[Endpoints] [8/x] Add credential cache

[BenWilson2]

🥞 Stacked PR

Use this link to review incremental changes.

• stack/endpoints/cache [Files changed]
  • stack/endpoints/litellm [Files changed]
    • stack/endpoints/ui-apis [Files changed]
      • stack/endpoints/ui-create-endpoint [Files changed]
        • stack/endpoints/ui-tabs [Files changed]
          • stack/endpoints/key-management [Files changed]
            • stack/endpoints/passphrase [Files changed]

---

Related Issues/PRs

#xxx

What changes are proposed in this pull request?

Add the credential cache layer to protect the DB against high-volume server requests

How is this PR tested?

• Existing unit/integration tests
• New unit/integration tests
• Manual tests

Does this PR require documentation update?

• No. You can skip the rest of this section.
• Yes. I've updated:
  • Examples
  • API references
  • Instructions

Release Notes

Is this a user-facing change?

• No. You can skip the rest of this section.
• Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

• area/tracking: Tracking Service, tracking client APIs, autologging
• area/models: MLmodel format, model serialization/deserialization, flavors
• area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
• area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
• area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
• area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
• area/projects: MLproject format, project running backends
• area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• area/build: Build and test infrastructure for MLflow
• area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

• rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
• rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
• rn/feature - A new user-facing feature worth mentioning in the release notes
• rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
• rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?

• Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
  Bug fixes, doc updates and new features usually go into minor releases.
• Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
  Bug fixes and doc updates usually go into patch releases.

• Yes (this PR will be cherry-picked and included in the next patch release)
• No (this PR will be included in the next minor release)

[github-actions]

Documentation preview for 5187652 is available at:

• https://pr-19014--mlflow-docs-preview.netlify.app/docs/latest/

More info

• Ignore this comment if this PR does not change the documentation.
• The preview is updated when a new commit is pushed to this PR.
• This comment was created by this workflow run.
• The documentation was built by this workflow run.

[TomeHirata]

nit: can we add "_" prefix for these internal consts?

[TomeHirata]

It is expected for users configure these variables, so technically these variables are not "internal", correct? Then shall we remove "_" from the env var name?

[TomeHirata]

Do we want to invalidate all cached records every time? What is the downside of per-key invalidation?

[BenWilson2]

Mostly complexity. Handling per-record TTL and invalidation only for the mutated key just simply adds complexity for an action that is (hopefully) so infrequent that it doesn't really make sense to add that complexity.

[TomeHirata]

Make sense, let's start with the complete invalidation and then revisit if we hit performance issues

[TomeHirata]

[sorry if I misunderstand the time-bucketed ephemeral encryption flow]
With the current secret derivation I wonder if it's not ensured that secrets in time-bucketed cache are "permanently unrecoverable after a short time window even if an attacker gains access to the base key via a memory dump".
Let's say a secret is stored in the cache at 00:00:00 and ttl_seconds=60, and then attackers dump the memory at 00:05:00. Attackers figure out the base key and encrypted secret strings at 00:10:00. They can compute bucket key by trying the time bucket number one by one (10 -> 9 -> ... -> 0) and find the time bucket key that can decrypt the secrets relatively efficiently:

enc = EphemeralCacheEncryption()
enc._base_key='extracted_base_key'
time_bucket = enc._get_time_bucket()
while (True):
  try:
    secret = enc.decrypt('extracted_encrypted_bytes', time_bucket)
    return secret
  catch Exception:
     time_bucket -= 1

If my statement above is true, probably we should generate a time bucket key in a way that cannot be computed from base_key and time bucket, and then have a separate thread to remove the time bucket secret from memory if it's expired.

[BenWilson2]

This is a good point on the ease of cracking. While we definitely can't make this completely iron-clad (the only way to do this is through hardware-based encryption where the key is generated and decrypted external to memory such that the CPU never receives or processes the decryption), we can make this an order of magnitude harder to crack by using a random value that is purged in a separate process when the TTL triggers.
I'm going to go with that approach and also list out the limitations of what we're doing here (for what it's worth, other OSS implementations use even lower security grades to the time window encryption; going with the random encryption value upgrades this to well beyond anything else that I can find).
The case now is, at worst, with someone who has root access to the tracking server, they could theoretically get cached keys that are present in the cache within the time window iff they find them in the memory dump AND they can figure out which bytearray represents the random decryption key. This now effectively becomes finding the right two needles in a stack of needles (not impossible, but highly implausible that anyone would want to spend weeks going through bytearray permutations to find 2 bytearrays in a sea of bytearrays to satisfy decryption).
This satisfies the defense in depth requirements for Mitre's posting (reference included in the docstrings).

[TomeHirata]

Shouldn't we have a separate thread that continuously clean up the expired bucket keys? Otherwise expired keys stay on memory until encrypt or decrypt is called again (probably not a huge blocker, but just wondered).

[BenWilson2]

Totally - sorry for not including the separate thread on the last push (I forgot to push the stack early last night which had this change included - it's critical to have the timed daemon thread in case the cache isn't hit after n time period (otherwise the cache could stay warm far past the TTL).

[TomeHirata]

nit: If we store up to one bucket key, we can have active_bucket: int and active_bucket_key: bytes separately instead of dict[int, bytes]

[BenWilson2]

great call - I'll create the typed entries since we only have 4 values by design.

[TomeHirata]

Left a suggestion on a potential risky case, otherwise LGTM