Implement security option in VM cluster managers #222
This is really great! +1 to make this the default option. Do you want to update docs in this PR? I'm also happy to help write docs for this.
Yeah a docs update would be good, the docstrings already incorrectly contain this option (I got a bit over excited with my copy pasta when writing them). Do you suggest anywhere else that it would be useful to document this?
Maybe the advanced section on RTD?
I've added a documentation page, a review would be appreciated. I'm going to move this into draft until dask/distributed#4364 is merged and a release happens that we can pin to. But other than that this is ready.
@jacobtomlinson That's a really great doc write up. I especially appreciate the details on why decisions were made and even when security might be disabled in the case of troubleshooting.
Minimum version bumped in #243
This PR implements the security keyword argument for VMCluster based cluster managers.
This depends on dask/distributed#4364 as credentials are distributed via the Dask config and it seems there are a couple of bugs in the way this works.
Examples
Temporary credentials
Setting security=True will generate temporary credentials which will be distributed to the scheduler and workers at creation time. This is also the new default option.
Note the TLS here in the connection URL. Only clients with the credentials will be able to connect. In this example the Client class retrieves the credentials from the cluster object.
Custom certificates
You can also set security to a custom Security object with your own generated certificates. Certificates will need to be accessible to the scheduler and workers so likely will need to be included in the Docker image.
With this approach clients from other processes can connect in the same way.
Disabling security
This change makes secure connections the default option. You can also disable SSL/TLS by setting security to False or None.
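An added example of the custom-certificate setup described above; it is not code from this PR or from the project. It assumes the same certificate paths exist on the client and inside the Docker image, and that `cluster_class` is any VMCluster-based manager; the helper names `security_kwargs`, `preflight`, `is_tls_address` and `secure_client` are hypothetical.

```python
import os
import stat

TLS_ROLES = ("client", "scheduler", "worker")


def security_kwargs(ca_file, cert_file, key_file):
    """Arguments for distributed.security.Security, one cert/key pair for all roles."""
    kwargs = {"tls_ca_file": ca_file, "require_encryption": True}
    for role in TLS_ROLES:
        kwargs[f"tls_{role}_cert"] = cert_file
        kwargs[f"tls_{role}_key"] = key_file
    return kwargs


def preflight(kwargs):
    """Return a list of problems with the local certificate files (empty if fine)."""
    problems = []
    for name, path in sorted(kwargs.items()):
        if not name.startswith("tls_"):
            continue  # require_encryption is not a file path
        if not os.path.isfile(path):
            problems.append(f"{name}: {path} not found")
        elif name.endswith("_key") and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"{name}: {path} is readable by group or others")
    return problems


def is_tls_address(address):
    """True only for scheduler addresses that use the TLS transport."""
    return address.startswith("tls://")


def secure_client(cluster_class, ca_file, cert_file, key_file, **cluster_kwargs):
    """Start a VMCluster-based cluster with custom certificates and connect to it."""
    from distributed import Client  # imported lazily: needs dask installed
    from distributed.security import Security

    kwargs = security_kwargs(ca_file, cert_file, key_file)
    problems = preflight(kwargs)
    if problems:
        raise RuntimeError("; ".join(problems))
    security = Security(**kwargs)
    cluster = cluster_class(security=security, **cluster_kwargs)
    # Fail closed if the cluster came up without TLS (e.g. security was disabled).
    if not is_tls_address(cluster.scheduler_address):
        cluster.close()
        raise RuntimeError(f"unencrypted scheduler address: {cluster.scheduler_address}")
    return Client(cluster.scheduler_address, security=security)
```

A client in another process can build the same `Security` object from `security_kwargs` and pass it to `Client` along with the scheduler's `tls://` address.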