config

mlflow_secrets_auth.config

Configuration utilities for MLflow secrets auth providers.

This module centralizes environment-driven configuration and safe redaction helpers.

Key env vars

• MLFLOW_SECRETS_ALLOWED_HOSTS: Comma-separated host allowlist.
• MLFLOW_AUTH_HEADER_NAME: Custom header for auth (defaults to "Authorization").
• MLFLOW_SECRETS_LOG_LEVEL: Logging level (defaults to "INFO").
• MLFLOW_SECRETS_AUTH_ENABLE: Comma-separated list of enabled providers.
• MLFLOW_SECRETS_AUTH_ENABLE_: Per-provider boolean toggle (e.g., AWS_SECRETS_MANAGER).

get_allowed_hosts()

Return the host allowlist from MLFLOW_SECRETS_ALLOWED_HOSTS.

Supports both exact hostnames and wildcard patterns using shell-style globbing.

Examples:

MLFLOW_SECRETS_ALLOWED_HOSTS="mlflow.example.com,.corp.example.com" MLFLOW_SECRETS_ALLOWED_HOSTS="api.prod.com,.staging.com,localhost"

Wildcard patterns

• "*.corp.example.com" matches any subdomain of corp.example.com
• "mlflow.*.com" matches mlflow with any middle component
• "api-*" matches hostnames starting with "api-"

Returns:

Type	Description
list[str] | None	A list of hostname patterns, or None if not configured.

Source code in src/mlflow_secrets_auth/config.py

def get_allowed_hosts() -> list[str] | None:
    """Return the host allowlist from MLFLOW_SECRETS_ALLOWED_HOSTS.

    Supports both exact hostnames and wildcard patterns using shell-style globbing.

    Examples:
        MLFLOW_SECRETS_ALLOWED_HOSTS="mlflow.example.com,*.corp.example.com"
        MLFLOW_SECRETS_ALLOWED_HOSTS="api.prod.com,*.staging.com,localhost"

    Wildcard patterns:
        - "*.corp.example.com" matches any subdomain of corp.example.com
        - "mlflow.*.com" matches mlflow with any middle component
        - "api-*" matches hostnames starting with "api-"

    Returns:
        A list of hostname patterns, or None if not configured.

    """
    hosts_str = get_env_var(ENV_ALLOWED_HOSTS)
    if not hosts_str:
        return None
    hosts = [h.strip() for h in hosts_str.split(",") if h.strip()]
    return hosts or None

get_auth_header_name()

Return the configured auth header name.

Defaults to "Authorization" when MLFLOW_AUTH_HEADER_NAME is unset.

Returns:

Type	Description
str	Header name as a string.

Source code in src/mlflow_secrets_auth/config.py

def get_auth_header_name() -> str:
    """Return the configured auth header name.

    Defaults to "Authorization" when MLFLOW_AUTH_HEADER_NAME is unset.

    Returns:
        Header name as a string.

    """
    return get_env_var(ENV_AUTH_HEADER_NAME, DEFAULT_AUTH_HEADER) or DEFAULT_AUTH_HEADER

get_env_bool(name, default=False)

Return an environment variable parsed as a boolean.

Recognized truthy values (case-insensitive): {"1", "true", "yes", "on"}.

Parameters:

Name	Type	Description	Default
name	str	Environment variable name.	required
default	bool	Fallback when the variable is unset.	False

Returns:

Type	Description
bool	Parsed boolean value.

Source code in src/mlflow_secrets_auth/config.py

def get_env_bool(name: str, default: bool = False) -> bool:
    """Return an environment variable parsed as a boolean.

    Recognized truthy values (case-insensitive): {"1", "true", "yes", "on"}.

    Args:
        name: Environment variable name.
        default: Fallback when the variable is unset.

    Returns:
        Parsed boolean value.

    """
    value = get_env_var(name)
    if value is None:
        return default
    return value.strip().lower() in TRUTHY_VALUES

get_env_int(name, default)

Return an environment variable parsed as int.

On parsing error or if unset, returns default.

Parameters:

Name	Type	Description	Default
name	str	Environment variable name.	required
default	int	Fallback value.	required

Returns:

Type	Description
int	Parsed integer or default.

Source code in src/mlflow_secrets_auth/config.py

def get_env_int(name: str, default: int) -> int:
    """Return an environment variable parsed as int.

    On parsing error or if unset, returns `default`.

    Args:
        name: Environment variable name.
        default: Fallback value.

    Returns:
        Parsed integer or `default`.

    """
    value = get_env_var(name)
    if value is None:
        return default
    try:
        return int(value.strip())
    except (TypeError, ValueError):
        return default

get_env_var(name, default=None)

Return an environment variable or a default.

Parameters:

Name	Type	Description	Default
name	str	Environment variable name.	required
default	str | None	Value to return if not set.	None

Returns:

Type	Description
str | None	The environment value as a string, or default when unset.

Source code in src/mlflow_secrets_auth/config.py

def get_env_var(name: str, default: str | None = None) -> str | None:
    """Return an environment variable or a default.

    Args:
        name: Environment variable name.
        default: Value to return if not set.

    Returns:
        The environment value as a string, or `default` when unset.

    """
    return os.environ.get(name, default)

get_log_level()

Return the configured log level for secrets auth.

Defaults to "INFO" and uppercases the value for consistency.

Returns:

Type	Description
str	Uppercased logging level string (e.g., "INFO", "DEBUG").

Source code in src/mlflow_secrets_auth/config.py

def get_log_level() -> str:
    """Return the configured log level for secrets auth.

    Defaults to "INFO" and uppercases the value for consistency.

    Returns:
        Uppercased logging level string (e.g., "INFO", "DEBUG").

    """
    return (get_env_var(ENV_LOG_LEVEL, DEFAULT_LOG_LEVEL) or DEFAULT_LOG_LEVEL).upper()

is_provider_enabled(provider_name)

Return whether a specific provider is enabled.

Two mechanisms

1) Global list: MLFLOW_SECRETS_AUTH_ENABLE="vault,aws-secrets-manager,azure-key-vault" 2) Per-provider boolean: MLFLOW_SECRETS_AUTH_ENABLE_=true e.g. MLFLOW_SECRETS_AUTH_ENABLE_AWS_SECRETS_MANAGER=true

Parameters:

Name	Type	Description	Default
provider_name	str	Provider slug (case-insensitive), e.g. "vault".	required

Returns:

Type	Description
bool	True if enabled via either mechanism, False otherwise.

Source code in src/mlflow_secrets_auth/config.py

def is_provider_enabled(provider_name: str) -> bool:
    """Return whether a specific provider is enabled.

    Two mechanisms:
      1) Global list: MLFLOW_SECRETS_AUTH_ENABLE="vault,aws-secrets-manager,azure-key-vault"
      2) Per-provider boolean: MLFLOW_SECRETS_AUTH_ENABLE_<PROVIDER>=true
         e.g. MLFLOW_SECRETS_AUTH_ENABLE_AWS_SECRETS_MANAGER=true

    Args:
        provider_name: Provider slug (case-insensitive), e.g. "vault".

    Returns:
        True if enabled via either mechanism, False otherwise.

    """
    # Global list
    global_enable = get_env_var(ENV_AUTH_ENABLE, "") or ""
    enabled = {p.strip().lower() for p in global_enable.split(",") if p.strip()}
    if provider_name.strip().lower() in enabled:
        return True

    # Provider-specific toggle
    env_key = f"{ENV_AUTH_ENABLE_PREFIX}{provider_name.upper().replace('-', '_')}"
    return get_env_bool(env_key, False)

mask_secret(value, mask_char=DEFAULT_MASK_CHAR, show_chars=DEFAULT_SHOW_CHARS)

Mask a secret value for safe logging.

Examples:

>>> mask_secret("abcd1234")
'abcd********1234'
>>> mask_secret("ab")
'***'

Parameters:

Name	Type	Description	Default
value	str	Secret value to mask.	required
mask_char	str	Masking character (default '*').	DEFAULT_MASK_CHAR
show_chars	int	Number of leading and trailing chars to keep (default 4).	DEFAULT_SHOW_CHARS

Returns:

Type	Description
str	Masked representation with the center portion obfuscated.

Source code in src/mlflow_secrets_auth/config.py

def mask_secret(value: str, mask_char: str = DEFAULT_MASK_CHAR, show_chars: int = DEFAULT_SHOW_CHARS) -> str:
    """Mask a secret value for safe logging.

    Examples:
        >>> mask_secret("abcd1234")
        'abcd********1234'
        >>> mask_secret("ab")
        '***'

    Args:
        value: Secret value to mask.
        mask_char: Masking character (default '*').
        show_chars: Number of leading and trailing chars to keep (default 4).

    Returns:
        Masked representation with the center portion obfuscated.

    """
    if not value:
        return mask_char * 8

    # Guard against non-positive show_chars
    show = max(0, int(show_chars))

    if len(value) <= show:
        return mask_char * max(3, len(value))
    if len(value) <= show * 2:
        # Keep a small preview while masking the middle
        keep = min(2, len(value))
        return f"{value[:keep]}{mask_char * 4}{value[-keep:]}"
    return f"{value[:show]}{mask_char * 8}{value[-show:]}"

redact_sensitive_data(text)

Redact common credential patterns from text.

Safely handles patterns with different group counts. Intended for logs and messages.

Parameters:

Name	Type	Description	Default
text	str	Input string possibly containing sensitive material.	required

Returns:

Type	Description
str	Redacted string with secrets masked.

Source code in src/mlflow_secrets_auth/config.py

def redact_sensitive_data(text: str) -> str:
    """Redact common credential patterns from text.

    Safely handles patterns with different group counts. Intended for logs and messages.

    Args:
        text: Input string possibly containing sensitive material.

    Returns:
        Redacted string with secrets masked.

    """
    if not text:
        return text

    def _sub(m: re.Match[str]) -> str:
        groups = m.groups()
        # One-group pattern: mask entire match
        if len(groups) == 1:
            return mask_secret(groups[0])
        # Two/three-group patterns: mask the middle secret
        if len(groups) >= 2:
            prefix = groups[0]
            secret = groups[1]
            suffix = groups[2] if len(groups) >= 3 else ""
            return f"{prefix}{mask_secret(secret)}{suffix}"
        # Fallback to original text (should not happen with defined patterns)
        return m.group(0)

    result = text
    for pattern in _REDACT_PATTERNS:
        result = pattern.sub(_sub, result)
    return result