Jan

08/20/2023, 5:37 PM
or, preferably, to 0.0.0.0 (any) ip address?

jawnsy

08/20/2023, 6:42 PM
Use the --host setting when running prefect server start or the PREFECT_SERVER_API_HOST environment variable. See this code: https://github.com/PrefectHQ/prefect/blob/6c7233bbe55fbe554956bbc70fbfa31de12c1543/src/prefect/cli/server.py#L111-L122

Jan

08/20/2023, 7:39 PM
ah thank you will try.
Perhaps add that to the docs?
And if I missed it, please link me to the docs?
Brilliant. That worked with 0.0.0.0
Thank you very much @jawnsy
I can now see if this fits our needs!
CORRECTION. It works to launch the dashboard with 0.0.0.0
trying with external ip
okay. So...
looks like code does not differentiate between UI and API urls.
So the expectation is the api and the ux run on the same host.

jawnsy

08/20/2023, 7:51 PM
There are two variables, one that determines the URL that the UI uses to find the API (PREFECT_UI_API_URL) and one that the server uses to determine where to bind (the PREFECT_SERVER_API_HOST variable). There are some defaults between the two.
This is how we set things up in Kubernetes, we use --host to have the API listen on all interfaces: https://github.com/PrefectHQ/prefect-helm/blob/e94f1d49501431ee987d397875b3a19280fe680c/charts/prefect-server/templates/deployment.yaml#L63-L72
Then we use the env var to tell the client where to find the API endpoint (this is the external URL, e.g. https://prefect.contoso.com/api, that your users should hit from their browser).
I think you can host the UI and API on separate hosts if you want, but I’m not sure why you’d want to do that. The UI is purely client-side code (single page app).

Jan

08/20/2023, 7:52 PM
Ahhhhhh.
I see.
Reconfiguring.
@jawnsy Brilliant. That seems to have worked.
To address why backend and frontend on different servers, we usually do this to put firewalls and authentication in between with the ux portions being in the DMZ (externally facing) and only particular hosts with particular credentials from that DMZ can inquire of the backend.
Up and running now, thanks.
I imagine this is an intentional choice (https://discourse.prefect.io/t/why-does-prefect-2-0-doesnt-include-auth-and-rbac-features-as-part-of-the-open-source-package/741) but no RBAC or Authentication in the non-cloud version is increasingly a turn-off for adoption across infrastructure tools. Please pass on to your product managers (if that isn't you). Market has woken up to excessive charges just for basic security.... in a world where security is increasingly important and expected out of the box. Cloud offerings need to differentiate on other value to be considered worth the adoption. YMMV, but the future is pretty clearly no tolerance for cloud requirements to get basic security for OSS solutions. If the cloud solutions offer value above the basics (security), there is attention to migration. Frankly, in today's world if you aren't OSS'ing your security, you're likely to end up less trusted out of the gate. </soapbox> Looking forward to playing with it but can't give to my users until I secure it in some way.
Have to say after searching through the options, Prefect rose to the top and thus am investing in exploring it.
But the security thing is an Achilles heel.

jawnsy

08/20/2023, 8:16 PM
Regarding authentication, I’ve passed along your feedback to our Head of Product.
> To address why backend and frontend on different servers, we usually do this to put firewalls and authentication in between with the ux portions being in the DMZ (externally facing) and only particular hosts with particular credentials from that DMZ can inquire of the backend.
Both the frontend and backend need to be accessible to users. When we serve the frontend, we provide static content (JavaScript, HTML, CSS) and users’ browsers load content dynamically from the API endpoint. Whether or not the UI access is authenticated doesn’t really matter because there’s no sensitive content there; all requests go from the users’ browsers to the API endpoint via CORS requests.
Have you evaluated our Prefect Cloud service? It’s free for small teams (up to 3 users and 1 workspace) and has capabilities that are not available in our OSS. You can also schedule a call with one of our engineers here: https://calendly.com/prefect-experts/prefect-product-advocates (other contact options including email are here: https://www.prefect.io/support)

Jan

08/20/2023, 9:02 PM
Thank you for passing on my feedback! 🙂
Will consider the cloud perspective but not until we have kicked the wheels and determined we can secure it on-premises. We do whitebox security testing as part of that process.