Default authorizer always allow health checks (#3920)

Author: dnr

common/authorization/default_authorizer.go

@@ -45,6 +45,11 @@ var resultAllow = Result{Decision: DecisionAllow}
 var resultDeny = Result{Decision: DecisionDeny}
 
 func (a *defaultAuthorizer) Authorize(_ context.Context, claims *Claims, target *CallTarget) (Result, error) {
+	// APIs that are essentially read-only health checks with no sensitive information are
+	// always allowed
+	if IsHealthCheckAPI(target.APIName) {
+		return resultAllow, nil
+	}
 
 	if claims == nil {
 		return resultDeny, nil

common/authorization/default_authorizer_test.go

@@ -37,6 +37,12 @@ import (
 )
 
 var (
+	claimsNone          = Claims{}
+	claimsNamespaceOnly = Claims{
+		Namespaces: map[string]Role{
+			testNamespace: RoleWriter,
+		},
+	}
 	claimsSystemAdmin = Claims{
 		System: RoleAdmin,
 	}
@@ -75,6 +81,14 @@ var (
 		APIName:   "/temporal.api.workflowservice.v1.WorkflowService/DescribeNamespace",
 		Namespace: "BAR",
 	}
+	targetGrpcHealthCheck = CallTarget{
+		APIName:   "/grpc.health.v1.Health/Check",
+		Namespace: "",
+	}
+	targetGetSystemInfo = CallTarget{
+		APIName:   "/temporal.api.workflowservice.v1.WorkflowService/GetSystemInfo",
+		Namespace: "",
+	}
 )
 
 type (
@@ -162,6 +176,29 @@ func (s *defaultAuthorizerSuite) TestSystemAdminListNamespaces() {
 	s.NoError(err)
 	s.Equal(DecisionAllow, result.Decision)
 }
+func (s *defaultAuthorizerSuite) TestNamespaceOnly() {
+	// don't need any system-level claims to do namespace-level apis
+	result, err := s.authorizer.Authorize(context.TODO(), &claimsNamespaceOnly, startWorkflowExecutionTarget)
+	s.NoError(err)
+	s.Equal(DecisionAllow, result.Decision)
+}
+func (s *defaultAuthorizerSuite) TestHealthChecks() {
+	// all health checks should work all the time
+	for _, claims := range []*Claims{
+		nil,
+		&claimsNone,
+		&claimsNamespaceOnly,
+	} {
+		for _, target := range []*CallTarget{
+			&targetGrpcHealthCheck,
+			&targetGetSystemInfo,
+		} {
+			result, err := s.authorizer.Authorize(context.TODO(), claims, target)
+			s.NoError(err)
+			s.Equal(DecisionAllow, result.Decision)
+		}
+	}
+}
 
 func (s *defaultAuthorizerSuite) TestGetAuthorizerFromConfigNoop() {
 	s.testGetAuthorizerFromConfig("", true, reflect.TypeOf(&noopAuthorizer{}))

common/authorization/frontend_api.go

@@ -37,7 +37,6 @@ var readOnlyNamespaceAPI = map[string]struct{}{
 	"QueryWorkflow":                      {},
 	"DescribeWorkflowExecution":          {},
 	"DescribeTaskQueue":                  {},
-	"GetSystemInfo":                      {},
 	"ListTaskQueuePartitions":            {},
 	"DescribeSchedule":                   {},
 	"ListSchedules":                      {},
@@ -50,6 +49,13 @@ var readOnlyGlobalAPI = map[string]struct{}{
 	"ListNamespaces":      {},
 	"GetSearchAttributes": {},
 	"GetClusterInfo":      {},
+	"GetSystemInfo":       {},
+}
+
+// note that these use the fully-qualified name
+var healthCheckAPI = map[string]struct{}{
+	"/grpc.health.v1.Health/Check":                                   {},
+	"/temporal.api.workflowservice.v1.WorkflowService/GetSystemInfo": {},
 }
 
 func IsReadOnlyNamespaceAPI(api string) bool {
@@ -61,3 +67,8 @@ func IsReadOnlyGlobalAPI(api string) bool {
 	_, found := readOnlyGlobalAPI[api]
 	return found
 }
+
+func IsHealthCheckAPI(fullApi string) bool {
+	_, found := healthCheckAPI[fullApi]
+	return found
+}