How to run authentication on a mlFlow server?

the problem here is that both mlflow and nginx are trying to run on the same port...

1. first lets deal with nginx:

   1.1 in /etc/nginx/sites-enable make a new file sudo nano mlflow and delete the exist default.

   1.2 in mlflow file:

server {    listen YOUR_PORT;    server_name YOUR_IP_OR_DOMAIN;    auth_basic           “Administrator’s Area”;    auth_basic_user_file /etc/apache2/.htpasswd; #read the link below how to set username and pwd in nginx    location / {        proxy_pass http://localhost:8000;        include /etc/nginx/proxy_params;        proxy_redirect off;    }}

1.3. restart nginx sudo systemctl restart nginx

2. on your server run mlflow mlflow server --host localhost --port 8000

Now if you try access the YOUR_IP_OR_DOMAIN:YOUR_PORT within your browser an auth popup should appear, enter your host and pass and now you in mlflow

3. now there are 2 options to tell the mlflow server about it:

   3.1 set username and pwd as environment variable export MLFLOW_TRACKING_USERNAME=user export MLFLOW_TRACKING_PASSWORD=pwd

   3.2 edit in your /venv/lib/python3.6/site-packages/mlflowpackages/mlflow/tracking/_tracking_service/utils.py the function

def _get_rest_store(store_uri, **_):    def get_default_host_creds():        return rest_utils.MlflowHostCreds(            host=store_uri,            username=replace with nginx user            password=replace with nginx pwd            token=os.environ.get(_TRACKING_TOKEN_ENV_VAR),            ignore_tls_verification=os.environ.get(_TRACKING_INSECURE_TLS_ENV_VAR) == 'true',        )

in your .py file where you work with mlflow:

import mlflowremote_server_uri = "YOUR_IP_OR_DOMAIN:YOUR_PORT" # set to your server URImlflow.set_tracking_uri(remote_server_uri)mlflow.set_experiment("/my-experiment")with mlflow.start_run():    mlflow.log_param("a", 1)    mlflow.log_metric("b", 2)

A link to nginx authentication doc https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

If you just want MLFlow installed with some basic authentication you can use mlflow-easyauth to get a Docker container with HTTP basic auth (username/password) setup integrated. It uses Nginx under the hood. Authentication details are configured using environment variables.

Disclaimer: I am the maintainer of that project

In order for you to setup authentication for mlflow Tracking Server using nginx, you essentially need to do the following;

1. should be nginx/nginx plus (but nginx will serve this purpose)
2. you need two ports to be opened one for tracking server to run by default(11111 in your case) other one to run airflow with password protection(say 8080 and it could be any port which has to be opened by firewall)
3. create a auth file by using htpasswd utility under the /etc/nginx directory by using the command sudo htpasswd -c /etc/nginx/.htpasswd user_name and enter the password when it prompted.
4. Make sure you have changed the permission to 644 to this file, otherwise your proxy redirection will work, but you might hit the 500 error after you enter the username and password, this is because of auth file is not accessible by the service.

Now, you can go to sudo nano /etc/nginx/sites-enabled/default file comment everything inside the file and create a separate server block and put down the below configuration, you wonder why you need to edit this file alone? then i highly recommend to check this out this discussion Difference between sites-enabled and sites-available? After you made the change, your configuration file typically looks like this

server {    listen 8080;    location / {        proxy_pass http://localhost:11111;        auth_basic           "Administrator’s Area";        auth_basic_user_file /etc/nginx/.htpasswd;    }}

Once you finished the above, you can check the diagnosis of the configuration then you need to restart the nginx server

sudo nginx -tsudo service nginx restart

Now, you can check with your new port which is 8080 in your case, hopefully it should work.

You have to also set the environment variables for mlflow to use the updated credentials while you run your training jobs.In your code add the below lines,

import os# Set username and password when authentication was addedos.environ['MLFLOW_TRACKING_USERNAME'] = <MLFLOW_TRACKING_USERNAME>os.environ['MLFLOW_TRACKING_PASSWORD'] = <MLFLOW_TRACKING_PASSWORD> 

Additional Tip:

1. You can also add ssl in the configuration, so that you can use https protocal instead of http, assume you have certificates. If you don't have you can create self signed one or use some of the free tools like certibot, etc..

Then your configuration would be similar like this, you have to add this certificates beneath port listening part;

listen 8080 ssl;#server_name YOUR_IP_OR_DOMAIN;ssl_certificate /etc/nginx/certificate/certificate.crt;ssl_certificate_key /etc/nginx/certificate/certificate.key;

2. Sometimes, though you did everything as per the procedure, but authentication might not reflect. In such case, you need to change the owner of the auth file to 'www-data user' from root.

Hope this post will helps while setting up first time and in debugging.

Thank you.