stackoom
  简体   繁体   中英

Mlflow authorization with spnego

 原文  2022-08-11 13:44:58       authentication/ kerberos/ mlflow/ spnego

Question

I saw this topic about Kerberos authntication - https://github.com/mlflow/mlflow/issues/2678 . It was in 2020. Our team trying to do authentication with kerberos by spnego. We did spnego on nginx server and it is fine - and get code 200 when we do curl to mlflow http uri. BUT we can't do it with mlflow environment variable.

The question is - Does mlflow has some feature to make authentication with spnego or not? Or it has just these environment variables for authentication and such methods:

  • MLFLOW_TRACKING_USERNAME and MLFLOW_TRACKING_PASSWORD - username and password to use with HTTP Basic authentication. To use Basic authentication, you must set both environment variables.
  • MLFLOW_TRACKING_TOKEN - token to use with HTTP Bearer authentication. Basic authentication takes precedence if set.
  • MLFLOW_TRACKING_INSECURE_TLS - If set to the literal true, MLflow does not verify the TLS connection, meaning it does not validate certificates or hostnames for https:// tracking URIs. This flag is not recommended for production environments. If this is set to true then MLFLOW_TRACKING_SERVER_CERT_PATH must not be set.
  • MLFLOW_TRACKING_SERVER_CERT_PATH - Path to a CA bundle to use. Sets the verify param of the requests.request function (see https://requests.readthedocs.io/en/master/api/ ). When you use a self-signed server certificate you can use this to verify it on client side. If this is set MLFLOW_TRACKING_INSECURE_TLS must not be set (false).
  • MLFLOW_TRACKING_CLIENT_CERT_PATH - Path to ssl client cert file (.pem). Sets the cert param of the requests.request function (see https://requests.readthedocs.io/en/master/api/ ). This can be used to use a (self-signed) client certificate.

1 answers

solution1
 0  2022-08-12 11:43:53

I looked at the source code. No, the mlflow.utils.rest_utils.http_request function doesn't support SPNEGO in any way – it can only send HTTP 'Basic' or 'Bearer' authorization headers.

However, it should be relatively easy to change it to generate a 'Negotiate' header using pyspnego , or even to use requests-gssapi given that it already uses Requests internally:

# For Linux:
import requests_gssapi
# For Windows:
#import requests_negotiate_sspi

def http_request(...):
    ...
    if not auth_str:
        # For Linux:
        kwargs["auth"] = requests_gssapi.HTTPSPNEGOAuth()
        # For Windows:
        #kwargs["auth"] = requests_negotiate_sspi.HttpNegotiateAuth()
    ...

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question What is an spnego Token? Tomcat 8 SPNEGO single sign on not working CXF - How to properly configure Spnego with CXF 3.2.6 Is SPNEGO support a pre-requisite for NTLM support? How to get LDAP user attributes with SPNEGO and CAS? Spring Security/SPNEGO authentication issue: Checksum failed Auto-login using SPNEGO Web SSO Difference between sourceforge SPNEGO vs WAFFLE Running SPNEGO Kerberos in parallel with username/password authentication Curl on windows using Http/2 and windows authentication ( SPNEGO, Kerberos, Negotiate)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM