https://prefect.io logo
Title
e

EmGarr

10/20/2020, 4:01 PM
Hi, I got an annoying issue we have been starting using Prefect at my company. Everything got well with the deployment of Prefect on our K8s but now we want to protect it with some BasicAuth and now nothing works: We are able to build and store flow easily on the server by using the attach_headers method of the client:
headers = {'Authorization': "Basic {}".format(XXXXX)}
client = prefect.Client()
client.attach_headers(headers)
However, when the agent deploys a flow we hit a small issue: 1. The docker is runned with the following command:
prefect execute flow-run
2. Inside the docker we run it leads to
prefect.execute.cli
with
_execute_flow_run
:
client = Client()
result = client.graphql(query) # Authorization error
Is there a simple way to avoid this issue and being able to add BasicAuth to the client? We could maybe add an env variable which would select the proper auth method by the client (example): https://github.com/PrefectHQ/prefect/blob/bd6e47379594d4e26e6810380482320eeee714ae/src/prefect/client/client.py#L385
def select_auth_method(token):
   if config.AUTH.BASIC:
       return "Basic {}".format(token)
   # else OAuth
   return "Basic {}".format(token)

if token:
  headers["Authorization"] = "Bearer {}".format(token)
c

Chris White

10/20/2020, 4:14 PM
Hi @EmGarr - as the description of your issue shows, Auth is handled differently by every institution. That is one of the many reasons we don’t support auth changes in our open source products, as it would quickly get confusing for users and get in the way of our actual authorized deployment (Cloud). In your case, since you’ve already deployed middleware to intercept these requests, can you update the header parsing there to accept a Bearer token?
e

EmGarr

10/20/2020, 4:23 PM
Thanks I'm gonna ask to the infra team 👍
👍 1
I agree with your point of view but since you have open-sourced more components of Prefect, you should be clearer on it.
Maybe a new design for the client to allow users to handle their auth at will?
c

Chris White

10/20/2020, 4:25 PM
If you search our GitHub repo for authorization questions you’ll find this comes up frequently and we’re always very up front about our stance here
e

EmGarr

10/20/2020, 4:26 PM
Yep I read about it 🙂 . I meant in the official doc 👍
👍 1
Just to say your trick did the job. We just rewrite the authorization header with haproxy
thanks for the trick 👍
👍 1