Hi, I am running Prefect Server+UI and was able to...
# prefect-server
a
Hi, I am running Prefect Server+UI and was able to place it behind an nginx reverse proxy with basic auth. However I'm also trying to secure access using the CLI, and looking through the code it doesn't seem to support passing any kind of auth data when using the `server` backend. Are there any recommended ways of handling server auth through the CLI, and/or is there a possibility of adding some auth options (e.g. basic auth, bearer token) to the CLI when using `server` backend?
k
Hey @Aric Huang, unfortunately we don’t support auth for server but I know there are a couple of people here who did something. Let me find those threads.
a
Thanks!
k
Yeah they are too buried unfortunately. I swear someone attached Azure AD to it, but am not 100% sure. Let’s see if the community can chime in here.
a
Thanks for checking, would be interested to see what solutions are out there.
k
This may be worth a read also
a
Looking at the CLI code it looks potentially doable to add some basic support for reading some credentials (e.g. from a file) and adding a header to the graphql requests - we may try doing that. Do you have a sense whether Prefect would be interested in something like that as a PR?
k
I honestly doubt it because it would imply that we maintain the solution, but I am sure that documenting your experience through a GitHub discussion would be a good resource to point people towards
a
That's fair. I did see that link when searching around, I can appreciate how difficult auth is to get right and that it can be considered out of scope for server. At least for my team's needs I think running our own auth server is fine, but having the CLI requests pass auth data is the only real missing piece.
I'll be trying a few things and will update if any nice solution emerges, thanks for your help @Kevin Kho
m
@Aric Huang Did you find a solution? We also use auth_basic, and for the graphql access an IP filter:
```nginx
satisfy any;
allow 123.123.123.123; # ip of your computer which makes the graphql request
```
We would be interested as well for authentication.
a
@Michael Hadorn I was able to make a few changes to the `prefect` CLI to allow using `prefect auth login` to store basic auth credentials (or a bearer token) and send them with each request. I have these changes on a fork here: https://github.com/concreted/prefect/commit/c0c404e760d32b1eef8c3de6eb6eb0e0be67d153
this has been working well for our use case, we were able to proxy the UI and graphql server both through nginx with basic auth and use the prefect CLI with these changes to make authed requests to graphql
m
@Aric Huang Nice! Thanks a lot for sharing
t
@Aric Huang how did you handle communication between UI and server (apollo)? I've put both behind basic auth, but the problem is that requests from UI to server don't include the authorization header, and I don't see a way to add this
Figured out you can use a Chrome extension (https://modheader.com/) to manually add basic auth header, which will be added to all requests the UI will make to graphql.
@Aric Huang another option for interacting with prefect using basic auth is to use the `Client` instead of the cli. Then you do not need to do any modification to the source code, this suffices:
```python
from prefect import Client

client = Client(api_server="http://localhost:4200")
client.attach_headers({"Authorization": "Basic <base64 encoded user:password>"})
```
k
@Marvin archive “Basic Auth in Server” in server
a
@Tadej Svetina do you mean for the Interactive API tab in the UI? I did find this open issue related to using basic auth with that: https://github.com/PrefectHQ/ui/issues/620
t
@Aric Huang no, I meant basic UI (in your browser) to API communication - to show you any data, your browser needs to make calls to Apollo, which you have put behind basic auth
a
the rest of the UI is working fine for me with basic auth except the interactive API tab, i didn't make any other changes or use extensions
my nginx proxy is serving both the UI and Apollo from the same IP - my understanding is that the browser can automatically add basic auth to requests to the same server address
i think it wouldn't work if you have UI and apollo located at two different addresses
thanks for the tip about using `Client` instead of the CLI - that will be useful 💯
t
Ah got it - I see my problem was giving UI and apollo different URL endpoints...