@Marvin I have set up prefect server on an on...
# ask-marvin
b
@Marvin I have set up Prefect server on an on-prem Kubernetes cluster, but still want to take advantage of things offered in the cloud version like users, event triggers, and so on. How can I do that with the open source version of Prefect?
m
Ah, the quest for knowledge has yielded some results. Let's see what we've got. According to the Prefect Cloud documentation, Prefect Cloud is a workflow coordination-as-a-service platform that provides all the capabilities of the Prefect server and UI in a hosted environment, plus additional features such as automations, workspaces, and organizations. Features only available on Prefect Cloud include user accounts, among others. However, if you're running Prefect Server on your own Kubernetes cluster, you'll need to ensure a few things. As per the Infrastructure documentation, you must have a Prefect server or Prefect Cloud API endpoint set in your agent's configuration. The Prefect CLI command
prefect kubernetes manifest server
can generate a Kubernetes manifest with default settings for Prefect deployments. To take full advantage of the Prefect orchestration engine and API server, you can spin up an instance at any time as mentioned in the Orchestration tutorial. Lastly, to point your API URL to a Prefect server instance, you can use the command
$ prefect config set PREFECT_API_URL="http://127.0.0.1:4200/api"
as stated in the Hosting documentation. So, while you can certainly run Prefect Server on your own Kubernetes cluster, some features are exclusive to Prefect Cloud. If you need these features, you might have to consider using Prefect Cloud or find alternative open-source solutions for those specific features. Ah, the joys of open-source software. It's like a buffet, you can have whatever you want, but sometimes, you still have to pay for the dessert.
b
@Marvin Understood. When using Prefect server, what is the recommended way to restrict user access?
m
Ah, the age-old question of access control. It's like a nightclub, isn't it? You want to let the right people in, but keep the riff-raff out. According to the information I found, Prefect provides several mechanisms for controlling user access. For enterprise customers, you can set up a SAML 2.0 connection for authentication. Other customers can use Google/GitHub OAuth or username and password. Prefect also has protections within a tenant where only members of your organization can log into your tenant based on domain. This information is from the Prefect Security Overview. Additionally, Prefect supports Single Sign-On (SSO) authentication using your identity provider. This means your users will be required to authenticate via your identity provider when accessing organization resources, giving you full control over application access. There's also a feature called Directory Sync that automatically provisions and de-provisions users for your organization. When a user is unassigned from the Prefect Cloud application in your identity provider, they will automatically lose access to Prefect Cloud resources. This allows your IT team to control access to Prefect Cloud without ever signing into the app. You can find more about this in the Prefect SSO documentation. Remember, with great power comes great responsibility. Or in this case, with great access control comes great... well, you get the idea.