Skip to content

Commit 4a89252

Browse files
lokeshranginenilokeshrangineni
authored
feat: Adding SSL support for the React UI server and feast UI command. (#4736)
Adding SSL support for the React UI server and feast UI command. Adding the separate documentation for all the feast servers to start in TLS mode except the offline server. We will add once the SSL support is added to offline server. Signed-off-by: lrangine <19699092+lokeshrangineni@users.noreply.github.com>
1 parent d4d94f8 commit 4a89252

File tree

4 files changed

+173
-1
lines changed

4 files changed

+173
-1
lines changed

docs/reference/starting-feast-servers-tls-mode.md

Lines changed: 131 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,131 @@
1+
# Starting feast servers in TLS (SSL) mode.
2+
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are both protocols encrypts communications between a client and server to provide enhanced security.TLS or SSL words used interchangeably.
3+
This article is going to show the sample code to start all the feast servers such as online server, offline server, registry server and UI server in TLS mode.
4+
Also show examples related to feast clients to communicate with the feast servers started in TLS mode.
5+
6+
## Obtaining a self-signed TLS certificate and key
7+
In development mode we can generate a self-signed certificate for testing. In an actual production environment it is always recommended to get it from a trusted TLS certificate provider.
8+
9+
```shell
10+
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
11+
```
12+
13+
The above command will generate two files
14+
* `key.pem` : certificate private key
15+
* `cert.pem`: certificate public key
16+
17+
You can use the public or private keys generated from above command in the rest of the sections in this tutorial.
18+
19+
## Create the feast demo repo for the rest of the sections.
20+
create a feast repo using `feast init` command and use this repo as a demo for subsequent sections.
21+
22+
```shell
23+
feast init feast_repo_ssl_demo
24+
```
25+
26+
Output is
27+
```
28+
Creating a new Feast repository in /Documents/Src/feast/feast_repo_ssl_demo.
29+
```
30+
31+
You need to execute the feast cli commands from `feast_repo_ssl_demo/feature_repo` directory created from the above `feast init` command.
32+
33+
## Starting feast online server (feature server) in TLS mode
34+
To start the feature server in TLS mode, you need to provide the private and public keys using the `--key` and `--cert` arguments with the `feast serve` command.
35+
36+
```shell
37+
feast serve --key /path/to/key.pem --cert /path/to/cert.pem
38+
```
39+
You will see the output something similar to as below. Note the server url starts in the `https` mode.
40+
41+
```shell
42+
[2024-11-04 15:03:57 -0500] [77989] [INFO] Starting gunicorn 23.0.0
43+
[2024-11-04 15:03:57 -0500] [77989] [INFO] Listening at: https://127.0.0.1:6566 (77989)
44+
[2024-11-04 15:03:57 -0500] [77989] [INFO] Using worker: uvicorn_worker.UvicornWorker
45+
[2024-11-04 15:03:57 -0500] [77992] [INFO] Booting worker with pid: 77992
46+
[2024-11-04 15:03:57 -0500] [77992] [INFO] Started server process [77992]
47+
[2024-11-04 15:03:57 -0500] [77992] [INFO] Waiting for application startup.
48+
[2024-11-04 15:03:57 -0500] [77992] [INFO] Application startup complete.
49+
```
50+
51+
52+
### Feast client connecting to remote online sever started in TLS mode.
53+
54+
Sometimes you may need to pass the self-signed public key to connect to the remote online server started in SSL mode if you have not added the public key to the certificate store.
55+
56+
feast client example:
57+
The registry is pointing to registry of remote feature store. If it is not accessible then should be configured to use remote registry.
58+
59+
```yaml
60+
project: feast-project
61+
registry: /remote/data/registry.db
62+
provider: local
63+
online_store:
64+
path: http://localhost:6566
65+
type: remote
66+
cert: /path/to/cert.pem
67+
entity_key_serialization_version: 2
68+
auth:
69+
type: no_auth
70+
```
71+
{% endcode %}
72+
73+
`cert` is an optional configuration to the public certificate path when the online server starts in TLS(SSL) mode. Typically, this file ends with `*.crt`, `*.cer`, or `*.pem`.
74+
75+
## Starting feast Registry server in TLS mode
76+
To start the feature server in TLS mode, you need to provide the private and public keys using the `--key` and `--cert` arguments with the `feast serve_registry` command.
77+
78+
```shell
79+
feast serve_registry --key /path/to/key.pem --cert /path/to/cert.pem
80+
```
81+
You will see the output something similar to as below. Note the server url starts in the `https` mode.
82+
83+
```shell
84+
11/04/2024 03:10:27 PM feast.registry_server INFO: Starting grpc registry server in TLS(SSL) mode
85+
11/04/2024 03:10:27 PM feast.registry_server INFO: Grpc server started at https://localhost:6570
86+
```
87+
88+
### Feast client connecting to remote registry sever started in TLS mode.
89+
90+
Sometimes you may need to pass the self-signed public key to connect to the remote registry server started in SSL mode if you have not added the public key to the certificate store.
91+
92+
feast client example:
93+
94+
```yaml
95+
project: feast-project
96+
registry:
97+
registry_type: remote
98+
path: https://localhost:6570
99+
cert: /path/to/cert.pem
100+
provider: local
101+
online_store:
102+
path: http://localhost:6566
103+
type: remote
104+
cert: /path/to/cert.pem
105+
entity_key_serialization_version: 2
106+
auth:
107+
type: no_auth
108+
```
109+
{% endcode %}
110+
111+
`cert` is an optional configuration to the public certificate path when the registry server starts in TLS(SSL) mode. Typically, this file ends with `*.crt`, `*.cer`, or `*.pem`.
112+
113+
## Starting feast offline server in TLS mode
114+
115+
TBD
116+
117+
118+
## Starting feast UI server (react app) in TLS mode
119+
To start the feast UI server in TLS mode, you need to provide the private and public keys using the `--key` and `--cert` arguments with the `feast ui` command.
120+
121+
```shell
122+
feast ui --key /path/to/key.pem --cert /path/to/cert.pem
123+
```
124+
You will see the output something similar to as below. Note the server url starts in the `https` mode.
125+
126+
```shell
127+
INFO: Started server process [78872]
128+
INFO: Waiting for application startup.
129+
INFO: Application startup complete.
130+
INFO: Uvicorn running on https://0.0.0.0:8888 (Press CTRL+C to quit)
131+
```

sdk/python/feast/cli.py

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -168,17 +168,41 @@ def version():
168168
type=click.STRING,
169169
default="",
170170
)
171+
@click.option(
172+
"--key",
173+
"-k",
174+
"tls_key_path",
175+
type=click.STRING,
176+
default="",
177+
show_default=False,
178+
help="path to TLS(SSL) certificate private key. You need to pass --cert arg as well to start server in TLS mode",
179+
)
180+
@click.option(
181+
"--cert",
182+
"-c",
183+
"tls_cert_path",
184+
type=click.STRING,
185+
default="",
186+
show_default=False,
187+
help="path to TLS(SSL) certificate public key. You need to pass --key arg as well to start server in TLS mode",
188+
)
171189
@click.pass_context
172190
def ui(
173191
ctx: click.Context,
174192
host: str,
175193
port: int,
176194
registry_ttl_sec: int,
177195
root_path: str = "",
196+
tls_key_path: str = "",
197+
tls_cert_path: str = "",
178198
):
179199
"""
180200
Shows the Feast UI over the current directory
181201
"""
202+
if (tls_key_path and not tls_cert_path) or (not tls_key_path and tls_cert_path):
203+
raise click.BadParameter(
204+
"Please configure --key and --cert args to start the feature server in SSL mode."
205+
)
182206
store = create_feature_store(ctx)
183207
# Pass in the registry_dump method to get around a circular dependency
184208
store.serve_ui(
@@ -187,6 +211,8 @@ def ui(
187211
get_registry_dump=registry_dump,
188212
registry_ttl_sec=registry_ttl_sec,
189213
root_path=root_path,
214+
tls_key_path=tls_key_path,
215+
tls_cert_path=tls_cert_path,
190216
)
191217

192218

sdk/python/feast/feature_store.py

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1931,6 +1931,8 @@ def serve_ui(
19311931
get_registry_dump: Callable,
19321932
registry_ttl_sec: int,
19331933
root_path: str = "",
1934+
tls_key_path: str = "",
1935+
tls_cert_path: str = "",
19341936
) -> None:
19351937
"""Start the UI server locally"""
19361938
if flags_helper.is_test():
@@ -1947,6 +1949,8 @@ def serve_ui(
19471949
project_id=self.config.project,
19481950
registry_ttl_sec=registry_ttl_sec,
19491951
root_path=root_path,
1952+
tls_key_path=tls_key_path,
1953+
tls_cert_path=tls_cert_path,
19501954
)
19511955

19521956
def serve_registry(

sdk/python/feast/ui_server.py

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -101,11 +101,22 @@ def start_server(
101101
project_id: str,
102102
registry_ttl_sec: int,
103103
root_path: str = "",
104+
tls_key_path: str = "",
105+
tls_cert_path: str = "",
104106
):
105107
app = get_app(
106108
store,
107109
project_id,
108110
registry_ttl_sec,
109111
root_path,
110112
)
111-
uvicorn.run(app, host=host, port=port)
113+
if tls_key_path and tls_cert_path:
114+
uvicorn.run(
115+
app,
116+
host=host,
117+
port=port,
118+
ssl_keyfile=tls_key_path,
119+
ssl_certfile=tls_cert_path,
120+
)
121+
else:
122+
uvicorn.run(app, host=host, port=port)

0 commit comments

Comments
 (0)