Added bucket-ownership checks for Amazon S3

[kingroryg]

🛠 DevTools 🛠

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/18542/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/18542/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/18542/merge

Related Issues/PRs

Fix #18541

What changes are proposed in this pull request?

1. Environment Variable (mlflow/environment_variables.py)
   Added MLFLOW_S3_BUCKET_OWNER environment variable to specify the expected AWS account ID that owns the S3 bucket. This is optional and backward compatible - when not set, the system behaves as before.
2. S3 Artifact Repository (mlflow/store/artifact/s3_artifact_repo.py)
   • Added _bucket_owner attribute initialized from the environment variable
   • Updated all S3 API calls to include ExpectedBucketOwner parameter when configured:
     • upload_file (single file uploads)
     • download_file (file downloads)
     • list_objects_v2 (listing artifacts)
     • delete_objects (deleting artifacts)
     • create_multipart_upload (multipart upload initiation)
     • complete_multipart_upload (multipart upload completion)
     • abort_multipart_upload (multipart upload abortion)
     • generate_presigned_url (presigned URL generation)
3. Optimized S3 Artifact Repository (mlflow/store/artifact/optimized_s3_artifact_repo.py)
   • Applied the same bucket ownership checks to all S3 operations
   • Updated head_bucket, upload_file, download_file, list_objects_v2, delete_objects, multipart upload operations, and presigned URL generation
4. Tests (tests/store/artifact/test_s3_artifact_repo.py)
   • Bucket ownership verification with environment variable set
   • Backward compatibility when environment variable is not set
   • Bucket takeover scenario simulation
   • List artifacts with bucket owner
   • Multipart upload with bucket owner
   • Delete artifacts with bucket owner

How is this PR tested?

• Existing unit/integration tests
• New unit/integration tests
• Manual tests

Does this PR require documentation update?

• [] No. You can skip the rest of this section.
• Yes. I've updated:
  • Examples
  • API references
  • Instructions

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/tracking: Tracking Service, tracking client APIs, autologging
• area/models: MLmodel format, model serialization/deserialization, flavors
• area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
• area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
• area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
• area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
• area/projects: MLproject format, project running backends
• area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• area/build: Build and test infrastructure for MLflow
• area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
• rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
• rn/feature - A new user-facing feature worth mentioning in the release notes
• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
• rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?

• Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
  Bug fixes, doc updates and new features usually go into minor releases.
• Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
  Bug fixes and doc updates usually go into patch releases.

• Yes (this PR will be cherry-picked and included in the next patch release)
• No (this PR will be included in the next minor release)

[github-actions]

@kingroryg Thank you for the contribution! Could you fix the following issue(s)?

⚠ DCO check

The DCO check failed. Please sign off your commit(s) by following the instructions here. See https://github.com/mlflow/mlflow/blob/master/CONTRIBUTING.md#sign-your-work for more details.

[serena-ruan]

Thanks for this fix, looks solid! Could you address comments?

[kingroryg]

@serena-ruan The requested changes have been pushed. Thanks for the prompt review!

[kingroryg]

@serena-ruan Pushed the requested changes. Apologies for being remiss about the imports. Thanks.

[serena-ruan]

LGTM! Thanks for the contribution!! Let's fix the doc format (https://github.com/mlflow/mlflow/actions/runs/18916054315/job/54040568892?pr=18542) and we're good to go!

[kingroryg]

Done, thx! @serena-ruan

[harupy]

/review

[github-actions]

Documentation preview for 5c5b2bb is available at:

• https://pr-18542--mlflow-docs-preview.netlify.app/docs/latest/

Changed Pages (1)

• self-hosting/architecture/artifact-store

More info

• Ignore this comment if this PR does not change the documentation.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by this workflow run.
• The documentation was built by this workflow run.

[kingroryg]

Thanks @harupy. I've pushed all the changes except this: #18542 (comment)

[Copilot]

Pull Request Overview

This PR adds S3 bucket ownership verification to protect against bucket takeover attacks. It introduces a new environment variable MLFLOW_S3_EXPECTED_BUCKET_OWNER that, when set, includes the ExpectedBucketOwner parameter in all S3 API calls to verify that the bucket is owned by the expected AWS account.

Key changes:

• Added MLFLOW_S3_EXPECTED_BUCKET_OWNER environment variable
• Updated S3 artifact repository classes to include bucket owner verification in all S3 operations
• Added comprehensive test coverage for the bucket ownership verification feature

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
mlflow/environment_variables.py	Defines the new MLFLOW_S3_EXPECTED_BUCKET_OWNER environment variable
mlflow/store/artifact/s3_artifact_repo.py	Implements bucket owner verification in S3ArtifactRepository by adding _bucket_owner_params to all S3 API calls
mlflow/store/artifact/optimized_s3_artifact_repo.py	Implements bucket owner verification in OptimizedS3ArtifactRepository by adding _bucket_owner_params to all S3 API calls
tests/store/artifact/test_s3_artifact_repo.py	Adds comprehensive tests for bucket ownership verification including upload, download, list, delete, and multipart upload operations
docs/docs/self-hosting/architecture/artifact-store.mdx	Documents the new bucket ownership verification feature with usage examples and security context

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.