Securing Your Own ClearML Server

Important

This documentation page applies to deploying your own open source ClearML Server. It does not apply to ClearML Hosted Service users.

To ensure you properly secure your deployment we recommend you follow the following best practices.

Network Security

If your deployment is in an open network that allows public access, only allow access to the specific ports used by ClearML Server (see ClearML Server configurations).

If HTTPS access is configured for your instance, allow access to port 443.

For improved security, the ports for ClearML Server Elasticsearch, MongoDB, and Redis servers are not exposed by default; they are only open internally in the docker network.

User Access Security

Configure ClearML Server to use Web Login authentication by requiring username and password for user access (see Web Login Authentication).

Server Credentials and Secrets

By default, ClearML Server comes with default values that are designed to allow you to quickly set it up and start working with the ClearML SDK.

However, this also means that you must secure your server by either preventing any external access, or by changing defaults so that your server’s credentials are not publicly known.

The ClearML Server default secrets can be found here, and can be changed using the secure.conf configuration file or using environment variables (see ClearML Server Feature Configurations).

Specifically, the relevant settings are:

  • secure.http.session_secret.apiserver

  • secure.auth.token_secret

  • secure.credentials.apiserver.user_key

  • secure.credentials.apiserver.user_secret

  • secure.credentials.webserver.user_key (automatically revoked by the server if using Web Login Authentication)

  • secure.credentials.webserver.user_secret (automatically revoked by the server if using Web Login Authentication)

  • secure.credentials.tests.user_key

  • secure.credentials.tests.user_secret

Note

Securing the ClearML Server means you must also use Web Login Authentication, as the default “free access” login is inherently unsecure (and will not work once you change the secure.credentials.webserver.user_key and secure.credentials.webserver.user_secret values)

Example: Using Environment Variables

To set new values for these settings, use the following environment variables:

  • CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER="new-secret-string"

  • CLEARML__SECURE__AUTH__TOKEN_SECRET="new-secret-string"

  • CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY="new-key-string"

  • CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET="new-secret-string"

  • CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY="new-key-string"

  • CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET="new-secret-string"

  • CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY="new-key-string"

  • CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET="new-secret-string"

Example: Using Docker Compose

If used in docker-compose.yml, these variables should be specified for the apiserver service, under the environment section as follows:

version: "3.6"
services:
  apiserver:
    ...
    environment:
      ...
      CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER: "new-secret-string"
      CLEARML__SECURE__AUTH__TOKEN_SECRET: "new-secret-string"
      CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY: "new-key-string"
      CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET: "new-secret-string"
      CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY: "new-key-string"
      CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET: "new-secret-string"
      CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY: "new-key-string"
      CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET: "new-secret-string"
  ...

Important

When generating new user keys and secrets, make sure to use sufficiently long strings (we use 30 chars for keys and 50-60 chars for secrets). See here for Python example code to generate these strings.