mirror of
https://github.com/clearml/clearml-docs
synced 2025-01-31 14:37:18 +00:00
100 lines
4.7 KiB
Markdown
100 lines
4.7 KiB
Markdown
---
|
|
title: Securing ClearML Server
|
|
---
|
|
|
|
:::important
|
|
This documentation page applies to deploying your own open source ClearML Server. It does not apply to ClearML Hosted Service users.
|
|
:::
|
|
|
|
To ensure deployment is properly secure, follow the following best practices.
|
|
|
|
## Network Security
|
|
|
|
If the deployment is in an open network that allows public access, only allow access to the specific ports used by
|
|
ClearML Server (see [ClearML Server configurations](clearml_server_config.md#clearml-server-deployment-configuration)).
|
|
|
|
If HTTPS access is configured for the instance, allow access to port `443`.
|
|
|
|
For improved security, the ports for ClearML Server Elasticsearch, MongoDB, and Redis servers are not exposed by
|
|
default; they are only open internally in the docker network.
|
|
|
|
## User Access Security
|
|
|
|
Configure ClearML Server to use Web Login authentication, which requires a username and password for user access
|
|
(see [Web Login Authentication](clearml_server_config.md#web-login-authentication)).
|
|
|
|
## File Server Security
|
|
|
|
By default, the File Server is not secured even if [Web Login Authentication](clearml_server_config.md#web-login-authentication)
|
|
has been configured. Using an [object storage solution](../integrations/storage.md) that has built-in security is recommended.
|
|
|
|
## Server Credentials and Secrets
|
|
|
|
By default, ClearML Server comes with default values that are designed to allow to set it up quickly and to start working
|
|
with the ClearML SDK.
|
|
|
|
However, this also means that the **server must be secured** by either preventing any external access, or by changing
|
|
defaults so that the server's credentials are not publicly known.
|
|
|
|
The ClearML Server default secrets can be found [here](https://github.com/allegroai/clearml-server/blob/master/apiserver/config/default/secure.conf), and can be changed using the `secure.conf` configuration file or using environment variables
|
|
(see [ClearML Server Feature Configurations](clearml_server_config.md#clearml-server-feature-configurations)).
|
|
|
|
Specifically, the relevant settings are:
|
|
* `secure.http.session_secret.apiserver`
|
|
* `secure.auth.token_secret`
|
|
* `secure.credentials.apiserver.user_key`
|
|
* `secure.credentials.apiserver.user_secret`
|
|
* `secure.credentials.webserver.user_key` (automatically revoked by the server if using [Web Login Authentication](clearml_server_config.md#web-login-authentication))
|
|
* `secure.credentials.webserver.user_secret` (automatically revoked by the server if using [Web Login Authentication](./clearml_server_config.md#web-login-authentication))
|
|
* `secure.credentials.tests.user_key`
|
|
* `secure.credentials.tests.user_secret`
|
|
|
|
|
|
:::note
|
|
Securing the ClearML Server means also using [Web Login Authentication](clearml_server_config.md#web-login-authentication),
|
|
since the default "free access" login is inherently unsecure (and will not work once ``secure.credentials.webserver.user_key``
|
|
and ``secure.credentials.webserver.user_secret`` values are changed)
|
|
:::
|
|
|
|
|
|
### Example: Using Environment Variables
|
|
|
|
To set new values for these settings, use the following environment variables:
|
|
|
|
* `CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER="new-secret-string"`
|
|
* `CLEARML__SECURE__AUTH__TOKEN_SECRET="new-secret-string"`
|
|
* `CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY="new-key-string"`
|
|
* `CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET="new-secret-string"`
|
|
* `CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY="new-key-string"`
|
|
* `CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET="new-secret-string"`
|
|
* `CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY="new-key-string"`
|
|
* `CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET="new-secret-string"`
|
|
|
|
### Example: Using Docker Compose
|
|
|
|
If used in `docker-compose.yml`, these variables should be specified for the `apiserver` service, under the `environment` section as follows:
|
|
```yaml
|
|
version: "3.6"
|
|
services:
|
|
apiserver:
|
|
...
|
|
environment:
|
|
...
|
|
CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER: "new-secret-string"
|
|
CLEARML__SECURE__AUTH__TOKEN_SECRET: "new-secret-string"
|
|
CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY: "new-key-string"
|
|
CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET: "new-secret-string"
|
|
CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY: "new-key-string"
|
|
CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET: "new-secret-string"
|
|
CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY: "new-key-string"
|
|
CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET: "new-secret-string"
|
|
...
|
|
```
|
|
|
|
|
|
:::important
|
|
When generating new user keys and secrets, make sure to use sufficiently long strings (we use 30 chars for keys and 50-60
|
|
chars for secrets). See [here](https://github.com/allegroai/clearml-server/blob/master/apiserver/service_repo/auth/utils.py)
|
|
for Python example code to generate these strings.
|
|
:::
|