This documentation page applies to deploying your own open source ClearML Server. It does not apply to ClearML Hosted Service users.
To keep the deployment properly secured, we recommend the following best practices.
If the deployment is in an open network that allows public access, only allow access to the specific ports used by ClearML Server (see ClearML Server configurations).
If HTTPS access is configured for the instance, allow access to port
For improved security, the ports for ClearML Server Elasticsearch, MongoDB, and Redis servers are not exposed by default; they are only open internally in the docker network.
Configure ClearML Server to use Web Login authentication, which requires a username and password for user access (see Web Login Authentication).
By default, ClearML Server comes with default values designed to let you set it up quickly and start working with the ClearML SDK.
However, this also means that the server must be secured by either preventing any external access, or by changing defaults so that the server's credentials are not publicly known.
Specifically, the relevant settings are:
secure.credentials.webserver.user_key (automatically revoked by the server if using Web Login Authentication)
secure.credentials.webserver.user_secret (automatically revoked by the server if using Web Login Authentication)
Securing the ClearML Server also means using Web Login Authentication, since the default "free access" login is inherently insecure (and will not work once secure.credentials.webserver.user_secret values are changed).
To set new values for these settings, use the following environment variables:
If used in docker-compose.yml, these variables should be specified for the apiserver service, under the environment section as follows:
When generating new user keys and secrets, make sure to use sufficiently long strings (we use 30 chars for keys and 50-60 chars for secrets). See here for Python example code to generate these strings.
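One way to generate strings of the lengths recommended above, as an added example (not ClearML's own code and not the code the page links to). The alphabet, the function names and the "key"/"secret" labels are assumptions made for illustration; the setting names are the two listed on this page.

```python
import math
import secrets
import string

# Lengths follow the page's guidance: 30 chars for keys, 50-60 for secrets.
KEY_LEN = 30
SECRET_LEN_RANGE = (50, 60)
# Assumption: letters and digits only, so values need no quoting in YAML or a shell.
ALPHABET = string.ascii_letters + string.digits
# The two settings named on this page, mapped to a hypothetical kind label.
SETTINGS = {
    "secure.credentials.webserver.user_key": "key",
    "secure.credentials.webserver.user_secret": "secret",
}

def random_string(length):
    """Draw every character from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate(kind):
    """Return a new key (30 chars) or secret (random length in 50-60)."""
    lo, hi = SECRET_LEN_RANGE
    length = KEY_LEN if kind == "key" else lo + secrets.randbelow(hi - lo + 1)
    return random_string(length)

def entropy_bits(length):
    """Entropy of a uniformly random string of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))

def problems(kind, value):
    """List the reasons a candidate value falls short; empty list if none."""
    issues = []
    minimum = KEY_LEN if kind == "key" else SECRET_LEN_RANGE[0]
    if len(value) < minimum:
        issues.append(f"shorter than {minimum} characters")
    if set(value) - set(ALPHABET):
        issues.append("contains characters outside the alphabet")
    if len(set(value)) < 10:
        issues.append("too few distinct characters to be random")
    return issues

def generate_all():
    return {name: generate(kind) for name, kind in SETTINGS.items()}

if __name__ == "__main__":
    for name, value in generate_all().items():
        print(f"{name} = {value}")
```

Run it once per deployment and keep the output out of version control; `problems()` can also be pointed at values already in use to spot ones that are too short or hand-typed.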