is it possible to enable authentication for the UI...
# prefect-serverg
Gabriel Milan
10/22/2021, 8:43 PMis it possible to enable authentication for the UI on the helm chart deployment?
k
Kevin Kho
10/22/2021, 8:46 PM
This is not something we support as it’s a Cloud only feature. There are some threads in community about this though. Check this for example
g
Gabriel Milan
10/22/2021, 8:50 PMI'll take a look at it, thanks!
c
Chu Lục Ninh
10/23/2021, 5:57 AMThanks for refering the case @Kevin Kho, just wondering about the complexity, is it about multi-tenancy? If I deploy prefect for single-tenant, will it be easier to add an authentication & authorization layer right into the server?
k
Kevin Kho
10/23/2021, 6:35 AM
Hey @Chu Lục Ninh, you can find more info here. A lot of that still holds true. Auth is already a solved problem for Cloud and it took a lot of effort to get right. Auth in server will take a lot of work to get right and maintain. If you are referring to Prefect tenants, I think server is not multi-tenant. You only have one. I don't think auth is related to the tenancy. About complexity, authentication/authorization could mean just a simple password protection for some people. It could mean having accounts. I have seen some people just password protect it. I have also seen some people somehow hook it up to their active directory (they didn't outline the details though)
Kevin Kho
10/23/2021, 6:36 AM
In case you don't know though, Cloud does have 10000 free task runs every month which is more than enough for a lot of use cases
c
Chu Lục Ninh
10/23/2021, 6:39 AMHi @Kevin Kho, got it. So basically the auth is too broaden topic and there are plethora auth models. Due to that, one should implement it by their own opinion/framework right? Can you share more about the experience of decoupling it from the server? Did you completely decouple it or the server still share some common interface with auth service?
k
Kevin Kho
10/23/2021, 6:42 AM
We really don't give advice on implementing it, but I guess the answer is yes. I believe it is decoupled. Like there are no Prefect API keys to use the API in Server.
c
Chu Lục Ninh
10/23/2021, 6:44 AM@Kevin Kho regarding the cloud, in flexible enterprise environment, we sure will use the Cloud offering. But I'm working in kind of "restricted" environment where we have to consolidate our billing & infra totally in one place, that will push us to deploy prefect in on-prem-like environment :(
k
Kevin Kho
10/23/2021, 6:47 AM
The thread linked with Aric Huang above gives info on how he set up auth. He added code that I think you can follow.
c
Chu Lục Ninh
10/23/2021, 6:52 AMYeah, I did read that before and actually are using nginx basic auth to handle. But just thinking to extend the auth, since we have to control authorization too, not only authentication. Maybe we will proxy nginx to our auth service then the auth service will handle the communication with server instead
Chu Lục Ninh
10/23/2021, 6:53 AMIn Orion, can you consider a modulus design so we can make plugins to further customize Prefect?
k
Kevin Kho
10/23/2021, 7:14 AM
I think it will be because Orion will be a Server + Agent deployed in one. Everyone will use that and there will be no Cloud/Server distinction. They will be very aligned.
👍 2
c
Chu Lục Ninh
10/23/2021, 9:21 AMcool, will take a look at Orion source code
7 Views