Flower Federations with Authentication π§ͺΒΆ
[!NOTE] π§ͺ = This example covers experimental features that might change in future versions of Flower. Please consult the regular PyTorch examples (quickstart, advanced) to learn how to use Flower with PyTorch.
The following steps describe how to start a long-running Flower server (SuperLink) and a long-running Flower clients (SuperNode) with authentication enabled. The task is to train a simple CNN for image classification using PyTorch.
[!TIP] Follow this how-to guide to learn more about Flowerβs Deployment Engine, how setting up secure TLS-enabled communications and SuperNode authentication works. If you are already familiar with how the Deployment Engine works, you may want to learn how to run this same example using Docker. Check out the Flower with Docker documentation.
Project SetupΒΆ
Start by cloning the example project. We prepared a single-line command that you can copy into your shell which will checkout the example for you:
git clone --depth=1 https://github.com/adap/flower.git _tmp \
&& mv _tmp/examples/flower-authentication . \
&& rm -rf _tmp && cd flower-authentication
This will create a new directory called flower-authentication with the following project structure:
flower-authentication
βββ authexample
β βββ __init__.py
β βββ client_app.py # Defines your ClientApp
β βββ server_app.py # Defines your ServerApp
β βββ task.py # Defines your model, training and data loading
βββ pyproject.toml # Project metadata like dependencies and configs
βββ certificate.conf # Configuration for OpenSSL
βββ generate.sh # Generate certificates and keys
βββ prepare_dataset.py # Generate datasets for each SuperNode to use
βββ README.md
Install dependencies and projectΒΆ
Install the dependencies defined in pyproject.toml as well as the authexample package.
pip install -e .
Generate TLS certificatesΒΆ
The generate_cert.sh script generates certificates for creating a secure TLS connection between the SuperLink and SuperNodes, as well as between the flwr CLI (user) and the SuperLink.
[!NOTE] Note that this script should only be used for development purposes and not for creating production key pairs.
./generate_cert.sh
Generate public and private keys for SuperNode authenticationΒΆ
The generate_auth_keys.sh script generates three private and public key pairs. One pair for the SuperLink and two pairs for the two SuperNodes.
[!NOTE] Note that this script should only be used for development purposes and not for creating production key pairs.
./generate_auth_keys.sh
You can generate more keys by specifying the number of client credentials that you wish to generate. The script also generates a CSV file that includes each of the generated (client) public keys.
./generate_auth_keys.sh {your_number_of_clients}
Start the long-running Flower server (SuperLink)ΒΆ
Starting long-running Flower server component (SuperLink) and enable authentication is very easy; all you need to do is type
--auth-list-public-keys containing file path to the known client_public_keys.csv. Notice that you can only enable authentication with a secure TLS connection.
Letβs first launch the SuperLink:
flower-superlink \
--ssl-ca-certfile certificates/ca.crt \
--ssl-certfile certificates/server.pem \
--ssl-keyfile certificates/server.key \
--auth-list-public-keys keys/client_public_keys.csv
At this point your server-side is idling. Next, letβs connect two SuperNodes, and then weβll start a run.
Start the long-running Flower client (SuperNode)ΒΆ
[!NOTE] Typically each
SuperNoderuns in a different entity/organization which has access to a dataset. In this example we are going to artificially create N dataset splits and saved them into a new directory calleddatasets/. Then, eachSuperNodewill be pointed to the dataset it should load via the--node-configargument. We provide a script that does the download, partition and saving of CIFAR-10.
python prepare_dataset.py
In a new terminal window, start the first long-running Flower client (SuperNode):
flower-supernode \
--root-certificates certificates/ca.crt \
--auth-supernode-private-key keys/client_credentials_1 \
--auth-supernode-public-key keys/client_credentials_1.pub \
--node-config 'dataset-path="datasets/cifar10_part_1"' \
--clientappio-api-address="0.0.0.0:9094"
In yet another new terminal window, start the second long-running Flower client:
flower-supernode \
--root-certificates certificates/ca.crt \
--auth-supernode-private-key keys/client_credentials_2 \
--auth-supernode-public-key keys/client_credentials_2.pub \
--node-config 'dataset-path="datasets/cifar10_part_2"' \
--clientappio-api-address="0.0.0.0:9095"
If you generated more than 2 client credentials, you can add more clients by opening new terminal windows and running the command above. Donβt forget to specify the correct client private and public keys for each client instance you created.
[!TIP] Note the
--node-configpassed when spawning theSuperNodeis accessible to theClientAppvia the context. In this example, theclient_fn()uses it to load the dataset and then proceed with the training of the model.def client_fn(context: Context): # retrieve the passed `--node-config` dataset_path = context.node_config["dataset-path"] # then load the dataset
Run the Flower AppΒΆ
With both the long-running server (SuperLink) and two SuperNodes up and running, we can now start the run. Note that the command below points to a federation named my-federation. Its entry point is defined in the pyproject.toml.
flwr run . my-federation