Files
2026-07-13 13:22:34 +08:00

80 lines
3.8 KiB
Python

"""
Constants used for internal server-to-worker communication.
These are internal environment variables (prefixed with _MLFLOW_SERVER_) used for
communication between the MLflow CLI and forked server processes (gunicorn/uvicorn workers).
They are set by the server and read by workers, and should not be set by end users.
"""
# Backend store configuration
# URI for the backend store (e.g., sqlite:///mlflow.db, postgresql://..., mysql://...)
BACKEND_STORE_URI_ENV_VAR = "_MLFLOW_SERVER_FILE_STORE"
# URI for a read-only backend store (e.g., a database read replica) used for read operations
READ_REPLICA_BACKEND_STORE_URI_ENV_VAR = "_MLFLOW_SERVER_READ_REPLICA_BACKEND_STORE"
# URI for the model registry store (defaults to same as backend store if not specified)
REGISTRY_STORE_URI_ENV_VAR = "_MLFLOW_SERVER_REGISTRY_STORE"
# Default root directory for storing run artifacts when not explicitly specified
ARTIFACT_ROOT_ENV_VAR = "_MLFLOW_SERVER_ARTIFACT_ROOT"
# Destination for proxied artifact storage operations (used with --serve-artifacts)
ARTIFACTS_DESTINATION_ENV_VAR = "_MLFLOW_SERVER_ARTIFACT_DESTINATION"
# Server features
# Whether the server should act as an artifact proxy (enabled via --serve-artifacts)
SERVE_ARTIFACTS_ENV_VAR = "_MLFLOW_SERVER_SERVE_ARTIFACTS"
# Whether to run in artifacts-only mode (no tracking server, only artifact proxy)
ARTIFACTS_ONLY_ENV_VAR = "_MLFLOW_SERVER_ARTIFACTS_ONLY"
# Flask session secret key for signing cookies and sessions
# (user-configurable via MLFLOW_FLASK_SERVER_SECRET_KEY)
FLASK_SERVER_SECRET_KEY_ENV_VAR = "MLFLOW_FLASK_SERVER_SECRET_KEY"
# Monitoring
# Directory for Prometheus multiprocess metrics collection (enabled via --expose-prometheus)
PROMETHEUS_EXPORTER_ENV_VAR = "prometheus_multiproc_dir"
# Job execution
# Directory path for Huey SQLite task queue storage (used by job execution backend)
HUEY_STORAGE_PATH_ENV_VAR = "_MLFLOW_HUEY_STORAGE_PATH"
# Unique key identifying which Huey instance to use (typically the job function fullname)
MLFLOW_HUEY_INSTANCE_KEY = "_MLFLOW_HUEY_INSTANCE_KEY"
# Timestamp (milliseconds since epoch) captured in the parent process before launching the job
# runner subprocess, used to avoid re-enqueuing jobs created after the server started.
MLFLOW_SERVER_UP_TIME = "_MLFLOW_SERVER_UP_TIME"
# Secrets management - KEK (Key Encryption Key) environment variables
# NOTE: These are duplicated in mlflow/utils/crypto.py for skinny client compatibility.
# The canonical definitions are in mlflow/utils/crypto.py to avoid Flask import dependency.
# These are kept here for documentation and backwards compatibility with server-side code.
#
# SECURITY: Server-admin-only credential. NEVER pass via CLI (visible in ps/logs).
# Set via environment variable or .env file. Users do NOT need this - only server admins.
# Must be high-entropy (32+ characters) from a secrets manager.
#
# KEK Rotation Workflow (for changing the passphrase):
# 1. Shut down the MLflow server
# 2. Set MLFLOW_CRYPTO_KEK_PASSPHRASE to the OLD passphrase
# 3. Run: mlflow crypto rotate-kek --new-passphrase "NEW_PASSPHRASE"
# 4. Update MLFLOW_CRYPTO_KEK_PASSPHRASE to NEW passphrase in deployment config
# 5. Restart the MLflow server
#
# The rotation is atomic and idempotent - safe to re-run if it fails.
CRYPTO_KEK_PASSPHRASE_ENV_VAR = "MLFLOW_CRYPTO_KEK_PASSPHRASE"
# KEK version for tracking which KEK encrypted each secret (default 1).
# Automatically tracked during rotation. See `mlflow crypto rotate-kek` for rotation workflow.
CRYPTO_KEK_VERSION_ENV_VAR = "MLFLOW_CRYPTO_KEK_VERSION"
# Secrets cache configuration
# Time-to-live for server-side secrets cache in seconds (10-300s range, default 60s)
SECRETS_CACHE_TTL_ENV_VAR = "MLFLOW_SERVER_SECRETS_CACHE_TTL"
# Maximum number of entries in server-side secrets cache (default 1000 entries)
SECRETS_CACHE_MAX_SIZE_ENV_VAR = "MLFLOW_SERVER_SECRETS_CACHE_MAX_SIZE"