[Endpoints] [7/x] Add rest store implementation

[BenWilson2]

🥞 Stacked PR

Use this link to review incremental changes.

• stack/endpoints/rest-2 [Files changed]
  • stack/endpoints/cache [Files changed]
    • stack/endpoints/litellm [Files changed]
      • stack/endpoints/ui-apis [Files changed]
        • stack/endpoints/ui-create-endpoint [Files changed]
          • stack/endpoints/ui-tabs [Files changed]
            • stack/endpoints/key-management [Files changed]
              • stack/endpoints/passphrase [Files changed]

---

Related Issues/PRs

#xxx

What changes are proposed in this pull request?

Adds the rest store implementation and e2e backend tests

How is this PR tested?

• Existing unit/integration tests
• New unit/integration tests
• Manual tests

Does this PR require documentation update?

• No. You can skip the rest of this section.
• Yes. I've updated:
  • Examples
  • API references
  • Instructions

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/tracking: Tracking Service, tracking client APIs, autologging
• area/models: MLmodel format, model serialization/deserialization, flavors
• area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
• area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
• area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
• area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
• area/projects: MLproject format, project running backends
• area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• area/build: Build and test infrastructure for MLflow
• area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
• rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
• rn/feature - A new user-facing feature worth mentioning in the release notes
• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
• rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?

• Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
  Bug fixes, doc updates and new features usually go into minor releases.
• Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
  Bug fixes and doc updates usually go into patch releases.

• Yes (this PR will be cherry-picked and included in the next patch release)
• No (this PR will be included in the next minor release)

[github-actions]

Documentation preview for 03c364d is available at:

• https://pr-19008--mlflow-docs-preview.netlify.app/docs/latest/

More info

• Ignore this comment if this PR does not change the documentation.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by this workflow run.
• The documentation was built by this workflow run.

[TomeHirata]

Since AbstractStore inherits GatewayStoreMixin, RestGatewayStoreMixin needs to be passed first, correct? Depending on the order of parent classes seems risky, can we add a comment for the future reminder?

[TomeHirata]

Should we implement get_resource_endpoint_configs as well?

[BenWilson2]

Ah, we can't create any REST endpoints for that API (that would allow any user to get any decrypted key). In order to make sure that we don't ever accidentally add that as a feature, I removed this API from the standard store mixins and put it in store/tracking/gateway with some NB notes and guidance about how dangerous use of this API outside of the tracking server is.

[TomeHirata]

Understood, where did you make the change to remove get_resource_endpoint_configs from the general store mixin?

[BenWilson2]

Ah it was for the feedback in sql-store that @B-Step62 mentioned... it's the right call to separate this out for future dev security.

[TomeHirata]

Shall we add proto for get_resource_endpoint_configs?

[BenWilson2]

^ same answer as preceding question

[TomeHirata]

Do we need else branch? We only expect GatewayResourceType in this field.

[TomeHirata]

LGTM

[B-Step62]

These assertion logic seems to print the value directly in the error message. Even if it does not, these are pretty generic utils so we can accidentally add display logic. Should we have a special validation logic to avoid the risk of such leakage?

Also worth checking the other general logic like message_to_json does not expose unencrypted values to the rest error or the server logs.

[BenWilson2]

Good catch - we need a separate validation handler that is only used for the APIs interfacing with plaintext API Keys to guard against any potential future log leakage. Updated

[B-Step62]

Is secret value required? Shall we allow users to update auth config only?

[BenWilson2]

Good idea - this definitely makes the 4 providers that have complex configs a bit more flexible. We can handle single-key missing value entries guarded in the UI (do not allow editing a key that only has API KEY to set an empty string).

[B-Step62]

Shouldn't this be float?

[BenWilson2]

yep - missed updating that!