Add default passphrase support #19360

Merged
BenWilson2 merged 3 commits into mlflow:master from BenWilson2:default-passphrase
Dec 15, 2025

@BenWilson2 BenWilson2 commented Dec 12, 2025

🛠 DevTools 🛠

Open in GitHub Codespaces

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19360/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/19360/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/19360/merge

Related Issues/PRs

#xxx

What changes are proposed in this pull request?

This PR adds a default KEK (Key Encryption Key) passphrase for the gateway secrets feature and exposes this information via an ajax server-side-only API endpoint so the frontend can warn users when they're using the default passphrase.
This allows for a non-disruptive getting started scenario or for a single-user to utilize AI Gateway if high security is not a major concern. The addition of the flag to the endpoint will be used for notifications in the UI (fetched during main landing page load).

GET /ajax-api/3.0/mlflow/secrets/config

  {
    "secrets_available": true/false,
    "using_default_passphrase": true|false
  }

How is this PR tested?

  • Existing unit/integration tests
  • New unit/integration tests
  • Manual tests

Does this PR require documentation update?

  • No. You can skip the rest of this section.
  • Yes. I've updated:
    • Examples
    • API references
    • Instructions

Release Notes

Is this a user-facing change?

  • No. You can skip the rest of this section.
  • Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

  • area/tracking: Tracking Service, tracking client APIs, autologging
  • area/models: MLmodel format, model serialization/deserialization, flavors
  • area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
  • area/scoring: MLflow Model server, model deployment tools, Spark UDFs
  • area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
  • area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
  • area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
  • area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
  • area/projects: MLproject format, project running backends
  • area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
  • area/build: Build and test infrastructure for MLflow
  • area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

  • rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
  • rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
  • rn/feature - A new user-facing feature worth mentioning in the release notes
  • rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
  • rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?
  • Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
    Bug fixes, doc updates and new features usually go into minor releases.
  • Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
    Bug fixes and doc updates usually go into patch releases.
  • Yes (this PR will be cherry-picked and included in the next patch release)
  • No (this PR will be included in the next minor release)

Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Copilot AI review requested due to automatic review settings December 12, 2025 21:17
@github-actions github-actions bot added labels on Dec 12, 2025: v3.7.1; area/tracking (Tracking service, tracking client APIs, autologging); rn/feature (Mention under Features in Changelogs.)
Contributor

Copilot AI left a comment

Pull request overview

This PR adds default KEK (Key Encryption Key) passphrase support for the MLflow gateway secrets feature, enabling a non-disruptive getting started experience for development and single-user scenarios. The default passphrase is automatically used when MLFLOW_CRYPTO_KEK_PASSPHRASE is not set, and a new API endpoint exposes whether the server is using the default passphrase to allow the UI to display appropriate warnings.

Key changes:

  • Introduces a default passphrase constant for development/testing environments with comprehensive security warnings
  • Adds a using_default_passphrase property to KEKManager to track passphrase source
  • Exposes passphrase status via new /ajax-api/3.0/mlflow/secrets/config endpoint returning JSON with secrets_available and using_default_passphrase flags

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| mlflow/utils/crypto.py | Implements default passphrase fallback in KEKManager, adds using_default_passphrase property, and improves decryption error messages to help users diagnose passphrase mismatches |
| mlflow/server/handlers.py | Adds new _get_secrets_config endpoint handler and registers it in gateway endpoints list |
| tests/utils/test_crypto.py | Updates tests to verify default passphrase behavior instead of expecting exceptions, adds test for custom passphrase flag |
| tests/tracking/test_rest_tracking.py | Adds integration tests for the new secrets config endpoint covering both custom and default passphrase scenarios |

@github-actions
Contributor

github-actions bot commented Dec 12, 2025

Documentation preview for d626d6e is available at:

More info
  • Ignore this comment if this PR does not change the documentation.
  • The preview is updated when a new commit is pushed to this PR.
  • This comment was created by this workflow run.
  • The documentation was built by this workflow run.

passphrase = DEFAULT_KEK_PASSPHRASE
_logger.warning(
"MLFLOW_CRYPTO_KEK_PASSPHRASE not set. Using default passphrase for "
"secrets encryption. This is acceptable for development/testing but "
Collaborator

@TomeHirata TomeHirata Dec 15, 2025

Shall we explicitly tell what kind of case is risky? Here I think development/testing refers to localhost tracking server and production refers to remote tracking server (or tracking server with public hostname), correct? Even for users who share a remote tracking server among multiple team members for agent development, we want them to set MLFLOW_CRYPTO_KEK_PASSPHRASE.

Member Author

Great call out! I'll add additional details to specify where this is a security flaw and where it doesn't really matter.



def test_get_secrets_config_with_custom_passphrase(mlflow_client_with_secrets):
import requests
Collaborator

requests is imported on the top of this file

Comment on lines +4684 to +4692
import requests

from mlflow.server import handlers
from mlflow.server.fastapi_app import app
from mlflow.server.handlers import initialize_backend_stores
from mlflow.store.tracking.sqlalchemy_store import SqlAlchemyStore

from tests.tracking.integration_test_utils import ServerThread, get_safe_port

Collaborator

can we import packages on the module level where possible?

Collaborator

@TomeHirata TomeHirata left a comment

Overall looks good to me, left some comments on warning message and test style

BenWilson2 and others added 2 commits December 15, 2025 11:36
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Signed-off-by: Ben Wilson <39283302+BenWilson2@users.noreply.github.com>
@BenWilson2
Member Author

GenAI test failure is being addressed in #19407; windows failure is unrelated.

@BenWilson2 BenWilson2 merged commit 43d8f6e into mlflow:master Dec 15, 2025
45 of 49 checks passed
@BenWilson2 BenWilson2 deleted the default-passphrase branch December 15, 2025 18:02
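
The check below is an added example, not code from this PR or from MLflow: it grades a tracking server from the `/ajax-api/3.0/mlflow/secrets/config` response described in the PR, so an operator can catch the default passphrase without relying on the UI banner. The function names, sample hostnames, the unauthenticated GET, and the policy (default passphrase is a warning on loopback and a failure on any other host, following the review discussion) are assumptions.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import urlparse

# Endpoint path and field names are the ones given in the PR description.
CONFIG_PATH = "/ajax-api/3.0/mlflow/secrets/config"


def is_loopback(base_url: str) -> bool:
    """True for localhost or a loopback IP; any other DNS name counts as remote."""
    host = urlparse(base_url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def assess(base_url: str, config: dict) -> str:
    """Grade one server: 'ok', 'warn', 'fail', or 'unknown' for a malformed reply."""
    flags = [config.get("secrets_available"), config.get("using_default_passphrase")]
    if not all(isinstance(f, bool) for f in flags):
        return "unknown"  # do not treat a missing or non-boolean flag as safe
    if not config["using_default_passphrase"]:
        return "ok"
    # Assumed policy: the default KEK passphrase is tolerable only on a local server.
    return "warn" if is_loopback(base_url) else "fail"


def fetch_config(base_url: str, timeout: float = 5.0) -> dict:
    """GET the config from a live server (assumes no auth is required)."""
    url = base_url.rstrip("/") + CONFIG_PATH
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample responses, so the demo runs without a server.
    default_on = {"secrets_available": True, "using_default_passphrase": True}
    custom = {"secrets_available": True, "using_default_passphrase": False}
    samples = {
        "http://127.0.0.1:5000": default_on,
        "https://mlflow.example.internal": default_on,
        "https://mlflow.example.org": custom,
    }
    for url, cfg in samples.items():
        print(f"{assess(url, cfg):7} {url}")
```

Against a live server, pass the result of `fetch_config(url)` to `assess(url, ...)` and alert on anything other than `ok`.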
WeichenXu123 pushed a commit to WeichenXu123/mlflow that referenced this pull request Dec 19, 2025
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Signed-off-by: Ben Wilson <39283302+BenWilson2@users.noreply.github.com>
WeichenXu123 pushed a commit that referenced this pull request Dec 19, 2025
Signed-off-by: Ben Wilson <benjamin.wilson@databricks.com>
Signed-off-by: Ben Wilson <39283302+BenWilson2@users.noreply.github.com>
Labels

area/tracking Tracking service, tracking client APIs, autologging rn/feature Mention under Features in Changelogs. v3.7.1
