Hi Keith, in addition to Cole's excellent suggestions, you might consider putting a Caddy webserver
in front of the Orion server and then add Caddy security
. It has authentication
, so you could hide the UI behind a login screen
It also has RBAC
and can filter by HTTP method, so you can make your access controls quite fine-grained. Users would still be able to see
everything in the UI, but you should be able to make it so they can't do
everything depending on their role.
Also note that if you set PREFECT_API_KEY in your Prefect config on the machine(s) where you run Prefect agents, HTTP requests sent by the agent should contain the API key in the Authorization header
. I believe you'd be able to configure Caddy security to grant full access to the Prefect API if an HTTP request contains a valid API key in the header.