
Aric Huang

09/27/2021, 5:32 PM
Hi, I am running Prefect Server+UI and was able to place it behind an nginx reverse proxy with basic auth. However I'm also trying to secure access using the CLI, and looking through the code it doesn't seem to support passing any kind of auth data when using the `server` backend. Are there any recommended ways of handling server auth through the CLI, and/or is there a possibility of adding some auth options (e.g. basic auth, bearer token) to the CLI when using `server` backend?

Kevin Kho

09/27/2021, 5:46 PM
Hey @Aric Huang, unfortunately we don’t support auth for server but I know there are a couple of people here who did something. Let me find those threads.

Aric Huang

09/27/2021, 5:54 PM
Thanks!

Kevin Kho

09/27/2021, 5:58 PM
Yeah they are too buried unfortunately. I swear someone attached Azure AD to it, but am not 100% sure. Let’s see if the community can chime in here.

Aric Huang

09/27/2021, 6:00 PM
Thanks for checking, would be interested to see what solutions are out there.

Kevin Kho

09/27/2021, 6:04 PM
This may be worth a read also

Aric Huang

09/27/2021, 6:06 PM
Looking at the CLI code it looks potentially doable to add some basic support for reading some credentials (e.g. from a file) and adding a header to the graphql requests - we may try doing that. Do you have a sense whether Prefect would be interested in something like that as a PR?

Kevin Kho

09/27/2021, 6:09 PM
I honestly doubt it because it would imply that we maintain the solution, but I am sure that documenting your experience through a GitHub discussion would be a good resource to point people towards

Aric Huang

09/27/2021, 6:13 PM
That's fair. I did see that link when searching around, I can appreciate how difficult auth is to get right and that it can be considered out of scope for server. At least for my team's needs I think running our own auth server is fine, but having the CLI requests pass auth data is the only real missing piece.
I'll be trying a few things and will update if any nice solution emerges, thanks for your help @Kevin Kho

Michael Hadorn

10/04/2021, 12:25 PM
@Aric Huang Did you find a solution? We also use the auth_basic, and for the graphql access an ip filter:
```nginx
satisfy any;
allow 123.123.123.123; # ip of your computer which makes the graphql request
```
We would be interested as well for authentication.

Aric Huang

10/04/2021, 7:25 PM
@Michael Hadorn I was able to make a few changes to the `prefect` CLI to allow using `prefect auth login` to store basic auth credentials (or a bearer token) and send them with each request. I have these changes on a fork here: https://github.com/concreted/prefect/commit/c0c404e760d32b1eef8c3de6eb6eb0e0be67d153
this has been working well for our use case, we were able to proxy the UI and graphql server both through nginx with basic auth and use the prefect CLI with these changes to make authed requests to graphql

Michael Hadorn

10/06/2021, 12:56 PM
@Aric Huang Nice! Thanks a lot for sharing

Tadej Svetina

10/10/2021, 10:51 AM
@Aric Huang how did you handle communication between UI and server (apollo)? I've put both behind basic auth, but the problem is that requests from UI to server don't include the authorization header, and I don't see a way to add this
Figured out you can use a Chrome extension (https://modheader.com/) to manually add basic auth header, which will be added to all requests the UI will make to graphql.
@Aric Huang another option for interacting with prefect using basic auth is to use the `Client` instead of the cli. Then you do not need to do any modification to the source code, this suffices:
```python
from prefect import Client
client = Client(api_server="http://localhost:4200")
# Attach the basic auth header to requests made by this client
client.attach_headers({"Authorization": "Basic <base64 encoded user:password>"})
```

Kevin Kho

10/10/2021, 4:55 PM
@Marvin archive “Basic Auth in Server” in server

Aric Huang

10/11/2021, 5:10 PM
@Tadej Svetina do you mean for the Interactive API tab in the UI? I did find this open issue related to using basic auth with that: https://github.com/PrefectHQ/ui/issues/620

Tadej Svetina

10/11/2021, 5:12 PM
@Aric Huang no, I meant basic UI (in your browser) to API communication - to show you any data, your browser needs to make calls to Apollo, which you have put behind basic auth

Aric Huang

10/11/2021, 5:12 PM
the rest of the UI is working fine for me with basic auth except the interactive API tab, i didn't make any other changes or use extensions
my nginx proxy is serving both the UI and Apollo from the same IP - my understanding is that the browser can automatically add basic auth to requests to the same server address
i think it wouldn't work if you have UI and apollo located at two different addresses
thanks for the tip about using `Client` instead of the CLI - that will be useful 💯

Tadej Svetina

10/11/2021, 5:38 PM
Ah got it - I see my problem was giving UI and apollo different URL endpoints...