I want to use Temporal to orchestrate bioinformatics workflows in the cloud. Writing fault-tolerant workflows in Java has tremendous advantages over many of the existing bioinformatics workflow frameworks (e.g. nextflow, snakemake, etc.).
One area of interest is to allow users to bring their own compute infrastructure. We would provide a small java executable that would effectively turn their machine into a temporal activity worker pointed at our temporal server. They could then call our API to launch a workflow, which would be executed in the user namespace, and thus use the user-provided compute hardware and file-storage.
Can this architecture be made secure?
Yes, such a setup can be made secure. We have a limited support for Mutual TLS out of the box today and plan to expand it further in the near future.
How would I ensure that a client can only access task-lists belonging to a specific namespace?
Such an authorization story is not directly supported yet (requires custom code to replace the default authorizer component). We are working on a more robust authorization story as we speak.
Can you share details?
How it might work?
The authorization approach that’s been implemented since is described in Temporal Server security | Temporal documentation.
There’s also a sample for how one can authorize calls differently for different namespaces. The sample is rather old. We need to update it to the latest version because more features have been added since.