MLflow Authentication Python API

mlflow.server.auth.client

class mlflow.server.auth.client.AuthServiceClient

Bases: object

Client of an MLflow Tracking Server that enabled the default basic authentication plugin. It is recommended to use mlflow.server.get_app_client() to instantiate this class. See https://mlflow.org/docs/latest/auth.html for more information.

add_role_permission(role_id: int, resource_type: str, resource_pattern: str, permission: str) → mlflow.server.auth.entities.RolePermission

assign_role(username: str, role_id: int) → mlflow.server.auth.entities.UserRoleAssignment

create_role(workspace: str, name: str, description: Optional[str] = None) → mlflow.server.auth.entities.Role

create_user(username: str, password: str)

Create a new user.

Parameters

• username – The username.

• password – The user’s password. Must not be empty string.

Raises

mlflow.exceptions.RestException – if the username is already taken.

Returns

A single mlflow.server.auth.entities.User object.

Example

from mlflow.server.auth.client import AuthServiceClient

client = AuthServiceClient("tracking_uri")
user = client.create_user("newuser", "newpassword")
print(f"user_id: {user.id}")
print(f"username: {user.username}")
print(f"password_hash: {user.password_hash}")
print(f"is_admin: {user.is_admin}")

Output

user_id: 3
username: newuser
password_hash: REDACTED
is_admin: False

delete_role(role_id: int) → None

delete_user(username: str)

Delete a specific user.

Parameters

username – The username.

Raises

mlflow.exceptions.RestException – if the user does not exist

Example

export MLFLOW_TRACKING_USERNAME=admin
export MLFLOW_TRACKING_PASSWORD=password

from mlflow.server.auth.client import AuthServiceClient

client = AuthServiceClient("tracking_uri")
client.create_user("newuser", "newpassword")

client.delete_user("newuser")

get_role(role_id: int) → mlflow.server.auth.entities.Role

get_user(username: str)

Get a user with a specific username.

Parameters

username – The username.

Raises

mlflow.exceptions.RestException – if the user does not exist

Returns

A single mlflow.server.auth.entities.User object.

Example

export MLFLOW_TRACKING_USERNAME=admin
export MLFLOW_TRACKING_PASSWORD=password

from mlflow.server.auth.client import AuthServiceClient

client = AuthServiceClient("tracking_uri")
client.create_user("newuser", "newpassword")
user = client.get_user("newuser")

print(f"user_id: {user.id}")
print(f"username: {user.username}")
print(f"password_hash: {user.password_hash}")
print(f"is_admin: {user.is_admin}")

Output

user_id: 3
username: newuser
password_hash: REDACTED
is_admin: False

get_user_permission(username: str, resource_type: str, resource_id: str) → mlflow.server.auth.entities.GetUserPermissionResult

grant_user_permission(username: str, resource_type: str, resource_id: str, permission: str) → None

list_all_roles() → list[mlflow.server.auth.entities.Role]

list_role_permissions(role_id: int) → list[mlflow.server.auth.entities.RolePermission]

list_role_users(role_id: int) → list[mlflow.server.auth.entities.UserRoleAssignment]

list_roles(workspace: str) → list[mlflow.server.auth.entities.Role]

list_user_roles(username: str) → list[mlflow.server.auth.entities.Role]

remove_role_permission(role_permission_id: int) → None

revoke_user_permission(username: str, resource_type: str, resource_id: str) → None

unassign_role(username: str, role_id: int) → None

update_role(role_id: int, name: Optional[str] = None, description: Optional[str] = None) → mlflow.server.auth.entities.Role

update_role_permission(role_permission_id: int, permission: str) → mlflow.server.auth.entities.RolePermission

update_user_admin(username: str, is_admin: bool)

Update the admin status of a specific user.

Parameters

• username – The username.

• is_admin – The new admin status.

Raises

mlflow.exceptions.RestException – if the user does not exist

Example

export MLFLOW_TRACKING_USERNAME=admin
export MLFLOW_TRACKING_PASSWORD=password

from mlflow.server.auth.client import AuthServiceClient

client = AuthServiceClient("tracking_uri")
client.create_user("newuser", "newpassword")

client.update_user_admin("newuser", True)

update_user_password(username: str, password: str, current_password: Optional[str] = None)

Update the password of a specific user.

Parameters

• username – The username.

• password – The new password.

• current_password – The user’s current password. Required when a user is changing their own password (self-service); the server rejects the request otherwise. Admins changing someone else’s password may omit this argument.

Raises

mlflow.exceptions.RestException – if the user does not exist, or if current_password is required and missing or incorrect.

Example

export MLFLOW_TRACKING_USERNAME=admin
export MLFLOW_TRACKING_PASSWORD=password

from mlflow.server.auth.client import AuthServiceClient

client = AuthServiceClient("tracking_uri")
client.create_user("newuser", "newpassword")

# Admin path — no current_password needed.
client.update_user_password("newuser", "anotherpassword")

# Self-service path — current_password required.
client.update_user_password(
    "newuser", "thirdpassword", current_password="anotherpassword"
)

mlflow.server.auth.entities

class mlflow.server.auth.entities.ExperimentPermission(experiment_id, user_id, permission)

Bases: object

property experiment_id

classmethod from_json(dictionary)

property permission

to_json()

property user_id

class mlflow.server.auth.entities.GatewayEndpointPermission(endpoint_id, user_id, permission)

Bases: object

property endpoint_id

classmethod from_json(dictionary)

property permission

to_json()

property user_id

class mlflow.server.auth.entities.GatewayModelDefinitionPermission(model_definition_id, user_id, permission)

Bases: object

classmethod from_json(dictionary)

property model_definition_id

property permission

to_json()

property user_id

class mlflow.server.auth.entities.GatewaySecretPermission(secret_id, user_id, permission)

Bases: object

classmethod from_json(dictionary)

property permission

property secret_id

to_json()

property user_id

class mlflow.server.auth.entities.GetUserPermissionResult(allowed: bool, permission: str)

Bases: object

Response shape for GET /mlflow/users/permissions/get. allowed mirrors Permission.can_use (regular access tier); permission is the resolved effective permission name.

property allowed: bool

classmethod from_json(dictionary)

property permission: str

to_json()

class mlflow.server.auth.entities.RegisteredModelPermission(name, user_id, permission, workspace=None)

Bases: object

classmethod from_json(dictionary)

property name

property permission

to_json()

property user_id

property workspace

class mlflow.server.auth.entities.Role(id_, name, workspace, description=None, permissions=None)

Bases: object

property description

classmethod from_json(dictionary)

property id

property name

property permissions

to_json()

property workspace

class mlflow.server.auth.entities.RolePermission(id_, role_id, resource_type, resource_pattern, permission)

Bases: object

classmethod from_json(dictionary)

property id

property permission

property resource_pattern

property resource_type

property role_id

to_json()

class mlflow.server.auth.entities.ScorerPermission(experiment_id, scorer_name, user_id, permission)

Bases: object

property experiment_id

classmethod from_json(dictionary)

property permission

property scorer_name

to_json()

property user_id

class mlflow.server.auth.entities.User(id_, username, password_hash, is_admin)

Bases: object

classmethod from_json(dictionary)

property id

property is_admin

property password_hash

to_json()

property username

class mlflow.server.auth.entities.UserRoleAssignment(id_, user_id, role_id)

Bases: object

classmethod from_json(dictionary)

property id

property role_id

to_json()

property user_id

class mlflow.server.auth.entities.WorkspacePermission(workspace, user_id, permission)

Bases: object

property can_use

classmethod from_json(dictionary)

property permission

to_json()

property user_id

property workspace