   --retention value, --rd value                   Workflow execution retention in days
   --active_cluster value, --ac value              Active cluster name
   --clusters value, --cl value                    Clusters
   --global_namespace value, --gd value            Flag to indicate whether namespace is a global namespace
   --namespace_data value, --dmd value             Namespace data of key value pairs, in format of k1:v1,k2:v2,k3:v3
   --security_token value, --st value              Optional token for security check
   --history_archival_state value, --has value     Flag to set history archival state, valid values are "disabled" and "enabled"
   --history_uri value, --huri value               Optionally specify history archival URI (cannot be changed after first time archival is enabled)
   --visibility_archival_state value, --vas value  Flag to set visibility archival state, valid values are "disabled" and "enabled"
   --visibility_uri value, --vuri value            Optionally specify visibility archival URI (cannot be changed after first time archival is enabled)

I had assumed this might act like an API Key or something so that you can only publish to a namespace if you pass it as the matching header or something of that nature. This would be a useful feature for safety more than security, preventing different groups in the org from publishing to the wrong namespace by accident.

However, I only found it in the protobufs for updating namespaces, and could not find it being set in the SDK for a request. I would have expected it on client/workflow options, for example. I also didn’t see where it was validated in the main server codebase.

Is there any documentation about what the SecurityToken on a namespace is and how to leverage it? Is it just to protect updates to the namespace?

Thank you for the support!

The security token is not used at all. It’s a leftover that we neglected to remove. If you are looking for how to authorize access to a namespace, the Authorization section of the docs describes how that can be done via the server options.

Got it, thank you for the clarification.

To summarize for future readers, the SecurityToken option has no docs because it is unused and should be discarded. In order to provide access control on namespaces, one has to create their own authorization layer in golang and add it as a server option, making the move to running Temporal Server as a golang application you compile and run yourself.

One can probably use the Temporal Server security | Temporal documentation as a head start on that implementation.

This is a great summary. Thank you, @Tristan_Fletcher!
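
A sketch of the per-namespace check the summary above describes, as an added example that is not code from this thread or from the Temporal project. The types are local stand-ins shaped like the server's `go.temporal.io/server/common/authorization` package so the block runs on its own; `namespaceAuthorizer`, the team name and the namespace names are hypothetical, and in a real build the authorizer would be handed to the server through its authorizer server option (`temporal.WithAuthorizer`; verify against your server version).

```go
package main

import (
	"context"
	"fmt"
)

// Local stand-ins shaped like go.temporal.io/server/common/authorization
// (assumption: verify names and fields against your server version).
type Role int
type Decision int

const (
	RoleReader Role = 1 << iota
	RoleWriter
	RoleAdmin
)

const (
	DecisionDeny Decision = iota + 1
	DecisionAllow
)

// Claims.Namespaces maps a namespace name to the roles granted to the caller.
type Claims struct { Subject string; Namespaces map[string]Role }
type CallTarget struct{ APIName, Namespace string }
type Result struct { Decision Decision; Reason string }

// namespaceAuthorizer (hypothetical name) denies by default and allows a call
// only when the caller holds a write or admin role on the target namespace.
type namespaceAuthorizer struct{}

func (namespaceAuthorizer) Authorize(_ context.Context, c *Claims, t *CallTarget) (Result, error) {
	if c == nil || t == nil || t.Namespace == "" {
		return Result{DecisionDeny, "missing claims or namespace"}, nil
	}
	if c.Namespaces[t.Namespace]&(RoleWriter|RoleAdmin) == 0 {
		return Result{DecisionDeny, c.Subject + " has no write role on " + t.Namespace}, nil
	}
	return Result{DecisionAllow, ""}, nil
}

func main() {
	// Constructed caller: a team that may write to "billing" only.
	team := &Claims{Subject: "billing-team", Namespaces: map[string]Role{"billing": RoleWriter}}
	for _, ns := range []string{"billing", "payments"} {
		r, _ := namespaceAuthorizer{}.Authorize(context.Background(), team, &CallTarget{"StartWorkflowExecution", ns})
		fmt.Println(ns, r.Decision == DecisionAllow, r.Reason)
	}
}
```

This sketch denies every call that carries no namespace; a production authorizer needs its own rule for such calls, and the claims themselves have to come from authenticated caller identity rather than from anything the client can set freely.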