Examples: query, "exact match", wildcard*, wild?ard, wild*rd
Fuzzy search: cake~ (finds cakes, bake)
Term boost: "red velvet"^4, chocolate^2
Field grouping: tags:(+work -"fun-stuff")
Escaping: Escape characters +-&|!(){}[]^"~*?:\ with \, e.g. \+
Range search: properties.timestamp:[1587729413488 TO *] (inclusive), properties.title:{A TO Z}(excluding A and Z)
Combinations: chocolate AND vanilla, chocolate OR vanilla, (chocolate OR vanilla) NOT "vanilla pudding"
Field search: properties.title:"The Title" AND text
Answered
Hi Everyone, I'M Using A Self-Hosted Clearml Server And I Added A Small Nginx-Reverse Proxy To Sit In Front Of The Fileserver So At Least There'S Some Level Of Security To The Files. I'M Trying To Test It Now Using A Small Experiment, And I"M Running Into

Hi everyone, I'm using a self-hosted ClearML server and I added a small nginx-reverse proxy to sit in front of the fileserver so at least there's some level of security to the files. I'm trying to test it now using a small experiment, and I"m running into an issue:

2023-11-08 13:20:12,473 - clearml.metrics - WARNING - Failed uploading to https://<my-host>/files (Failed uploading object <my-object>).

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> </p> <p>Additionally, a 302 Found error was encountered while trying to use an ErrorDocument to handle the request.</p> </body></html> )

I was wondering how ClearML handles sending stuff into the fileserver, and if there's anyway to get around this issue while at least preserving the proxy server since I want to keep my files private.

  
  
Posted one year ago
Votes Newest

Answers 13


Everything works fine when I access the /files endpoint from a browser after logging in via the webserver. However, when I run an experiment using the ClearML Python package and it tries to upload the artifacts to the /files endpoint, it gets blocked with a 401 Unauthorized error.

I’ve checked the ClearML Python package and it seems to be attaching the auth headers correctly. However, the JWT token it’s using is different from the one used by the browser, and it’s not being accepted by the server. I’ve tested this by manually sending requests to the server with both tokens, and only the browser token is accepted.

I’ve gone through the ClearML configuration file and didn't find any settings that could be causing this issue. Perhaps it is because I am using the wrong endpoint, since I am doing this:

local res, err = httpc:request_uri(" http://<my_host_ip>:8008/users.get_current_user ", {
method = "POST",
headers = {
["Authorization"] = "Bearer " .. token
}
})
if not res or res.status ~= 200 then
ngx.exit(ngx.HTTP_UNAUTHORIZED)
return
end

  
  
Posted one year ago

Yes @<1523701087100473344:profile|SuccessfulKoala55> , basically like this:

local token = ngx.req.get_headers()["Authorization"] or ngx.var.cookie_clearml_token_basic
if not token then
ngx.exit(ngx.HTTP_UNAUTHORIZED)
return
end

  
  
Posted one year ago

Is there any information on how the ClearML python package authenticates itself with the ClearML server? I am almost certain that the endpoint I am using to check the token validity can only handle the browser session, and fails when the package tries to access files, i.e. the server isn't correctly setup to validate the JWT from the ClearML Python package.

  
  
Posted one year ago

So I read that in the ClearML docs that the file server has no security whatsoever and that you guys recommend to use object storage (s3/azure/etc). I currently do not have resources to use those sadly. However, I do know that the webserver has JWT auth, and so the proxy uses some lua scripting to verify a valid token before access the /files endpoint.

  
  
Posted one year ago

Yes @<1523701087100473344:profile|SuccessfulKoala55> , I'm using a Lua script which makes a light api call to /users.get_current_user to check the validity of the JWT, not just its existence, before access the /files endpoint. This way, trying to access before logging in (no presence of token/invalid token) gets blocked, and logging in (presence of valid token in request header) grants access to the files. Works all fine and dandy in the browser, but I'm now realizing the application itself behaves differently and won't have access to these headers.

  
  
Posted one year ago

Looking at this for reference:
None

  
  
Posted one year ago

I assume you're taking this token from the cookie header?

  
  
Posted one year ago

But did you set up the proxy to verify the JWT token?

  
  
Posted one year ago

Does ClearML have configuration settings or environment variables that allow you to specify additional headers for HTTP requests?

  
  
Posted one year ago

It works fine in the browser when you try to access None , it gets blocked when you haven't logged in via the /login page first. I didn't forsee how the package may need to access this endpoint, meaning it'll also need a valid JWT in it's header.

  
  
Posted one year ago

Hi @<1600661428556009472:profile|HighCoyote66> , there's currently no place where you can add custom headers to the ClearML calls (it's not very hard to add, of course, as we already do that for authorization headers).

  
  
Posted one year ago

As for the proxy, what exactly does using it provide you with regards to keeping your files private?

  
  
Posted one year ago

nvm I fixed it thank you @<1523701087100473344:profile|SuccessfulKoala55> 🙏

  
  
Posted one year ago
846 Views
13 Answers
one year ago
one year ago
Tags