https://github.com/Netflix/conductor/discussions/3052

[jgard]

Re-upping conversation from Netflix/conductor#3052

As I begin to evaluate Conductor, it still seems true that there is simply no authentication or authorization in any part of the (OSS, non-Orkes) platform, by default. Is that correct? Nothing preventing an inappropriate user on our network from launching a workflow (via API or UI), nothing preventing a pen-tester (for example) from starting a worker process that handles tasks?

Unless we use network controls (like iptables or AWS Security groups) and/or an authorizing reverse proxy.

Again, is this correct?

[jgard]

(recreating to correct title)