[BUG] MLFLow Auth is giving admin as default permissions to the new user #9669
Comments
@gabrielfu is this intended?
The current behaviour is that user creation is unprotected and anyone can create a new user (whether the request sender is authenticated or not). So I don't think it is related to new user having admin permission. To verify, can you try calling
Admin is false. However, only admins should be allowed to create the users? What other operations are unprotected?
Please see the below for unprotected routes. I'm closing this issue for now as the reported bug is not found. Feel free to continue the discussion.
mlflow/mlflow/server/auth/__init__.py Lines 116 to 122 in 3a1126e
Is there any reason to let the create user operation be executed by any user? From my point of view it does not make much sense that this does not require admin permissions.
Correct, this shouldn't be unprotected.
That's a solid point, thanks for giving us the feedback. We are going to make user creation an admin-only action.
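The behaviour discussed in the comments above, modelled as an added example (not part of the thread and not MLflow's code): a route gate where anything in the unprotected set skips both authentication and permission checks, next to the admin-only policy the maintainers say they will adopt. The route keys, the `User` type and the `authorize` and `audit` helpers are hypothetical names made up for this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False

# Hypothetical route keys for this sketch; not MLflow's real paths.
CREATE_USER = ("POST", "/users/create")
HEALTH = ("GET", "/health")
GET_EXPERIMENT = ("GET", "/experiments/get")

def require_admin(user: User) -> bool:
    return user.is_admin

def any_authenticated(user: User) -> bool:
    return True

def authorize(route, user: Optional[User], unprotected, validators) -> int:
    """Return the status the gate would answer with: 200, 401 or 403."""
    if route in unprotected:
        return 200  # skipped entirely: no authentication, no permission check
    if user is None:
        return 401
    # Fail closed (a choice made in this sketch): unknown routes are admin-only.
    validator = validators.get(route, require_admin)
    return 200 if validator(user) else 403

# Behaviour described in the thread: user creation is an unprotected route.
BEFORE = {"unprotected": {HEALTH, CREATE_USER},
          "validators": {GET_EXPERIMENT: any_authenticated}}

# Change the maintainers announce: user creation becomes admin-only.
AFTER = {"unprotected": {HEALTH},
         "validators": {GET_EXPERIMENT: any_authenticated,
                        CREATE_USER: require_admin}}

def audit(policy, sensitive=(CREATE_USER,)):
    """List (route, caller) pairs where a sensitive route is reachable without admin rights."""
    findings = []
    for route in sensitive:
        for label, caller in (("anonymous", None), ("non-admin", User("bob"))):
            if authorize(route, caller, **policy) == 200:
                findings.append((route, label))
    return findings

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

The same `audit` loop works as a regression test: list every account-management route as sensitive and fail the build if it returns any finding.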
Issues Policy acknowledgement
Willingness to contribute
Yes. I would be willing to contribute a fix for this bug with guidance from the MLflow community.
MLflow version
System information
Describe the problem
I create a user and then use the new user to create another user. The new user is able to successfully create a new user. Basic authentication is supposed to be READ.
Tracking information
Code to reproduce issue
Stack trace
Other info / logs
What component(s) does this bug affect?
area/artifacts: Artifact stores and artifact logging
area/build: Build and test infrastructure for MLflow
area/docs: MLflow documentation pages
area/examples: Example code
area/gateway: AI Gateway service, Gateway client APIs, third-party Gateway integrations
area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
area/models: MLmodel format, model serialization/deserialization, flavors
area/recipes: Recipes, Recipe APIs, Recipe configs, Recipe Templates
area/projects: MLproject format, project running backends
area/scoring: MLflow Model server, model deployment tools, Spark UDFs
area/server-infra: MLflow Tracking server backend
area/tracking: Tracking Service, tracking client APIs, autologging
What interface(s) does this bug affect?
area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
area/docker: Docker use across MLflow's components, such as MLflow Projects and MLflow Models
area/sqlalchemy: Use of SQLAlchemy in the Tracking Service or Model Registry
area/windows: Windows support
What language(s) does this bug affect?
language/r: R APIs and clients
language/java: Java APIs and clients
language/new: Proposals for new client languages
What integration(s) does this bug affect?
integrations/azure: Azure and Azure ML integrations
integrations/sagemaker: SageMaker integrations
integrations/databricks: Databricks integrations