I’m facing a problem about user authorization while creating a process instance in a multi-tenancy scenario. I’m testing this functionality, and I have configured identity in this way:
Tenants: Default, tenant1, tenant2
Users: demo (default user), user1, user2
Groups: group1, group2
I have also two process definitions in tenant2: paymentProcess and tenant2-paymentProcess.
I have tried three different approaches:
Assign user2 to group2, which is associated with tenant2 and has all possible rights over processes and DMN with *.
Assign directly all those rights to user2 and link user2 to tenant2.
Use demo user who has all rights.
Regardless of the approach used, I receive an error when trying to start a new instance. The log of Tasklist is the following (I have omitted the stack trace):
.t.w.a.r.v.c.i.ProcessInternalController : Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
io.camunda.tasklist.exceptions.TasklistRuntimeException: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
Caused by: io.camunda.zeebe.client.api.command.ClientStatusException: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
Caused by: java.util.concurrent.ExecutionException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
Caused by: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
I have started from zero and disabled multi-tenancy. I’m now able to start process instances, but even though I limit ‘Authorization’ to certain processes, it still allows me to create them.
It looks like the authorization for specific resources is not working, but I wanted to make sure before filing an issue, since it is not a hidden feature, and I find it strange that it doesn’t work.
Does anyone have any suggestion?
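An added triage helper, not code from this thread or from Camunda: it parses the Tasklist log excerpt quoted above and returns, per rejected request, the gRPC command, the tenant identifier, the gRPC status and the exception chain, so the denied tenant can be compared with the tenant assignments in Identity. The log text is a constructed copy of the lines quoted in the post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the Tasklist log excerpt quoted above (stack frames omitted).
SAMPLE_LOG = """\
.t.w.a.r.v.c.i.ProcessInternalController : Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
io.camunda.tasklist.exceptions.TasklistRuntimeException: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
Caused by: io.camunda.zeebe.client.api.command.ClientStatusException: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
Caused by: java.util.concurrent.ExecutionException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
Caused by: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Expected to handle gRPC request CreateProcessInstance with tenant identifier 'tenant2', but tenant is not authorized to perform this request
"""

# Gateway tenant-authorization rejection; straight and curly quotes both accepted (forum/console copies convert them).
TENANT_AUTH_RE = re.compile(
    r"Expected to handle gRPC request (?P<request>\w+) with tenant identifier "
    r"['\u2018](?P<tenant>[^'\u2019]+)['\u2019], but tenant is not authorized"
)
EXCEPTION_RE = re.compile(r"^(?:Caused by: )?(?P<cls>[A-Za-z_][\w.$]*(?:Exception|Error)):")
STATUS_RE = re.compile(r"StatusRuntimeException: (?P<status>[A-Z_]+):")

@dataclass
class TenantAuthFailure:
    request: str                     # gRPC command, e.g. CreateProcessInstance
    tenant: str                      # tenant identifier the caller asked for
    grpc_status: str | None = None   # e.g. PERMISSION_DENIED, taken from the gRPC root cause
    cause_chain: list[str] = field(default_factory=list)  # exception classes, outermost first

def parse_tenant_auth_failures(log_text: str) -> list[TenantAuthFailure]:
    """Group each controller log line with the 'Caused by' chain that follows it."""
    failures: list[TenantAuthFailure] = []
    current: TenantAuthFailure | None = None
    for line in log_text.splitlines():
        m = TENANT_AUTH_RE.search(line)
        if not m:
            continue  # unrelated log line
        exc = EXCEPTION_RE.match(line)
        if exc is None or current is None:  # plain log line (or a chain with no log line before it): new record
            current = TenantAuthFailure(m["request"], m["tenant"])
            failures.append(current)
        if exc is not None:
            current.cause_chain.append(exc["cls"])
            status = STATUS_RE.search(line)
            if status and current.grpc_status is None:
                current.grpc_status = status["status"]
    return failures
```

The last entry of `cause_chain` is the root cause (here the gRPC `StatusRuntimeException`), which is the layer that actually made the authorization decision.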
@crodrigo - it seems to me we are troubleshooting/confirming two things:
What the user should be authorized to do within a given tenant, and;
Whether those processes are in the correct tenant
For #1, partial wildcards aren’t supported in the permissions (see the “Tip” under step #3 here). I’m guessing the system is defaulting to a wildcard, so any process can be started by that user. If you update the process ID in the authorization to tenant1-paymentProcess, you should see the result you are expecting (you may need to log out and back in to update your user session with the new permissions).
For #2, is the user a member of both tenants? Is it possible the process was deployed to the wrong tenant?
Sorry @nathan.loding , because I think I caused confusion by changing the scenario. For testing purposes, I simplified the system configuration by reinstalling it from scratch without multi-tenancy. The processes are created as tenant1-… and tenant2-…, but multi-tenancy is not currently active.
Short answer to your questions:
That’s what I read, and I expected not to be able to start the processes. Then I thought about what you indicated, that I was using * and removed that authorization. However, it still allowed me to start any process. I restarted everything before testing to avoid cache issues.
There are no tenants in the example above.
Could it be that I need to configure something in Tasklist to take into account the authorizations set up in Identity?
I’ll reinstall Camunda with multi-tenancy to recover the original scenario and I’ll be back with the screenshots of the error. In that case, the problem is the opposite: it doesn’t allow me to start any process.
The real goal is to keep the modification of BPMN and DMN allowed only for a specific group, but without the need to register a new authorization each time a new process belonging to that group is created. This could be achieved with multi-tenancy, but I think it would conflict with a second requirement, which is that BPMNs from other groups can be invoked as sub-processes.
Either way, I opened the post because it is not respecting the authorization configuration. First, I tried with multi-tenancy, and now without multi-tenancy with different consequences. In the case of multi-tenancy, the configuration was exactly the same, but associating each group with a tenant and acting accordingly with the deployments.
The User1 configuration is only the Group1 assignment.
I have also created another user, but instead of assigning a group, I have granted all the rights individually. The result was the same.
Could you provide any idea to solve this problem?
Error description from logs: PERMISSION_DENIED: Expected to handle gRPC request CreateProcessInstance with tenant identifier ‘tenant1’, but tenant is not authorized to perform this request
After reviewing some permissions, I found that some Roles have access to Camunda Identity Resource Server with read:users permissions. So, I tried to grant that permission to the Tasklist role, and it started to work.
This permission was not granted to Tasklist initially.
@crodrigo - glad you were able to find a fix! I’m still not entirely clear on what is going on here, and whether it’s a bug or intentional. I’ve shared this with the product teams so they are aware.
In the meantime, I’m curious if you have any suggestions on how this could be clarified in the docs? What might have helped you understand this configuration better or more quickly?
@nathan.loding , I think this is more about the deployment with Helm chart. I believe that in the case of the Tasklist, the proper role configuration has been omitted when enabling Identity. I have not reviewed the chart, but it’s the most logical reason from my point of view.
Regarding your request on how to improve the documentation, perhaps the necessary configuration for each predefined role could be included.
PS: If you shared this with the product team, could you also share that a partial name with a wildcard would be desirable? Where can I make this kind of suggestion?