or, preferably, to 0.0.0.0 (any) ip address?
# prefect-getting-startedj
Jan
08/20/2023, 5:37 PMor, preferably, to 0.0.0.0 (any) ip address?
✅ 1
j
jawnsy
08/20/2023, 6:42 PMUse the --host setting when running
prefect server start✅ 1
j
Jan
08/20/2023, 7:39 PMah thank you will try.
Jan
08/20/2023, 7:39 PMPerhaps add that to the docs?
Jan
08/20/2023, 7:40 PMAnd if I missed it, please link me to the docs?
Jan
08/20/2023, 7:43 PMBrilliant. That worked with 0.0.0.0
Jan
08/20/2023, 7:43 PMThank you very much @jawnsy
Jan
08/20/2023, 7:43 PMI can now see if this fits our needs!
Jan
08/20/2023, 7:44 PMCORRECTION. It works to launch the dashboard with 0.0.0.0
Jan
08/20/2023, 7:44 PMtrying with external ip
Jan
08/20/2023, 7:49 PMokay. So...
Jan
08/20/2023, 7:49 PMlooks like code does not differentiate between UI and API urls.
Jan
08/20/2023, 7:50 PMSo the expectation is the api and the ux run on the same host.
j
jawnsy
08/20/2023, 7:51 PMThere are two variables, one that determines the URL that the UI uses to find the API (PREFECT_UI_API_URL) and one that the server uses to determine where to bind (the PREFECT_SERVER_API_HOST variable). There are some defaults between the two.
This is how we set things up in Kubernetes, we use --host to have the API listen on all interfaces: https://github.com/PrefectHQ/prefect-helm/blob/e94f1d49501431ee987d397875b3a19280fe680c/charts/prefect-server/templates/deployment.yaml#L63-L72
Then we use the env var to tell the client where to find the API endpoint (this is the external URL, e.g. https://prefect.contoso.com/api, that your users should hit from their browser)
I think you can host the UI and API on separate hosts if you want, but I’m not sure why you’d want to do that. The UI is purely client-side code (single page app)
j
Jan
08/20/2023, 7:52 PMAhhhhhh.
Jan
08/20/2023, 7:52 PMI see.
Jan
08/20/2023, 7:52 PMReconfiguring.
Jan
08/20/2023, 7:58 PM@jawnsy Brilliant. That seems to have worked.
Jan
08/20/2023, 7:59 PMTo address why backend and frontend on different servers, we usually do this to put firewalls and authentication in between with the ux portions being in the DMZ (externally facing) and only particular hosts with particular credentials from that DMZ can inquire of the backend.
Jan
08/20/2023, 8:00 PMUp and running now, thanks.
Jan
08/20/2023, 8:07 PMI imagine this is an intentional choice (https://discourse.prefect.io/t/why-does-prefect-2-0-doesnt-include-auth-and-rbac-features-as-part-of-the-open-source-package/741) but no RBAC or Authentication in the non-cloud version is increasingly a turn-off for adoption across infrastructure tools. Please pass on to your product managers (if that isn't you). Market has woken up to excessive charges just for basic security.... in a world where security is increasingly important and expected out of the box. Cloud offerings need to differentiate on other value to be considered worth the adoption. YMMV, but the future is pretty clearly no tolerance for cloud requirements to get basic security for OSS solutions. If the cloud solutions offer value above the basics (security), there is attention to migration. Frankly, in today's world if you aren't OSS'ing your security, you're likely to end up less trusted out of the gate. </soapbox>
Looking forward to playing with it but can't give to my users until I secure it in some way.
Jan
08/20/2023, 8:08 PMAlso, I'm this guy: https://www.linkedin.com/janman
Jan
08/20/2023, 8:08 PMHave to say after searching through the options, Prefect rose to the top and thus am investing in exploring it.
Jan
08/20/2023, 8:09 PMBut the security thing is an Achilles heel.
j
jawnsy
08/20/2023, 8:16 PMRegarding authentication, I’ve passed along your feedback to our Head of Product.
To address why backend and frontend on different servers, we usually do this to put firewalls and authentication in between with the ux portions being in the DMZ (externally facing) and only particular hosts with particular credentials from that DMZ can inquire of the backend.Both the frontend and backend need to be accessible to users. When we serve the frontend, we provide static content (JavaScript, HTML, CSS) and users’ browsers load content dynamically from the API endpoint. Whether or not the UI access is authenticated doesn’t really matter because there’s no sensitive content there; all requests go from the users’ browsers to the API endpoint via CORS requests. Have you evaluated our Prefect Cloud service? It’s free for small teams (up to 3 users and 1 workspace) and has capabilities that are not available in our OSS. You can also schedule a call with one of our engineers here: https://calendly.com/prefect-experts/prefect-product-advocates (other contact options including email are here: https://www.prefect.io/support)
j
Jan
08/20/2023, 9:02 PMThank you for passing on my feedback! 🙂
Jan
08/20/2023, 9:03 PMWill consider the cloud perspective but not until we have kicked the wheels and determined we can secure it on-premises. We do whitebox security testing as part of that process.
3 Views