I want to use Temporal to orchestrate bioinformatics workflows in the cloud. Writing fault-tolerant workflows in Java has tremendous advantages over many of the existing bioinformatics workflow frameworks (e.g. nextflow, snakemake, etc.).
One area of interest is to allow users to bring their own compute infrastructure. We would provide a small java executable that would effectively turn their machine into a temporal activity worker pointed at our temporal server. They could then call our API to launch a workflow, which would be executed in the user namespace, and thus use the user-provided compute hardware and file-storage.
Can this architecture be made secure?
Yes, such a setup can be made secure. We have a limited support for Mutual TLS out of the box today and plan to expand it further in the near future.
1 Like
How would I ensure that a client can only access task-lists belonging to a specific namespace?
1 Like
Such an authorization story is not directly supported yet (requires custom code to replace the default authorizer component). We are working on a more robust authorization story as we speak.
1 Like
Can you share details?
How it might work?
1 Like
The authorization approach that’s been implemented since is described in Temporal Server security | Temporal documentation.
There’s also a sample for how one can authorize calls differently for different namespaces. The sample is rather old. We need to update it to the latest version because more features have been added since.
1 Like