InfinStor MLflow

Authorization

Streamline authorization for model management with InfinStor MLflow.

1. Restrict access to models through an authorization configuration or authorization policy.
2. Build a permissions model that supports the notion of a group of data scientists.
3. Enable admins to modify the authorization configuration and policy without code updates.

Protected Resources

The resources being protected are Experiments and Models. Runs within an experiment inherit permissions from the experiment and Model versions inherit permissions from the model.
Authorization extensions are proposed by InfinStor. The MLflow REST API specs can be found here.

Hybrid Authorization System
RBAC + ABAC

We propose a hybrid RBAC and ABAC system.

Roles such as ‘Reader, Editor and Manager’ are combined with the attribute ‘Group’ to provide a flexible and powerful system.

Proposed Roles, Actions, and Corresponding REST API Calls

In order to simplify management, we propose the following three roles:

1. Reader Role
2. Editor Role
3. Manager Role

In the following table, the major actions that can be performed on models are listed. The column titled “REST Calls” describes the MLflow REST API calls that are used by this action.

Model Authorization Calls

| Action | REST Calls | No Perms | Read | Edit | Manage |
|---|---|---|---|---|---|
| Create Model | registered-models/create | ✓ | ✓ | ✓ | ✓ |
| View Models and Versions | registered-models/search | | ✓ | ✓ | ✓ |
| View Model Details | registered-models/get, registered-models/list, registered-models/get-latest-version, model-versions/get, model-versions/search, model-versions/get-download-uri | | ✓ | ✓ | ✓ |
| Add Version | model-versions/create | | | ✓ | ✓ |
| Update Model, Version, Description, Tags | registered-models/update, registered-models/set-tag, registered-models/delete-tag, model-versions/update, model-versions/set-tag, model-versions/delete-tag | | | ✓ | ✓ |
| Rename Model | registered-models/rename | | | | ✓ |
| Transition Model Version between stages | model-versions/transition-stage | | | | ✓ |
| Modify Permissions | infinstor/modify-permissions | | | | ✓ |
| Delete Model and Versions | registered-models/delete, model-versions/delete | | | | ✓ |

Create Model
Any authenticated user is permitted to create models. If the user belongs to a group, the group is automatically assigned the ‘reader’ role for the newly created model.

View Model and Versions
This permission allows users to view the list of models and the versions of each model in a list; however, it does not permit the user to view details of the model and model version.

View Model Details
This allows the user to view all details of the model. This permission is adequate for model deployment.

Add Version
This permission allows users to add a new version of the model.

Update Model Description, Model Versions and Tags
This permission allows users to add, modify and delete the following:

1. Model Description
2. Model Tags
3. Model Version Description
4. Model Version Tags

Rename Model
This permission allows users to rename the model.

Transition Model Version Between Stages
This permission allows users to transition a model between the various legal stages. Note that we do not believe that it is within the scope of InfinStor MLflow to manage the workflow for requesting, approving and transitioning models. InfinStor MLflow provides the capability to transition model versions between stages; however, the workflow for such transitions is best managed using dedicated Enterprise Workflow Management systems.

Modify Permissions
This permission allows users to modify model permissions, e.g. add access to a user or group, remove access to a user or group, etc.

Delete Model and Versions
This permission allows users to delete model versions and entire models.

Experiment Authorization Calls

| Action | REST Calls | No Perms | Read | Edit | Manage |
|---|---|---|---|---|---|
| Create Experiment | experiments/create | ✓ | ✓ | ✓ | ✓ |
| List Experiments | experiments/list | | ✓ | ✓ | ✓ |
| View Experiment Details | experiments/get, experiments/get-by-name | | ✓ | ✓ | ✓ |
| View run info, search and compare runs | runs/search | | ✓ | ✓ | ✓ |
| View, list and download run artifacts | artifacts/list, runs/get, metrics/get-history | | ✓ | ✓ | ✓ |
| Create, Delete and Restore Runs, Log run params, metrics, tags | runs/create, runs/delete, runs/restore, runs/log-metric, runs/log-batch, runs/log-parameter, runs/set-tag, runs/delete-tag, runs/update | | | ✓ | ✓ |
| Log run artifacts | model-versions/create | | | ✓ | ✓ |
| Edit experiment Details | experiments/set-experiment-tag, experiments/update | | | ✓ | ✓ |
| Delete and restore experiments | experiments/delete, experiments/restore | | | ✓ | ✓ |
| Purge runs and experiments | runs/hard-delete | | | | ✓ |
| Grant Permissions | infinstor/modify-experiment-permissions | | | | ✓ |

Experiment Visibility
In order for an experiment to be visible to a user, one of the following must be true:

1. The user must be the creator of the experiment
2. The user must be given explicit permission to access the experiment as reader, editor or manager
3. The user must belong to a group that has permission to access the experiment as a reader, editor or manager
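
The role checks in the Model and Experiment tables and the visibility rule above can be expressed as one small policy function. This is an added example, not InfinStor's code: the `Resource` record, the function names and the sample users are hypothetical, and it assumes roles are cumulative (Manager includes Editor, which includes Reader).

```python
from dataclasses import dataclass, field

# Assumption: roles are cumulative, so a higher rank includes every lower one.
RANK = {"none": 0, "reader": 1, "editor": 2, "manager": 3}

# Minimum role per REST call, copied from the tables on this page (subset).
REQUIRED = {
    "registered-models/search": "reader",
    "model-versions/get-download-uri": "reader",
    "model-versions/create": "editor",
    "registered-models/set-tag": "editor",
    "registered-models/rename": "manager",
    "model-versions/transition-stage": "manager",
    "infinstor/modify-permissions": "manager",
    "registered-models/delete": "manager",
    "experiments/get": "reader",
    "runs/log-metric": "editor",
    "runs/hard-delete": "manager",
}

@dataclass
class Resource:  # hypothetical ACL record for one model or experiment
    creator: str
    user_roles: dict = field(default_factory=dict)   # user  -> role (RBAC)
    group_roles: dict = field(default_factory=dict)  # group -> role (ABAC attribute)

def effective_role(user, groups, res):
    """Strongest role granted directly to the user or through any of their groups."""
    granted = [res.user_roles.get(user, "none")]
    granted += [res.group_roles.get(g, "none") for g in groups]
    return max(granted, key=RANK.__getitem__)

def is_authorized(user, groups, res, call):
    """Default deny: a REST call that is not in REQUIRED is refused."""
    need = REQUIRED.get(call)
    if need is None:
        return False
    return RANK[effective_role(user, groups, res)] >= RANK[need]

def is_visible(user, groups, exp):
    """Experiment visibility: creator, explicit user grant, or group grant."""
    return user == exp.creator or effective_role(user, groups, exp) != "none"

# Constructed sample: alice manages the model, bob edits, group ds-team reads.
MODEL = Resource(
    "alice", {"alice": "manager", "bob": "editor"}, {"ds-team": "reader"}
)
```

Keeping the call-to-role map as data rather than code is what lets an admin change the policy without a code update, and the default-deny branch means a REST call that is not yet mapped is rejected rather than silently allowed.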