MLflow Authentication
This feature is still experimental and may be enhanced in a future release without warning.
MLflow Authentication provides secure access control for experiments and registered models through HTTP basic authentication. Once enabled, users must authenticate before accessing any resources on the Tracking Server.
Quick Start
Installation & Setup
Install MLflow with authentication dependencies:
pip install mlflow[auth]
Set your server secret key and start the authenticated server:
export MLFLOW_FLASK_SERVER_SECRET_KEY="my-secret-key"
mlflow server --app-name basic-auth
The secret key must be consistent across multiple servers to prevent validation errors.
Default Admin Access
MLflow creates a default admin user on first startup:
Username | Password |
---|---|
admin | password1234 |
Update the default admin password immediately after first login using the /api/2.0/mlflow/users/update-password
endpoint.
Core Concepts
Permission Levels
MLflow uses a hierarchical permission system with four levels:
Permission | Read | Update | Delete | Manage |
---|---|---|---|---|
READ | ✅ | ❌ | ❌ | ❌ |
EDIT | ✅ | ✅ | ❌ | ❌ |
MANAGE | ✅ | ✅ | ✅ | ✅ |
NO_PERMISSIONS | ❌ | ❌ | ❌ | ❌ |
The default permission for all users is READ, configurable in the auth configuration file.
Resource Types
Permissions are granted on two main resource types:
- Experiments - Controls access to experiment data and runs
- Registered Models - Controls access to model registry operations
Authentication Methods
Interactive Login (Recommended)
Use mlflow.login()
for a guided authentication setup:
import mlflow
# Interactive login with prompts
mlflow.login()
# Login to Databricks (currently the only supported backend)
mlflow.login(backend="databricks", interactive=True)
# Non-interactive mode (requires existing credentials)
mlflow.login(backend="databricks", interactive=False)
# After login, start using MLflow normally
with mlflow.start_run():
mlflow.log_metric("accuracy", 0.95)
mlflow.login()
will prompt you for credentials if none are found and automatically save them for future use. For Databricks, it saves to ~/.databrickscfg
.
Environment Variables
Set authentication credentials in your environment:
export MLFLOW_TRACKING_USERNAME=your_username
export MLFLOW_TRACKING_PASSWORD=your_password
or
import os
os.environ["MLFLOW_TRACKING_USERNAME"] = "your_username"
os.environ["MLFLOW_TRACKING_PASSWORD"] = "your_password"
and use those to authenticate with the tracking server:
import mlflow
mlflow.set_tracking_uri("https://your-mlflow-server.com")
with mlflow.start_run():
# Your authenticated MLflow operations
mlflow.log_metric("accuracy", 0.95)
Credentials File
Store credentials in ~/.mlflow/credentials
(protected by filesystem permissions):
[mlflow]
mlflow_tracking_username = your_username
mlflow_tracking_password = your_password
Environment variables take precedence over credentials file. This allows for easy overrides in different environments.
Advanced Authentication Options
MLflow supports additional authentication methods and security configurations:
Token-based Authentication
import os
os.environ["MLFLOW_TRACKING_TOKEN"] = "your_api_token"
AWS SigV4 Authentication
import os
os.environ["MLFLOW_TRACKING_AWS_SIGV4"] = "true"
Custom Authentication Headers
import os
os.environ["MLFLOW_TRACKING_AUTH"] = "custom_auth_header_value"
TLS/SSL Configuration
import os
# Disable TLS verification (not recommended for production)
os.environ["MLFLOW_TRACKING_INSECURE_TLS"] = "true"
# Custom client certificate
os.environ["MLFLOW_TRACKING_CLIENT_CERT_PATH"] = "/path/to/client.crt"
# Custom server certificate
os.environ["MLFLOW_TRACKING_SERVER_CERT_PATH"] = "/path/to/server.crt"
Only disable TLS verification in development environments. Always use proper certificates in production.
User Management
Creating Users
Using the Web Interface
Navigate to <tracking_uri>/signup
to access the user creation form.
Using the Python Client
from mlflow.server import get_app_client
# Authenticate as admin
auth_client = get_app_client("basic-auth", tracking_uri="https://your-server.com")
user = auth_client.create_user(username="newuser", password="secure_password")
print(f"Created user: {user.username} (ID: {user.id})")
Using REST API
import requests
response = requests.post(
"https://your-server.com/api/2.0/mlflow/users/create",
json={"username": "newuser", "password": "secure_password"},
auth=("admin", "password1234"),
)
Managing Admin Status
Only existing admins can promote users to admin status:
# Promote user to admin
auth_client.update_user_admin(username="newuser", is_admin=True)
# Remove admin privileges
auth_client.update_user_admin(username="newuser", is_admin=False)
Permission Management
Experiment Permissions
Grant users specific permissions on experiments:
from mlflow import MlflowClient
# Create experiment and grant permissions
client = MlflowClient(tracking_uri="https://your-server.com")
experiment_id = client.create_experiment("my_experiment")
# Grant MANAGE permission to user
auth_client.create_experiment_permission(
experiment_id=experiment_id, username="data_scientist", permission="MANAGE"
)
# Update existing permission
auth_client.update_experiment_permission(
experiment_id=experiment_id, username="data_scientist", permission="EDIT"
)
# Check current permission
permission = auth_client.get_experiment_permission(
experiment_id=experiment_id, username="data_scientist"
)
print(f"User permission: {permission.permission}")
Registered Model Permissions
Control access to model registry operations:
# Create model with automatic MANAGE permission for creator
model = client.create_registered_model("my_model")
# Grant READ permission to another user
auth_client.create_registered_model_permission(
name="my_model", username="ml_engineer", permission="READ"
)
# Update to EDIT permission
auth_client.update_registered_model_permission(
name="my_model", username="ml_engineer", permission="EDIT"
)