I am trying to set up security in a multitenant way, where I have multiple client applications separated by namespaces with JWT tokens containing permissions for each application/namespace.
I have switched on default security plugins (Claim Mapper and Authorizer), and it turned out that I also need mTLS as internode requests were being rejected due to missing privileges.
So I switched on mTLS as well, and now I have the following setup:
- internode communication is secured by mTLS
- workers use mTLS and JWT
- client applications use mTLS and JWT
- end-users accessing Temporal UI web app use JWT
My question is, would that be possible to enable mTLS only for internode communication, and don’t require it from workers and client applications, since they use JWT auth anyway?
I looked at the configuration, but found out that environment variable TEMPORAL_TLS_REQUIRE_CLIENT_AUTH is common for frontend and internode section. Also, changing requireClientAuth for frontend section directly did not work for me somehow.