-
Notifications
You must be signed in to change notification settings - Fork 5.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Core] runtime_env remote URI authentication issue #28253
Comments
The importing issue should be resolved by #28250. The |
One option for Kuberay:
|
Closing as this has been answered by @shrekris-anyscale and thanks @Xalag for providing the code same in KubeRay |
…Is (#35578) Users can provide dependencies via a remote URI in their runtime_env. To access private dependencies, users must include authentication information with their request. Commonly, this is done by including credentials in the URI itself. However, this pattern can be insecure since Ray may log the URI or use it to name temporary directories. Instead, users should supply their credentials using a .netrc file. This change adds documentation explaining how to use a .netrc file on VMs or KubeRay. Thanks to @Xalag and @Martin4R for the discussion in #28253. Some of the examples have been adapted from that issue. netrc documentation link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/runtime_env_auth.html runtime_env URL templates link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/handling-dependencies.html#option-2-manually-create-url-slower-to-implement-but-recommended-for-production-environments Related issue number See #28253
…Is (ray-project#35578) Users can provide dependencies via a remote URI in their runtime_env. To access private dependencies, users must include authentication information with their request. Commonly, this is done by including credentials in the URI itself. However, this pattern can be insecure since Ray may log the URI or use it to name temporary directories. Instead, users should supply their credentials using a .netrc file. This change adds documentation explaining how to use a .netrc file on VMs or KubeRay. Thanks to @Xalag and @Martin4R for the discussion in ray-project#28253. Some of the examples have been adapted from that issue. netrc documentation link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/runtime_env_auth.html runtime_env URL templates link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/handling-dependencies.html#option-2-manually-create-url-slower-to-implement-but-recommended-for-production-environments Related issue number See ray-project#28253
…Is (#35578) (#35784) Users can provide dependencies via a remote URI in their runtime_env. To access private dependencies, users must include authentication information with their request. Commonly, this is done by including credentials in the URI itself. However, this pattern can be insecure since Ray may log the URI or use it to name temporary directories. Instead, users should supply their credentials using a .netrc file. This change adds documentation explaining how to use a .netrc file on VMs or KubeRay. Thanks to @Xalag and @Martin4R for the discussion in #28253. Some of the examples have been adapted from that issue. netrc documentation link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/runtime_env_auth.html runtime_env URL templates link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/handling-dependencies.html#option-2-manually-create-url-slower-to-implement-but-recommended-for-production-environments Related issue number See #28253
…Is (ray-project#35578) Users can provide dependencies via a remote URI in their runtime_env. To access private dependencies, users must include authentication information with their request. Commonly, this is done by including credentials in the URI itself. However, this pattern can be insecure since Ray may log the URI or use it to name temporary directories. Instead, users should supply their credentials using a .netrc file. This change adds documentation explaining how to use a .netrc file on VMs or KubeRay. Thanks to @Xalag and @Martin4R for the discussion in ray-project#28253. Some of the examples have been adapted from that issue. netrc documentation link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/runtime_env_auth.html runtime_env URL templates link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/handling-dependencies.html#option-2-manually-create-url-slower-to-implement-but-recommended-for-production-environments Related issue number See ray-project#28253
…Is (ray-project#35578) Users can provide dependencies via a remote URI in their runtime_env. To access private dependencies, users must include authentication information with their request. Commonly, this is done by including credentials in the URI itself. However, this pattern can be insecure since Ray may log the URI or use it to name temporary directories. Instead, users should supply their credentials using a .netrc file. This change adds documentation explaining how to use a .netrc file on VMs or KubeRay. Thanks to @Xalag and @Martin4R for the discussion in ray-project#28253. Some of the examples have been adapted from that issue. netrc documentation link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/runtime_env_auth.html runtime_env URL templates link: https://anyscale-ray--35578.com.readthedocs.build/en/35578/ray-core/handling-dependencies.html#option-2-manually-create-url-slower-to-implement-but-recommended-for-production-environments Related issue number See ray-project#28253 Signed-off-by: e428265 <[email protected]>
What happened + What you expected to happen
I tried to use remote URLs in working_dir and py_module params of runtime-environments to download zip files from a private GitLab package registry. I did this with the fruit-example of Ray Serve with KubeRay.
The way mentioned in the documentation is to use HTTP-Basic authentication directly in the URL (see https://docs.ray.io/en/latest/ray-core/handling-dependencies.html#option-2-manually-create-url-slower-to-implement-but-recommended-for-production-environments).
The described approach from the docs does not work for me and also has some side effects:
/tmp/ray/session_latest/runtime-resources/working_dir_files/https_ray-cluster:realpwdwouldbehere@gitlab_com_api_v4_projects_42_packages_generic_fruit_example_b5b4a19a_fruit_example
To work around the issues, I used a .netrc file instead for authentication.
Versions / Dependencies
Reproduction script
I used the example of a Kuberay RayService from here: https://docs.ray.io/en/latest/serve/production-guide/kubernetes.html
I used this example RayService CR with an HTTP-Basic protected zip-file for the working_dir param.
Issue Severity
Medium: It is a significant difficulty but I can work around it.
The text was updated successfully, but these errors were encountered: