Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorization for local deployment #15711

Open
Jesse-jApps opened this issue Oct 16, 2024 · 4 comments
Open

Authorization for local deployment #15711

Jesse-jApps opened this issue Oct 16, 2024 · 4 comments
Labels
enhancement An improvement of an existing feature

Comments

@Jesse-jApps
Copy link

Describe the current behavior

When deploying Prefect on-premise, it is not possible to configure custom authorization methods, such as Basic Auth. For example, when somebody uses a reverse-proxy setup and wants to protect the API and Dashboard with additional authorization. While Prefect Cloud uses API keys for Bearer-like authorization, on-premise deployments lack configurable authorization options.

Describe the proposed behavior

The option to define httpx_settings globally. The idea is, that this somehow implemented:

auth = httpx.BasicAuth(username='USER', password='PASSWORD')
httpx_settings['auth'] = auth

But properly, generally and via a proper config.

Example Use

Possibly authorization can be defined via ENV-Variables.

PREFECT_AUTHORIZATION_TYPE
PREFECT_AUTHORIZATION_USERNAME
PREFECT_AUTHORIZATION_PASSWORD
PREFECT_AUTHORIZATION_TOKEN

Additional context

No response
@Jesse-jApps Jesse-jApps added the enhancement An improvement of an existing feature label Oct 16, 2024
@zzstoatzz
Copy link
Collaborator

hi @Jesse-jApps - thank you for the issue!

there's been some discussion on this here, and I think its worth revisiting at this point.

I think we'd want to avoid user/pass auth, as there is explicitly no concept of a user in OSS, but a simple token auth might be a good option. What do you think about that?

@soamicharan
Copy link
Contributor

@zzstoatzz It it good have same authorization as prefect cloud where we can use prefect api key in authorization to secure the prefect OSS server

@ChillarAnand
Copy link

If you are willing to add this feature, there were users who were willing to add a PR. @pbecotte ?

@Jesse-jApps
Copy link
Author

Thanks for the feedback. Back in 2020 the decision was to not add any auth, since it is expected to be network internal only, see here.
I don't know how much of the view has changed by now.
In my case I work and have worked on plenty of smaller projects (shops, web tools, etc.), which are all publicly accessible and run 80% on self-managed servers.
When using prefect for those projects, I can do everything without exposing the prefect api, except using the dashboard.
If setting the --host to a internal address, I can setup a protected nginx to gain access to the dashboard, but since the dashboard is using the --host address for lookups, it doesn't properly work.
So an alternative to implementing an auth-mechanism, is by having more control over how the dashboard accesses the api.
So beside the PREFECT_API_URL a PREFECT_DASHBOARD_API_URL (optional) would be helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement An improvement of an existing feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ChillarAnand @Jesse-jApps @soamicharan @zzstoatzz