Defining RBACs on MLflow Experiments

Describes role-based access controls (RBACs) with respect to MLflow in HPE Ezmeral Unified Analytics Software and how to define RBACs to permit access to experiments in MLflow.

Role-based access controls (RBACs) are an authorization system based on policies, user roles, and bindings between the roles and policies that protect resources. With the introduction of RBACs, HPE Ezmeral Unified Analytics Software users (admins and members) can define access controls on their experiments through the MLflow API or SDK.

User access to MLflow is granted when a user makes a request to the MLflow server. A user is automatically authenticated and granted access to MLflow based on their user role in HPE Ezmeral Unified Analytics Software, as either an admin or a member.

Admins can add users through the HPE Ezmeral Unified Analytics Software UI, as described in Adding and Removing Users and User Roles.

Admin Role

The following list describes admin access and the admin-related tasks that impact users in MLflow:
  • Admins can view and edit all experiments in MLflow regardless of the access controls set. For example, if the NO_PERMISSIONS access control is defined in an experiment, admins can still access the experiment.
  • Admins can change a user's role in HPE Ezmeral Unified Analytics Software to admin. When a user has the admin role in HPE Ezmeral Unified Analytics Software, that user can access all existing experiments in MLflow. If the admin role is removed from the user (reverted back to member), the user cannot see any experiments created by other users.
    NOTE
    By default, the MLflow default admin user is disabled to prevent any security issues, such as the plain text password being stored in open-source code.

Member Role

The following list describes MLflow access for members:
  • By default, members have full control over the experiments they create. When a member creates an experiment, the experiment has the MANAGE permission set. The MANAGE permission enables the experiment owner to grant other users access to their experiment through access controls.
  • Members cannot access experiments created by other users unless explicitly permitted to do so by the experiment owner through access controls set in the experiment.
  • If an HPE Ezmeral Unified Analytics Software admin changes a member's role to admin in the HPE Ezmeral Unified Analytics Software UI, the user is granted full access to all experiments in MLflow.
  • After deleting and re-adding a member user in the Administration->Identity & Access Management screen, previously granted MLflow experiment and model permissions remain intact for members. For example, if you previously created an MLflow experiment and granted the bob user the READ privilege, then deleted and re-added the bob user, the READ privilege for the MLflow experiment will persist for the bob user.

    HPE Ezmeral Unified Analytics Software does not delete user experiment or model permission objects associated with the user during a hard delete. Unified Analytics retains the associated permissions despite the user's deletion. For details, see MLflow Server Auth Initialization Code and MLflow Auth Service Client Documentation.

    To ensure that all user permissions are correctly removed when deleting a user, you must explicitly delete all related permissions as follows: By explicitly deleting these permissions, you can ensure that re-adding the user does not unintentionally restore their previous access privileges.
CAUTION
HPE only supports user role changes made through the HPE Ezmeral Unified Analytics Software UI. Role changes made in HPE Ezmeral Unified Analytics Software are automatically propagated to MLflow. HPE does not support role changes made directly in MLflow because the changes do not propagate back to HPE Ezmeral Unified Analytics Software, which can cause unexpected system behaviors.

Supported Access Controls

HPE Ezmeral Unified Analytics Software supports the following access controls on experiments:
Access Control Type / Access Control Value
  Description

None / NO_PERMISSIONS
  Only the experiment creator and admins can access the experiment. Returns an "access denied" message when unauthorized users try to access the experiment.

Manage / MANAGE
  Default permission set on an experiment at the time of creation. Only the experiment creator and admins can access the experiment. You cannot set this access control on any existing experiments.

Read / READ
  The experiment creator has full access to the experiment. Specified users can only view the experiment in MLflow.

Modify / EDIT
  The experiment creator has full access to the experiment. Specified users can modify the experiment in MLflow.

Delete / DELETE
  Only admin users can use DELETE to remove permissions on an experiment.

Defining Access Controls on Users

To permit access to experiments, use the MLflow API or SDK in your MLflow experiments to define access controls on users.

MLflow provides an AuthServiceClient that implements CRUD functionality for experiment_permission and model_permission objects.

Use the following code examples as a guide to define access controls on users.
Required code to set access controls on an experiment
import mlflow
from mlflow.server.auth.client import AuthServiceClient

# Replace the placeholders with the target user, the access control value
# (see Supported Access Controls), and the experiment name.
user = "<username>"
permission = "<access_control>"
experiment_name = "<experiment_name>"
# Resolve the experiment ID through the tracking API; this assumes the
# tracking URI (for example MLFLOW_TRACKING_URI) points at the same server.
exp_id = mlflow.get_experiment_by_name(experiment_name).experiment_id
# The auth client talks to the in-cluster MLflow server.
client = AuthServiceClient("http://mlflow.mlflow.svc.cluster.local:5000")

Create permission
permission = "READ"
exp_permission = client.create_experiment_permission(exp_id, user, permission)

Modify permission
permission = "EDIT"
exp_permission = client.update_experiment_permission(exp_id, user, permission)

permission = "NO_PERMISSIONS"
exp_permission = client.update_experiment_permission(exp_id, user, permission)

Delete permission
# delete_experiment_permission takes only the experiment ID and the username;
# it removes the permission object for that pair and returns nothing.
client.delete_experiment_permission(exp_id, user)

# Look up a user record by username (here the built-in admin account).
admin_user = client.get_user("admin")
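As an added example (not from the HPE documentation or from MLflow's own code), the following Python sweeps a user's experiment permissions before that user is deleted, so that re-adding the user does not silently restore stale access, the caveat described under Member Role. It assumes a client exposing AuthServiceClient's get_experiment_permission and delete_experiment_permission methods; FakeAuthClient is a constructed in-memory stand-in so the code runs offline, and in practice the experiment IDs would come from mlflow.search_experiments().

```python
from types import SimpleNamespace


def revoke_user_experiment_permissions(auth_client, username, experiment_ids):
    """Delete every experiment permission that `username` holds.

    auth_client: an mlflow.server.auth.client.AuthServiceClient, or any object
    exposing the same get_experiment_permission / delete_experiment_permission
    methods. experiment_ids: the experiment IDs to sweep, for example
    [e.experiment_id for e in mlflow.search_experiments()].
    Returns a list of (experiment_id, permission) pairs that were revoked.
    """
    revoked = []
    for exp_id in experiment_ids:
        try:
            perm = auth_client.get_experiment_permission(exp_id, username)
        except Exception:
            # The auth server answers with an error when no permission object
            # exists for this user/experiment pair, so nothing to revoke here.
            continue
        # The real client's delete call takes only the experiment ID and username.
        auth_client.delete_experiment_permission(exp_id, username)
        revoked.append((exp_id, perm.permission))
    return revoked


class FakeAuthClient:
    """Constructed in-memory stand-in for AuthServiceClient (offline demo only)."""

    def __init__(self, perms):
        # perms maps (experiment_id, username) -> permission value
        self.perms = dict(perms)

    def get_experiment_permission(self, experiment_id, username):
        key = (experiment_id, username)
        if key not in self.perms:
            raise LookupError("no permission object for %s" % (key,))
        return SimpleNamespace(experiment_id=experiment_id, user_id=username,
                               permission=self.perms[key])

    def delete_experiment_permission(self, experiment_id, username):
        del self.perms[(experiment_id, username)]


if __name__ == "__main__":
    # Constructed sample state: bob holds READ on "1" and EDIT on "3".
    fake = FakeAuthClient({("1", "bob"): "READ", ("2", "alice"): "MANAGE",
                           ("3", "bob"): "EDIT"})
    print(revoke_user_experiment_permissions(fake, "bob", ["1", "2", "3"]))
```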