---
title: Securing ClearML Server
---
:::important
This documentation page applies to deploying your own open source ClearML Server. It does not apply to ClearML Hosted Service users.
:::
To ensure the deployment is properly secured, follow these best practices.
## Network Security
If the deployment is in an open network that allows public access, only allow access to the specific ports used by
ClearML Server (see [ClearML Server configurations](clearml_server_config.md#clearml-server-deployment-configuration)).
If HTTPS access is configured for the instance, allow access to port `443`.
For improved security, the ports for ClearML Server Elasticsearch, MongoDB, and Redis servers are not exposed by
default; they are only open internally in the docker network.
## User Access Security
Configure ClearML Server to use Web Login authentication, which requires a username and password for user access
(see [Web Login Authentication](clearml_server_config.md#web-login-authentication)).
## File Server Security
Prior to ClearML version 1.16.0, the File Server was not secured even if [Web Login Authentication](clearml_server_config.md#web-login-authentication)
had been configured. Using an [object storage solution](../integrations/storage.md) that has built-in security is recommended.
Version 1.16.0 added token authentication to the File Server by default.
## Server Credentials and Secrets
By default, ClearML Server comes with default values that are designed to let you set it up quickly and start working
with the ClearML SDK.
However, this also means that the **server must be secured** by either preventing any external access, or by changing
defaults so that the server's credentials are not publicly known.
The ClearML Server default secrets can be found [here](https://github.com/allegroai/clearml-server/blob/master/apiserver/config/default/secure.conf), and can be changed using the `secure.conf` configuration file or using environment variables
(see [ClearML Server Feature Configurations](clearml_server_config.md#clearml-server-feature-configurations)).
Specifically, the relevant settings are:
* `secure.http.session_secret.apiserver`
* `secure.auth.token_secret`
* `secure.credentials.apiserver.user_key`
* `secure.credentials.apiserver.user_secret`
* `secure.credentials.fileserver.user_key`
* `secure.credentials.fileserver.user_secret`
* `secure.credentials.webserver.user_key` (automatically revoked by the server if using [Web Login Authentication](clearml_server_config.md#web-login-authentication))
* `secure.credentials.webserver.user_secret` (automatically revoked by the server if using [Web Login Authentication](./clearml_server_config.md#web-login-authentication))
* `secure.credentials.tests.user_key`
* `secure.credentials.tests.user_secret`
:::note
Securing the ClearML Server also means using [Web Login Authentication](clearml_server_config.md#web-login-authentication),
since the default "free access" login is inherently insecure (and will not work once the `secure.credentials.webserver.user_key`
and `secure.credentials.webserver.user_secret` values are changed).
:::
### Example: Using Environment Variables
To set new values for these settings, use the following environment variables:
* `CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER="new-secret-string"`
* `CLEARML__SECURE__AUTH__TOKEN_SECRET="new-secret-string"`
* `CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY="new-key-string"`
* `CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET="new-secret-string"`
* `CLEARML__SECURE__CREDENTIALS__FILESERVER__USER_KEY="new-key-string"`
* `CLEARML__SECURE__CREDENTIALS__FILESERVER__USER_SECRET="new-secret-string"`
* `CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY="new-key-string"`
* `CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET="new-secret-string"`
* `CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY="new-key-string"`
* `CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET="new-secret-string"`
### Example: Using Docker Compose
If used in `docker-compose.yml`, these variables should be specified for the `apiserver` service, under the `environment` section as follows:
```yaml
version: "3.6"
services:
  apiserver:
    ...
    environment:
      ...
      CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER: "new-secret-string"
      CLEARML__SECURE__AUTH__TOKEN_SECRET: "new-secret-string"
      CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY: "new-key-string"
      CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET: "new-secret-string"
      CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY: "new-key-string"
      CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET: "new-secret-string"
      CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY: "new-key-string"
      CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET: "new-secret-string"
    ...
```
:::important
When generating new user keys and secrets, make sure to use sufficiently long strings (we use 30 chars for keys and 50-60
chars for secrets). See [here](https://github.com/allegroai/clearml-server/blob/master/apiserver/service_repo/auth/utils.py)
for Python example code to generate these strings.
:::
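
The following is an added example, not ClearML's own code (the project's generator is the `utils.py` linked above). It creates a fresh value for every setting listed on this page, maps each setting to its `CLEARML__...` environment variable, and audits an environment for values that are unset, too short, or reused. The alphanumeric alphabet, the 56-character secret length, and the `audit_env` helper are assumptions made for illustration.

```python
import secrets
import string

# Setting names exactly as listed on this page.
SETTINGS = ["secure.http.session_secret.apiserver", "secure.auth.token_secret"] + [
    f"secure.credentials.{svc}.{kind}"
    for svc in ("apiserver", "fileserver", "webserver", "tests")
    for kind in ("user_key", "user_secret")
]
KEY_LEN, SECRET_LEN = 30, 56  # page guidance: 30 chars for keys, 50-60 for secrets
ALPHABET = string.ascii_letters + string.digits  # assumption: safe to quote in YAML/shell


def env_name(setting):
    """secure.auth.token_secret -> CLEARML__SECURE__AUTH__TOKEN_SECRET"""
    return "CLEARML__" + setting.upper().replace(".", "__")


def min_length(setting):
    # Keys need 30 chars; everything else is treated as a secret (50 minimum).
    return KEY_LEN if setting.endswith(".user_key") else 50


def generate_env():
    """Return {env var: new random value} for every setting, drawn from the OS CSPRNG."""
    env = {}
    for s in SETTINGS:
        n = KEY_LEN if s.endswith(".user_key") else SECRET_LEN
        env[env_name(s)] = "".join(secrets.choice(ALPHABET) for _ in range(n))
    return env


def audit_env(env):
    """Return {env var: problem} for values that are unset, too short, or reused."""
    problems = {}
    for s in SETTINGS:
        name = env_name(s)
        value = env.get(name, "")
        if not value:
            problems[name] = "not set in this environment"
        elif len(value) < min_length(s):
            problems[name] = f"shorter than {min_length(s)} chars"
        elif list(env.values()).count(value) > 1:
            problems[name] = "value reused by another variable"
    return problems


if __name__ == "__main__":
    for name, value in generate_env().items():
        print(f'{name}="{value}"')
```

Running `audit_env` over the `environment` mapping of the `apiserver` service before deployment catches placeholder strings such as `new-secret-string` that were copied from the examples and never replaced.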