Nexus caller identity propagation [wip]#10573
Draft
stephanos wants to merge 1 commit into
Draft
Conversation
stephanos
changed the title
stephanos
force-pushed
the
stephanos/prototype-nexus-identity-propagation
branch
9 times, most recently
from
099ee31 to
7c645b7
Compare
stephanos
force-pushed
the
stephanos/prototype-nexus-identity-propagation
branch
from
7c645b7 to
553d1bc
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed?
Prototype for Nexus caller-identity propagation (OSS). A signed, short-lived principal token (JWS, ES256) carries the caller identity across the Nexus HTTP hop, server-to-server:
common/nexus/principaltokenpackage: pluggableSigner/Verifier/KeyProvider/PrincipalResolver/PeerTrustFuncbehind interfaces, with OSS defaults (ECDSA signer, JWS verifier, transport verifier, deny-all peer trust, noop resolver). Verifier is selected by aTrustModeconfig:signature(JWS) ortransport(trust the cell-mTLS peer).AttributedPrincipals captured on the CHASM Nexus operation; handler side verifies and promotes the principals.PollNexusTaskQueueResponse.caller_info(NexusCallerInfo{root, service, namespace}) surfaces the verified caller chain to the handler worker.WorkflowExecutionInfo.root_caller_principalsurfaced on Describe.StartWorkflowExecutionso a workflow started in response to a Nexus operation inherits the original end-user asRootCallerPrincipal.config.Global.NexusPrincipalPropagation+ a registered JWKS endpoint.Depends on the matching
temporalio/api/api-gobranch (stephanos/prototype-nexus-identity-propagation).Why?
Nexus handlers today only know which namespace called, not who. This lets Temporal (and handler code) make per-caller AuthZ/audit decisions. See the blueprint: "Nexus caller identity propagation".
How did you test it?
Unit tests for
principaltoken(signer/verifier/transport/JWKS/fx) andnexusoperationprincipal capture; a two-cluster functional test (tests/nexus_propagation_test.go) exercises both trust modes, asserts the worker-observablecaller_info, and the forwarded-token →RootCallerPrincipalattach via Describe.Potential risks
Prototype / WIP — not for merge as-is. It pins unreleased
api/api-goprototype branches (socheck-dependenciesandlint-apifail until those are released). The feature is off by default (no signer / deny-all peer trust); when enabled it only adds a server-to-server header verified by signature or trusted peer, and strips spoofed inbound principal headers/tokens at ingress.