Make default AuthZ work. Yeet custom image.

README.md

@@ -22,3 +22,63 @@ Deploy using the `-c` flag to specify one or multiple compose files.
 ```
 docker stack deploy temporal --detach=true -c compose.yaml
 ```
+
+## Additional setup steps
+
+### Creating the default namespace
+
+After deploying Temporal with authentication enabled, the default namespace is not created automatically. You need to create it manually using the `admin-tools` service.
+
+```
+docker exec -it $(docker ps -qf "name=temporal_admin-tools") bash
+```
+Then, inside the container, run:
+
+```
+temporal operator namespace create -n default
+```
+
+### Configuring permissions with the default Authorizer and Claim Mapper
+
+The default JWT `ClaimMapper` expects OAuth2 Access Tokens with the `permissions` claim containing a list of strings representing the user's permissions per namespace. For example:
+
+```json
+{
+  "permissions": [
+    "default:read",
+    "default:write",
+    "temporal-system:admin"
+  ]
+}
+```
+
+Make sure your Identity Provider is configured to include these claims in the tokens issued to Temporal clients. For more information about these claims and Temporal's authorization model, refer to the [official documentation](https://docs.temporal.io/self-hosted-guide/security#plugins).
+
+We include below an example configuration snippet for Keycloak to add these claims via a protocol mapper.
+
+### Keycloak Protocol Mapper Example
+
+There are several ways to configure Keycloak to include the necessary `permissions` claim in the Access Tokens, this is one example using a Protocol Mapper:
+
+1. Navigate to your Keycloak Admin Console.
+2. Go to the "Clients" section and select your Temporal client.
+3. Go to the "Roles" tab and define roles corresponding to the permissions you want to assign (e.g., `default:read`, `default:write`, `temporal-system:admin`).
+4. Go to the "Client Scopes" tab and select the dedicated scope for Temporal (or create one if it doesn't exist).
+5. Go to the "Mappers" tab and create a new mapper with the following settings:
+  - Mapper Type: "User Client Role"
+  - Name: "permissions"
+  - Multivalued: "On"
+  - Token Claim Name: "permissions"
+  - Claim JSON Type: "String"
+
+Make sure to assign the appropriate roles to users so that they receive the correct permissions in their Access Tokens. Use the evaluation tool in Keycloak to verify that the tokens contain the expected claims.
+
+This is just one way to set it up; depending on your requirements, you might need to adjust the configuration accordingly.
+
+## Development notes
+
+Those are notes for future improvements and clarifications of this configuration.
+
+- We need to better understand how static config files are managed in this setup.
+  - Are they baked into the image, or mounted at runtime? Where are they stored? What is a good default location?
+  

compose.yaml

@@ -2,19 +2,18 @@ services:
   db:
     image: postgres:18.0
     environment:
-      - POSTGRES_HOST_AUTH_METHOD=trust
       - POSTGRES_USER=temporal
       - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
       - POSTGRES_DB=temporal
     networks:
       - internal
     volumes:
-      - 'postgresql_data:/var/lib/postgresql/data'
+      - 'postgresql_data:/var/lib/postgresql'
     secrets:
       - db_password
 
   temporal:
-    image: temporalio/auto-setup:1.29.0
+    image: temporalio/auto-setup:1.29
     depends_on:
       - db
     configs:
@@ -26,12 +25,18 @@ services:
     entrypoint: /entrypoint.sh
     command: "autosetup"
     environment:
+      - SERVICES=frontend:history:matching:worker:internal-frontend
       - DB=postgres12
       - DB_PORT=5432
       - POSTGRES_USER=temporal
       - POSTGRES_PWD_FILE=/run/secrets/db_password # entrypoint.sh exports POSTGRES_PWD
       - POSTGRES_SEEDS=db
-      - DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml # What is this
+      - DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml
+      - SKIP_DEFAULT_NAMESPACE_CREATION=true
+      - TEMPORAL_AUTH_AUTHORIZER=default
+      - TEMPORAL_AUTH_CLAIM_MAPPER=default
+      - TEMPORAL_JWT_KEY_SOURCE1
+      - USE_INTERNAL_FRONTEND=true
     networks:
       - internal
     secrets:
@@ -44,8 +49,8 @@ services:
     networks:
       - internal
     environment:
-      - TEMPORAL_ADDRESS=temporal:7233
-      - TEMPORAL_CLI_ADDRESS=temporal:7233
+      - TEMPORAL_ADDRESS=temporal:7236
+      - TEMPORAL_CLI_ADDRESS=temporal:7236 # Need to find out what this is for
 
   ui:
     image: temporalio/ui:2.41.0
@@ -93,4 +98,4 @@ configs:
   entrypoint:
     file: entrypoint.sh
   dynamicconfig:
-    file: dynamicconfig/development-sql.yaml
+    file: dynamicconfig/development-sql.yaml

entrypoint.sh

@@ -24,4 +24,10 @@ file_env() {
 
 file_env POSTGRES_PWD
 
+# : "${TEMPORAL_CONFIG_DIR:=/etc/temporal/config}"
+# : "${TEMPORAL_CONFIG_ENV:=development}"
+
+# export TEMPORAL_CONFIG_DIR
+# export TEMPORAL_CONFIG_ENV
+
 exec /etc/temporal/entrypoint.sh $@