Required Claim Mapper Permissions for Worker Service

Aaron_Huntress · November 4, 2024, 10:28pm

We’ve build a custom claim mapper (all custom) and a customized authorizer (uses much of the default authorizer), and it’s a bit unclear what permissions are actually required by the worker service.

I initially thought restricting the worker service to the temporal-system namespace would be sufficient, but now I’m seeing errors where the worker service is failing auth checks on the default namespace against the temporal-sys-per-ns-tq task queue.

Is there some documentation regarding minimal permissions for the worker service or even other services for that matter?

tihomir · November 4, 2024, 10:59pm

Worker service would require System: RoleAdmin claim.
Note that since release 1.20 you can set up internal-frontend service where worker service can bypass your custom claims mapper and treat it as an internode service, see release notes Release v1.20.0 · temporalio/temporal · GitHub

Aaron_Huntress · November 5, 2024, 1:40pm

Thank you, @tihomir!

Is the same true for application workers?

Topic		Replies	Views
Custom Claim Mapper Server Deployment auth , security	0	148	July 1, 2024
I want to use temporal workers as runners for my multi-tenant platform Community Support multi-tenant	5	1460	August 1, 2024
Temporal Worker unable to talk to Internal Frontend, receiving Request Unauthorized Server Deployment general-impl	2	1587	March 30, 2024
Extending the custom authorisation (JWT) to the System Worker Community Support jwt , auth , worker	8	2024	December 28, 2021
Authorization, Untrusted workflow creation and namespace authentication Community Support auth	21	4419	July 29, 2024

Required Claim Mapper Permissions for Worker Service

Related Topics