chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 13:17:40 +08:00
commit f1825c8ceb
10096 changed files with 2364182 additions and 0 deletions
+185
View File
@@ -0,0 +1,185 @@
(runtime-env-auth)=
# Authenticating Remote URIs in runtime_env
This section helps you:
* Avoid leaking remote URI credentials in your `runtime_env`
* Provide credentials safely in KubeRay
* Understand best practices for authenticating your remote URI
## Authenticating Remote URIs
You can add dependencies to your `runtime_env` with [remote URIs](remote-uris). This is straightforward for files hosted publicly, because you simply paste the public URI into your `runtime_env`:
```python
runtime_env = {"working_dir": (
"https://github.com/"
"username/repo/archive/refs/heads/master.zip"
)
}
```
However, dependencies hosted privately, in a private GitHub repo for example, require authentication. One common way to authenticate is to insert credentials into the URI itself:
```python
runtime_env = {"working_dir": (
"https://username:personal_access_token@github.com/"
"username/repo/archive/refs/heads/master.zip"
)
}
```
In this example, `personal_access_token` is a secret credential that authenticates this URI. While Ray can successfully access your dependencies using authenticated URIs, **you should not include secret credentials in your URIs** for two reasons:
1. Ray may log the URIs used in your `runtime_env`, which means the Ray logs could contain your credentials.
2. Ray stores your remote dependency package in a local directory, and it uses a parsed version of the remote URIincluding your credentialas the directory's name.
In short, your remote URI is not treated as a secret, so it should not contain secret info. Instead, use a `netrc` file.
## Running on VMs: the netrc File
The [netrc file](https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html) contains credentials that Ray uses to automatically log into remote servers. Set your credentials in this file instead of in the remote URI:
```bash
# "$HOME/.netrc"
machine github.com
login username
password personal_access_token
```
In this example, the `machine github.com` line specifies that any access to `github.com` should be authenticated using the provided `login` and `password`.
:::{note}
On Unix, name the `netrc` file as `.netrc`. On Windows, name the file as `_netrc`.
:::
The `netrc` file requires owner read/write access, so make sure to run the `chmod` command after creating the file:
```bash
chmod 600 "$HOME/.netrc"
```
Add the `netrc` file to your VM container's home directory, so Ray can access the `runtime_env`'s private remote URIs, even when they don't contain credentials.
## Running on KubeRay: Secrets with netrc
[KubeRay](kuberay-index) can also obtain credentials from a `netrc` file for remote URIs. Supply your `netrc` file using a Kubernetes secret and a Kubernetes volume with these steps:
1\. Launch your Kubernetes cluster.
2\. Create the `netrc` file locally in your home directory.
3\. Store the `netrc` file's contents as a Kubernetes secret on your cluster:
```bash
kubectl create secret generic netrc-secret --from-file=.netrc="$HOME/.netrc"
```
4\. Expose the secret to your KubeRay application using a mounted volume, and update the `NETRC` environment variable to point to the `netrc` file. Include the following YAML in your KubeRay config.
```yaml
headGroupSpec:
...
containers:
- name: ...
image: rayproject/ray:latest
...
volumeMounts:
- mountPath: "/home/ray/netrcvolume/"
name: netrc-kuberay
readOnly: true
env:
- name: NETRC
value: "/home/ray/netrcvolume/.netrc"
volumes:
- name: netrc-kuberay
secret:
secretName: netrc-secret
workerGroupSpecs:
...
containers:
- name: ...
image: rayproject/ray:latest
...
volumeMounts:
- mountPath: "/home/ray/netrcvolume/"
name: netrc-kuberay
readOnly: true
env:
- name: NETRC
value: "/home/ray/netrcvolume/.netrc"
volumes:
- name: netrc-kuberay
secret:
secretName: netrc-secret
```
5\. Apply your KubeRay config.
Your KubeRay application can use the `netrc` file to access private remote URIs, even when they don't contain credentials.
## Using Bearer Tokens for HTTPS Authentication
As an alternative to using a `netrc` file, you can authenticate HTTPS remote URIs using bearer tokens. This is particularly useful when working with APIs that require OAuth2 or similar token-based authentication.
Set the `RAY_RUNTIME_ENV_BEARER_TOKEN` environment variable with your bearer token:
```bash
export RAY_RUNTIME_ENV_BEARER_TOKEN="your_bearer_token_here"
```
Ray will automatically include this token in the `Authorization` header when downloading HTTPS URIs in your `runtime_env`:
```python
runtime_env = {"working_dir": "https://example.com/private/repo.zip"}
```
The bearer token will be sent as an `Authorization: Bearer your_bearer_token_here` header with the HTTPS request.
### Running on KubeRay: Bearer Tokens with Secrets
For KubeRay deployments, you can securely provide the bearer token using Kubernetes secrets:
1\. Create a Kubernetes secret containing your bearer token:
```bash
kubectl create secret generic bearer-token-secret \
--from-literal=RAY_RUNTIME_ENV_BEARER_TOKEN="your_bearer_token_here"
```
2\. Expose the secret to your KubeRay application using environment variables. Include the following YAML in your KubeRay config:
```yaml
headGroupSpec:
...
containers:
- name: ...
image: rayproject/ray:latest
...
env:
- name: RAY_RUNTIME_ENV_BEARER_TOKEN
valueFrom:
secretKeyRef:
name: bearer-token-secret
key: RAY_RUNTIME_ENV_BEARER_TOKEN
workerGroupSpecs:
...
containers:
- name: ...
image: rayproject/ray:latest
...
env:
- name: RAY_RUNTIME_ENV_BEARER_TOKEN
valueFrom:
secretKeyRef:
name: bearer-token-secret
key: RAY_RUNTIME_ENV_BEARER_TOKEN
```
3\. Apply your KubeRay config.
Your KubeRay application will use the bearer token to authenticate HTTPS requests when downloading remote URIs in the `runtime_env`.