Projects, Groups and Roles

Important

This functionality is available only if you enable Projects and Authorization while installing the root stack

Concepts

The notion of Projects is implicit in InfinStor MLflow. Project creation must be followed by calls to the set_tag_groups api for setting group permissions.

REST API

set_tag_groups

URL: https://your_server/api/2.0/mlflow/infinstor/set_tag_groups

Method: POST

Input:

  • key: Tag key name, i.e. projectid
  • value: Take name, i.e. the name of the project
  • groups: Array of group names
  • role: reader, editor or manager

Example:

Input: key=projectid, value=proj1, groups=['mlops-admins', 'superadmins'], role='manager'

In the above example, the groups mlops-admins and superadmins are provided manager permissions for any experiment or model created under the project proj1

get_tag_groups

URL: https://your_server/api/2.0/mlflow/infinstor/get_tag_groups

Method: GET

Input:

  • key: Tag key name, i.e. projectid
  • value: Take name, i.e. the name of the project

Output:

JSON formatted dictionary of mapping from group names to roles.

Example:

Input: key=projectid, value=proj1

Output:
{
  'datascientists': 'editor',
  'mlops-admins': 'manager',
  'interns': 'reader'
}

In the above example, for the project named proj1, the group named datascientists has editor permissions, the group named mlops-admins has manager permissions and the group named interns has reader permissions

remove_tag_group

URL: https://your_server/api/2.0/mlflow/infinstor/remove_tag_group

Method: DELETE

Input:

  • key: Tag key name, i.e. projectid
  • value: Take name, i.e. the name of the project

Example:

Input: key=projectid, value=proj1

In the above example, all group entries for the project named proj1 will be removed

add_experiment_authorization

URL: https://your_server/api/2.0/mlflow/infinstor/add_experiment_authorization

Method: POST

Input:

  • experiment_id: id of experiment
  • principal_type: user|group
  • principal_name: name of user or group
  • role: reader|editor|manager|no-perms

Example 1:

Input: experiment_id=1, principal_type=group, value=interns, role=reader

In the above example, reader permissions for experiment_id 1 are added for the group named interns

Example 2:

Input: experiment_id=1, principal_type=group, value=interns, role=no-perms

In the above example, all permissions for experiment_id 1 are removed for the group named interns

add_model_authorization

URL: https://your_server/api/2.0/mlflow/infinstor/add_model_authorization

Method: POST

Input:

  • name: name of model
  • experiment_id: id of experiment
  • principal_type: user|group
  • principal_name: name of user or group
  • role: reader|editor|manager|no-perms

Example 1:

Input: name=xgboost-model, principal_type=group, value=interns, role=reader

In the above example, reader permissions for model xgboost-model are added for the group named interns

Example 2:

Input: name=xgboost-model, principal_type=group, value=interns, role=no-perms

In the above example, all permissions for model xgboost-model are removed for the group named interns

Sample Code

In the following example, let's say that a user called userxyz is authenticated and creates a project named proj1. Further, the user wants to assign editor permissions to groups group-a and group-b and reader permission to group-c. userxyz must make the following two calls to set_tag_groups

Call 1: Add editor role to group-a and group-b

key: projectid
value: proj1
groups: ['group-a', 'group-b']
role: editor

Call 2: Add reader role to group-c

key: projectid
value: proj1
groups: ['group-c']
role: reader

Note that following the first call that references a project, a permissions entry is added such that the user named userxyz has manager permissions for the project

Python Sample

Here is a sample python script that can perform this REST api call.

import mlflow
import sys
from os import system, remove
from uuid import uuid4
from subprocess import PIPE, Popen
import requests
from requests.exceptions import HTTPError

if (len(sys.argv) < 6):
    print("Usage: set_tag_group hostname token tagname tagvalue groupname role")
    print("Example: set_tag_group hostname token projectid proj1 datascientists editor")
    sys.exit(255)

try:
    url = 'https://' + sys.argv[1] + '/api/2.0/mlflow/infinstor/set_tag_groups'
    print("url=" + url)
    dtp = {'key': sys.argv[3], 'value': sys.argv[4], 'groups': [sys.argv[5]], 'role': sys.argv[6]}
    resp = requests.post(url, headers={'Authorization': 'Bearer ' + sys.argv[2]}, json=dtp)
except HTTPError as http_error:
    print("Http error " + str(http_error))
    sys.exit(255)
except Exception as err:
    print("Non http error " + str(err))
    sys.exit(255)
else:
    print(str(resp))
    rj = resp.json()
    print(str(rj))
sys.exit(0)