Security

Securing Endpoint Access

Server Side Authentication

To enable authentication for a given BentoServer endpoint, add an authentication middleware to the bentoml.Service via the add_asgi_middleware API. This API supports mounting any ASGI middleware on the BentoServer endpoints, and many of the middlewares built by the Python community provide authentication or security functionality.

For example, you may apply HTTPS redirect and set trusted host URLs this way:

import bentoml
from starlette.middleware.httpsredirect import HTTPSRedirectMiddleware
from starlette.middleware.trustedhost import TrustedHostMiddleware

svc = bentoml.Service('my_service', runners=[...])

# Reject requests whose Host header is not in the allow-list
svc.add_asgi_middleware(TrustedHostMiddleware, allowed_hosts=['example.com', '*.example.com'])
# Redirect plain HTTP requests to HTTPS
svc.add_asgi_middleware(HTTPSRedirectMiddleware)

For JWT authentication, check out starlette-authlib and starlette-auth-toolkit. Here’s an example with starlette-authlib:

import bentoml
from starlette_authlib.middleware import AuthlibMiddleware as SessionMiddleware

svc = bentoml.Service('my_service', runners=[...])

# 'your_secret' is a placeholder; load the real key from the environment or a secret store
svc.add_asgi_middleware(SessionMiddleware, secret_key='your_secret')
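Because add_asgi_middleware accepts any ASGI middleware, a small custom check can be mounted the same way. The following is an added example, not code from BentoML: the class name BearerTokenMiddleware, the exempt_paths option, the API_TOKEN variable name and the sample token and paths are assumptions, and it assumes the service is served over HTTP only.

```python
import asyncio
import hmac


class BearerTokenMiddleware:
    """Pure ASGI middleware: reject HTTP requests without the expected bearer token."""
    def __init__(self, app, token, exempt_paths=()):
        self.app = app
        self._expected = f"Bearer {token}".encode()
        self.exempt_paths = frozenset(exempt_paths)

    async def __call__(self, scope, receive, send):
        # Only HTTP scopes are checked; lifespan events and exempt paths pass through.
        if scope["type"] != "http" or scope["path"] in self.exempt_paths:
            return await self.app(scope, receive, send)
        # ASGI headers are (lowercased name, value) byte pairs.
        supplied = dict(scope["headers"]).get(b"authorization", b"")
        # Constant-time comparison avoids leaking the token through timing.
        if hmac.compare_digest(supplied, self._expected):
            return await self.app(scope, receive, send)
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"www-authenticate", b"Bearer")]})
        await send({"type": "http.response.body", "body": b"Unauthorized"})


# Mounting (API_TOKEN is a hypothetical environment variable name):
#   svc.add_asgi_middleware(BearerTokenMiddleware, token=os.environ["API_TOKEN"])

async def _downstream(scope, receive, send):
    # Constructed stand-in for the BentoServer application.
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for(headers, path="/predict"):
    """Drive the middleware with a constructed ASGI scope; return the HTTP status."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    app = BearerTokenMiddleware(_downstream, token="constructed-token",
                                exempt_paths=("/healthz",))
    scope = {"type": "http", "path": path, "headers": headers}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]
```

Calling status_for with and without the Authorization header shows the 200 and 401 paths without starting a server.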

Reverse Proxy

It is common practice to set up a reverse proxy server to handle rate limiting and authentication for backend services.

Service Mesh

For Kubernetes users looking for advanced authentication, access control, and routing policies, we recommend deploying Bentos with Yatai and using Yatai’s Istio integration.

Security Policy

To report a vulnerability, we kindly ask you not to share it publicly on GitHub or in the community Slack channel. Instead, contact the BentoML team directly at contact@bentoml.ai.

View BentoML’s full security policy here.

Todo

  • Base Image Security

  • Securing Yatai deployment

  • Reverse Proxy setup guide and sample code/config

  • Service Mesh setup guide and sample code/config