[1.18] WorkflowAccessPolicy#5114
Open
JoshVanL wants to merge 10 commits into
Open
Conversation
Implementation based on dapr/dapr#9790 Signed-off-by: joshvanl <me@joshvanl.dev>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds documentation for the preview WorkflowAccessPolicy feature, including a CRD schema reference and operational guidance, and links it from existing workflow/security docs.
Changes:
- Introduces new docs pages for WorkflowAccessPolicy (how-to + resource spec schema).
- Adds WorkflowAccessPolicy to the preview-features list.
- Cross-links the feature from workflow overview, multi-app workflow docs, and security concepts.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| daprdocs/content/en/reference/resource-specs/workflow-access-policy-schema.md | New CRD/spec reference page for WorkflowAccessPolicy. |
| daprdocs/content/en/operations/support/support-preview-features.md | Adds WorkflowAccessPolicy to the preview feature table. |
| daprdocs/content/en/operations/security/workflow-access-policy.md | New how-to page describing semantics, setup, and examples. |
| daprdocs/content/en/developing-applications/building-blocks/workflow/workflow-overview.md | Adds a “Workflow security” section pointing to the new how-to. |
| daprdocs/content/en/developing-applications/building-blocks/workflow/workflow-multi-app.md | Adds a security section + example policy for multi-app workflows. |
| daprdocs/content/en/concepts/security-concept.md | Adds a workflow access control subsection linking to the how-to. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: joshvanl <me@joshvanl.dev>
This was referenced Apr 14, 2026
Reflect the policy reshape from dapr/dapr#9850, #9870, and #9838: - Schema now uses separate workflows/activities blocks; workflows have an operations list (schedule, terminate, raise, pause, resume, purge, get, rerun). No defaultAction, no per-rule action; rules are a pure allow-list. - Self-calls (caller appID == target appID) are always allowed. The multi-app example no longer needs the target to list itself in callers. - Remove the WorkflowAccessPolicy feature flag entry from the preview features page and drop the "enable the feature flag" instructions; the gate was deleted upstream. - Update the security concept page and CRD reference doc to match. Signed-off-by: joshvanl <me@joshvanl.dev>
Contributor
nelson-parente
left a comment
nelson-parente
left a comment
There was a problem hiding this comment.
Pre-review for @marcduiker handoff: LGTM — large but well-structured.
This is a substantial new feature (376 lines across 5 files) covering WorkflowAccessPolicy for v1.18. Key observations:
- New CRD spec page (
workflow-access-policy.md) is thorough: allow-list semantics, self-call bypass, SPIFFE identity note, glob patterns, all 8 operations documented. - Security concept page and workflow-overview/multi-app pointers are consistently updated.
- The
scopesfield behavior (empty = applies to all apps) is correctly noted with the backward-compat implication. - The note that mTLS must be active for cross-app enforcement is present.
- The new resource-specs schema page is a nice addition.
Nit:with no rules and policies loaded, all cross-app calls are deniedin the spec fields table contradicts the earlier prose that sayswith no policies loaded, all calls are allowed— these are different conditions (no rules vs. no policies) and the distinction matters for users. @JoshVanL — could you clarify: if a policy exists but has emptyrules, are all calls denied? If yes, a concrete example would help readers avoid an accidental deny-all.
Nothing else blocking — Marc, your call on whether the contradiction needs resolution first.
msfussell
reviewed
May 26, 2026
Member
msfussell
left a comment
msfussell
left a comment
There was a problem hiding this comment.
My comments. Mostly this is providing additional clarity.
I always love having a diagram where possible. Can we have a diagram that shows policies being loaded and applied to an application?
|
|
||
| ## Self-hosted setup | ||
|
|
||
| In self-hosted mode, place the workflow access policy YAML in the resources directory (default: `$HOME/.dapr/components`, or the path passed via `--resources-path`). |
Member
There was a problem hiding this comment.
should this not be
Suggested change
| In self-hosted mode, place the workflow access policy YAML in the resources directory (default: `$HOME/.dapr/components`, or the path passed via `--resources-path`). | |
| In self-hosted mode, place the workflow access policy YAML in the resources directory (default: `$HOME/.dapr/resources`, or the path passed via `--resources-path`). |
Contributor
Author
There was a problem hiding this comment.
No, components is the right directory
Member
There was a problem hiding this comment.
? Do we still create a components directory then on Dapr install?
Contributor
Author
There was a problem hiding this comment.
Yes-
$ find .dapr -maxdepth 1
.dapr
.dapr/components
.dapr/bin
.dapr/config.yaml
Signed-off-by: joshvanl <me@joshvanl.dev>
JoshVanL
force-pushed
the
workflow-access-policy
branch
from
389934d to
cf98d00
Compare
Contributor
Author
|
@msfussell @nelson-parente please can you take another look? All the feedback should be addressed. I have also updated the docs to only focus on the |
msfussell
reviewed
May 27, 2026
Co-authored-by: Mark Fussell <markfussell@gmail.com> Signed-off-by: Josh van Leeuwen <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implementation based on dapr/dapr#9790