← Back to DevBytes

Authentication and Authorization in Dask Applications

Authentication and Authorization in Dask Applications

What Is Authentication and Authorization in Dask?

In distributed computing environments like Dask, authentication ensures that only legitimate clients, schedulers, and workers can communicate with each other. Authorization defines what actions authenticated entities are allowed to perform – for example, submitting tasks, accessing specific datasets, or scaling clusters. Without these controls, an unsecured Dask cluster is vulnerable to unauthorized access, data leaks, and resource abuse.

Dask’s security model operates at two levels:

For multi-tenant deployments, Dask Gateway adds an additional layer, managing cluster lifecycle and user authentication via proxy authentication, OAuth, or JWT.

Why Authentication and Authorization Matter

Unsecured Dask clusters expose several risks:

By implementing authentication and authorization, you protect your infrastructure, enforce multi-tenancy, and meet security compliance standards.

How to Use Authentication and Authorization in Dask

1. TLS Encryption and Mutual Authentication

Dask supports TLS for encrypted communication. When using mutual TLS (mTLS), each component presents a certificate, verifying identity on both sides. This is the most robust foundation for authentication.

Step 1: Generate certificates
Use OpenSSL to create a Certificate Authority (CA), server certificates for the scheduler and workers, and client certificates for users.

# Create CA
openssl req -new -x509 -days 365 -nodes -out ca.crt -keyout ca.key -subj "/CN=MyDaskCA"

# Scheduler cert
openssl req -new -nodes -out scheduler.csr -keyout scheduler.key -subj "/CN=scheduler"
openssl x509 -req -in scheduler.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out scheduler.crt -days 365

# Worker cert (repeat for each worker or use wildcard)
openssl req -new -nodes -out worker.csr -keyout worker.key -subj "/CN=worker"
openssl x509 -req -in worker.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out worker.crt -days 365

# Client cert
openssl req -new -nodes -out client.csr -keyout client.key -subj "/CN=client"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

Step 2: Start the scheduler with TLS

dask-scheduler \
  --tls-ca-file ca.crt \
  --tls-cert scheduler.crt \
  --tls-key scheduler.key \
  --require-encryption

Step 3: Start workers with TLS

dask-worker tcp://scheduler:8786 \
  --tls-ca-file ca.crt \
  --tls-cert worker.crt \
  --tls-key worker.key \
  --require-encryption

Step 4: Connect a client with TLS

from dask.distributed import Client
import dask.config

dask.config.set({
    "distributed.comm.tls.ca_file": "ca.crt",
    "distributed.comm.tls.client_cert": "client.crt",
    "distributed.comm.tls.client_key": "client.key",
    "distributed.comm.require_encryption": True
})

client = Client("tls://scheduler:8786")
print(client.scheduler_info())

Now all communication is encrypted and authenticated. Without valid certificates, connections are rejected.

2. Using Dask’s Security Module for Authentication

Beyond TLS, Dask’s Security class allows you to define authentication backends and authorization rules. This is useful when you need user-based access control on top of encryption.

Example: Password-based authentication
First, create a Security object with a password for the scheduler:

from dask.distributed import Security, Client

# On the scheduler side (e.g., in a config file or environment variable)
# We set a shared password:
sec = Security(
    require_encryption=True,
    tls_ca_file="ca.crt",
    tls_scheduler_cert="scheduler.crt",
    tls_scheduler_key="scheduler.key",
    # Custom authentication
    authentication="password",
    authentication_arguments={"password": "my_secret_pass"}
)

# The scheduler can be started with:
# dask-scheduler --security sec ... (or via config)

For the client to authenticate:

sec_client = Security(
    require_encryption=True,
    tls_ca_file="ca.crt",
    tls_client_cert="client.crt",
    tls_client_key="client.key",
    authentication="password",
    authentication_arguments={"password": "my_secret_pass"}
)

client = Client("tls://scheduler:8786", security=sec_client)

If the password doesn’t match, the scheduler refuses the connection.

3. Authorization with Dask’s Security Module

Dask also supports fine-grained authorization by defining allowed operations. You can restrict which users can submit tasks, access key-value store, or perform administrative actions.

Example: Define authorized users

from dask.distributed import Security

# Define a security policy with authorization rules
sec = Security(
    require_encryption=True,
    # ... TLS settings
    authentication="password",
    authentication_arguments={"password": "pass"},
    # Authorization: only allow user "alice" to submit tasks
    authorization="user",
    authorization_arguments={
        "users": {
            "alice": {"submit": True, "admin": False},
            "bob": {"submit": False, "admin": False}
        }
    }
)

In this example, even if Bob authenticates successfully, he cannot submit tasks because his submit permission is False. The scheduler enforces these rules per operation.

4. Multi-Tenant Authentication with Dask Gateway

Dask Gateway is the recommended way to offer Dask as a service. It acts as a proxy that authenticates users, manages clusters, and enforces resource limits. It supports multiple authentication providers.

Setup Dask Gateway with JWT authentication

First, configure the gateway server (e

🚀 Need a reliable AI agent for your project?

Deploy Hermes Agent in 10 minutes. Managed hosting, zero DevOps.

Get Started — $23.99/mo
← Back to all articles