-
Notifications
You must be signed in to change notification settings - Fork 851
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request unauthorized for SQL search-attributes (claims are not passed) #6664
Comments
I did one more test - I enabled ES (changed flag I checked Temporal documentation and I shouldn't have any problems with using search attributes without ES.
I just wonder if this is the reason of the problem. For PSQL it should be namespace specific, but command was created for admin. I also checked UI and |
For 503 error I added additional logs into the code and found that claims are not send for DescribeNamespace: Changes in default_authorizer.go func (a *defaultAuthorizer) Authorize(_ context.Context, claims *Claims, target *CallTarget) (Result, error) {
// APIs that are essentially read-only health checks with no sensitive information are
// always allowed
if IsHealthCheckAPI(target.APIName) {
return resultAllow, nil
}
fmt.Println("Check claims for ", target.APIName)
dbg2(claims)
if claims == nil {
return resultDeny, nil
}
metadata := api.GetMethodMetadata(target.APIName)
fmt.Println("API nAME", target.APIName) Logs from frontend service:
In docker-builds/temporal/service/frontend/admin_handler.go I see function Is there any easy way to add claims to the function execution? Edit: To confirm I added a condition to bypass claims check for if (strings.Contains(target.APIName, "DescribeNamespace")) {
return resultAllow, nil
} Edit 2: |
Thanks for the report. While these admin APIs are deprecated and so is |
Expected Behavior
I can execute CRUD commands with admin and non admin x-search-attributes without errors.
Actual Behavior
I have
devl:admin
andtemporal-system:admin
roles assigned. I use only sql, postgres12 driver for "default" and "visibility" dbs.When I execute one of x-search-attributes command inside admintools pod it fails with error:
When I run this command with not existing namespace I get different error:
Cluster is working:
I tested other admin commands (provided auth token as an env variable) related to cluster info (
tctl --namespace=devl admin cluster describe
,tctl --namespace=devl admin cluster list
), namespaces (tctl --namespace=devl namespace list
,tctl --namespace=devl namespace describe
), etc. and they are working. Only search-attributes has this problem. Non-admin command (tctl --namespace=devl cluster get-search-attributes
) works as expected.Unfortunately only admin command allows to add attributes.Update: The newest Temporal version allows to add new search attributes, admin commands are marked as deprecated.
Log from frontend pod:
Stacktrace from command:
Steps to Reproduce the Problem
temporal operator namespace create --namespace <namespace> --grpc-meta=Authorization='Bearer <token_from_ui>'
(works)tctl --namespace=devl cluster get-search-attributes --auth='Bearer <token_from_ui>'
ortemporal operator search-attribute create --name email --type Keyword --grpc-meta=Authorization='Bearer <token_from_ui>'
Specifications
Question
Do I miss something related to role assignment? I searched frontend, admintools and worker logs, but I couldn't find anything which might help me to debug this problem.Update: See my comments below. Looks like a bug. Claims are not passed for DescribeNamespace and UpdateNamespace endpoints which are executed by *SearchAttributesSQL functions. This is the source of the error.
The text was updated successfully, but these errors were encountered: