19913d85-f662-4518-a9a1-7adc1793dfd4.png){kind=small}
Channels
#dagster-support
Title
# dagster-support
a
Andrew Reslan
05/24/2022, 2:33 PMHi, I have successfully deployed dagster to a kubernetes cluster in AWS using the standard helm chart.
I have setup SSO to prevent public access to the dagit web UI.
I am now looking at how remote clients (python and CLI) can interact with the cluster.
If I understand correctly both these clients use the graphql API hosted under the same URL as dagit e.g.
http://dagit.example.com/graphql
I need to prevent public access to this API, is there any built-in authentication mechanism, or does this need to be managed externally to dagit/dagster.
🤖 1
s
sean
05/24/2022, 3:36 PMcc @daniel
d
daniel
05/24/2022, 3:59 PMHi Andrew - right now SSO needs to be managed externally to dagit. For example, we run an open source dagster deployment in GCP and make use of Google OAuth using a BackendConfig: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features
There's also a cloud version of Dagster that manages Dagit for you, that does provide SSO out of the box since it's hosted on our servers
a
Andrew Reslan
05/24/2022, 4:01 PM@daniel Thanks for confirming that, am I right that the remote (local) python and CLI use the dagit hosted graphql endpoint? Or is there another endpoint I need to protct.
d
daniel
05/24/2022, 4:03 PMrunning the dagster CLI locally hits the storage defined in your dagster.yaml directly - it doesn't go through dagit
a
Andrew Reslan
05/24/2022, 4:09 PMAre there any docs/blogs on how to configure dagster.yaml for access to a remote (kubernetes) dagster cluster. I can’t find anything in the online docs
d
daniel
05/24/2022, 4:17 PMYou mean to access the same cloud storage that the pods in the cluster are using? Or to access dagit over the GraphQL API?
a
Andrew Reslan
05/24/2022, 4:24 PMAfter deploying the cluster via the standard helm chart I can access dagit and the /graphql endpoint from a web browser.
I’m struggling to understand how I need to setup access for the team that want to use dagit from python and the CLI on their laptops/desktops.
The cluster is using an external AWS RDS PostgreSQL instance. Are you saying that python and the CLI access the PostrgeSQL storage directly?
d
daniel
05/24/2022, 4:26 PMThat's exactly right, yeah. the CLI accesses your storage directly via the URL/credentials referenced in the dagster.yaml file. So if your postgres DB is hosted in e.g. Amazon RDS, you would need to get those credentials available on the machine running the dagster CLI in a dagster.yaml file
I think generally we don't recommend hitting the 'production' Dagster storage from a local machine, but it's possible to do so
a
Andrew Reslan
05/24/2022, 4:30 PMHmm, what would be the recommendation for accessing a production dagster cluster? Running CLI from a client pod deployed to the cluster, we already have auth/access controls for cluster access in place.
d
daniel
05/31/2022, 1:20 PMHey Andrew, sorry for not following up here - generally we recommend accessing dagster in prod by using Dagit or the dagster graphql API
3 Views