Payload filter function for Mantik client to MLflow API communication
Summary
As a Mantik user, I want the MLflow client to respect Mantik's access controls (RBAC and multi-tenancy), such that data security and privacy are ensured.
Acceptance Criteria
- MLflow API payloads for GET/PUT/POST/DELETE requests that manage experiment/run tracking are filtered by the Mantik API to obey Mantik's RBAC and multi-tenancy rules for a given user.
Given I have a Mantik account
When MLflow makes a request to the shadowed MLflow API for managing tracking details
Then the response is filtered/denied based on my role in projects and the privacy status of the project.
Testing
- Integration tests with mocked payload (mantik api)
Given I am a mantik user with a valid token
When I request access to a resource (experiment, run)
And I (do / do not) have mantik permissions to it
Then I (receive / don't receive) the mlflow payload
- Implement above tests for experiments/runs
- Integration tests with mocked payload (mantik api) for list
Given I am a mantik user with a valid token
When I request access to all items of a resource (experiment, run)
And I (do / do not) have mantik permissions to specific resources
Then the payload (contains / doesn't contain) the resource
Additional Notes / Information
RBAC for the mlflow client is already partially implemented for experiments. The logic, however, lies in the Tracking server and will need to be moved to Mantik (implemented in the shadowed endpoints). More permissions might also need to be implemented, such as RUN CRUD actions.
For this to work, the mlflow client has to submit a token to the REST API. Check/make sure that this is the case. If not, the client will have to be forked too and the token sent as a header as part of every request to the tracking server.
Suggested Implementation
- Transfer logic for experiment RBAC from tracking server to Mantik API.
- Implement filtering for runs. Check out the needed run endpoints in the mlflow docs.
/cc @rico.berner
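
A sketch of the payload filter described above, added here as an example and not taken from the Mantik code base. The role names, the `Project` class and the experiment-to-project mapping are assumptions; the payload shapes follow the MLflow REST search responses (`experiments[].experiment_id`, `runs[].info.experiment_id`).

```python
from dataclasses import dataclass, field

# Assumed permission model (not Mantik's schema): role names are hypothetical,
# and every experiment is assumed to belong to exactly one project.
READ_ROLES = {"guest", "member", "owner"}
WRITE_ROLES = {"member", "owner"}


@dataclass
class Project:
    public: bool
    experiment_ids: set
    roles: dict = field(default_factory=dict)  # user -> role


def is_allowed(user, experiment_id, action, projects):
    """action is "read" or "write", not the HTTP verb: MLflow's runs/search
    is a POST but only reads. Unmapped experiments are denied by default."""
    for project in projects:
        if experiment_id in project.experiment_ids:
            role = project.roles.get(user)
            if action == "read":
                return project.public or role in READ_ROLES
            return role in WRITE_ROLES  # any other action needs write rights
    return False


def guard_payload(user, experiment_id, action, payload, projects):
    """Single resource: pass the payload through or deny."""
    if not is_allowed(user, experiment_id, action, projects):
        raise PermissionError(f"{action} denied on experiment {experiment_id}")
    return payload


def filter_list_payload(user, payload, projects):
    """List/search response: drop experiments and runs the user may not read."""
    out = dict(payload)
    if "experiments" in out:
        out["experiments"] = [e for e in out["experiments"]
                              if is_allowed(user, e["experiment_id"], "read", projects)]
    if "runs" in out:
        out["runs"] = [r for r in out["runs"]
                       if is_allowed(user, r["info"]["experiment_id"], "read", projects)]
    return out


# Constructed sample data.
PROJECTS = [Project(public=True, experiment_ids={"1"}),
            Project(public=False, experiment_ids={"2"}, roles={"alice": "member"})]
```

Because items are removed after the tracking server has paginated, a filtered page can hold fewer entries than the client requested.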