Self-Hosting MLflow Guest User
As of January 2026, MLflow does not support anonymous or guest users. With MLflow basic auth, it is possible to create a user with the "read" privilege, which might suggest that we can create a user called guest with read-only access and call it a day. That is not the case. MLflow privileges only reflect what a user can do with the models of other users. That is, a user with the read privilege can see the models of other users but cannot edit them. However, they can still create their own models! This is not what we want.
In this blog post, we will see how to create a Guest user using Traefik IngressRoute rules only. This is a quick and simple solution, but it is a little hacky, and it comes with security risks. A real production-grade solution would be to fork MLflow, implement the Guest (and/or Anonymous) user correctly and, optionally, contribute it back to MLflow.
Ingress Rules
Basic auth is very simple. When a website requires basic auth, your browser prompts you for your username and password and then sends them as a header with each request. The website validates the credentials before responding. As a consequence, any upstream proxy can "see" the username on any given request, which means it is possible to implement simple RBAC rules at the proxy level.
Proxy-level RBAC:
- If the username in the Authorization header is "guest", block non-GET methods.
- Otherwise, forward traffic to MLflow as usual.
# mlflow-admin: requests that do not match the guest header rule are forwarded as usual.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: mlflow-admin
  namespace: mlflow
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mlflow.mathieuduchesneau.ca`) && !Header(<!--CODE_BLOCK_157-->, <!--CODE_BLOCK_158-->)
      kind: Rule
      services:
        - name: mlflow
          port: 80
---
# mlflow-guest-authorized: guest requests are forwarded only for the permitted method.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: mlflow-guest-authorized
  namespace: mlflow
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(<!--CODE_BLOCK_159-->) && Header(<!--CODE_BLOCK_160-->, <!--CODE_BLOCK_161-->) && Method(<!--CODE_BLOCK_162-->)
      kind: Rule
      services:
        - name: mlflow
          port: 80
---
# mlflow-guest-authorized-post: guest requests with this method are forwarded only for the listed paths.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: mlflow-guest-authorized-post
  namespace: mlflow
spec:
  entryPoints:
    - websecure
  routes:
    - match: |
        Host(<!--CODE_BLOCK_163-->) &&
        Header(<!--CODE_BLOCK_164-->, <!--CODE_BLOCK_165-->) &&
        Method(<!--CODE_BLOCK_166-->) && (
        Path(<!--CODE_BLOCK_167-->) ||
        PathPrefix(<!--CODE_BLOCK_168-->) ||
        PathPrefix(<!--CODE_BLOCK_169-->) ||
        PathPrefix(<!--CODE_BLOCK_170-->) ||
        PathPrefix(<!--CODE_BLOCK_171-->))
      kind: Rule
      services:
        - name: mlflow
          port: 80
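
The decision these routes encode can also be keyed on the decoded username instead of the raw header string. The following is an added Python example, not code from this post, MLflow or Traefik. The function names and the POST allowlist are assumptions: the two search paths are constructed for illustration and are not the paths used in the routes above.

```python
import base64

GUEST = "guest"
# Constructed allowlist of read-only POST endpoints (assumption; the
# page's own path list is not reproduced here). Exact match, no prefixes.
GUEST_POST_PATHS = {
    "/api/2.0/mlflow/runs/search",
    "/api/2.0/mlflow/experiments/search",
}

def make_header(user, password):
    """Build a Basic Authorization header value (used for sample input)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def basic_username(header):
    """Return the username from a Basic header value, or None if unparseable."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":  # auth scheme names are case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, non-ASCII token or invalid UTF-8
        return None
    user, sep, _ = decoded.partition(":")  # the password may contain ':'
    return user if sep and user else None

def decide(header, method, path):
    """Return 'forward' or 'deny' for one request; default-deny for guest."""
    if not header:
        return "forward"  # no credentials: left to MLflow's own auth
    user = basic_username(header)
    if user is None:
        return "deny"  # malformed credentials are not passed upstream
    if user != GUEST:
        return "forward"  # other users: MLflow enforces their permissions
    if method.upper() == "GET":
        return "forward"
    if method.upper() == "POST" and path in GUEST_POST_PATHS:
        return "forward"
    return "deny"

if __name__ == "__main__":
    guest = make_header("guest", "constructed-password")  # constructed sample
    for m, p in [("GET", "/"), ("POST", "/api/2.0/mlflow/runs/search"),
                 ("POST", "/api/2.0/mlflow/runs/create")]:
        print(m, p, decide(guest, m, p))
```

Because the username is decoded before the comparison, the result does not change with the guest password, the casing of the `Basic` scheme or extra whitespace in the header value.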