-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate Mlflow API request to databricks sdk authentication way and support OAuth #12011
Migrate Mlflow API request to databricks sdk authentication way and support OAuth #12011
Conversation
Documentation preview for 038911c will be available when this CircleCI job More info
|
Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
I like the fallback approaches :) Let's make sure that we test the SDK functionality in serverless and Jobs to make sure that everything is working in those runtime variants. |
raw=True, | ||
**extra_kwargs, | ||
) | ||
return raw_response["contents"]._response |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accessing _response
seems scary. why do we need it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is for getting original requests.Response
object. The reason is, in MLFlow deployment, because we support LLM streaming, it calls requests.Response.iterlines
method, so return the original requests.Response
object avoids modifying MLFlow deployment streaming prediction code.
I checked databricks-sdk code, _response
attribute exists in all versions >= 0.20, we can ask databricks-sdk
team to make it as a public attribute.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
databricks-sdk code, _response attribute exists in all versions >= 0.20
This doesn't mean we can use it. The _
prefix means It's private. Don't touch it
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wait do we need to use databricks_workspace_client.api_client
for oauth to work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
databricks_workspace_client.api_client
is not the only way, however, it should be the simplest way.
I saw sql team set up oauth by writing some code by themselves: https://github.com/databricks/databricks-sql-python/blob/main/src/databricks/sql/auth/authenticators.py but this way we have to maintain more code and it is error-prone.
On the other hand, databricks-sdk supports many other authentication ways besides OAuth, if we can make mlflow authentication using databricks-sdk, the other authentication ways we don't need extra effort to support.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. databricks-sdk design goal is to automatically pick optimal value for these configs
can you elaborate on "automatically"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to check databricks-sdk source code for details and then get back to you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
databricks-sdk
exposes a config retry_timeout_seconds
, official doc:
(Integer) Number of seconds to keep retrying HTTP requests. Default is 300 (5 minutes). (from https://github.com/databricks/databricks-sdk-py)
For other HTTP controlling params, they are not exposed, internally, the logic for retry backoff is somewhat coarse. Retryable errors are defined in ApiClient._is_retriable , and the retry respects the Retry-After header if present in a 429 or 503 response. The backoff is linear, starting at 1 second and increasing by 1 second up to 10 seconds. Jitter of between 0-1 second is added for each retry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Proposal:
Add a environmental var config DATABRICKS_ENDPOINT_HTTP_RETRY_TIMEOUT_SECONDS
, for databricks endpoint (which requests are invoked by databricks-sdk)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Config DATABRICKS_ENDPOINT_HTTP_RETRY_TIMEOUT_SECONDS
was added.
Does this Ray import |
Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
can you elaborate on this? |
oh, it means you can't get credential token value by invoking Databricks-SDK API. i.e., Databricks-SDK doesn't provide API to expose credential token , because its design goal is to support various authentication ways and hide internal details. |
|
||
insecure = hasattr(config, "insecure") and config.insecure | ||
from databricks.sdk import WorkspaceClient |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our test requirements specify version 0.20.0, which is only installed in 15.x runtime, and this SDK was introduced into DBR in 13.x (with version 0.1.6).
Older runtimes will exhibit a breaking change here with authentication in runtime if a user installs MLflow 2.14.0.
Can we wrap this import in a try catch and if the import fails, utilize the fallback logic that is preserved here?
Please test an install of this branch on both MLR 10LTS and 13LTS to ensure that auth functions correctly for:
- databricks-sdk is not in the runtime environment
- databricks-sdk < version 0.20.0
To verify that fallback logic for these older runtimes functions without any breaking changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(The main condition that I'd like to verify is if databricks-sdk being upgraded to 0.20.0 in these older runtimes causes any issues, since installing MLflow will force upgrade or simply install the package). I'm not sure if the runtime environment exposes everything needed to make the SDK function correctly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Confirmed:
(1) when installing MLflow or MLflow skinny , the databricks-sdk >= 0.20 is forcily installed dependency. So it wouldn't cause importing error.
(2) I tested in databricks runtime 9.3 / 10.3 / 13.3 , databricks-sdk >= 0.20 is compatible with them. sdk team will ensure compatibility for runtime versions in lifecycle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM once #12011 (comment) is addressed / confirmed. Thanks @WeichenXu123 !!
9de139b
to
038911c
Compare
@@ -29,6 +29,8 @@ dependencies = [ | |||
"cachetools<6,>=5.0.0", | |||
"click<9,>=7.0", | |||
"cloudpickle<4", | |||
"databricks-sdk<1,>=0.20.0", | |||
"databricks-sdk<1,>=0.20.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
duplicate dependencies
@WeichenXu123 is this intended?
ws_client = WorkspaceClient(profile=host_creds.databricks_auth_profile, config=config) | ||
|
||
try: | ||
if method == "GET": |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should remove this if statement. params
is valid for POST as well
**extra_kwargs, | ||
) | ||
return raw_response["contents"]._response | ||
except DatabricksError as e: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does DatabricksError contain raw request and response?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't .
@@ -36,7 +36,7 @@ jobs: | |||
run: | | |||
pip install --no-dependencies tests/resources/mlflow-test-plugin | |||
pip install .[gateway] \ | |||
pytest pytest-timeout pytest-asyncio httpx psutil sentence-transformers transformers | |||
pytest pytest-timeout pytest-asyncio httpx psutil sentence-transformers transformers databricks-sdk |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this still necessary?
@@ -29,6 +29,8 @@ dependencies = [ | |||
"cachetools<6,>=5.0.0", | |||
"click<9,>=7.0", | |||
"cloudpickle<4", | |||
"databricks-sdk<1,>=0.20.0", | |||
"databricks-sdk<1,>=0.20.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why >= 0.20.0?
🛠 DevTools 🛠
Install mlflow from this PR
Checkout with GitHub CLI
Related Issues/PRs
#xxxWhat changes are proposed in this pull request?
get_databricks_env_vars
andMlflowCredentialContext
requires reading token value, I also keep relevant code of reading credential tokens, and made some refactoring. Note thatget_databricks_env_vars
has been used in some customer code such as Ray-on-Spark to set up MLflow authentication in remote Ray tasks, so we still need to support it.Note that ecause of (2) and (3), in current stage we still have to keep some of legacy databricks-cli python module code.
How is this PR tested?
Manual test with OAuth
a): Set 3 environmental variables: DATABRICKS_HOST + DATABRICKS_CLIENT_ID + DATABRICKS_CLIENT_SECRET
b): Edit
~/.databrickscfg
file, adding a section for specific profile like:In MLflow application (assuming you are running it in your local machine and it needs to log data to databricks shard), you need to set mlflow tracking URI to either
"databricks"
or"databricks://<your-profile-name>"
, if no profile name in tracking URI,DEFAULT
profile is used when reading~/.databrickscfg
file.then you can run MLflow testing code like:
Does this PR require documentation update?
Release Notes
Is this a user-facing change?
What component(s), interfaces, languages, and integrations does this PR affect?
Components
area/artifacts
: Artifact stores and artifact loggingarea/build
: Build and test infrastructure for MLflowarea/deployments
: MLflow Deployments client APIs, server, and third-party Deployments integrationsarea/docs
: MLflow documentation pagesarea/examples
: Example codearea/model-registry
: Model Registry service, APIs, and the fluent client calls for Model Registryarea/models
: MLmodel format, model serialization/deserialization, flavorsarea/recipes
: Recipes, Recipe APIs, Recipe configs, Recipe Templatesarea/projects
: MLproject format, project running backendsarea/scoring
: MLflow Model server, model deployment tools, Spark UDFsarea/server-infra
: MLflow Tracking server backendarea/tracking
: Tracking Service, tracking client APIs, autologgingInterface
area/uiux
: Front-end, user experience, plotting, JavaScript, JavaScript dev serverarea/docker
: Docker use across MLflow's components, such as MLflow Projects and MLflow Modelsarea/sqlalchemy
: Use of SQLAlchemy in the Tracking Service or Model Registryarea/windows
: Windows supportLanguage
language/r
: R APIs and clientslanguage/java
: Java APIs and clientslanguage/new
: Proposals for new client languagesIntegrations
integrations/azure
: Azure and Azure ML integrationsintegrations/sagemaker
: SageMaker integrationsintegrations/databricks
: Databricks integrationsHow should the PR be classified in the release notes? Choose one:
rn/none
- No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" sectionrn/breaking-change
- The PR will be mentioned in the "Breaking Changes" sectionrn/feature
- A new user-facing feature worth mentioning in the release notesrn/bug-fix
- A user-facing bug fix worth mentioning in the release notesrn/documentation
- A user-facing documentation change worth mentioning in the release notesShould this PR be included in the next patch release?
Yes
should be selected for bug fixes, documentation updates, and other small changes.No
should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.What is a minor/patch release?
Bug fixes, doc updates and new features usually go into minor releases.
Bug fixes and doc updates usually go into patch releases.