AFIK, Ray doesn’t have any security / authorization capability and is essentially wide open to anyone that has identified where the cluster is deployed.
Are there plans to support a native security / authorization capability?
Has anyone addressed this themselves? (curious to how other view this issue)
I don’t think there are current plans for that either, but feature requests are always welcome. For sure, we could use more documentation on the topic.
Securing Ray clusters is up to users. Details are dependent on deployment strategy and access pattern.
We’re glad to discuss security configuration for your particular setup, if that would be helpful.
Our concern is mainly that in this setup, someone with knowledge of the cluster location could run arbitrary code with potentially elevated account authorizations.
Grant it - this would be an easy way to get fired! - but ideally there could be some form of user/pwd that could be used to lock down access to the cluster. If there a way to extend the request pipeline or inject custom logic at the head node we would but from my understanding this doesn’t exist. For some enterprise customers this would actually be a deal-breaker in terms of adoption.