is it possible to enable authentication for the UI on the helm chart deployment?

This is not something we support as it’s a Cloud only feature. There are some threads in community about this though. Check this for example

I'll take a look at it, thanks!

Thanks for refering the case @Kevin Kho, just wondering about the complexity, is it about multi-tenancy? If I deploy prefect for single-tenant, will it be easier to add an authentication & authorization layer right into the server?

Hey @Chu Lục Ninh, you can find more info here. A lot of that still holds true. Auth is already a solved problem for Cloud and it took a lot of effort to get right. Auth in server will take a lot of work to get right and maintain. If you are referring to Prefect tenants, I think server is not multi-tenant. You only have one. I don't think auth is related to the tenancy. About complexity, authentication/authorization could mean just a simple password protection for some people. It could mean having accounts. I have seen some people just password protect it. I have also seen some people somehow hook it up to their active directory (they didn't outline the details though)

Hi @Kevin Kho, got it. So basically the auth is too broaden topic and there are plethora auth models. Due to that, one should implement it by their own opinion/framework right? Can you share more about the experience of decoupling it from the server? Did you completely decouple it or the server still share some common interface with auth service?

We really don't give advice on implementing it, but I guess the answer is yes. I believe it is decoupled. Like there are no Prefect API keys to use the API in Server.

@Kevin Kho regarding the cloud, in flexible enterprise environment, we sure will use the Cloud offering. But I'm working in kind of "restricted" environment where we have to consolidate our billing & infra totally in one place, that will push us to deploy prefect in on-prem-like environment :(

The thread linked with Aric Huang above gives info on how he set up auth. He added code that I think you can follow.

Yeah, I did read that before and actually are using nginx basic auth to handle. But just thinking to extend the auth, since we have to control authorization too, not only authentication. Maybe we will proxy nginx to our auth service then the auth service will handle the communication with server instead

I think it will be because Orion will be a Server + Agent deployed in one. Everyone will use that and there will be no Cloud/Server distinction. They will be very aligned.

cool, will take a look at Orion source code