https://prefect.io logo
Title
g

Gabriel Milan

10/22/2021, 8:43 PM
is it possible to enable authentication for the UI on the helm chart deployment?
k

Kevin Kho

10/22/2021, 8:46 PM
This is not something we support as it’s a Cloud only feature. There are some threads in community about this though. Check this for example
g

Gabriel Milan

10/22/2021, 8:50 PM
I'll take a look at it, thanks!
c

Chu Lục Ninh

10/23/2021, 5:57 AM
Thanks for refering the case @Kevin Kho, just wondering about the complexity, is it about multi-tenancy? If I deploy prefect for single-tenant, will it be easier to add an authentication & authorization layer right into the server?
k

Kevin Kho

10/23/2021, 6:35 AM
Hey @Chu Lục Ninh, you can find more info here. A lot of that still holds true. Auth is already a solved problem for Cloud and it took a lot of effort to get right. Auth in server will take a lot of work to get right and maintain. If you are referring to Prefect tenants, I think server is not multi-tenant. You only have one. I don't think auth is related to the tenancy. About complexity, authentication/authorization could mean just a simple password protection for some people. It could mean having accounts. I have seen some people just password protect it. I have also seen some people somehow hook it up to their active directory (they didn't outline the details though)
In case you don't know though, Cloud does have 10000 free task runs every month which is more than enough for a lot of use cases
c

Chu Lục Ninh

10/23/2021, 6:39 AM
Hi @Kevin Kho, got it. So basically the auth is too broaden topic and there are plethora auth models. Due to that, one should implement it by their own opinion/framework right? Can you share more about the experience of decoupling it from the server? Did you completely decouple it or the server still share some common interface with auth service?
k

Kevin Kho

10/23/2021, 6:42 AM
We really don't give advice on implementing it, but I guess the answer is yes. I believe it is decoupled. Like there are no Prefect API keys to use the API in Server.
c

Chu Lục Ninh

10/23/2021, 6:44 AM
@Kevin Kho regarding the cloud, in flexible enterprise environment, we sure will use the Cloud offering. But I'm working in kind of "restricted" environment where we have to consolidate our billing & infra totally in one place, that will push us to deploy prefect in on-prem-like environment :(
k

Kevin Kho

10/23/2021, 6:47 AM
The thread linked with Aric Huang above gives info on how he set up auth. He added code that I think you can follow.
c

Chu Lục Ninh

10/23/2021, 6:52 AM
Yeah, I did read that before and actually are using nginx basic auth to handle. But just thinking to extend the auth, since we have to control authorization too, not only authentication. Maybe we will proxy nginx to our auth service then the auth service will handle the communication with server instead
In Orion, can you consider a modulus design so we can make plugins to further customize Prefect?
k

Kevin Kho

10/23/2021, 7:14 AM
I think it will be because Orion will be a Server + Agent deployed in one. Everyone will use that and there will be no Cloud/Server distinction. They will be very aligned.
👍 2
c

Chu Lục Ninh

10/23/2021, 9:21 AM
cool, will take a look at Orion source code