Temporal web UI extension for restart , reply tctl commands

Hi ,

Can we give some direction how to we extend temporal web for addition re-start , reply and tctl commands . When can we expect next gen web UI will be available for public release .

Is it possible for tctl commands to be wrapped against UI . any directions to be appreciated .

Thanks
phani

As i understand you would like functionality to

  • restart workflows
  • is second one is to replay history?
  • some of the tctl commands (and/or tctl integration?)

By extending Web UI, do you mean how to implement these in Web v1 source code? If so, contributions are welcome:) In such case please still let us know in advance though so we are in-line with the approach

As for next gen UI (v2) - no public timeline. Please feel free to try it out and provide your feedback. Currently it’s not very stable though, we are focusing on improving the stability and the looks

Hi Ruslan,

Can you please give us URL for next gen UI( V2 ) and
Will the next gen UI will have role based access to terminate and reply etc …

Thanks
phani

UI v2:

Running the UI atm requires to start up both ^. I’m currently working on having a single docker image that will serve both the ui-server and ui

The design of the new UI also allows to start it from the temporal process. So in future you might be able to just start temporal server and it will serve the UI too

Role based functionality:
Is the question specifically targeted at the UI functionality, or generally role based security?

If we speak about the UI functionality, for example to disable the Terminate button if the person is not supposed to have access to it based on roles - this is something i’m happy to look into and understand better, though at this moment we don’t have such feature in plans. cc @ryland @steve @swyx to correct me about this ^

If we speak about general security: the UI is just a temporal client. For the actual security Temporal server endpoints have to be secured foremost. This is already available: Temporal Server security | Temporal documentation

Lmk if this answers your question

1 Like

Hi Ruslan,

Thank you for quick response .

Once a user logged in temporal web ui by authenticating our active directory how do we restrict the user from functions like terminate ( currently this is the only option available ) .

I have seen the security of temporal working on workflow to pass a valid jwt token but how do we configure temporal web to pass the jwt token to temporal server .

New UI server i am getting below exception i am still looking into it .

temporal-ui@0.0.1 preview:local
TEMPORAL_UI_BUILD_TARGET=local svelte-kit preview

sh: svelte-kit: command not found

To allow or deny a user to perform a certain operation, such as terminating a workflow, you will need to:

  • configure users permissions in your auth provider. Typically you would give permissions to users for example read:my-namespace if you want them to have read access but not perform Terminate and other “write” operations (you can have your own pattern for the permission naming).

  • secure Temporal server endpoints

  • once the Web UI’s oidc is configured (oidc is enabled, client_id and other oidc params are passed) and a user is authenticated, Web UI will start passing the JWT token with each request to your Temporal server. Here is when the claim mapper and authorizer plugins will process the JWT token and make a decision

As for Active Directory and OIDC, i haven’t personally tried using it with Temporal Web UI, though have seen few docs Issue in Enabling SSO for Web - #10 by Ruslan

Let me know if this answers some of your questions and helps to understand how the OIDC integration works

Oh and lastly, there is an environment variable that will remove the Terminate button from the Web UI

TEMPORAL_PERMIT_WRITE_API , see for more details GitHub - temporalio/web: Temporal Web UI. Set it to false when starting the Web UI and the button itself should not render on the UI

This was an initial quick feature to remove the Terminate button from the UI prior to implementing Auth. For proper security it is still advised to follow Temporal Server security | Temporal documentation

Hi Ruslan,

I am able to make workers communicate with temporal server using jwt token .
Where do i provide private key for temporal web to signin the token and send it to temporal server .

I have used the below parameters in temporal server .

  • TEMPORAL_AUTH_AUTHORIZER=default
    • TEMPORAL_AUTH_CLAIM_MAPPER=default
    • TEMPORAL_JWT_KEY_SOURCE1=http://10.0.0.216:8095/eaiapi/jwks
    • TEMPORAL_JWT_KEY_SOURCE2=http://10.0.0.216:8095/eaiapi/jwks
    • TEMPORAL_JWT_KEY_REFRESH=1m

Do you mean you intend to use jwts from http://10.0.0.216:8095/eaiapi/jwks in Temporal Web?

Temporal Web expects that users will authenticate through an OIDC provider. That way users don’t have to spin up the web manually and provide jwt tokens, but rather click the Sign In button and follow login process. OIDC provider will provide the jwt token that the Web will use and send to temporal server with each request

Hi Ruslan,

We have jwt service which will generate a token and give us the jwks url with public keys to verify the signed jwt token .

Temporal workflows sending these token to temporal server and provided the jwks url to validate the token and it is working as expected . Now we want the temporal web also use the same service to send the token to temporal service and temporal service use the jwks url to validate the token .

Thanks
phani