Search code examples
nginxbasic-authenticationmlflow

How to run authentication on a mlFlow server?

As I am logging my entire models and params into mlflow I thought it will be a good idea to have it protected under a user name and password.

I use the following code to run the mlflow server

mlflow server --host 0.0.0.0 --port 11111 works perfect,in mybrowser i type myip:11111 and i see everything (which eventually is the problem)

If I understood the documentation and the following https://groups.google.com/forum/#!topic/mlflow-users/E9QW4HdS8a8 link here correct, I should use nginx to create the authentication.

I installed nginx open sourcre and apache2-utils

created sudo htpasswd -c /etc/apache2/.htpasswd user1 user and passwords.

I edited my /etc/nginx/nginx.conf to the following:

server {
        listen 80;
        listen 443 ssl;

        server_name my_ip;
        root NOT_SURE_WHICH_PATH_TO_PUT_HERE, THE VENV?;
        location / {
            proxy_pass                      my_ip:11111/;
            auth_basic                      "Restricted Content";
            auth_basic_user_file /home/path to the password file/.htpasswd;
        }
    }

but no authentication appears.

if I change the conf to listen to listen 11111 I get an error that the port is already in use ( of course, by the mlflow server....)

my wish is to have a authentication window before anyone can enter by the mlflow with a browser.

would be happy to hear any suggestions.

Solution

  • the problem here is that both mlflow and nginx are trying to run on the same port...

    1. first lets deal with nginx:

      1.1 in /etc/nginx/sites-enable make a new file sudo nano mlflow and delete the exist default.

      1.2 in mlflow file:

    server {
    listen YOUR_PORT;
    server_name YOUR_IP_OR_DOMAIN;
    auth_basic           “Administrator’s Area”;
    auth_basic_user_file /etc/apache2/.htpasswd; #read the link below how to set username and pwd in nginx

    location / {
        proxy_pass http://localhost:8000;
        include /etc/nginx/proxy_params;
        proxy_redirect off;
    }
}

    1.3. restart nginx sudo systemctl restart nginx

    1. on your server run mlflow mlflow server --host localhost --port 8000

    Now if you try access the YOUR_IP_OR_DOMAIN:YOUR_PORT within your browser an auth popup should appear, enter your host and pass and now you in mlflow

    1. now there are 2 options to tell the mlflow server about it:

      3.1 set username and pwd as environment variable export MLFLOW_TRACKING_USERNAME=user export MLFLOW_TRACKING_PASSWORD=pwd

      3.2 edit in your /venv/lib/python3.6/site-packages/mlflowpackages/mlflow/tracking/_tracking_service/utils.py the function 

    def _get_rest_store(store_uri, **_):
    def get_default_host_creds():
        return rest_utils.MlflowHostCreds(
            host=store_uri,
            username=replace with nginx user
            password=replace with nginx pwd
            token=os.environ.get(_TRACKING_TOKEN_ENV_VAR),
            ignore_tls_verification=os.environ.get(_TRACKING_INSECURE_TLS_ENV_VAR) == 'true',
        )

    in your .py file where you work with mlflow:

    import mlflow
remote_server_uri = "YOUR_IP_OR_DOMAIN:YOUR_PORT" # set to your server URI
mlflow.set_tracking_uri(remote_server_uri)
mlflow.set_experiment("/my-experiment")
with mlflow.start_run():
    mlflow.log_param("a", 1)
    mlflow.log_metric("b", 2)

    A link to nginx authentication doc https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/