Mlflow licensed version
439 views
Skip to first unread message
poozwala sajja
Mar 24, 2021, 7:02:06 PM3/24/21
to mlflow...@googlegroups.com
Hi ,
Is there a licensed version of mlflow? If not, how is everyone who is leveraging mlflow able to incorporate permissions to access the underlying models?
Thank you,
Puja
Matei Zaharia
May 2, 2021, 7:38:52 PM5/2/21
to poozwala sajja, mlflow...@googlegroups.com, ronne...@gmail.com
There are quite a few commercial products that host MLflow but integrate it with access permission models. For example, Databricks offers hosted MLflow at no charge for its customers and integrates it with the permission model on that platform (users/groups defined there or loaded from an identity provider like Okta). Other products, such as Azure ML and InfinStor, also support the MLflow API (there are probably more in the “companies using MLflow” section on https://www.mlflow.org). The open source server is currently designed so that you run a HTTP proxy in front of it to integrate permissions, because different organizations have different authentication and authorization systems.
Matei
--
You received this message because you are subscribed to the Google Groups "mlflow-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mlflow-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mlflow-users/CAOUazJB_RBCEdSrd529u7RvXVX4vTQi-SnKpLYxnKfHFpjQvJg%40mail.gmail.com.
Haroune Mohammedi
Nov 29, 2021, 10:27:34 AM11/29/21
to mlflow-users
Hello, we tried the solution suggested by @matei and we hit a dead end because of the following reasons
- Nginx `auth_request` erases the data before sending `/authorize` requests and MLFlow sends the `experiment_id`/`run_id` in the data of `POST` and `UPDATE` requests instead of the URL (`POST /tracking/experiments/1`), this makes it impossible to authorize such requests, we are denying all them right now.
- We can't filter out the list of the experiments a user can see, we can only allow them to do a request or not. If we don't allow them to see the list of experiments, the front page of MLFlow will broken.
I think access control mechanics over MLFlow resources should be implemented in MLFlow itself or in an MLFlow plugin, that way we'll have access to the database, the UI and everything we need to implement such features. Or at least think about how third party applications can do that and makes it possible for them
- Nginx `auth_request` erases the data before sending `/authorize` requests and MLFlow sends the `experiment_id`/`run_id` in the data of `POST` and `UPDATE` requests instead of the URL (`POST /tracking/experiments/1`), this makes it impossible to authorize such requests, we are denying all them right now.
- We can't filter out the list of the experiments a user can see, we can only allow them to do a request or not. If we don't allow them to see the list of experiments, the front page of MLFlow will broken.
I think access control mechanics over MLFlow resources should be implemented in MLFlow itself or in an MLFlow plugin, that way we'll have access to the database, the UI and everything we need to implement such features. Or at least think about how third party applications can do that and makes it possible for them
Reply all
Reply to author
Forward
0 new messages