ClearML/clearml-docs
1
0
Fork 0
mirror of https://github.com/clearml/clearml-docs synced 2025-01-31 14:37:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7137669f24
clearml-docs/docs/deploying_clearml/clearml_server_security.md

101 lines
4.8 KiB
Markdown
Raw Normal View History

Initial commit
2021-05-13 23:48:51 +00:00
---
title: Securing ClearML Server
---
:::important
This documentation page applies to deploying your own open source ClearML Server. It does not apply to ClearML Hosted Service users.
:::
Small edits (#256)
2022-05-19 06:59:10 +00:00
To ensure deployment is properly secure, follow the following best practices.
Initial commit
2021-05-13 23:48:51 +00:00
## Network Security
If the deployment is in an open network that allows public access, only allow access to the specific ports used by
Small edits (#256)
2022-05-19 06:59:10 +00:00
ClearML Server (see [ClearML Server configurations](clearml_server_config.md#clearml-server-deployment-configuration)).
Initial commit
2021-05-13 23:48:51 +00:00
If HTTPS access is configured for the instance, allow access to port `443`.
Small edits (#256)
2022-05-19 06:59:10 +00:00
For improved security, the ports for ClearML Server Elasticsearch, MongoDB, and Redis servers are not exposed by
Initial commit
2021-05-13 23:48:51 +00:00
default; they are only open internally in the docker network.
## User Access Security
Small edits (#256)
2022-05-19 06:59:10 +00:00
Configure ClearML Server to use Web Login authentication, which requires a username and password for user access
Initial commit
2021-05-13 23:48:51 +00:00
(see [Web Login Authentication](clearml_server_config.md#web-login-authentication)).
Add note about File Server security (#235)
2022-04-17 06:32:17 +00:00
## File Server Security
update fileserver doc (#860)
2024-06-28 13:55:34 +00:00
Prior to ClearML version 1.16.0, the File Server was not secured even if [Web Login Authentication](clearml_server_config.md#web-login-authentication)
Small edits (#256)
2022-05-19 06:59:10 +00:00
has been configured. Using an [object storage solution](../integrations/storage.md) that has built-in security is recommended.
update fileserver doc (#860)
2024-06-28 13:55:34 +00:00
Version 1.16.0 added token authentication to the File Server by default.
Add note about File Server security (#235)
2022-04-17 06:32:17 +00:00
Initial commit
2021-05-13 23:48:51 +00:00
## Server Credentials and Secrets
Small edits (#256)
2022-05-19 06:59:10 +00:00
By default, ClearML Server comes with default values that are designed to allow to set it up quickly and to start working
Initial commit
2021-05-13 23:48:51 +00:00
with the ClearML SDK.
However, this also means that the **server must be secured** by either preventing any external access, or by changing
defaults so that the server's credentials are not publicly known.
Small edits (#256)
2022-05-19 06:59:10 +00:00
The ClearML Server default secrets can be found [here](https://github.com/allegroai/clearml-server/blob/master/apiserver/config/default/secure.conf), and can be changed using the `secure.conf` configuration file or using environment variables
Initial commit
2021-05-13 23:48:51 +00:00
(see [ClearML Server Feature Configurations](clearml_server_config.md#clearml-server-feature-configurations)).
Specifically, the relevant settings are:
* `secure.http.session_secret.apiserver`
* `secure.auth.token_secret`
* `secure.credentials.apiserver.user_key`
* `secure.credentials.apiserver.user_secret`
* `secure.credentials.webserver.user_key` (automatically revoked by the server if using [Web Login Authentication](clearml_server_config.md#web-login-authentication))
* `secure.credentials.webserver.user_secret` (automatically revoked by the server if using [Web Login Authentication](./clearml_server_config.md#web-login-authentication))
* `secure.credentials.tests.user_key`
* `secure.credentials.tests.user_secret`
:::note
Securing the ClearML Server means also using [Web Login Authentication](clearml_server_config.md#web-login-authentication),
since the default "free access" login is inherently unsecure (and will not work once ``secure.credentials.webserver.user_key``
and ``secure.credentials.webserver.user_secret`` values are changed)
:::
### Example: Using Environment Variables
To set new values for these settings, use the following environment variables:
* `CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER="new-secret-string"`
* `CLEARML__SECURE__AUTH__TOKEN_SECRET="new-secret-string"`
* `CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY="new-key-string"`
* `CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET="new-secret-string"`
* `CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY="new-key-string"`
* `CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET="new-secret-string"`
* `CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY="new-key-string"`
* `CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET="new-secret-string"`
### Example: Using Docker Compose
If used in `docker-compose.yml`, these variables should be specified for the `apiserver` service, under the `environment` section as follows:
```yaml
version: "3.6"
services:
apiserver:
...
environment:
...
CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER: "new-secret-string"
CLEARML__SECURE__AUTH__TOKEN_SECRET: "new-secret-string"
CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY: "new-key-string"
CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET: "new-secret-string"
CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY: "new-key-string"
CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET: "new-secret-string"
CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY: "new-key-string"
CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET: "new-secret-string"
...
```
:::important
When generating new user keys and secrets, make sure to use sufficiently long strings (we use 30 chars for keys and 50-60
chars for secrets). See [here](https://github.com/allegroai/clearml-server/blob/master/apiserver/service_repo/auth/utils.py)
for Python example code to generate these strings.
:::
Reference in New Issue Copy Permalink