Skip to content

1. InfinStor Authentication Flow

The InfinStor Service authentication system uses Amazon Cognito. This single sign on is used for authentication to

  • InfinStor Service Dashboard, available at https://service.infinstor.com for the SaaS service or https://service.<domain_for_infinstor_service> for your private hosted service
  • The InfinStor MLFlow UI available at https://mlflowui.infinstor.com for the SaaS service or https://mlflowui.<domain_for_infinstor_service> for your private hosted service
  • and Mlflow CLI

1.1. Generation of a token file

The token received from Cognito user authentication is usually stored in the file ~/.infinstor/token but can also be stored elsewhere. See section Place of the token file below for details. This token file is created by one of the methods below

1.1.1. Service Dashboard

The InfinStor Service Dashboard is available at https://service.infinstor.com for the SaaS service or https://service.<domain_for_infinstor_service> for your private hosted service.

Click on Configuration -> Manage Token in the sidebar and click on 'Create Token File'. A new tab will open in your browser and you will be required to login again. A file named token will be created and downloaded after you log in. Copy this file to the subdirectory .infinstor in your home directory (this has been tested with Windows, MacOS and Linux).

1.1.2. Command Line Login

  1. Install infinstor-mlflow-plugin as described here
  2. Configure your MLFLOW_TRACKING_URI using the steps described above.
  3. login_infinstor
    • This will prompt for your credentials and will automatically create the tokenfile in ~/.infinstor/token if authentiation is successful

1.1.3. API based login

A programmatic/API based login can be performed by invoking the login() API of infinstor-mlflow-plugin. Install infinstor-mlflow-plugin as described here.

Shown below is the sample code to perform a login using INFINSTOR_REFRESH_TOKEN method (which determines where the created token file is stored). For other available methods for placing the token file, see the section Placement of the token file below

Assign the right values for the following variables in the code below, and then run it.

  • mlflow_tracking_uri variable with your MLFLOW_TRACKING_URI
  • username variable with the username for which the token needs to be generated.
  • password variable with the password for the username
import pytest
import os
import infinstor_mlflow_plugin.login
import infinstor_mlflow_plugin.tokenfile
import logging

logging.basicConfig(level=logging.INFO, format="%(asctime)s - %(process)d - %(name)s - %(levelname)s - %(message)s", datefmt="%m/%d/%y %H:%M:%S %Z", force=True)
logger:logging.Logger = logging.getLogger(__name__)

mlflow_tracking_uri:str='<your_mlflow_tracking_uri>'
username:str='<your_username>'
password:str='<password>'

# for logging in using this mode, set them to empty values.  With these set, the token file is not written to disk but to an in-memory file.
os.environ['INFINSTOR_COGNITO_CLIENTD'] = ''
os.environ['INFINSTOR_REFRESH_TOKEN'] = ''
os.environ['MLFLOW_TRACKING_URI'] = mlflow_tracking_uri

# perform a login
cognito_client_id:str; refresh_token:str
cognito_client_id, refresh_token = infinstor_mlflow_plugin.login.login(username, password)
logger.info(f"Login complete: cognito_client_id={cognito_client_id}; refresh_token={refresh_token}\n")

# now dump the contents of the in-memory token file
access_token:str; refresh_token:str; token_time:int; client_id:str; service:str; token_type:str; id_token:str
access_token, refresh_token, token_time, client_id, service, token_type, id_token = infinstor_mlflow_plugin.tokenfile.read_token_file()
logger.info(f"Dumping token file details: \naccess_token={access_token}\n\nrefresh_token={refresh_token}\n\ntoken_time={token_time}\nclient_id={client_id}\nservice={service}\ntoken_type={token_type}\nid_token={id_token}\n")

1.2. Placement of the token file

1.2.1. Token file in ~/.infinstor/token

The token file generated using the steps above can be placed in ~/.infinstor/token.

Note that the cli login and API based login procedures above will place the token in ~/.infinstor/token, if the environment variables specified in the sections below are not set.

1.2.2. Token in INFINSTOR_REFRESH_TOKEN and INFINSTOR_COGNITO_CLIENTID environment variables

The token generated using the steps above , can be stored in the environment variables below, instead of placing it in ~/.infinstor/token file

  • INFINSTOR_REFRESH_TOKEN
  • INFINSTOR_COGNITO_CLIENTID

infinstor-mlflow-plugin uses the above environment variables to authenticate with the infinstor mlflow server. This is an alternative to placing the token file in ~/.infinstor/token

1.2.3. Token file in a directory specified by INFINSTOR_TOKEN_FILE_DIR environment variable

The token file generated using the steps above can be placed in an alternate directory, instead of ~/.infinstor. This alternate directory can be specified using the environment variable INFINSTOR_TOKEN_FILE_DIR.

infinstor-mlflow-plugin will use this alternate directory to read the token file from and use this token to authenticate with the infinstor mlflow server.

1.3. Use Infinstor MLFlow server

See Infinstor MLFlow Quickstart for steps to use the Infinstor MLFlow Server