Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
MIT License

Error 403 when using Azure guest account to access MLFlow #31429

Open NDISTyson opened 11 months ago

NDISTyson commented 11 months ago

Describe the bug

Error 403 when trying to access a tenant's Azure Machine Learning Studio MLFlow instance with an external guest user account. The exact error is:

mlflow.exceptions.MlflowException: API request to endpoint /api/2.0/mlflow/experiments/get-by-name failed with error code 403 != 200. Response body: ''

To Reproduce

```python
import mlflow
from azure.ai.ml import MLClient
from azure.identity import DefaultAzureCredential

# Placeholder value: the snippet as posted used project_name without defining it.
project_name = 'project-name'

# Enable the interactive browser credential and set the tenant it signs in to.
cred = DefaultAzureCredential(
    exclude_interactive_browser_credential=False,
    interactive_browser_tenant_id='********-****-****-****-************',
)
ml_client = MLClient(
    credential=cred,
    subscription_id='********-****-****-****-************',
    resource_group_name='resource-group-name',
    workspace_name='workspace-name',
)
# Point MLflow at the workspace's tracking URI, then look up the experiment.
mlflow_tracking_uri = ml_client.workspaces.get(ml_client.workspace_name).mlflow_tracking_uri
mlflow.set_tracking_uri(mlflow_tracking_uri)
mlflow.set_experiment(project_name)
experiment = mlflow.get_experiment_by_name(project_name)
```

Expected behavior

Using an Azure guest account to get an MLFlow experiment without an error occurring.

Additional context

The above script, minus adding the interactive_browser_tenant_id parameter, runs smoothly when this script is used with an Azure tenant member account. When trying this with an Azure tenant external guest account, without adding interactive_browser_tenant_id, running the script gives me the following error:

azure.core.exceptions.ClientAuthenticationError: (InvalidAuthenticationTokenTenant) The access token is from the wrong issuer 'https://sts.windows.net/****----****/'. It must match the tenant 'https://sts.windows.net/****----****/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/****----****' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later. Code: InvalidAuthenticationTokenTenant

I am able to use the guest account to access Azure Machine Learning Studio via the web portal, so I don't believe there is a permissions issue.

There is a similar issue here: https://github.com/Azure/azure-sdk-for-python/issues/29572. However, it might not be the same. I can access MLFlow with a member account. I can't access it with a guest account.
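The InvalidAuthenticationTokenTenant error quoted above compares the token's issuer with the tenant that owns the subscription. The following is an added diagnostic example, not part of the original post and not SDK code: it decodes a token's `tid`/`iss` claims without verifying the signature and checks them against an expected tenant. The function names, the tenant IDs and the sample token are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Decode JWT payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def issuing_tenant(claims: dict) -> str:
    # Prefer the 'tid' claim; otherwise take the first path segment of 'iss',
    # e.g. https://sts.windows.net/<tenant-id>/
    tid = claims.get("tid")
    if not tid:
        tid = urlparse(claims.get("iss", "")).path.strip("/").split("/")[0]
    return tid.lower()

def check_token_tenant(token: str, expected_tenant_id: str) -> dict:
    """Compare the tenant that issued the token with the tenant that owns the resource."""
    claims = token_claims(token)
    issued_by = issuing_tenant(claims)
    return {
        "issued_by": issued_by,
        "expected": expected_tenant_id.lower(),
        "audience": claims.get("aud"),
        "match": issued_by == expected_tenant_id.lower(),
    }

def make_sample_token(claims: dict) -> str:
    # Builds an UNSIGNED, constructed token for the offline demo below.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed tenant IDs (placeholders, not values from the issue).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"      # guest's own directory
RESOURCE_TENANT = "22222222-2222-2222-2222-222222222222"  # directory owning the subscription

if __name__ == "__main__":
    # With a real credential: token = cred.get_token("https://management.azure.com/.default").token
    guest = make_sample_token({"iss": f"https://sts.windows.net/{HOME_TENANT}/",
                               "tid": HOME_TENANT, "aud": "https://management.azure.com"})
    print(check_token_tenant(guest, RESOURCE_TENANT))
```

Access tokens are bearer credentials, so run the check locally and share only the decoded `tid`, `iss` and `aud` values when reporting a problem.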

github-actions[bot] commented 11 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @simorenoh @gahl-levy @bambriz @azureml-github @Azure/azure-ml-sdk.

catalinaperalta commented 11 months ago

Thanks for reaching out @NDISTyson! Looping in @luigiw to help out on this issue.

NDISTyson commented 8 months ago

Have there been any updates regarding this?

lnkirkham-datasparq commented 2 months ago

Also looking for any update on this please 🙏