[Docs] Add user guide for configuring authentication for Ray clusters #49080
Conversation
andrewsykim
requested review from
maxpumperla,
pcmoritz,
kevin85421 and
a team
as code owners
|
Hi @andrewsykim , I found that the protection in the document is mainly for submitting ray jobs through port 8265. Is there a corresponding protection mechanism and document for interactive access to Ray Cluster through port 10001? (It seems that the |
|
@Moonquakes that's correct, for now we are starting with authentication for Ray dashboard only, in the future we will consider client port. @kevin85421 suggested we actually stay away from recommending interactive client but I can't recall the reasons |
andrewsykim
force-pushed
the
kuberay-auth
branch
from
9b12bff to
4635d69
Compare
| @@ -27,6 +27,7 @@ user-guides/tls | |||
| user-guides/k8s-autoscaler | |||
| user-guides/static-ray-cluster-without-kuberay | |||
| user-guides/kubectl-plugin | |||
| user-guides/kuberay-auth | |||
There was a problem hiding this comment.
Also, add:
* {ref}`kuberay-auth`
below. Currently, the page only appears in the sidebar.
|
|
||
| ## Prerequisites | ||
|
|
||
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). |
There was a problem hiding this comment.
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). | |
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). |
| ## Prerequisites | ||
|
|
||
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). | ||
| * `kubectl` installed and configured to interact with your cluster. |
There was a problem hiding this comment.
| * `kubectl` installed and configured to interact with your cluster. | |
| * `kubectl` installed and configured to interact with your cluster. |
|
|
||
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). | ||
| * `kubectl` installed and configured to interact with your cluster. | ||
| * `gcloud` CLI installed and configured (if using GKE). |
There was a problem hiding this comment.
| * `gcloud` CLI installed and configured (if using GKE). | |
| * `gcloud` CLI installed and configured (if using GKE). |
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). | ||
| * `kubectl` installed and configured to interact with your cluster. | ||
| * `gcloud` CLI installed and configured (if using GKE). | ||
| * Helm installed. |
There was a problem hiding this comment.
| * Helm installed. | |
| * [Helm](https://helm.sh/) installed. |
| * `kubectl` installed and configured to interact with your cluster. | ||
| * `gcloud` CLI installed and configured (if using GKE). | ||
| * Helm installed. | ||
| * Ray installed locally. |
There was a problem hiding this comment.
| * Ray installed locally. | |
| * Ray installed locally. |
| Get a token for the `ray-user` service account and store it in the `RAY_JOB_HEADERS` environment variable: | ||
|
|
||
| ```bash | ||
| export RAY_JOB_HEADERS="{\"Authorization\": \"Bearer $(kubectl create token ray-user)\"}" |
There was a problem hiding this comment.
Can you add a note that kubectl create token is only supported in kubectl versions >= 1.24 (ref) or update the "Prerequisites" section?
There was a problem hiding this comment.
1.24 has been EOL for a while now, it's probably safe to assume most users are using a newer version at this point?
There was a problem hiding this comment.
I followed this documentation and realized that I am using version 1.23.X on the client side. On the server side, I think most people use newer Kubernetes versions, but on the client side, users might not upgrade as frequently.
There was a problem hiding this comment.
good point, I'll add a note about this
|
|
||
| # Configure Ray Clusters with Authentication and Access Control using KubeRay | ||
|
|
||
| This guide demonstrates how to secure Ray clusters deployed with KubeRay by enabling authentication and access control using Kubernetes Role-Based Access Control (RBAC). |
There was a problem hiding this comment.
Can you add the current limitations to the documentation? For example, it currently doesn't support RayJob and RayService. How can I use the browser to view the dashboard? (follow up)
There was a problem hiding this comment.
ack, I can also add some instructions for accessing the dashboard via browser
There was a problem hiding this comment.
added instructions for using browser to access Ray dashboard
|
@Moonquakes, yeah, the Ray maintainers currently recommend that users avoid using the Ray client. It has not been actively maintained for years due to some fundamental stability issues. We have been discussing Ray Client V2, but it is still in the planning stage for now. |
Signed-off-by: Andrew Sy Kim <[email protected]>
andrewsykim
force-pushed
the
kuberay-auth
branch
3 times, most recently
from
8a2029f to
2b643b7
Compare
|
|
||
| This guide demonstrates how to secure Ray clusters deployed with KubeRay by enabling authentication and access control using Kubernetes Role-Based Access Control (RBAC). | ||
|
|
||
| > **Note:** This guide is only supported for the RayCluster custom resource. |
There was a problem hiding this comment.
How long does the token last before it expires? I followed the documentation before lunch, but after lunch, the token stopped working, and I had to create a new one. Not necessary to address this in this PR.
There was a problem hiding this comment.
I believe tokens last 1hour by default, you can specify the duration though:
kubectl create token ray-user --duration=24h
The server may return an expiration shorter than what the client requests though
There was a problem hiding this comment.
Would you mind adding some comments regarding the expiration? Thanks!
There was a problem hiding this comment.
Updated the example to include --duration so users know the flag exists
|
I will ping our doc team to review this PR. |
Signed-off-by: Andrew Sy Kim <[email protected]>
andrewsykim
force-pushed
the
kuberay-auth
branch
from
2b643b7 to
04201dd
Compare
|
Thank you for contributing to Ray docs. Just some style nits to be more consistent with our style guide. Thank you. |
|
@angelinalg I didn't see any comments for style nits, did you forget to submit the review? |
| @@ -0,0 +1,207 @@ | |||
| (kuberay-auth)= | |||
|
|
|||
| # Configure Ray Clusters with Authentication and Access Control using KubeRay | |||
There was a problem hiding this comment.
| # Configure Ray Clusters with Authentication and Access Control using KubeRay | |
| # Configure Ray clusters with authentication and access control using KubeRay |
There was a problem hiding this comment.
Trying to standardize on sentence case for titles.
|
|
||
| ## Prerequisites | ||
|
|
||
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). |
There was a problem hiding this comment.
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). | |
| * A Kubernetes cluster. This guide uses GKE, but the concepts apply to other Kubernetes distributions. |
There was a problem hiding this comment.
Avoiding excessive use of parentheses.
|
|
||
| * A Kubernetes cluster (this guide uses GKE, but the concepts apply to other Kubernetes distributions). | ||
| * `kubectl` installed and configured to interact with your cluster. | ||
| * `gcloud` CLI installed and configured (if using GKE). |
There was a problem hiding this comment.
| * `gcloud` CLI installed and configured (if using GKE). | |
| * `gcloud` CLI installed and configured, if using GKE. |
| * [Helm](https://helm.sh/) installed. | ||
| * Ray installed locally. | ||
|
|
||
| ## Create a GKE Cluster (or use an existing cluster) |
There was a problem hiding this comment.
| ## Create a GKE Cluster (or use an existing cluster) | |
| ## Create or use an existing GKE Cluster |
|
|
||
| ## Create a GKE Cluster (or use an existing cluster) | ||
|
|
||
| If you don't have a Kubernetes cluster, create one using the following command (or adapt it for your cloud provider): |
There was a problem hiding this comment.
| If you don't have a Kubernetes cluster, create one using the following command (or adapt it for your cloud provider): | |
| If you don't have a Kubernetes cluster, create one using the following command, or adapt it for your cloud provider: |
|
|
||
| The output should be `yes`. | ||
|
|
||
| ## Submit a Ray Job with Authentication |
There was a problem hiding this comment.
| ## Submit a Ray Job with Authentication | |
| ## Submit a Ray job with authentication |
| ray job submit --address http://localhost:8265 -- python -c "import ray; ray.init(); print(ray.cluster_resources())" | ||
| ``` | ||
|
|
||
| The job should now succeed, and you'll see output similar to this: |
There was a problem hiding this comment.
| The job should now succeed, and you'll see output similar to this: | |
| The job should now succeed, and you should see output similar to this: |
|
|
||
| ## Verify Access Using Cloud IAM (Optional) | ||
|
|
||
| Most cloud providers allow you to authenticate to your Kubernetes cluster as your cloud IAM user. This is a convenient way to interact with the cluster without managing separate Kubernetes credentials. |
There was a problem hiding this comment.
| Most cloud providers allow you to authenticate to your Kubernetes cluster as your cloud IAM user. This is a convenient way to interact with the cluster without managing separate Kubernetes credentials. | |
| Most cloud providers allow you to authenticate to the Kubernetes cluster as your cloud IAM user. This method is a convenient way to interact with the cluster without managing separate Kubernetes credentials. |
| ------------------------------------------ | ||
| ``` | ||
|
|
||
| ## Verify Access Using Cloud IAM (Optional) |
There was a problem hiding this comment.
| ## Verify Access Using Cloud IAM (Optional) | |
| ## Verify access using cloud IAM (Optional) |
| ray job submit --address http://localhost:8265 -- python -c "import ray; ray.init(); print(ray.cluster_resources())" | ||
| ``` | ||
|
|
||
| The job should succeed if your cloud user has the necessary Kubernetes RBAC permissions (you may need to configure additional RBAC rules for your cloud user). |
There was a problem hiding this comment.
| The job should succeed if your cloud user has the necessary Kubernetes RBAC permissions (you may need to configure additional RBAC rules for your cloud user). | |
| The job should succeed if your cloud user has the necessary Kubernetes RBAC permissions. You may need to configure additional RBAC rules for your cloud user. |
|
So sorry for the oversight, @andrewsykim! |
Signed-off-by: Andrew Sy Kim <[email protected]>
|
Thanks @angelinalg! I'm doing great, hope you're doing well too! :) |
Thanks for your answer! However, Ray Client will be very helpful in the scenario of using Jupyter, which can greatly improve development efficiency. I look forward to the release of Ray Client v2! |
Agree. A good Ray client provides better UX comparing with |
…ray-project#49080) Signed-off-by: Andrew Sy Kim <[email protected]> Signed-off-by: ujjawal-khare <[email protected]>
Why are these changes needed?
Add a user guide for configuring authenticadtion and access control for Ray clusters using KubeRay and Kubernetes RBAC.
Related issue number
Based on REP: https://github.com/ray-project/enhancements/blob/main/reps/2024-05-21-kuberay-authentication.md
Checks
git commit -s) in this PR.scripts/format.shto lint the changes in this PR.method in Tune, I've added it in
doc/source/tune/api/under thecorresponding
.rstfile.