Dashboard exposes redis PW on the command line

ray-project / ray

Ray is an AI compute engine. Ray consists of a core distributed runtime and a set of AI Libraries for accelerating ML workloads.

https://ray.io

Apache License 2.0

33.99k stars 5.77k forks source link

Dashboard exposes redis PW on the command line #18491

Open Hoeze opened 3 years ago

Hoeze commented 3 years ago

What is the problem?

When running ray init in a notebook, it starts a dashboard by passing --redis-password=<pw> on the CLI.

Ray version and other system information (Python version, TensorFlow version, OS): ray, version 2.0.0.dev0 running on Centos 8 with python 3.8

Reproduction (REQUIRED)

Spawn some ray (single-node) cluster and run the following command:

ps -aux -fww | grep dashboard | sed -e 's/ /\n/g' | grep redis

[x] I have verified my script runs in a clean environment and reproduces the issue.
[x] I have verified the issue also occurs with the latest wheels.

Fix

The dashboard should obtain passwords (and all other secret variables) via environment variables.

stale[bot] commented 2 years ago

Hi, I'm a bot from the Ray team :)

To help human contributors to focus on more relevant issues, I will automatically add the stale label to issues that have had no activity for more than 4 months.

If there is no further activity in the 14 days, the issue will be closed!

If you'd like to keep the issue open, just leave any comment, and the stale label will be removed!
If you'd like to get more attention to the issue, please tag one of Ray's contributors.

You can always ask for help on our discussion forum or Ray's public slack channel.

Hoeze commented 2 years ago

Is there a solution to this problem yet?

scottsun94 commented 2 years ago

@Hoeze In ray 2.0, we made the previous experimental dashboard the default dashboard. Not sure if you have upgraded to 2.0, but are you still running into this issue with this new dashboard?

Hoeze commented 2 years ago

Hi @scottsun94, sorry for the late answer. I just tested it with ray v2.0.0 and yes, this is still an issue. => Please keep this issue open :)

scottsun94 commented 2 years ago

@rkooo567 could you take a look?

rkooo567 commented 2 years ago

@Hoeze we completely deprecated redis. So there's no redis password. It is probably just legacy code we haven't cleaned up.

rkooo567 commented 2 years ago

I found it is indeed the legacy code. Let me remove them quickly.

jjyao commented 2 years ago

It's the raylet process not the dashboard process that accepts --redis-password, but we still need to fix it.