[Endpoints] [2/x] Add cryptography implementation for secrets storage #19003
BenWilson2 wants to merge 1 commit into mlflow:master from
Conversation
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Pull request overview
This PR adds a comprehensive cryptography implementation for secure secrets storage in MLflow, including encryption/decryption using envelope encryption (KEK/DEK pattern) and a CLI tool for KEK rotation operations.
Key Changes:
- Implements AES-256-GCM encryption with PBKDF2-derived KEK for secrets management
- Adds envelope encryption pattern where each secret has a unique DEK wrapped by a master KEK
- Provides CLI command mlflow crypto rotate-kek for secure KEK passphrase rotation
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| mlflow/utils/cryptography.py | Core cryptography module implementing KEK management, encryption/decryption functions, key wrapping/unwrapping, and secret masking utilities |
| mlflow/cli/cryptography.py | CLI commands for cryptographic operations including KEK rotation with database transaction support |
| mlflow/cli/__init__.py | Integrates cryptography CLI commands with optional import handling |
| tests/utils/test_cryptography.py | Comprehensive test suite covering encryption, decryption, key rotation, and edge cases |
| tests/cli/test_cryptography.py | CLI-specific tests including rotation workflows, error handling, and user interaction scenarios |
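The envelope pattern the overview describes (a PBKDF2-derived KEK, a per-secret AES-256-GCM DEK wrapped by that KEK, and rotation by re-wrapping the DEKs) in runnable form. This is an added example, not MLflow's code from this PR: the function names, the AAD encoding, the nonce-prefixed blob layout, the PBKDF2 iteration count and the constructed salt and sample values are all assumptions of the example. It needs the cryptography package.

```python
"""Envelope encryption for a secrets store: one DEK per secret, wrapped by a passphrase-derived KEK.

Added example, not MLflow's code. The function names, the AAD encoding, the
nonce || ciphertext layout and the PBKDF2 iteration count are assumptions of
this example. Requires the ``cryptography`` package.
"""
from __future__ import annotations

import hashlib
import json
import os
from dataclasses import dataclass, replace
from typing import Any

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_LEN = 32                  # AES-256 for both KEK and DEK
NONCE_LEN = 12                # 96-bit GCM nonce, fresh for every encryption
PBKDF2_ITERATIONS = 600_000   # assumption; the PR's own parameter is not on the page


@dataclass(frozen=True)
class StoredSecret:
    """What a database row holds: the ciphertext plus the DEK wrapped under KEK `kek_version`."""
    secret_id: str
    secret_name: str
    encrypted_value: bytes   # nonce || AES-GCM(DEK, plaintext, aad)
    wrapped_dek: bytes       # nonce || AES-GCM(KEK, dek, aad)
    kek_version: int


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 turns the server-side passphrase into a 256-bit KEK."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def create_aad(secret_id: str, secret_name: str) -> bytes:
    """Bind the ciphertext to its row. JSON list encoding keeps ("a,b","c") and ("a","b,c") distinct."""
    return json.dumps([secret_id, secret_name], separators=(",", ":")).encode("utf-8")


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    # Raises InvalidTag on a wrong key, tampered bytes or a mismatched AAD.
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], aad)


def encrypt_secret(secret_id: str, secret_name: str, secret_value: str | dict[str, Any],
                   kek: bytes, kek_version: int) -> StoredSecret:
    """Encrypt under a fresh DEK, then wrap that DEK under the current KEK."""
    if not isinstance(secret_value, (str, dict)):
        raise TypeError(f"secret_value must be str or dict, got {type(secret_value).__name__}")
    aad = create_aad(secret_id, secret_name)
    # Always JSON-encode, so a str such as "42" or "null" decrypts as a str, not as int/None.
    plaintext = json.dumps(secret_value).encode("utf-8")
    dek = os.urandom(KEY_LEN)
    return StoredSecret(secret_id, secret_name, _seal(dek, plaintext, aad),
                        _seal(kek, dek, aad), kek_version)


def decrypt_secret(secret: StoredSecret, kek: bytes) -> str | dict[str, Any]:
    """Unwrap the DEK with the KEK, then decrypt the value with the DEK."""
    aad = create_aad(secret.secret_id, secret.secret_name)
    dek = _open(kek, secret.wrapped_dek, aad)
    return json.loads(_open(dek, secret.encrypted_value, aad))


def decrypts_with(secret: StoredSecret, kek: bytes) -> bool:
    """True if `kek` together with the row's id and name authenticates the stored blobs."""
    try:
        decrypt_secret(secret, kek)
        return True
    except InvalidTag:
        return False


def rotate_kek(secrets: list[StoredSecret], old_kek: bytes, new_kek: bytes,
               new_version: int) -> list[StoredSecret]:
    """Re-wrap every DEK under new_kek. Ciphertexts are untouched: one small AEAD op per row.

    Every row is unwrapped before anything is returned, so a wrong old passphrase
    fails on the first row and leaves the caller with no partial rotation to commit.
    """
    rotated = []
    for s in secrets:
        aad = create_aad(s.secret_id, s.secret_name)
        try:
            dek = _open(old_kek, s.wrapped_dek, aad)
        except InvalidTag as e:
            raise ValueError(f"secret {s.secret_id}: wrapped DEK does not open under the old KEK") from e
        rotated.append(replace(s, wrapped_dek=_seal(new_kek, dek, aad), kek_version=new_version))
    return rotated


if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed; a real deployment stores a random salt per KEK version
    kek_v1 = derive_kek("old passphrase", salt)
    kek_v2 = derive_kek("new passphrase", salt)
    row = encrypt_secret("sec-001", "OPENAI_API_KEY", "sk-constructed-example", kek_v1, 1)
    print(decrypt_secret(row, kek_v1))
    print(decrypt_secret(rotate_kek([row], kek_v1, kek_v2, 2)[0], kek_v2))
```

Two choices in the example bear on the review comments on this page: every value is JSON-encoded before encryption, so a string secret like "42" round-trips as a string instead of being reinterpreted by json.loads on the way out, and rotate_kek unwraps every DEK before returning anything, so a wrong old passphrase surfaces on the first row with nothing to commit.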
| @click.group("crypto", help="Commands for managing MLflow's cryptographic passphrase.") | ||
| def commands(): | ||
| """ | ||
| MLflow cryptopgraphic management CLI. Allows for the management of the envelope |
Spelling error: "cryptopgraphic" should be "cryptographic"
| MLflow cryptopgraphic management CLI. Allows for the management of the envelope | |
| MLflow cryptographic management CLI. Allows for the management of the envelope |
| click.echo( | ||
| f"\n✓ Successfully rotated {rotated_count} encryption keys " |
Grammar issue with pluralization: when rotated_count is 1, the message will say "Successfully rotated 1 encryption keys" which is grammatically incorrect. Consider using singular/plural form based on count:
key_word = "key" if rotated_count == 1 else "keys"
click.echo(
f"\n✓ Successfully rotated {rotated_count} encryption {key_word} "
f"from KEK v{old_version} to v{new_version}\n"
)
| click.echo( | |
| f"\n✓ Successfully rotated {rotated_count} encryption keys " | |
| key_word = "key" if rotated_count == 1 else "keys" | |
| click.echo( | |
| f"\n✓ Successfully rotated {rotated_count} encryption {key_word} " |
| # Step 6: Restart server | ||
| $ systemctl start mlflow-server | ||
| """ | ||
| old_passphrase = os.getenv("MLFLOW_CRYPTO_KEK_PASSPHRASE") |
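Review bot: `os.getenv("MLFLOW_CRYPTO_KEK_PASSPHRASE")` returns None when the variable is unset, so `old_passphrase` should be checked right here and the command should exit with a clear message before any database session is opened; otherwise a missing passphrase only surfaces later as a key-derivation or unwrap failure on the first row. Since the docstring's step 6 (`$ systemctl start mlflow-server`) has the operator restart the server afterwards, the docstring could also state outright that the server must be stopped for the whole rotation so no process keeps decrypting with the old passphrase.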
q: we don't define this env var in mlflow.environment_variables because it's not used in the tracking server logic?
It's not used client-side at all (that would be dangerous). This passphrase must only reside server-side :)
| click.echo( | ||
| f"\n✗ Failed to rotate encryption key {secret.secret_id}: {e}", err=True | ||
| ) | ||
| session.rollback() |
Isn't rollback handled by ManagedSessionMaker?
| "No changes were made. Fix the issue and re-run the command." | ||
| ) from e | ||
|
|
||
| session.commit() |
|
|
||
| return result | ||
|
|
||
| if not isinstance(secret_value, str): |
What type falls into this branch? The type hint only expects str or dict.
| return json.loads(plaintext) | ||
| except json.JSONDecodeError: | ||
| return plaintext | ||
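Review bot: the `return json.loads(plaintext)` with a `json.JSONDecodeError` fallback to `return plaintext` changes the type of string secrets that happen to be valid JSON: a value stored as the str "42", "true" or "null" decrypts as an int, a bool or None. Because the encrypt side only special-cases non-str values (the `if not isinstance(secret_value, str)` branch above), the round-trip is not type-preserving. Consider JSON-encoding every value on encrypt and always calling `json.loads` on decrypt, or storing a type marker with the ciphertext, and add a test for a str secret whose content is valid JSON.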
|
|
| new_wrapped_dek = wrap_dek(dek, new_kek) | ||
|
|
||
| return RotatedSecret(encrypted_value=encrypted_value, wrapped_dek=new_wrapped_dek) | ||
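Review bot: `RotatedSecret` carries the original `encrypted_value` unchanged and only a re-wrapped `wrapped_dek` from `wrap_dek(dek, new_kek)`, which is the right shape for KEK rotation (the DEK is re-wrapped, the secret ciphertext is never touched), but the rotation function's docstring should say so explicitly, since the CLI's "rotated N encryption keys" message could lead a reader to expect the secret values themselves to be re-encrypted. It is also worth documenting that the old KEK still unwraps any `wrapped_dek` that survives in backups or un-committed rows, so the old passphrase must be retired only after the transaction commits.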
|
|
| ) | ||
|
|
||
|
|
||
| def decrypt_secret( |
| def decrypt_secret( | |
| def _decrypt_secret( |
| return f"{prefix}...{suffix}" | ||
|
|
||
|
|
||
| def encrypt_secret( |
| def encrypt_secret( | |
| def _encrypt_secret( |
| return aad_str.encode("utf-8") | ||
|
|
||
|
|
||
| def mask_secret_value(secret_value: str | dict[str, Any]) -> str: |
| def mask_secret_value(secret_value: str | dict[str, Any]) -> str: | |
| def _mask_secret_value( |
| ) from e | ||
|
|
||
|
|
||
| def create_aad(secret_id: str, secret_name: str) -> bytes: |
| def create_aad(secret_id: str, secret_name: str) -> bytes: | |
| def _create_aad(secret_id: str, secret_name: str) -> bytes: |
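Review bot: how is the `aad_str` that `create_aad` encodes assembled from `secret_id` and `secret_name`? If the two are joined with a separator that can itself occur in a name, two distinct (id, name) pairs could yield the same AAD; length-prefixing the fields or JSON-encoding the pair avoids that. Because `secret_name` is part of the AAD, renaming a secret also invalidates its ciphertext unless the value is re-encrypted, which deserves a sentence in the docstring and a test.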
| return self._kek_version | ||
|
|
||
|
|
||
| def generate_dek() -> bytes: |
Shall we make this private? Same for other methods not used by other files
| def generate_dek() -> bytes: | |
| def _generate_dek() -> bytes: |
| def _check_cryptography_available(): | ||
| """Check if cryptography is installed and raise helpful error if not.""" | ||
| try: | ||
| import cryptography # noqa: F401 |
Can we use importlib.util.find_spec?
Overall looks great, left some style comments
🥞 Stacked PR
Related Issues/PRs
#xxx
What changes are proposed in this pull request?
Adds the encryption / decryption layer for secrets management for endpoints
How is this PR tested?
Does this PR require documentation update?
Release Notes
Is this a user-facing change?
What component(s), interfaces, languages, and integrations does this PR affect?
Components
- area/tracking: Tracking Service, tracking client APIs, autologging
- area/models: MLmodel format, model serialization/deserialization, flavors
- area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
- area/scoring: MLflow Model server, model deployment tools, Spark UDFs
- area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
- area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
- area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
- area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
- area/projects: MLproject format, project running backends
- area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
- area/build: Build and test infrastructure for MLflow
- area/docs: MLflow documentation pages
How should the PR be classified in the release notes? Choose one:
- rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
- rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
- rn/feature - A new user-facing feature worth mentioning in the release notes
- rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
- rn/documentation - A user-facing documentation change worth mentioning in the release notes
Should this PR be included in the next patch release?
- Yes should be selected for bug fixes, documentation updates, and other small changes.
- No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.
What is a minor/patch release?
Bug fixes, doc updates and new features usually go into minor releases.
Bug fixes and doc updates usually go into patch releases.