security setup - username/password experiment level


Maheshwar Dattatri

Nov 15, 2018, 12:55:19 AM
to mlflow-users

Hi

Currently the way mlflow works is that we can set an experiment ID for an MLFLOW tracker server URL and call it using our training model code. We would like to see if we can add security to this - say, set up a username/password and also assign users permissions for certain experiments/projects. Is it possible to do that?

Matei Zaharia

Nov 20, 2018, 9:46:46 PM
to Maheshwar Dattatri, mlflow-users
Hi Maheshwar,

Currently, we recommend adding authentication in front of your MLflow server using an HTTP proxy such as nginx. You can configure this to use some other internal authentication mechanism, such as verifying whether the user is part of a group. This won’t isolate things per user, but you could run a separate tracking server for each team using ML, for example.

Matei



Triết Nguyễn

Nov 22, 2018, 3:28:48 AM
to mlflow-users
Hi Matei

In "rest_utils.py", there is an "http_request" function, which receives host_creds (including username and password) to make HTTP requests for authentication:
https://github.com/mlflow/mlflow/blob/master/mlflow/utils/rest_utils.py#L20

The "http_request" function is also used in "databricks.py".

Could we use this function to do authentication for MLflow?
Will MLflow support authentication in future versions?

Triet Nguyen

Matei Zaharia

Nov 22, 2018, 6:50:09 PM
to Triết Nguyễn, mlflow-users
Yes, you can actually pass these already using the environment variables MLFLOW_TRACKING_USERNAME and MLFLOW_TRACKING_PASSWORD or MLFLOW_TRACKING_TOKEN (see https://github.com/mlflow/mlflow/blob/master/mlflow/tracking/utils.py). These will be used with all HTTP requests to the tracking server. You can run the server behind a proxy such as nginx to perform authentication before passing requests through (the goal here is to make it possible for people to integrate it with their own company’s auth systems instead of baking one into our server).

Matei

Haroune Mohammedi

Nov 29, 2021, 10:21:54 AM
to mlflow-users
Hello, this is an old question, but we tried the solution suggested by @matei and we hit a dead end for the following reasons:

- Nginx `auth_request` erases the data before sending `/authorize` requests, and MLFlow sends the `experiment_id`/`run_id` in the data of `POST` and `UPDATE` requests instead of the URL (`POST /tracking/experiments/1`). This makes it impossible to authorize such requests; we are denying all of them right now.
- We can't filter the list of experiments a user can see; we can only allow them to make a request or not. If we don't allow them to see the list of experiments, the front page of MLFlow will be broken.

I think access control mechanics over MLFlow resources should be implemented in MLFlow itself or in an MLFlow plugin, or we should at least think about how third-party applications can do that and make it possible for them. That way we'll have access to the database, the UI and everything we need to implement such features.
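The limitation described in the last post, as an added example (not MLflow code and not written by anyone in this thread): a per-experiment authorization check has to see the request body, because that is where `experiment_id` and `run_id` travel, and it has to deny when it cannot tell which experiment is targeted. The ACL, the run-to-experiment map and the sample requests are constructed; the endpoint paths and field names are assumed to follow MLflow's REST API.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (hypothetical): per-user experiment grants, and a
# run -> experiment map standing in for a lookup in the tracking database.
ACL = {"alice": {"1"}, "bob": {"2"}}
RUN_TO_EXPERIMENT = {"run-a": "1", "run-b": "2"}


def target_experiments(url, body):
    """Return every experiment the request names, or None if undeterminable."""
    pairs = [(k, v) for k, vs in parse_qs(urlsplit(url).query).items() for v in vs]
    if body:
        try:
            payload = json.loads(body)
        except ValueError:
            return None  # unparseable body: the caller must deny
        if not isinstance(payload, dict):
            return None
        pairs += payload.items()
    found = set()
    for key, value in pairs:
        if key == "experiment_id":
            found.add(str(value))
        elif key == "run_id":
            found.add(RUN_TO_EXPERIMENT.get(str(value)))  # None if unknown run
    return None if not found or None in found else found


def authorize(user, url, body=b""):
    """Fail closed: every experiment named in URL or body must be granted."""
    experiments = target_experiments(url, body)
    return experiments is not None and experiments <= ACL.get(user, set())


# Constructed requests: the ids are carried in the JSON body, not the URL.
CREATE_RUN = ("/api/2.0/mlflow/runs/create", b'{"experiment_id": "1"}')
LOG_METRIC = ("/api/2.0/mlflow/runs/log-metric",
              b'{"run_id": "run-b", "key": "loss", "value": 0.1}')

if __name__ == "__main__":
    print(authorize("alice", *CREATE_RUN))    # body visible to the authorizer
    print(authorize("bob", *CREATE_RUN))      # no grant on experiment 1
    print(authorize("alice", CREATE_RUN[0]))  # body stripped, as in auth_request
    print(authorize("bob", *LOG_METRIC))      # run_id resolved to experiment 2
```

Checking ids from both the query string and the body, and requiring all of them to be granted, avoids a mismatch where the authorizer reads one location and the backend reads the other.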