Aric Huang

    Aric Huang

    11 months ago
    Hi, I am running Prefect Server+UI and was able to place it behind an nginx reverse proxy with basic auth. However I'm also trying to secure access using the CLI, and looking through the code it doesn't seem to support passing any kind of auth data when using the
    server
    backend. Are there any recommended ways of handling server auth through the CLI, and/or is there a possibility of adding some auth options (e.g. basic auth, bearer token) to the CLI when using
    server
    backend?
    Kevin Kho

    Kevin Kho

    11 months ago
    Hey @Aric Huang, unfortunately we don’t support auth for server but I know there are a couple of people here who did something. Let me find those threads.
    Aric Huang

    Aric Huang

    11 months ago
    Thanks!
    Kevin Kho

    Kevin Kho

    11 months ago
    Yeah they are too buried unfortunately. I swear someone attached Azure AD to it, but am not 100% sure. Let’s see if the community can chime in here.
    Aric Huang

    Aric Huang

    11 months ago
    Thanks for checking, would be interested to see what solutions are out there.
    Kevin Kho

    Kevin Kho

    11 months ago
    This may be worth a read also
    Aric Huang

    Aric Huang

    11 months ago
    Looking at the CLI code it looks potentially doable to add some basic support for reading some credentials (e.g. from a file) and adding a header to the graphql requests - we may try doing that. Do you have a sense whether Prefect would be interested in something like that as a PR?
    Kevin Kho

    Kevin Kho

    11 months ago
    I honestly doubt it because it would imply that we maintain the solution, but I am sure that documenting your experience through a Github discussion would be a good resource to point people towards
    Aric Huang

    Aric Huang

    11 months ago
    That's fair. I did see that link when searching around, I can appreciate how difficult auth is to get right and that it can be considered out of scope for server. At least for my team's needs I think running our own auth server is fine, but having the CLI requests pass auth data is the only real missing piece.
    I'll be trying a few things and will update if any nice solution emerges, thanks for your help @Kevin Kho
    Michael Hadorn

    Michael Hadorn

    11 months ago
    @Aric Huang Did you find a solution? We use also the auth_basic, and for the graphql access an ip filter:
    satisfy any;
    allow 123.123.123.123; # ip of your computer which makes the graphql request
    We would be interested as well for authentication.
    Aric Huang

    Aric Huang

    11 months ago
    @Michael Hadorn I was able to make a few changes to the
    prefect
    CLI to allow using
    prefect auth login
    to store basic auth credentials (or a bearer token) and send them with each request. I have these changes on a fork here: https://github.com/concreted/prefect/commit/c0c404e760d32b1eef8c3de6eb6eb0e0be67d153
    this has been working well for our use case, we were able to proxy the UI and graphql server both through nginx with basic auth and use the prefect CLI with these changes to make authed requests to graphql
    Michael Hadorn

    Michael Hadorn

    11 months ago
    @Aric Huang Nice! Thanks a lot for sharing
    Tadej Svetina

    Tadej Svetina

    11 months ago
    @Aric Huang how did you handle communication between UI and server (apollo)? I've put both behing basic auth, but the problem is that requests from UI to server don't include the authorization header, and I don't see a way to add this
    Figured out you can use a Chrome extension (https://modheader.com/) to manually add basic auth header, which will be added to all requests the UI will make to graphql.
    @Aric Huang another option for interacting with prefect using basic auth is to use the
    Client
    instead of the cli. Then you do not need to do any modification to the source code, this suffices:
    client = Client(api_server="<http://localhost:4200>")
    client.attach_headers({"Authorization": "Basic <base64 encoded user:password>"})
    Kevin Kho

    Kevin Kho

    11 months ago
    @Marvin archive “Basic Auth in Server” in server
    Marvin

    Marvin

    11 months ago
    Aric Huang

    Aric Huang

    11 months ago
    @Tadej Svetina do you mean for the Interactive API tab in the UI? I did find this open issue related to using basic auth with that: https://github.com/PrefectHQ/ui/issues/620
    Tadej Svetina

    Tadej Svetina

    11 months ago
    @Aric Huang no, I meant basic UI (in your browser) to API communication - to show you any data, your browser needs to make calls to Apollo, which you have put behind basic auth
    Aric Huang

    Aric Huang

    11 months ago
    the rest of the UI is working fine for me with basic auth except the interactive API tab, i didn't make any other changes or use extensions
    my nginx proxy is serving both the UI and Apollo from the same IP - my understanding is that the browser can automatically add basic auth to requests to the same server address
    i think it wouldn't work if you have UI and apollo located at two different addresses
    thanks for the tip about using
    Client
    instead of the CLI - that will be useful 💯
    Tadej Svetina

    Tadej Svetina

    11 months ago
    Ah got it - I see my problem was giving UI and apollo different URL endpoints...