Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update SSL how-to-guide to use Flower Next #3408

Merged
merged 5 commits into from
May 6, 2024
Merged

Update SSL how-to-guide to use Flower Next #3408

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
45237c8
Fix ssl guide to use Flower Next
danielnugraha May 6, 2024
3d273cd
Add sentence
danielnugraha May 6, 2024
bca4e2c
Format
danielnugraha May 6, 2024
c9ef093
Merge branch 'main' into fix-ssl-docs
danieljanes May 6, 2024
2e1e1b9
Edit SSL docs
danieljanes May 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 24 additions & 48 deletions doc/source/how-to-enable-ssl-connections.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
Enable SSL connections
======================

This guide describes how to a SSL-enabled secure Flower server can be started and
how a Flower client can establish a secure connections to it.
This guide describes how to a SSL-enabled secure Flower server (:code:`SuperLink`) can be started and
how a Flower client (:code:`SuperNode`) can establish a secure connections to it.

A complete code example demonstrating a secure connection can be found
`here <https://github.com/adap/flower/tree/main/examples/advanced-tensorflow>`_.

The code example comes with a README.md file which will explain how to start it. Although it is
already SSL-enabled, it might be less descriptive on how. Stick to this guide for a deeper
The code example comes with a :code:`README.md` file which explains how to start it. Although it is
already SSL-enabled, it might be less descriptive on how it does so. Stick to this guide for a deeper
introduction to the topic.


Expand All @@ -19,7 +19,6 @@ Using SSL-enabled connections requires certificates to be passed to the server a
the purpose of this guide we are going to generate self-signed certificates. As this can become
quite complex we are going to ask you to run the script in
:code:`examples/advanced-tensorflow/certificates/generate.sh`

with the following command sequence:

.. code-block:: bash
Expand All @@ -29,67 +28,44 @@ with the following command sequence:

This will generate the certificates in :code:`examples/advanced-tensorflow/.cache/certificates`.

The approach how the SSL certificates are generated in this example can serve as an inspiration and
starting point but should not be taken as complete for production environments. Please refer to other
The approach for generating SSL certificates in the context of this example can serve as an inspiration and
starting point, but it should not be used as a reference for production environments. Please refer to other
sources regarding the issue of correctly generating certificates for production environments.
For non-critical prototyping or research projects, it might be sufficient to use the self-signed certificates generated using
the scripts mentioned in this guide.

In case you are a researcher you might be just fine using the self-signed certificates generated using
the scripts which are part of this guide.


Server
------

We are now going to show how to write a sever which uses the previously generated scripts.

.. code-block:: python
Server (SuperLink)
------------------

from pathlib import Path
import flwr as fl
Use the following terminal command to start a sever (SuperLink) that uses the previously generated certificates:

# Start server
fl.server.start_server(
server_address="0.0.0.0:8080",
config=fl.server.ServerConfig(num_rounds=4),
certificates=(
Path(".cache/certificates/ca.crt").read_bytes(),
Path(".cache/certificates/server.pem").read_bytes(),
Path(".cache/certificates/server.key").read_bytes(),
)
)

When providing certificates, the server expects a tuple of three certificates. :code:`Path` can be used to easily read the contents of those files into byte strings, which is the data type :code:`start_server` expects.
.. code-block:: bash

flower-superlink --certificates certificates/ca.crt certificates/server.pem certificates/server.key

Client
------
When providing certificates, the server expects a tuple of three certificates paths: CA certificate, server certificate and server private key.

We are now going to show how to write a client which uses the previously generated scripts:

.. code-block:: python
Client (SuperNode)
------------------

from pathlib import Path
import flwr as fl
Use the following terminal command to start a client (SuperNode) that uses the previously generated certificates:

# Define client somewhere
client = MyFlowerClient()
.. code-block:: bash

# Start client
fl.client.start_client(
"localhost:8080",
client=client.to_client(),
root_certificates=Path(".cache/certificates/ca.crt").read_bytes(),
)
flower-client-app client:app
--root-certificates certificates/ca.crt
--server 127.0.0.1:9092

When setting :code:`root_certificates`, the client expects the PEM-encoded root certificates as a byte string.
We are again using :code:`Path` to simplify reading those as byte strings.
When setting :code:`root_certificates`, the client expects a file path to PEM-encoded root certificates.


Conclusion
----------

You should now have learned how to generate self-signed certificates using the given script, start a
SSL-enabled server, and have a client establish a secure connection to it.
You should now have learned how to generate self-signed certificates using the given script, start an
SSL-enabled server and have a client establish a secure connection to it.


Additional resources
Expand Down