yocto-gl icon indicating copy to clipboard operation
yocto-gl copied to clipboard

Published 20 hours ago verified publisher icon xelatihy

Fix: Privilege Escalation in MLflow when using spark_udf

Open WeichenXu123 opened this issue 1 year ago • 2 comments

🛠 DevTools 🛠

Open in GitHub Codespaces

Install mlflow from this PR

pip install git+https://github.com/mlflow/mlflow.git@refs/pull/10874/merge

Checkout with GitHub CLI

gh pr checkout 10874

Related Issues/PRs

#xxx

https://github.com/mlflow/mlflow/issues/10869

What changes are proposed in this pull request?

Fix Privilege Escalation in MLflow when using spark_udf

How is this PR tested?

  • [x] Existing unit/integration tests
  • [ ] New unit/integration tests
  • [ ] Manual tests

Does this PR require documentation update?

  • [x] No. You can skip the rest of this section.
  • [ ] Yes. I've updated:
    • [ ] Examples
    • [ ] API references
    • [ ] Instructions

Release Notes

Is this a user-facing change?

  • [x] No. You can skip the rest of this section.
  • [ ] Yes. Give a description of this change to be included in the release notes for MLflow users.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

  • [ ] area/artifacts: Artifact stores and artifact logging
  • [ ] area/build: Build and test infrastructure for MLflow
  • [ ] area/deployments: MLflow Deployments client APIs, server, and third-party Deployments integrations
  • [ ] area/docs: MLflow documentation pages
  • [ ] area/examples: Example code
  • [ ] area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
  • [ ] area/models: MLmodel format, model serialization/deserialization, flavors
  • [ ] area/recipes: Recipes, Recipe APIs, Recipe configs, Recipe Templates
  • [ ] area/projects: MLproject format, project running backends
  • [x] area/scoring: MLflow Model server, model deployment tools, Spark UDFs
  • [ ] area/server-infra: MLflow Tracking server backend
  • [ ] area/tracking: Tracking Service, tracking client APIs, autologging

Interface

  • [ ] area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
  • [ ] area/docker: Docker use across MLflow's components, such as MLflow Projects and MLflow Models
  • [ ] area/sqlalchemy: Use of SQLAlchemy in the Tracking Service or Model Registry
  • [ ] area/windows: Windows support

Language

  • [ ] language/r: R APIs and clients
  • [ ] language/java: Java APIs and clients
  • [ ] language/new: Proposals for new client languages

Integrations

  • [ ] integrations/azure: Azure and Azure ML integrations
  • [ ] integrations/sagemaker: SageMaker integrations
  • [ ] integrations/databricks: Databricks integrations

How should the PR be classified in the release notes? Choose one:

  • [x] rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
  • [ ] rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
  • [ ] rn/feature - A new user-facing feature worth mentioning in the release notes
  • [ ] rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
  • [ ] rn/documentation - A user-facing documentation change worth mentioning in the release notes

WeichenXu123 avatar Jan 23 '24 07:01 WeichenXu123

Documentation preview for 001cc178a1442b488da41853c497adc5285a284d will be available when this CircleCI job completes successfully.

More info
  • Ignore this comment if this PR does not change the documentation.
  • It takes a few minutes for the preview to be available.
  • The preview is updated when a new commit is pushed to this PR.
  • This comment was created by https://github.com/mlflow/mlflow/actions/runs/10057979898.

github-actions[bot] avatar Jan 23 '24 07:01 github-actions[bot]

I remember previously we have permission issue on databricks NFS which also relates to this directory permission setting, Let me test this on databricks NFS too.

WeichenXu123 avatar Jan 25 '24 12:01 WeichenXu123

Hey there! Is there a reason that this is not merged yet? We would appreciate this issue being fixed since it is listed as a critical vulnerability.

efabgp avatar May 28 '24 17:05 efabgp

@serena-ruan Are there additional steps that need to be done in order for this to be merged? It's been half a year.

WilliamRoyNelson avatar Jul 19 '24 17:07 WilliamRoyNelson

@serena-ruan Are there additional steps that need to be done in order for this to be merged? It's been half a year.

Oh sorry for the delay, I am searching the old cases and verify them. Will complete it next few days.

WeichenXu123 avatar Jul 22 '24 14:07 WeichenXu123