search

data-platform-hq / mlflow-oidc-auth

MLFlow Tracking Server OIDC Auth plugin
https://pypi.org/project/mlflow-oidc-auth/
Apache License 2.0
22 stars 8 forks source link
mlflow mlflow-tracking-server oauth2 oidc

readme

mlflow-oidc-auth

Mlflow auth plugin to use OpenID Connect (OIDC) as authentication and authorization provider

Installation

To get full version (with entire MLFlow and all dependencies) run:

python3 -m pip install mlflow-oidc-auth[full]

To get skinny version run:

python3 -m pip install mlflow-oidc-auth

Configuration

The plugin required the following environment variables but also supported .env file

Application configuration

Parameter Description
OIDC_REDIRECT_URI Application redirect/callback url (https://example.com/callback)
OIDC_DISCOVERY_URL OIDC Discovery URL
OIDC_CLIENT_SECRET OIDC Client Secret
OIDC_CLIENT_ID OIDC Client ID
OIDC_GROUP_DETECTION_PLUGIN OIDC plugin to detect groups
OIDC_PROVIDER_DISPLAY_NAME any text to display
OIDC_SCOPE OIDC scope
OIDC_GROUP_NAME User group name to be allowed login to MLFlow, currently supported groups in OIDC claims and Microsoft Entra ID groups
OIDC_ADMIN_GROUP_NAME User group name to be allowed login to MLFlow manage and define permissions, currently supported groups in OIDC claims and Microsoft Entra ID groups
OIDC_AUTHORIZATION_URL OIDC Auth URL (if discovery URL is not defined)
OIDC_TOKEN_URL OIDC Token URL (if discovery URL is not defined)
OIDC_USER_URL OIDC User info URL (if discovery URL is not defined)
SECRET_KEY Key to perform cookie encryption
OAUTHLIB_INSECURE_TRANSPORT Development only. Allow to use insecure endpoints for OIDC
LOG_LEVEL Application log level
OIDC_USERS_DB_URI Database connection string

Application session storage configuration

Parameter Description Default
SESSION_TYPE Flask session type (filesystem or redis supported) filesystem
SESSION_FILE_DIR The directory where session files are stored flask_session
SESSION_PERMANENT Whether use permanent session or not False
PERMANENT_SESSION_LIFETIME Server-side session expiration time (in seconds) 86400
SESSION_KEY_PREFIX A prefix that is added before all session keys mlflow_oidc:
REDIS_HOST Redis hostname localhost
REDIS_PORT Redis port 6379
REDIS_DB Redis DB number 0
REDIS_USERNAME Redis username None
REDIS_PASSWORD Redis password None
REDIS_SSL Use SSL false

Configuration examples

Okta

OIDC_DISCOVERY_URL = 'https://<your_domain>.okta.com/.well-known/openid-configuration'
OIDC_CLIENT_SECRET ='<super_secret>'
OIDC_CLIENT_ID ='<client_id>'
OIDC_PROVIDER_DISPLAY_NAME = "Login with Okta"
OIDC_SCOPE = "openid,profile,email,groups"
OIDC_GROUP_NAME = "mlflow-users-group-name"
OIDC_ADMIN_GROUP_NAME = "mlflow-admin-group-name"

Microsoft Entra ID

OIDC_DISCOVERY_URL = 'https://login.microsoftonline.com/<tenant_id>/v2.0/.well-known/openid-configuration'
OIDC_CLIENT_SECRET = '<super_secret>'
OIDC_CLIENT_ID = '<client_id>'
OIDC_PROVIDER_DISPLAY_NAME = "Login with Microsoft"
OIDC_GROUP_DETECTION_PLUGIN = 'mlflow_oidc_auth.plugins.group_detection_microsoft_entra_id'
OIDC_SCOPE = "openid,profile,email"
OIDC_GROUP_NAME = "mlflow_users_group_name"
OIDC_ADMIN_GROUP_NAME = "mlflow_admins_group_name"

please note, that for getting group membership information, the application should have "GroupMember.Read.All" permission

Development

Preconditions:

The following tools should be installed for local development:

git clone https://github.com/data-platform-hq/mlflow-oidc-auth
cd mlflow-oidc-auth
./scripts/run-dev-server.sh

License

Apache 2 Licensed. For more information please see LICENSE

Based on MLFlow basic-auth plugin

https://github.com/mlflow/mlflow/tree/master/mlflow/server/auth