PrefectHQ / prefect

Prefect is a workflow orchestration framework for building resilient data pipelines in Python.
https://prefect.io
Apache License 2.0

Authorization for local deployment #15711

Open Jesse-jApps opened 1 month ago

Jesse-jApps commented 1 month ago

Describe the current behavior

When deploying Prefect on-premise, it is not possible to configure custom authorization methods, such as Basic Auth. For example, when somebody uses a reverse-proxy setup and wants to protect the API and Dashboard with additional authorization. While Prefect Cloud uses API keys for Bearer-like authorization, on-premise deployments lack configurable authorization options.

Describe the proposed behavior

The option to define httpx_settings globally. The idea is that this is somehow implemented:

import httpx

# httpx_settings: the dict of keyword arguments handed to the underlying httpx client
httpx_settings = {}
auth = httpx.BasicAuth(username='USER', password='PASSWORD')
httpx_settings['auth'] = auth

But properly, generally and via a proper config.

Example Use

Possibly authorization can be defined via ENV-Variables.

PREFECT_AUTHORIZATION_TYPE
PREFECT_AUTHORIZATION_USERNAME
PREFECT_AUTHORIZATION_PASSWORD
PREFECT_AUTHORIZATION_TOKEN

Additional context

No response

zzstoatzz commented 1 month ago

hi @Jesse-jApps - thank you for the issue!

there's been some discussion on this here, and I think it's worth revisiting at this point.

I think we'd want to avoid user/pass auth, as there is explicitly no concept of a user in OSS, but a simple token auth might be a good option. What do you think about that?

soamicharan commented 1 month ago

@zzstoatzz It is good to have the same authorization as Prefect Cloud, where we can use the Prefect API key in authorization to secure the Prefect OSS server.

ChillarAnand commented 3 weeks ago

If you are willing to add this feature, there were users who were willing to add a PR. @pbecotte ?

Jesse-jApps commented 3 weeks ago

Thanks for the feedback. Back in 2020 the decision was to not add any auth, since it is expected to be network-internal only, see here. I don't know how much the view has changed by now. In my case I work and have worked on plenty of smaller projects (shops, web tools, etc.), which are all publicly accessible and run 80% on self-managed servers. When using Prefect for those projects, I can do everything without exposing the Prefect API, except using the dashboard. If I set the --host to an internal address, I can set up a protected nginx to gain access to the dashboard, but since the dashboard is using the --host address for lookups, it doesn't properly work. So an alternative to implementing an auth mechanism is having more control over how the dashboard accesses the API. So besides PREFECT_API_URL, an optional PREFECT_DASHBOARD_API_URL would be helpful.
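As an added example (not from the issue or from the Prefect project), here is the reverse-proxy arrangement the thread describes: the Prefect server bound to the loopback address and nginx in front, requiring Basic Auth over TLS for both the dashboard and the API. Assumed values: the server listens on 127.0.0.1:4200, the hostname is prefect.example.com, and the credential and certificate paths are placeholders.

```nginx
# Added example: nginx in front of a loopback-bound Prefect server.
# Start the server so it is unreachable from outside the host:
#   prefect server start --host 127.0.0.1 --port 4200
# Create the (assumed) credential file with: htpasswd -c /etc/nginx/prefect.htpasswd ops

# Forward WebSocket upgrades only when the client asks for one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name prefect.example.com;                   # assumed hostname

    ssl_certificate     /etc/nginx/tls/prefect.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/prefect.key;

    # Basic Auth covers the dashboard and the API alike: a request without
    # valid credentials is rejected here and never reaches Prefect.
    auth_basic           "Prefect";
    auth_basic_user_file /etc/nginx/prefect.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:4200;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Prefect's events endpoints use WebSockets; pass the handshake through.
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
    }
}

# Redirect plain HTTP so the Basic Auth credentials are never sent in the clear.
server {
    listen 80;
    server_name prefect.example.com;
    return 301 https://$host$request_uri;
}
```

This only works if the dashboard calls the API through the proxy (https://prefect.example.com/api) rather than the loopback address it is started on, which is the lookup problem described above; Prefect's PREFECT_UI_API_URL setting is the place to point the UI at the proxy URL.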