Temporal Server

  • Commercial Systems
Channel Revision Published Runs on
latest/stable 23 08 Mar 2024
Ubuntu 22.04
latest/edge 42 14 Nov 2024
Ubuntu 22.04
juju deploy temporal-k8s
Show information

Platform:

Authentication

Clients of the Charmed Temporal k8s Operator can be authenticated in two different ways as described below. Authentication entails acquiring a Google OAuth access token, which will be attached to each request made to the Temporal Server on the Authorization header. The Authorization page will discuss further how this access token is further utilized on the Temporal Server.

1. Temporal Web UI Authentication

Enabling authentication through the web UI requires that you have an active Charmed Temporal UI K8s Operator deployed along with Nginx ingress integration as described in the tutorial.

Google OAuth can be enabled on the Charmed Temporal UI K8s Operator through the use of simple config parameters. First, you must set up a Google Cloud project.

Through this project, you will need to setup OAuth 2.0 as described here. This includes creating an OAuth client ID and configuring the OAuth consent screen. At a minimum, the scope that needs to be enabled is ./auth/userinfo.email.

When creating the OAuth client ID, the application type selected must be Web application. For Authorized JavaScript Origins, you must include your web UI’s external hostname (by default, this value is https://temporal-ui-k8s). For Authorized redirect URIs, you must include the URI https://<external_hostname>/auth/sso/callback, where <external_hostname> is the same value used for Authorized JavaScript Origins.

Once that is done, extract the client ID and secret of the OAuth 2.0 client you created. With the Charmed Temporal UI K8s Operator deployed and active, you can set the following configuration parameters:

juju config temporal-ui-k8s \
auth-enabled=true \
auth-client-id="<google_client_id>" \
auth-client-secret="<google_secret_id>"

And you’re done! When visiting the Temporal Web UI through the external hostname set previously, you should be presented with a ‘Sign In’ button which will redirect you to a Google OAuth login page before allowing you to access the web UI.

2. Google Cloud Service Account Authentication

Enabling authentication through service accounts requires that you have an active Charmed Temporal Worker K8s Operator deployed as described in the tutorial.

Service accounts can be used to programmatically trigger and execute workflows on the Temporal Server. They can be used by both Temporal clients or worker operator instances. To enable the use of Google Cloud service accounts, you will also need an active Google Cloud project. The steps for creating a service account are described here.

Once done, you can download a JSON file which contains your service account’s credentials. With the Charmed Temporal Worker K8s Operator deployed and active, you can create a config.yaml file with the following, replacing <> with the corresponding values from your service account’s JSON file:

temporal-worker-k8s:
    auth-provider: "google"
    oidc-auth-type: "service_account"
    oidc-auth-uri: "<auth_uri>"
    oidc-client-cert-url: "<client_x509_cert_url>"
    oidc-client-email: "<client_email>"
    oidc-client-id: "<client_id>"
    oidc-private-key: "<private_key>"
    oidc-private-key-id: "<private_key_id>"
    oidc-project-id: "<project_id>"
    oidc-token-uri: "<token_uri>"

You can then set the application’s configuration as follows:

juju config temporal-worker-k8s --file=config.yaml

And you’re done! Requests made by the Temporal worker will now contain an Authorization header with a valid Google OAuth access token, which will be further processed on the Temporal Server for authorization. For Temporal clients, you can also use the temporal-lib-go and temporal-lib-py client libraries and injecting your service account credentials.

The Authorization page discusses further how to authorize users and restrict their access to namespaces once they are authenticated.


Help improve this document in the forum (guidelines). Last updated 1 year, 4 days ago.