Hi Keith, in addition to Cole's excellent suggestions, you might consider putting a Caddy webserver in front of the Orion server and then adding Caddy security. It has authentication, so you could hide the UI behind a login screen. It also has RBAC and can filter by HTTP method, so you can make your access controls quite fine-grained. Users would still be able to see everything in the UI, but you should be able to make it so they can't do everything, depending on their role.

Also note that if you set PREFECT_API_KEY in your Prefect config on the machine(s) where you run Prefect agents, HTTP requests sent by the agent should contain the API key in the Authorization header. I believe you'd be able to configure Caddy security to grant full access to the Prefect API if an HTTP request contains a valid API key in the header.
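
The access decision described in the post above, modelled in Python as an added example; it is not part of the original post and is not Caddy security or Prefect code. The role names, the sample key, the `Bearer` scheme and the treatment of `POST .../filter` and `POST .../count` as read-only UI queries are assumptions to check against your own deployment.

```python
import hmac

# Constructed sample values, not taken from the post.
AGENT_API_KEYS = {"constructed-agent-key-123"}
ROLE_METHODS = {
    "viewer": {"GET", "HEAD", "OPTIONS"},
    "operator": {"GET", "HEAD", "OPTIONS", "POST", "PATCH"},
    "admin": {"GET", "HEAD", "OPTIONS", "POST", "PATCH", "PUT", "DELETE"},
}
# Assumption: the UI reads data with POST requests to these suffixes, so a
# pure "GET only" rule would leave viewers with an empty UI.
READ_ONLY_POST_SUFFIXES = ("/filter", "/count")


def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def has_valid_api_key(headers):
    """True if the request carries one of the agent API keys."""
    token = bearer_token(headers)
    if token is None:
        return False
    # compare_digest keeps each comparison constant-time.
    return any(hmac.compare_digest(token.encode(), key.encode())
               for key in AGENT_API_KEYS)


def authorize(method, path, headers, role=None):
    """Decide whether the proxy should forward a request to the API.

    role is the role of the logged-in UI user, or None when no session exists.
    """
    if has_valid_api_key(headers):
        return True          # agents: full API access
    if role is None:
        return False         # no session and no key: send to the login screen
    method = method.upper()
    if method in ROLE_METHODS.get(role, set()):
        return True
    if role == "viewer" and method == "POST":
        return path.rstrip("/").endswith(READ_ONLY_POST_SUFFIXES)
    return False
```
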