Temporal

Wiki Cafe's configuration for a Temporal deployment.

Deploying the app with Docker Swarm

Export the variables from the .env file into the current shell session (set -a marks every variable that source defines as exported, set +a switches that off again afterwards).

set -a && source .env && set +a

Create the Docker secrets referenced by the compose file. printf is used rather than echo so that no trailing newline ends up stored in the secret value.

printf "SECRET_HERE" | docker secret create SECRET_NAME -

Deploy using the -c flag to specify one or multiple compose files.

docker stack deploy temporal --detach=true -c compose.yaml

Additional setup steps

Creating the default namespace

After deploying Temporal with authentication enabled, the default namespace is not created automatically. You need to create it manually using the admin-tools service.

docker exec -it $(docker ps -qf "name=temporal_admin-tools") bash

Then, inside the container, run:

temporal operator namespace create -n default

Configuring permissions with the default Authorizer and Claim Mapper

The default JWT ClaimMapper expects OAuth2 access tokens carrying a permissions claim: a list of strings of the form namespace:role, one entry per namespace the user may act in, where role is one of read, write, worker or admin. The pseudo-namespace temporal-system grants a system-wide role (temporal-system:admin is cluster-wide admin). For example:

{
  "permissions": [
    "default:read",
    "default:write",
    "temporal-system:admin"
  ]
}

Make sure your Identity Provider is configured to include these claims in the tokens issued to Temporal clients. For more information about these claims and Temporal's authorization model, refer to the official documentation.

Below is one way to add this claim in Keycloak via a protocol mapper.

Keycloak Protocol Mapper Example

There are several ways to configure Keycloak to include the necessary permissions claim in the access tokens. This is one example using a Protocol Mapper:

  1. Navigate to your Keycloak Admin Console.
  2. Go to the "Clients" section and select your Temporal client.
  3. Go to the "Roles" tab and define client roles whose names are the permissions you want to assign (e.g., default:read, default:write, temporal-system:admin).
  4. Go to the "Client Scopes" tab and select the dedicated scope for Temporal (or create one if it doesn't exist).
  5. Go to the "Mappers" tab and create a new mapper with the following settings:
     • Mapper Type: "User Client Role"
     • Name: "permissions"
     • Multivalued: "On"
     • Token Claim Name: "permissions"
     • Claim JSON Type: "String"

Make sure to assign the appropriate client roles to users (directly or via groups) so that they receive the correct permissions in their access tokens. Use the client's "Evaluate" tool in Keycloak to generate an example access token and verify that it contains the expected permissions claim.

This is just one way to set it up; depending on your requirements, you might need to adjust the configuration accordingly.

Development notes

These are notes for future improvements and clarifications of this configuration.

  • We need to better understand how static config files are managed in this setup.
    • Are they baked into the image, or mounted at runtime? Where are they stored? What is a good default location?