
Include GetWorkflowExecutionHistoryReverse API to readOnlyNamespaceAPI for defaultAuthorizer

Open ddavidyuk opened this issue 3 years ago • 1 comments

Expected Behavior

GetWorkflowExecutionHistoryReverse should be included in readOnlyNamespaceAPI in frontend_api.go

Actual Behavior

GetWorkflowExecutionHistoryReverse is not included

Steps to Reproduce the Problem

  1. Enable default authorizer and claim mapper and start Temporal
  2. Start new Temporal UI with enabled auth (via OpenID Connect)
  3. Configure your IDP to include "permissions": ["system:read"] claim to your access token.
  4. Open Temporal UI and try to navigate to any workflow details. Actual: the UI shows an error and then redirects the user to the login screen. The root cause is that the UI tries to use the GetWorkflowExecutionHistoryReverse API, but the default authorizer rejects this request because this API is not included in the readOnlyNamespaceAPI map (and the permissions claim is system:read).

Specifications

  • Version: Temporal Server 1.17.5, Temporal UI 2.5.1
  • Platform:

ddavidyuk, Sep 15 '22 14:09
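A simplified model of the behaviour reported above, added here as an illustration and not taken from Temporal's frontend_api.go: a default-deny read allowlist plus a drift check that flags read-style methods the allowlist misses. The allowlist entries, the method list and the function names are constructed; only the `system:read` claim and the two history API names come from the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed allowlist in the pre-fix state the issue describes:
// the Reverse variant of the history API is absent.
var readOnlyAPIs = map[string]bool{
	"DescribeWorkflowExecution":   true,
	"GetWorkflowExecutionHistory": true,
	"ListWorkflowExecutions":      true,
}

// Constructed sample of methods the service exposes.
var serviceMethods = []string{
	"StartWorkflowExecution", "TerminateWorkflowExecution",
	"DescribeWorkflowExecution", "ListWorkflowExecutions",
	"GetWorkflowExecutionHistory", "GetWorkflowExecutionHistoryReverse",
}

// Authorize models only the read role: a caller holding "system:read" may
// call allowlisted APIs; every other combination is denied by default.
func Authorize(permissions []string, api string) bool {
	for _, p := range permissions {
		if p == "system:read" && readOnlyAPIs[api] {
			return true
		}
	}
	return false
}

// MissingReadOnly returns read-style methods (by name prefix, an assumption
// of this sketch) that the allowlist does not cover, sorted for stable output.
func MissingReadOnly(methods []string) []string {
	var missing []string
	for _, m := range methods {
		for _, prefix := range []string{"Get", "List", "Describe", "Count"} {
			if strings.HasPrefix(m, prefix) && !readOnlyAPIs[m] {
				missing = append(missing, m)
				break
			}
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	fmt.Println("read-style methods missing from allowlist:", MissingReadOnly(serviceMethods))
}
```

Run as a unit test against the real method list, a check like this fails when a new read API is added without an allowlist entry, instead of surfacing later as a denied request for read-only users.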

It looks like this was already fixed by https://github.com/temporalio/temporal/commit/c5ccbd5963bc280163eff2aed798b2e060b8334c . I think if you upgrade your server version to the latest, this shouldn't be an issue anymore. Could you try that? @ddavidyuk

MichaelSnowden, Sep 20 '22 19:09

This should already be fixed.

MichaelSnowden, Sep 23 '22 16:09