flwr-nightly 1.9.0.dev20240520__py3-none-any.whl → 1.10.0.dev20240612__py3-none-any.whl

flwr/server/app.py

@@ -15,17 +15,17 @@
 """Flower server app."""
 
 import argparse
-import asyncio
 import csv
 import importlib.util
 import sys
 import threading
-from logging import ERROR, INFO, WARN
+from logging import INFO, WARN
 from os.path import isfile
 from pathlib import Path
-from typing import List, Optional, Sequence, Set, Tuple
+from typing import Optional, Sequence, Set, Tuple
 
 import grpc
+from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.serialization import (
     load_ssh_private_key,
@@ -38,14 +38,12 @@ from flwr.common.constant import (
     MISSING_EXTRA_REST,
     TRANSPORT_TYPE_GRPC_RERE,
     TRANSPORT_TYPE_REST,
-    TRANSPORT_TYPE_VCE,
 )
 from flwr.common.exit_handlers import register_exit_handlers
-from flwr.common.logger import log, warn_deprecated_feature
+from flwr.common.logger import log
 from flwr.common.secure_aggregation.crypto.symmetric_encryption import (
     private_key_to_bytes,
     public_key_to_bytes,
-    ssh_types_to_elliptic_curve,
 )
 from flwr.proto.fleet_pb2_grpc import (  # pylint: disable=E0611
     add_FleetServicer_to_server,
@@ -63,7 +61,6 @@ from .superlink.fleet.grpc_bidi.grpc_server import (
 )
 from .superlink.fleet.grpc_rere.fleet_servicer import FleetServicer
 from .superlink.fleet.grpc_rere.server_interceptor import AuthenticateServerInterceptor
-from .superlink.fleet.vce import start_vce
 from .superlink.state import StateFactory
 
 ADDRESS_DRIVER_API = "0.0.0.0:9091"
@@ -193,120 +190,6 @@ def start_server(  # pylint: disable=too-many-arguments,too-many-locals
     return hist
 
 
-def run_driver_api() -> None:
-    """Run Flower server (Driver API)."""
-    log(INFO, "Starting Flower server (Driver API)")
-    # Running `flower-driver-api` is deprecated
-    warn_deprecated_feature("flower-driver-api")
-    log(WARN, "Use `flower-superlink` instead")
-    event(EventType.RUN_DRIVER_API_ENTER)
-    args = _parse_args_run_driver_api().parse_args()
-
-    # Parse IP address
-    parsed_address = parse_address(args.driver_api_address)
-    if not parsed_address:
-        sys.exit(f"Driver IP address ({args.driver_api_address}) cannot be parsed.")
-    host, port, is_v6 = parsed_address
-    address = f"[{host}]:{port}" if is_v6 else f"{host}:{port}"
-
-    # Obtain certificates
-    certificates = _try_obtain_certificates(args)
-
-    # Initialize StateFactory
-    state_factory = StateFactory(args.database)
-
-    # Start server
-    grpc_server: grpc.Server = run_driver_api_grpc(
-        address=address,
-        state_factory=state_factory,
-        certificates=certificates,
-    )
-
-    # Graceful shutdown
-    register_exit_handlers(
-        event_type=EventType.RUN_DRIVER_API_LEAVE,
-        grpc_servers=[grpc_server],
-        bckg_threads=[],
-    )
-
-    # Block
-    grpc_server.wait_for_termination()
-
-
-def run_fleet_api() -> None:
-    """Run Flower server (Fleet API)."""
-    log(INFO, "Starting Flower server (Fleet API)")
-    # Running `flower-fleet-api` is deprecated
-    warn_deprecated_feature("flower-fleet-api")
-    log(WARN, "Use `flower-superlink` instead")
-    event(EventType.RUN_FLEET_API_ENTER)
-    args = _parse_args_run_fleet_api().parse_args()
-
-    # Obtain certificates
-    certificates = _try_obtain_certificates(args)
-
-    # Initialize StateFactory
-    state_factory = StateFactory(args.database)
-
-    grpc_servers = []
-    bckg_threads = []
-
-    # Start Fleet API
-    if args.fleet_api_type == TRANSPORT_TYPE_REST:
-        if (
-            importlib.util.find_spec("requests")
-            and importlib.util.find_spec("starlette")
-            and importlib.util.find_spec("uvicorn")
-        ) is None:
-            sys.exit(MISSING_EXTRA_REST)
-        address_arg = args.rest_fleet_api_address
-        parsed_address = parse_address(address_arg)
-        if not parsed_address:
-            sys.exit(f"Fleet IP address ({address_arg}) cannot be parsed.")
-        host, port, _ = parsed_address
-        fleet_thread = threading.Thread(
-            target=_run_fleet_api_rest,
-            args=(
-                host,
-                port,
-                args.ssl_keyfile,
-                args.ssl_certfile,
-                state_factory,
-                args.rest_fleet_api_workers,
-            ),
-        )
-        fleet_thread.start()
-        bckg_threads.append(fleet_thread)
-    elif args.fleet_api_type == TRANSPORT_TYPE_GRPC_RERE:
-        address_arg = args.grpc_rere_fleet_api_address
-        parsed_address = parse_address(address_arg)
-        if not parsed_address:
-            sys.exit(f"Fleet IP address ({address_arg}) cannot be parsed.")
-        host, port, is_v6 = parsed_address
-        address = f"[{host}]:{port}" if is_v6 else f"{host}:{port}"
-        fleet_server = _run_fleet_api_grpc_rere(
-            address=address,
-            state_factory=state_factory,
-            certificates=certificates,
-        )
-        grpc_servers.append(fleet_server)
-    else:
-        raise ValueError(f"Unknown fleet_api_type: {args.fleet_api_type}")
-
-    # Graceful shutdown
-    register_exit_handlers(
-        event_type=EventType.RUN_FLEET_API_LEAVE,
-        grpc_servers=grpc_servers,
-        bckg_threads=bckg_threads,
-    )
-
-    # Block
-    if len(grpc_servers) > 0:
-        grpc_servers[0].wait_for_termination()
-    elif len(bckg_threads) > 0:
-        bckg_threads[0].join()
-
-
 # pylint: disable=too-many-branches, too-many-locals, too-many-statements
 def run_superlink() -> None:
     """Run Flower SuperLink (Driver API and Fleet API)."""
@@ -317,11 +200,15 @@ def run_superlink() -> None:
     args = _parse_args_run_superlink().parse_args()
 
     # Parse IP address
-    parsed_address = parse_address(args.driver_api_address)
-    if not parsed_address:
+    parsed_driver_address = parse_address(args.driver_api_address)
+    if not parsed_driver_address:
         sys.exit(f"Driver IP address ({args.driver_api_address}) cannot be parsed.")
-    host, port, is_v6 = parsed_address
-    address = f"[{host}]:{port}" if is_v6 else f"{host}:{port}"
+    driver_host, driver_port, driver_is_v6 = parsed_driver_address
+    driver_address = (
+        f"[{driver_host}]:{driver_port}"
+        if driver_is_v6
+        else f"{driver_host}:{driver_port}"
+    )
 
     # Obtain certificates
     certificates = _try_obtain_certificates(args)
@@ -331,13 +218,38 @@ def run_superlink() -> None:
 
     # Start Driver API
     driver_server: grpc.Server = run_driver_api_grpc(
-        address=address,
+        address=driver_address,
         state_factory=state_factory,
         certificates=certificates,
     )
 
     grpc_servers = [driver_server]
     bckg_threads = []
+    if not args.fleet_api_address:
+        args.fleet_api_address = (
+            ADDRESS_FLEET_API_GRPC_RERE
+            if args.fleet_api_type == TRANSPORT_TYPE_GRPC_RERE
+            else ADDRESS_FLEET_API_REST
+        )
+    parsed_fleet_address = parse_address(args.fleet_api_address)
+    if not parsed_fleet_address:
+        sys.exit(f"Fleet IP address ({args.fleet_api_address}) cannot be parsed.")
+    fleet_host, fleet_port, fleet_is_v6 = parsed_fleet_address
+    fleet_address = (
+        f"[{fleet_host}]:{fleet_port}" if fleet_is_v6 else f"{fleet_host}:{fleet_port}"
+    )
+
+    num_workers = args.fleet_api_num_workers
+    if num_workers != 1:
+        log(
+            WARN,
+            "The Fleet API currently supports only 1 worker. "
+            "You have specified %d workers. "
+            "Support for multiple workers will be added in future releases. "
+            "Proceeding with a single worker.",
+            args.fleet_api_num_workers,
+        )
+        num_workers = 1
 
     # Start Fleet API
     if args.fleet_api_type == TRANSPORT_TYPE_REST:
@@ -347,32 +259,25 @@ def run_superlink() -> None:
             and importlib.util.find_spec("uvicorn")
         ) is None:
             sys.exit(MISSING_EXTRA_REST)
-        address_arg = args.rest_fleet_api_address
-        parsed_address = parse_address(address_arg)
-        if not parsed_address:
-            sys.exit(f"Fleet IP address ({address_arg}) cannot be parsed.")
-        host, port, _ = parsed_address
+
+        _, ssl_certfile, ssl_keyfile = (
+            certificates if certificates is not None else (None, None, None)
+        )
+
         fleet_thread = threading.Thread(
             target=_run_fleet_api_rest,
             args=(
-                host,
-                port,
-                args.ssl_keyfile,
-                args.ssl_certfile,
+                fleet_host,
+                fleet_port,
+                ssl_keyfile,
+                ssl_certfile,
                 state_factory,
-                args.rest_fleet_api_workers,
+                num_workers,
             ),
         )
         fleet_thread.start()
         bckg_threads.append(fleet_thread)
     elif args.fleet_api_type == TRANSPORT_TYPE_GRPC_RERE:
-        address_arg = args.grpc_rere_fleet_api_address
-        parsed_address = parse_address(address_arg)
-        if not parsed_address:
-            sys.exit(f"Fleet IP address ({address_arg}) cannot be parsed.")
-        host, port, is_v6 = parsed_address
-        address = f"[{host}]:{port}" if is_v6 else f"{host}:{port}"
-
         maybe_keys = _try_setup_client_authentication(args, certificates)
         interceptors: Optional[Sequence[grpc.ServerInterceptor]] = None
         if maybe_keys is not None:
@@ -395,23 +300,12 @@ def run_superlink() -> None:
             interceptors = [AuthenticateServerInterceptor(state)]
 
         fleet_server = _run_fleet_api_grpc_rere(
-            address=address,
+            address=fleet_address,
             state_factory=state_factory,
             certificates=certificates,
             interceptors=interceptors,
         )
         grpc_servers.append(fleet_server)
-    elif args.fleet_api_type == TRANSPORT_TYPE_VCE:
-        f_stop = asyncio.Event()  # Does nothing
-        _run_fleet_api_vce(
-            num_supernodes=args.num_supernodes,
-            client_app_attr=args.client_app,
-            backend_name=args.backend,
-            backend_config_json_stream=args.backend_config,
-            app_dir=args.app_dir,
-            state_factory=state_factory,
-            f_stop=f_stop,
-        )
     else:
         raise ValueError(f"Unknown fleet_api_type: {args.fleet_api_type}")
 
@@ -435,44 +329,69 @@ def _try_setup_client_authentication(
     args: argparse.Namespace,
     certificates: Optional[Tuple[bytes, bytes, bytes]],
 ) -> Optional[Tuple[Set[bytes], ec.EllipticCurvePrivateKey, ec.EllipticCurvePublicKey]]:
-    if not args.require_client_authentication:
+    if (
+        not args.auth_list_public_keys
+        and not args.auth_superlink_private_key
+        and not args.auth_superlink_public_key
+    ):
         return None
 
+    if (
+        not args.auth_list_public_keys
+        or not args.auth_superlink_private_key
+        or not args.auth_superlink_public_key
+    ):
+        sys.exit(
+            "Authentication requires providing file paths for "
+            "'--auth-list-public-keys', '--auth-superlink-private-key' and "
+            "'--auth-superlink-public-key'. Provide all three to enable authentication."
+        )
+
     if certificates is None:
         sys.exit(
-            "Client authentication only works over secure connections. "
-            "Please provide certificate paths using '--certificates' when "
-            "enabling '--require-client-authentication'."
+            "Authentication requires secure connections. "
+            "Please provide certificate paths to `--ssl-certfile`, "
+            "`--ssl-keyfile`, and `—-ssl-ca-certfile` and try again."
         )
 
-    client_keys_file_path = Path(args.require_client_authentication[0])
+    client_keys_file_path = Path(args.auth_list_public_keys)
     if not client_keys_file_path.exists():
         sys.exit(
-            "The provided path to the client public keys CSV file does not exist: "
+            "The provided path to the known public keys CSV file does not exist: "
             f"{client_keys_file_path}. "
-            "Please provide the CSV file path containing known client public keys "
-            "to '--require-client-authentication'."
+            "Please provide the CSV file path containing known public keys "
+            "to '--auth-list-public-keys'."
         )
 
     client_public_keys: Set[bytes] = set()
-    ssh_private_key = load_ssh_private_key(
-        Path(args.require_client_authentication[1]).read_bytes(),
-        None,
-    )
-    ssh_public_key = load_ssh_public_key(
-        Path(args.require_client_authentication[2]).read_bytes()
-    )
 
     try:
-        server_private_key, server_public_key = ssh_types_to_elliptic_curve(
-            ssh_private_key, ssh_public_key
+        ssh_private_key = load_ssh_private_key(
+            Path(args.auth_superlink_private_key).read_bytes(),
+            None,
+        )
+        if not isinstance(ssh_private_key, ec.EllipticCurvePrivateKey):
+            raise ValueError()
+    except (ValueError, UnsupportedAlgorithm):
+        sys.exit(
+            "Error: Unable to parse the private key file in "
+            "'--auth-superlink-private-key'. Authentication requires elliptic "
+            "curve private and public key pair. Please ensure that the file "
+            "path points to a valid private key file and try again."
+        )
+
+    try:
+        ssh_public_key = load_ssh_public_key(
+            Path(args.auth_superlink_public_key).read_bytes()
         )
-    except TypeError:
+        if not isinstance(ssh_public_key, ec.EllipticCurvePublicKey):
+            raise ValueError()
+    except (ValueError, UnsupportedAlgorithm):
         sys.exit(
-            "The file paths provided could not be read as a private and public "
-            "key pair. Client authentication requires an elliptic curve public and "
-            "private key pair. Please provide the file paths containing elliptic "
-            "curve private and public keys to '--require-client-authentication'."
+            "Error: Unable to parse the public key file in "
+            "'--auth-superlink-public-key'. Authentication requires elliptic "
+            "curve private and public key pair. Please ensure that the file "
+            "path points to a valid public key file and try again."
         )
 
     with open(client_keys_file_path, newline="", encoding="utf-8") as csvfile:
@@ -484,14 +403,14 @@ def _try_setup_client_authentication(
                     client_public_keys.add(public_key_to_bytes(public_key))
                 else:
                     sys.exit(
-                        "Error: Unable to parse the public keys in the .csv "
-                        "file. Please ensure that the .csv file contains valid "
-                        "SSH public keys and try again."
+                        "Error: Unable to parse the public keys in the CSV "
+                        "file. Please ensure that the CSV file path points to a valid "
+                        "known SSH public keys files and try again."
                     )
         return (
             client_public_keys,
-            server_private_key,
-            server_public_key,
+            ssh_private_key,
+            ssh_public_key,
         )
 
 
@@ -501,21 +420,52 @@ def _try_obtain_certificates(
     # Obtain certificates
     if args.insecure:
         log(WARN, "Option `--insecure` was set. Starting insecure HTTP server.")
-        certificates = None
+        return None
     # Check if certificates are provided
-    elif args.certificates:
-        certificates = (
-            Path(args.certificates[0]).read_bytes(),  # CA certificate
-            Path(args.certificates[1]).read_bytes(),  # server certificate
-            Path(args.certificates[2]).read_bytes(),  # server private key
-        )
-    else:
-        sys.exit(
-            "Certificates are required unless running in insecure mode. "
-            "Please provide certificate paths with '--certificates' or run the server "
-            "in insecure mode using '--insecure' if you understand the risks."
-        )
-    return certificates
+    if args.fleet_api_type == TRANSPORT_TYPE_GRPC_RERE:
+        if args.ssl_certfile and args.ssl_keyfile and args.ssl_ca_certfile:
+            if not isfile(args.ssl_ca_certfile):
+                sys.exit("Path argument `--ssl-ca-certfile` does not point to a file.")
+            if not isfile(args.ssl_certfile):
+                sys.exit("Path argument `--ssl-certfile` does not point to a file.")
+            if not isfile(args.ssl_keyfile):
+                sys.exit("Path argument `--ssl-keyfile` does not point to a file.")
+            certificates = (
+                Path(args.ssl_ca_certfile).read_bytes(),  # CA certificate
+                Path(args.ssl_certfile).read_bytes(),  # server certificate
+                Path(args.ssl_keyfile).read_bytes(),  # server private key
+            )
+            return certificates
+        if args.ssl_certfile or args.ssl_keyfile or args.ssl_ca_certfile:
+            sys.exit(
+                "You need to provide valid file paths to `--ssl-certfile`, "
+                "`--ssl-keyfile`, and `—-ssl-ca-certfile` to create a secure "
+                "connection in Fleet API server (gRPC-rere)."
+            )
+    if args.fleet_api_type == TRANSPORT_TYPE_REST:
+        if args.ssl_certfile and args.ssl_keyfile:
+            if not isfile(args.ssl_certfile):
+                sys.exit("Path argument `--ssl-certfile` does not point to a file.")
+            if not isfile(args.ssl_keyfile):
+                sys.exit("Path argument `--ssl-keyfile` does not point to a file.")
+            certificates = (
+                b"",
+                Path(args.ssl_certfile).read_bytes(),  # server certificate
+                Path(args.ssl_keyfile).read_bytes(),  # server private key
+            )
+            return certificates
+        if args.ssl_certfile or args.ssl_keyfile:
+            sys.exit(
+                "You need to provide valid file paths to `--ssl-certfile` "
+                "and `--ssl-keyfile` to create a secure connection "
+                "in Fleet API server (REST, experimental)."
+            )
+    sys.exit(
+        "Certificates are required unless running in insecure mode. "
+        "Please provide certificate paths to `--ssl-certfile`, "
+        "`--ssl-keyfile`, and `—-ssl-ca-certfile` or run the server "
+        "in insecure mode using '--insecure' if you understand the risks."
+    )
 
 
 def _run_fleet_api_grpc_rere(
@@ -544,29 +494,6 @@ def _run_fleet_api_grpc_rere(
     return fleet_grpc_server
 
 
-# pylint: disable=too-many-arguments
-def _run_fleet_api_vce(
-    num_supernodes: int,
-    client_app_attr: str,
-    backend_name: str,
-    backend_config_json_stream: str,
-    app_dir: str,
-    state_factory: StateFactory,
-    f_stop: asyncio.Event,
-) -> None:
-    log(INFO, "Flower VCE: Starting Fleet API (VirtualClientEngine)")
-
-    start_vce(
-        num_supernodes=num_supernodes,
-        client_app_attr=client_app_attr,
-        backend_name=backend_name,
-        backend_config_json_stream=backend_config_json_stream,
-        state_factory=state_factory,
-        app_dir=app_dir,
-        f_stop=f_stop,
-    )
-
-
 # pylint: disable=import-outside-toplevel,too-many-arguments
 def _run_fleet_api_rest(
     host: str,
@@ -574,7 +501,7 @@ def _run_fleet_api_rest(
     ssl_keyfile: Optional[str],
     ssl_certfile: Optional[str],
     state_factory: StateFactory,
-    workers: int,
+    num_workers: int,
 ) -> None:
     """Run Driver API (REST-based)."""
     try:
@@ -583,25 +510,12 @@ def _run_fleet_api_rest(
         from flwr.server.superlink.fleet.rest_rere.rest_api import app as fast_api_app
     except ModuleNotFoundError:
         sys.exit(MISSING_EXTRA_REST)
-    if workers != 1:
-        raise ValueError(
-            f"The supported number of workers for the Fleet API (REST server) is "
-            f"1. Instead given {workers}. The functionality of >1 workers will be "
-            f"added in the future releases."
-        )
+
     log(INFO, "Starting Flower REST server")
 
     # See: https://www.starlette.io/applications/#accessing-the-app-instance
     fast_api_app.state.STATE_FACTORY = state_factory
 
-    validation_exceptions = _validate_ssl_files(
-        ssl_certfile=ssl_certfile, ssl_keyfile=ssl_keyfile
-    )
-    if any(validation_exceptions):
-        # Starting with 3.11 we can use ExceptionGroup but for now
-        # this seems to be the reasonable approach.
-        raise ValueError(validation_exceptions)
-
     uvicorn.run(
         app="flwr.server.superlink.fleet.rest_rere.rest_api:app",
         port=port,
@@ -610,70 +524,10 @@ def _run_fleet_api_rest(
         access_log=True,
         ssl_keyfile=ssl_keyfile,
         ssl_certfile=ssl_certfile,
-        workers=workers,
+        workers=num_workers,
     )
 
 
-def _validate_ssl_files(
-    ssl_keyfile: Optional[str], ssl_certfile: Optional[str]
-) -> List[ValueError]:
-    validation_exceptions = []
-
-    if ssl_keyfile is not None and not isfile(ssl_keyfile):
-        msg = "Path argument `--ssl-keyfile` does not point to a file."
-        log(ERROR, msg)
-        validation_exceptions.append(ValueError(msg))
-
-    if ssl_certfile is not None and not isfile(ssl_certfile):
-        msg = "Path argument `--ssl-certfile` does not point to a file."
-        log(ERROR, msg)
-        validation_exceptions.append(ValueError(msg))
-
-    if not bool(ssl_keyfile) == bool(ssl_certfile):
-        msg = (
-            "When setting one of `--ssl-keyfile` and "
-            "`--ssl-certfile`, both have to be used."
-        )
-        log(ERROR, msg)
-        validation_exceptions.append(ValueError(msg))
-
-    return validation_exceptions
-
-
-def _parse_args_run_driver_api() -> argparse.ArgumentParser:
-    """Parse command line arguments for Driver API."""
-    parser = argparse.ArgumentParser(
-        description="Start a Flower Driver API server. "
-        "This server will be responsible for "
-        "receiving TaskIns from the Driver script and "
-        "sending them to the Fleet API. Once the client nodes "
-        "are done, they will send the TaskRes back to this Driver API server (through"
-        " the Fleet API) which will then send them back to the Driver script.",
-    )
-
-    _add_args_common(parser=parser)
-    _add_args_driver_api(parser=parser)
-
-    return parser
-
-
-def _parse_args_run_fleet_api() -> argparse.ArgumentParser:
-    """Parse command line arguments for Fleet API."""
-    parser = argparse.ArgumentParser(
-        description="Start a Flower Fleet API server."
-        "This server will be responsible for "
-        "sending TaskIns (received from the Driver API) to the client nodes "
-        "and of receiving TaskRes sent back from those same client nodes once "
-        "they are done. Then, this Fleet API server can send those "
-        "TaskRes back to the Driver API.",
-    )
-
-    _add_args_common(parser=parser)
-    _add_args_fleet_api(parser=parser)
-
-    return parser
-
-
 def _parse_args_run_superlink() -> argparse.ArgumentParser:
     """Parse command line arguments for both Driver API and Fleet API."""
     parser = argparse.ArgumentParser(
@@ -696,13 +550,23 @@ def _add_args_common(parser: argparse.ArgumentParser) -> None:
         "Use this flag only if you understand the risks.",
     )
     parser.add_argument(
-        "--certificates",
-        nargs=3,
-        metavar=("CA_CERT", "SERVER_CERT", "PRIVATE_KEY"),
+        "--ssl-certfile",
+        help="Fleet API server SSL certificate file (as a path str) "
+        "to create a secure connection.",
+        type=str,
+        default=None,
+    )
+    parser.add_argument(
+        "--ssl-keyfile",
+        help="Fleet API server SSL private key file (as a path str) "
+        "to create a secure connection.",
+        type=str,
+    )
+    parser.add_argument(
+        "--ssl-ca-certfile",
+        help="Fleet API server SSL CA certificate file (as a path str) "
+        "to create a secure connection.",
         type=str,
-        help="Paths to the CA certificate, server certificate, and server private "
-        "key, in that order. Note: The server can only be started without "
-        "certificates by enabling the `--insecure` flag.",
     )
     parser.add_argument(
         "--database",
@@ -714,116 +578,47 @@ def _add_args_common(parser: argparse.ArgumentParser) -> None:
         default=DATABASE,
     )
     parser.add_argument(
-        "--require-client-authentication",
-        nargs=3,
-        metavar=("CLIENT_KEYS", "SERVER_PRIVATE_KEY", "SERVER_PUBLIC_KEY"),
+        "--auth-list-public-keys",
         type=str,
-        help="Provide three file paths: (1) a .csv file containing a list of "
-        "known client public keys for authentication, (2) the server's private "
-        "key file, and (3) the server's public key file.",
+        help="A CSV file (as a path str) containing a list of known public "
+        "keys to enable authentication.",
+    )
+    parser.add_argument(
+        "--auth-superlink-private-key",
+        type=str,
+        help="The SuperLink's private key (as a path str) to enable authentication.",
+    )
+    parser.add_argument(
+        "--auth-superlink-public-key",
+        type=str,
+        help="The SuperLink's public key (as a path str) to enable authentication.",
     )
 
 
 def _add_args_driver_api(parser: argparse.ArgumentParser) -> None:
     parser.add_argument(
         "--driver-api-address",
-        help="Driver API (gRPC) server address (IPv4, IPv6, or a domain name)",
+        help="Driver API (gRPC) server address (IPv4, IPv6, or a domain name).",
         default=ADDRESS_DRIVER_API,
     )
 
 
 def _add_args_fleet_api(parser: argparse.ArgumentParser) -> None:
     # Fleet API transport layer type
-    ex_group = parser.add_mutually_exclusive_group()
-    ex_group.add_argument(
-        "--grpc-rere",
-        action="store_const",
-        dest="fleet_api_type",
-        const=TRANSPORT_TYPE_GRPC_RERE,
+    parser.add_argument(
+        "--fleet-api-type",
         default=TRANSPORT_TYPE_GRPC_RERE,
-        help="Start a Fleet API server (gRPC-rere)",
-    )
-    ex_group.add_argument(
-        "--rest",
-        action="store_const",
-        dest="fleet_api_type",
-        const=TRANSPORT_TYPE_REST,
-        help="Start a Fleet API server (REST, experimental)",
-    )
-
-    ex_group.add_argument(
-        "--vce",
-        action="store_const",
-        dest="fleet_api_type",
-        const=TRANSPORT_TYPE_VCE,
-        help="Start a Fleet API server (VirtualClientEngine)",
-    )
-
-    # Fleet API gRPC-rere options
-    grpc_rere_group = parser.add_argument_group(
-        "Fleet API (gRPC-rere) server options", ""
-    )
-    grpc_rere_group.add_argument(
-        "--grpc-rere-fleet-api-address",
-        help="Fleet API (gRPC-rere) server address (IPv4, IPv6, or a domain name)",
-        default=ADDRESS_FLEET_API_GRPC_RERE,
-    )
-
-    # Fleet API REST options
-    rest_group = parser.add_argument_group("Fleet API (REST) server options", "")
-    rest_group.add_argument(
-        "--rest-fleet-api-address",
-        help="Fleet API (REST) server address (IPv4, IPv6, or a domain name)",
-        default=ADDRESS_FLEET_API_REST,
-    )
-    rest_group.add_argument(
-        "--ssl-certfile",
-        help="Fleet API (REST) server SSL certificate file (as a path str), "
-        "needed for using 'https'.",
-        default=None,
-    )
-    rest_group.add_argument(
-        "--ssl-keyfile",
-        help="Fleet API (REST) server SSL private key file (as a path str), "
-        "needed for using 'https'.",
-        default=None,
-    )
-    rest_group.add_argument(
-        "--rest-fleet-api-workers",
-        help="Set the number of concurrent workers for the Fleet API REST server.",
-        type=int,
-        default=1,
-    )
-
-    # Fleet API VCE options
-    vce_group = parser.add_argument_group("Fleet API (VCE) server options", "")
-    vce_group.add_argument(
-        "--client-app",
-        help="For example: `client:app` or `project.package.module:wrapper.app`.",
-    )
-    vce_group.add_argument(
-        "--num-supernodes",
-        type=int,
-        help="Number of simulated SuperNodes.",
-    )
-    vce_group.add_argument(
-        "--backend",
-        default="ray",
         type=str,
-        help="Simulation backend that executes the ClientApp.",
+        choices=[TRANSPORT_TYPE_GRPC_RERE, TRANSPORT_TYPE_REST],
+        help="Start a gRPC-rere or REST (experimental) Fleet API server.",
     )
-    vce_group.add_argument(
-        "--backend-config",
-        type=str,
-        default='{"client_resources": {"num_cpus":1, "num_gpus":0.0}, "tensorflow": 0}',
-        help='A JSON formatted stream, e.g \'{"<keyA>":<value>, "<keyB>":<value>}\' to '
-        "configure a backend. Values supported in <value> are those included by "
-        "`flwr.common.typing.ConfigsRecordValues`. ",
+    parser.add_argument(
+        "--fleet-api-address",
+        help="Fleet API server address (IPv4, IPv6, or a domain name).",
     )
     parser.add_argument(
-        "--app-dir",
-        default="",
-        help="Add specified directory to the PYTHONPATH and load"
-        "ClientApp from there."
-        " Default: current working directory.",
+        "--fleet-api-num-workers",
+        default=1,
+        type=int,
+        help="Set the number of concurrent workers for the Fleet API server.",
     )