temporal icon indicating copy to clipboard operation
temporal copied to clipboard
verified publisher icon temporalio

auth-header to be included in MCR-requests

Open sonrel opened this issue 2 years ago • 5 comments

What changed?

I have included the auth header in propagation heade, issue: #4823

Why?

So when doing a MCR-request cluster-1 can be authorized on cluster-2 if you are using token based auth.

How did you test it?

Set up two token based auth clusters and verified that cluster 1 can make MCR request to cluster 2

Potential risks

None

Is hotfix candidate?

No

sonrel avatar Dec 04 '23 10:12 sonrel

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Dec 04 '23 10:12 CLAassistant

First, what is an "MCR" request?

Second, I'm not sure this is the best way to do it: this will forward authorization from frontend to all internal services (even for multiple hops), which is probably harmless, but misleading: only the frontend pays attention to authorization. I think this should be forwarded only on frontend→remote frontend calls.

MCR is multi cluster replication I have described the issue here: https://github.com/temporalio/temporal/issues/4823

TLDR: When doing a multi cluster replication request from frontend 1 targeting remote frontend 2, auth header from frontend 1 request is not forwarded to frontend 2.

"I think this should be forwarded only on frontend→remote frontend calls."

Fair point. Is there another place to achieve this behaviour or are you thinking an if check in this file?

sonrel avatar Dec 12 '23 09:12 sonrel

MCR is multi cluster replication I have described the issue here: #4823

I got the issue, just the acronym is new. We usually use "xdc" (cross-datacenter) to refer to the replication features internally.

Fair point. Is there another place to achieve this behaviour or are you thinking an if check in this file?

I tried this myself: #5226. It turned out a little more messy than I wanted, but I think it does the right thing. If you could try it that would be great

dnr avatar Dec 13 '23 07:12 dnr

MCR is multi cluster replication I have described the issue here: #4823

I got the issue, just the acronym is new. We usually use "xdc" (cross-datacenter) to refer to the replication features internally.

Fair point. Is there another place to achieve this behaviour or are you thinking an if check in this file?

I tried this myself: #5226. It turned out a little more messy than I wanted, but I think it does the right thing. If you could try it that would be great

Thank you, I will try to run it and verify and let you know when I have tested it.

sonrel avatar Dec 13 '23 11:12 sonrel

This PR was marked as stale. Please update or close it.

github-actions[bot] avatar May 16 '24 00:05 github-actions[bot]