[solver] Agent workers and permissioned_as
Hi there, I'm trying to execute some scripts in untrusted environments. I organized my scripts and secrets inside folders, and I currently have:
- /f/customer1/remote_exec.ts
- /f/customer2/remote_exec.ts
Those two scripts are quite simple for now, they are simply doing:
    await wmill.getVariable("f/customer1/secret_value");
    await wmill.getVariable("f/customer2/secret_value");
I created two groups: g/customer1 and g/customer2. Is there a way to prevent the script from customer1 from being able to read the secret from customer2, and the other way around? In the documentation I saw something about permissioned_as, but I can't find any way to "downgrade" my permission to g/customer1 or g/customer2 to run the script (both from the UI and the CLI).
Am I missing something? Is what I want to do even possible?
Thanks
The permissioned_as is tied to the caller, not the executor.
So as long as the caller has the reduced permissions, yes, it will work.
Thanks! That makes complete sense.
So now my question is: how can I reduce the permissions of the caller, or create a caller (token?) that only has access to one of those two groups?
You can create users with those permissions and do that on the fly with the JWT EE feature.
We will bill for those users as operators.
Very interesting, thanks for the information, that's exactly how I would have seen this working! Is this the documentation about the feature: https://www.windmill.dev/docs/advanced/external_auth_with_jwt ? I think that it's perfect for what I want to achieve.
External auth with JWT | Windmill
Instead of using the built-in authentication and authorization mechanisms, you can generate your own JWT tokens with the desired permissions for your already authenticated users and pass them to Windmill.
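To make the least-privilege idea in this thread concrete, here is an added example (not Windmill's code and not from the linked docs) that mints one HS256 JWT per customer carrying only the claims mentioned above (is_admin, is_operator, folders), verifies it, and then models the folder-scoped check that lets a customer1 token read f/customer1/secret_value but not f/customer2/secret_value. The signing key, the email claim, the exact claim schema and the can_read_variable check are assumptions for illustration; Windmill's real claim layout and enforcement are not confirmed by this thread beyond the three claim names it cites.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key only; a real deployment uses the instance's configured JWT secret (assumption).
SIGNING_KEY = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_customer_token(customer: str, ttl_seconds: int = 600) -> str:
    """Mint a short-lived HS256 JWT scoped to a single customer folder.

    Claim names is_admin / is_operator / folders come from the thread;
    the email claim and the folder-list semantics are assumptions.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {
        "email": f"{customer}-runner@example.invalid",  # assumed claim
        "is_admin": False,
        "is_operator": False,
        "folders": [f"f/{customer}"],  # grant exactly one folder, never both
        "iat": now,
        "exp": now + ttl_seconds,
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Verify signature, pin the algorithm, and reject expired tokens; return the claims."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":  # refuse alg substitution (e.g. "none")
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def can_read_variable(claims: dict, variable_path: str) -> bool:
    """Folder-scoped authorization model (assumption, not Windmill's implementation):
    a variable is readable only if its folder is in the token's folders list.
    Exact-match on the folder prevents prefix tricks like f/customer1x."""
    if claims.get("is_admin"):
        return True
    folder, _, _name = variable_path.rpartition("/")  # "f/customer1/secret_value" -> "f/customer1"
    return folder in claims.get("folders", [])


if __name__ == "__main__":
    tok = mint_customer_token("customer1")
    c = verify_token(tok)
    print(can_read_variable(c, "f/customer1/secret_value"))  # True
    print(can_read_variable(c, "f/customer2/secret_value"))  # False
```

Each customer's runner gets its own token with a single folder in the list, so even if the untrusted environment leaks the token, it cannot be used to read the other customer's secret; keeping the TTL short limits the window in which a leaked token is useful at all.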
Yes correct
This is working as expected, thanks a lot!
Side note: I created a JWT with is_admin: false and is_operator: false (copy-pasted from the doc), and all the permissions seem to be respected (tried with an empty folders attribute, and then added the folder I wanted to grant access to). However, when testing the token against the whoami endpoint, I noticed that the role was superadmin:
This does not seem to have any impact on anything, but I wanted to raise this in case it was an issue. What is this role used for?