Gabriel Milan

    Gabriel Milan

    11 months ago
    is it possible to enable authentication for the UI on the helm chart deployment?
    Kevin Kho

    Kevin Kho

    11 months ago
    This is not something we support as it’s a Cloud only feature. There are some threads in community about this though. Check this for example
    Gabriel Milan

    Gabriel Milan

    11 months ago
    I'll take a look at it, thanks!
    Chu Lục Ninh

    Chu Lục Ninh

    11 months ago
    Thanks for refering the case @Kevin Kho, just wondering about the complexity, is it about multi-tenancy? If I deploy prefect for single-tenant, will it be easier to add an authentication & authorization layer right into the server?
    Kevin Kho

    Kevin Kho

    11 months ago
    Hey @Chu Lục Ninh, you can find more info here. A lot of that still holds true. Auth is already a solved problem for Cloud and it took a lot of effort to get right. Auth in server will take a lot of work to get right and maintain. If you are referring to Prefect tenants, I think server is not multi-tenant. You only have one. I don't think auth is related to the tenancy. About complexity, authentication/authorization could mean just a simple password protection for some people. It could mean having accounts. I have seen some people just password protect it. I have also seen some people somehow hook it up to their active directory (they didn't outline the details though)
    In case you don't know though, Cloud does have 10000 free task runs every month which is more than enough for a lot of use cases
    Chu Lục Ninh

    Chu Lục Ninh

    11 months ago
    Hi @Kevin Kho, got it. So basically the auth is too broaden topic and there are plethora auth models. Due to that, one should implement it by their own opinion/framework right? Can you share more about the experience of decoupling it from the server? Did you completely decouple it or the server still share some common interface with auth service?
    Kevin Kho

    Kevin Kho

    11 months ago
    We really don't give advice on implementing it, but I guess the answer is yes. I believe it is decoupled. Like there are no Prefect API keys to use the API in Server.
    Chu Lục Ninh

    Chu Lục Ninh

    11 months ago
    @Kevin Kho regarding the cloud, in flexible enterprise environment, we sure will use the Cloud offering. But I'm working in kind of "restricted" environment where we have to consolidate our billing & infra totally in one place, that will push us to deploy prefect in on-prem-like environment 😦
    Kevin Kho

    Kevin Kho

    11 months ago
    The thread linked with Aric Huang above gives info on how he set up auth. He added code that I think you can follow.
    Chu Lục Ninh

    Chu Lục Ninh

    11 months ago
    Yeah, I did read that before and actually are using nginx basic auth to handle. But just thinking to extend the auth, since we have to control authorization too, not only authentication. Maybe we will proxy nginx to our auth service then the auth service will handle the communication with server instead
    In Orion, can you consider a modulus design so we can make plugins to further customize Prefect?
    Kevin Kho

    Kevin Kho

    11 months ago
    I think it will be because Orion will be a Server + Agent deployed in one. Everyone will use that and there will be no Cloud/Server distinction. They will be very aligned.
    Chu Lục Ninh

    Chu Lục Ninh

    11 months ago
    cool, will take a look at Orion source code