tests/server/test_workspace_handlers.py (5)

41-55: Consider consistent type hints in test doubles.

The DummyTrackingStore uses type hints for created_names and _experiments but not for method signatures. For better maintainability, consider adding type hints to all methods or removing them entirely from the test double.

---

82-108: Reduce duplication by extracting common test fixtures.

The DummyWorkspaceStore and DummyTrackingStore implementations are repeated across multiple tests with only minor variations. Consider extracting these into reusable fixtures with configurable behavior to improve maintainability.

For example, create a configurable fixture that accepts parameters for different behaviors:

@pytest.fixture
def dummy_workspace_store():
    class DummyWorkspaceStore:
        def __init__(self):
            self.deleted = False
            self.created = []
        
        def create_workspace(self, workspace):
            self.created.append(workspace.name)
            return workspace
        
        def delete_workspace(self, workspace_name):
            self.deleted = True
    
    return DummyWorkspaceStore()

Also applies to: 154-186, 208-239

---

172-174: Fragile filter string parsing in test doubles.

The substring check "name !=" in filter_string is brittle and implicit. Consider explicitly checking for the expected filter string value or documenting the assumption to make test expectations clearer.

For example:

-        if filter_string and "name !=" in filter_string:
+        # Filter out default experiment when searching for non-default experiments
+        if filter_string == f"name != '{Experiment.DEFAULT_EXPERIMENT_NAME}'":
             return []

Also applies to: 226-228

---

31-31: Consider extracting environment setup to a fixture.

The MLFLOW_ENABLE_WORKSPACES environment variable is set identically in all tests. Consider extracting this to a shared fixture to reduce duplication:

@pytest.fixture
def enable_workspaces(monkeypatch):
    monkeypatch.setenv(MLFLOW_ENABLE_WORKSPACES.name, "true")

Then use it in tests: def test_create_workspace_handler_creates_default_experiment(monkeypatch, enable_workspaces):

Also applies to: 80-80, 128-128, 152-152, 206-206, 256-256

---

145-148: Consider verifying workspace context cleanup after teardown.

The test calls workspace_teardown_request_handler but doesn't verify that the workspace context is properly cleared. Consider adding an assertion after teardown to ensure cleanup occurred:

         handlers.workspace_teardown_request_handler(None)
+        assert workspace_context.get_current_workspace() is None

mlflow/server/auth/config.py (1)

14-14: LGTM! Secure default will be applied.

The new boolean field is correctly typed and positioned. The secure default of False (applied in the reading logic below) follows the deny-by-default principle for access control.

Consider adding a docstring to the AuthConfig class or an inline comment explaining what this configuration option controls, for example:

 class AuthConfig(NamedTuple):
     default_permission: str
     database_uri: str
     admin_username: str
     admin_password: str
     authorization_function: str
+    # Controls whether users are automatically granted access to the default workspace
     grant_default_workspace_access: bool

tests/tracking/test_rest_tracking.py (3)

1672-1873: Extended non-local model version source coverage looks correct

The extended test_create_model_version_with_non_local_source:

• Exercises a broad set of valid mlflow-artifacts: forms (various trailing slashes, host variants, multi-dot paths),
• Asserts appropriate 400s for path-traversal-like and encoded traversal attempts across multiple schemes,
• Adds store_type == "sqlalchemy" coverage for logged-model–based model_id sources vs disallowed file:// sources.

The structure and expectations are consistent with the intended security model for model version sources; no issues spotted. If duplication ever becomes a concern, you could factor the repeated requests.post + assertion patterns into small helpers, but that’s non-essential.

---

3429-3451: URL logging workspace behavior is well-covered (minor brittleness on private attribute)

The two new tests correctly distinguish:

• Legacy /#/experiments/{exp_id} URLs when no workspace context is set, even if _supports_workspaces is True.
• Workspace URLs including /#/workspaces/{workspace}/experiments/{exp_id} when a WorkspaceContext is active.

The only minor brittleness is relying on the private _supports_workspaces attribute; if that internal flag is renamed or removed, these tests will break even if external behavior is unchanged. That’s acceptable for internal tests but something to keep in mind.

---

4107-4591: REST workspace CRUD, scoping, and legacy endpoint tests are thorough; consider broadening caught exceptions

The new suite of REST workspace tests (CRUD, tracking, runs, artifacts, logged models, registry, default workspace, and legacy endpoints) provides very strong coverage of isolation semantics between workspaces and the default context. The patterns of:

• Creating resources under multiple workspaces,
• Asserting cross-workspace visibility failures (via exceptions or empty lists),
• Verifying state in the original workspace after attempted cross-workspace operations,

are all sound and align with expected multi-tenant behavior.

One small robustness tweak:

• In test_rest_run_operations_are_workspace_scoped, _call_safely only catches MlflowException, but the underlying client calls may raise RestException (or another exception type) on cross-workspace access, depending on how the client wraps errors. If you intend these calls to be treated as “expected failures” regardless of the precise exception subtype, it would be safer to broaden the catch:

-        def _call_safely(fn):
-            try:
-                fn()
-            except MlflowException:
-                pass
+        def _call_safely(fn):
+            try:
+                fn()
+            except (MlflowException, RestException):
+                # Cross-workspace access should fail; ignore the exact error shape
+                pass

This keeps the negative tests focused on state invariants without being sensitive to the exact exception class.

docs/api_reference/source/rest-api.rst (1)

62-67: Align error code formatting with rest of docs

The new guidance for workspaces under artifact_location looks good. For consistency with the rest of this page (e.g., RESOURCE_ALREADY_EXISTS), consider formatting the error code as an inline literal:

server uses the workspace's default artifact location and returns ``INVALID_PARAMETER_VALUE`` if provided.

mlflow/utils/rest_utils.py (1)

23-24: Workspace header resolution and injection are well-structured; consider minor hardening

The _resolve_active_workspace helper cleanly prefers the tracking workspace context and falls back to MLFLOW_WORKSPACE, trimming empty strings to avoid sending meaningless headers. _should_include_workspace_header’s path check to skip /mlflow/workspaces admin endpoints makes sense, and using headers.setdefault(WORKSPACE_HEADER_NAME, workspace) correctly preserves any explicitly provided workspace header (e.g., in extra_headers). One small hardening you might consider is explicitly asserting or coercing non‑string workspace values (should get_current_workspace() ever evolve to return something structured) to avoid accidentally sending non‑string objects as header values.

Also applies to: 44-45, 62-93, 157-160

tests/store/tracking/test_sqlalchemy_store.py (1)

7791-7807: Consider also asserting deleted model remains non‑retrievable after tagging

The test correctly verifies that tags written after delete_logged_model are persisted at the SqlLoggedModelTag level. For symmetry with test_log_logged_model_params_on_deleted_model, you might also assert that store.get_logged_model(model.model_id) still raises (i.e., tagging does not resurrect the model). This would tighten the contract without changing behavior.

For example:

with pytest.raises(MlflowException, match="not found"):
    store.get_logged_model(model.model_id)

mlflow/entities/evaluation_dataset.py (1)

326-347: Harden to_df error-code matching for dataset-not-found cases

to_df currently interprets a missing dataset by checking:

error_code = getattr(e, "error_code", None)
if error_code == ErrorCode.Name(RESOURCE_DOES_NOT_EXIST):
    ...

This assumes e.error_code is always the string name "RESOURCE_DOES_NOT_EXIST". If any store surfaces the numeric enum value instead, this branch would be skipped and the exception re-raised.

To tolerate both representations, consider:

-        except MlflowException as e:
-            error_code = getattr(e, "error_code", None)
-            if error_code == ErrorCode.Name(RESOURCE_DOES_NOT_EXIST):
+        except MlflowException as e:
+            error_code = getattr(e, "error_code", None)
+            not_found_codes = {
+                RESOURCE_DOES_NOT_EXIST,
+                ErrorCode.Name(RESOURCE_DOES_NOT_EXIST),
+            }
+            if error_code in not_found_codes:
                 # Cache the empty records list to avoid repeated store lookups
                 self._records = []
                 records = []
             else:
                 raise

This keeps behavior unchanged where the string is used, but also handles numeric codes if any backend returns them.

mlflow/store/workspace/abstract_store.py (1)

64-76: Abstract workspace store and name validation are well-structured (minor DRY opportunity)

The AbstractStore interface plus resolve_artifact_root default (default_artifact_root, True) give providers a clear extension point without forcing per-workspace customization. WorkspaceNameValidator correctly enforces length, pattern, and reserved-name checks with good error messages.

If you want to reduce maintenance overhead, you could have is_valid() delegate to validate() and catch MlflowException, so that future rule changes only need to be updated in one place. Not critical, but it avoids the two methods drifting apart.

Also applies to: 79-128

mlflow/server/handlers.py (1)

2935-2963: Workspace‑scoped artifact paths: behavior is sound

The _workspace_scoped_repo_path helper and its use in download/upload/list/delete and multipart endpoints correctly:

• Leave paths untouched when no active workspace.
• Prefix with workspaces/<workspace> when a workspace is active, isolating proxied artifacts per tenant.
• Avoid double‑prefixing when callers already pass workspaces/….

One edge case to consider:

• For artifact_path == "workspaces" (without a trailing /), normalized.startswith("workspaces/") is false, so you'll end up with workspaces/<ws>/workspaces. If that path is ever used externally, normalize this case:

-    if normalized.startswith("workspaces/"):
+    if normalized == "workspaces" or normalized.startswith("workspaces/"):
         return normalized or posixpath.join("workspaces", workspace)

The multipart upload methods already accept the artifact_path parameter, so passing repo_path uses the existing interface correctly—no signature extension needed.

Also applies to: 2984-2999, 3010-3016, 3033-3038

tests/tracking/test_workspace_registry.py (1)

22-27: Consider using a public cleanup method.

Line 27 accesses the private _engine attribute for cleanup. While this works for testing, it couples the test to implementation details. Consider adding a public dispose() or close() method to SqlAlchemyStore if one doesn't already exist.

tests/tracking/test_workspace_utils.py (1)

1-38: Workspace URI resolution tests cover key precedence rules

The autouse fixture correctly cleans both in-memory and env state, and the tests clearly exercise explicit, configured, env, and tracking-default resolution paths. The redundancy of resetting state both before and after is harmless and keeps isolation explicit.

tests/entities/model_registry/test_model_version.py (1)

7-44: ModelVersion workspace tests are thorough; avoid hardcoding the default name

The extended _check helper and new round-trip test give good coverage of workspace across construction, dict/proto conversions, and __str__. In test_string_repr, consider using DEFAULT_WORKSPACE_NAME instead of the literal 'default' so the test stays aligned if the default workspace name ever changes:

-        "status='PENDING_REGISTRATION', status_message='Copying!', tags={}, user_id='user one', "
-        "version='43', workspace='default'>"
+        "status='PENDING_REGISTRATION', status_message='Copying!', tags={}, user_id='user one', "
+        f"version='43', workspace='{DEFAULT_WORKSPACE_NAME}'>"

Also applies to: 88-108, 159-185, 188-214

mlflow/tracking/default_experiment/registry.py (1)

63-71: Return type annotation may limit supported Python versions

get_experiment_id is annotated as -> str | None, which relies on PEP 604 union syntax and only parses on Python 3.10+. If this branch still targets Python 3.8/3.9, this will be a syntax error. In that case, prefer the older spelling:

-from typing import Optional
-
-def get_experiment_id() -> str | None:
+from typing import Optional
+
+def get_experiment_id() -> Optional[str]:

If you have already dropped support for <3.10, this is fine as-is, but it’s worth confirming against your supported Python matrix.

tests/helpers/db_mocks.py (1)

7-22: Session maker mock matches expected pattern; optional room for richer query mocks

This helper cleanly mimics a managed session maker and produces chainable query.filter().order_by().first() calls that return None, which should be sufficient for the current tests.

If future tests need additional query behaviors (e.g., filter_by, all, or configurable first() values), consider extending _mock_query accordingly or parameterizing the mock, but it’s not necessary for this PR.

tests/entities/model_registry/test_registered_model.py (1)

5-6: Workspace coverage for RegisteredModel is solid; consider reusing the default constant in repr assertion

The additions to _check, the as_dict fixtures, and the new test_registered_model_non_default_workspace_round_trip give good coverage that the workspace field is preserved across construction, dict(rmd), from_dictionary, and __str__.

One minor polish point: in test_string_repr, the expected string currently hard-codes workspace='default'. To avoid drifting from DEFAULT_WORKSPACE_NAME if that constant ever changes, you could build the expected string with the constant, e.g. using an f-string:

-from mlflow.utils.workspace_utils import DEFAULT_WORKSPACE_NAME
+from mlflow.utils.workspace_utils import DEFAULT_WORKSPACE_NAME
@@
-    assert (
-        str(rmd) == "<RegisteredModel: aliases={}, creation_timestamp=1000, "
-        "deployment_job_id=None, deployment_job_state=None, description='something about a model',"
-        " last_updated_timestamp=2002, "
-        "latest_versions=['1', '2', '3'], name='myname', tags={}, workspace='default'>"
-    )
+    expected = (
+        "<RegisteredModel: aliases={}, creation_timestamp=1000, "
+        "deployment_job_id=None, deployment_job_state=None, "
+        "description='something about a model', last_updated_timestamp=2002, "
+        "latest_versions=['1', '2', '3'], name='myname', tags={}, "
+        f"workspace='{DEFAULT_WORKSPACE_NAME}'>"
+    )
+    assert str(rmd) == expected

Not required for correctness, but it keeps tests aligned with the shared constant.

Also applies to: 19-20, 30-31, 39-50, 93-104, 125-136, 152-163, 174-189, 192-212

docs/docs/self-hosting/workspaces/index.mdx (1)

1-152: Workspace docs are clear; please confirm they exactly match the current implementation

The page gives a good, structured explanation of workspaces, isolation, artifact layout, and migration behavior, and it aligns conceptually with the code changes (e.g., default workspace name, workspaces/<workspace-name> artifact prefix).

Given this is a WIP, I’d recommend a quick pass to verify that:

• The enablement mechanisms and names (MLFLOW_ENABLE_WORKSPACES, --enable-workspaces, MLFLOW_WORKSPACE) match the actual flags / environment variables in the server code.
• The “Workspace Resolution” order matches the combined behavior of mlflow.set_workspace, MLFLOW_WORKSPACE, and any get_default_workspace() usage (e.g., via resolve_entity_workspace_name and get_default_workspace_optional).

This is just to avoid subtle drift between docs and behavior.

mlflow/store/artifact/http_artifact_repo.py (2)

39-59: Workspace parsing hook is consistent but currently unused; consider tightening the API

The new _get_workspace_scoped_artifact_uri correctly detects a /mlflow-artifacts/artifacts/workspaces/<workspace>/… segment without changing existing behavior, and _host_creds still uses the original artifact_uri, so there’s no regression.

Right now, though, the parsed workspace_component isn’t used and _get_artifacts_endpoint_prefix(_workspace_component) ignores its argument. To keep things simpler until you actually need workspace-specific endpoint prefixes, you might either:

• Drop the parameter on _get_artifacts_endpoint_prefix for now, or
• Thread workspace_component through and implement a distinct prefix when/if the server API requires it.

Not a blocker, but it will make the intent clearer to future readers.

---

101-105: List and multipart endpoints preserve workspace-scoped paths; small refactor opportunity

The updated list_artifacts and _construct_mpu_uri_and_path both derive the base URL and “root” path by splitting on the artifacts endpoint prefix. That continues to work for both:

• Legacy URIs: /mlflow-artifacts/artifacts/<root>
• Workspace URIs: /mlflow-artifacts/artifacts/workspaces/<workspace>/<root>

since the tail (and thus root) simply includes the workspaces/<workspace>/… path segment.

If you want to reduce duplication and future-proof this, consider centralizing the split logic into a helper that returns (base_url, root_path, workspace_component) and reuse it in both list_artifacts and _construct_mpu_uri_and_path. This would also make it easier to change the underlying endpoint layout later in one place.

Also applies to: 136-140

tests/store/model_registry/test_rest_store.py (1)

161-175: Workspace not-supported error path test looks solid but is tightly coupled to internals

The test correctly exercises the failure path when _workspace_support is False and a non-empty workspace is resolved, including checking the exception message. It does, however, depend on private details (store._workspace_support and base_rest_store.rest_utils._resolve_active_workspace), so it may become brittle if internal wiring changes. If the underlying implementation ever exposes a public way to simulate “no workspace support”, consider switching to that to reduce coupling.

docs/docs/self-hosting/workspaces/workspace-providers.mdx (1)

1-137: Docs clearly describe workspace providers; consider aligning snippets with actual APIs

The overall explanation of provider architecture, discovery, default SQL provider behavior, artifact for_workspace() hooks, and Flask context usage is clear and useful. To avoid confusion for users, it’s worth double-checking that:

• The AbstractStore and ArtifactRepository.for_workspace() signatures in the snippets match the actual implementations.
• The Workspace import path in the example (from mlflow.entities import Workspace) aligns with the public API you expect users to use (tests here import Workspace from mlflow.entities.workspace).

If they differ, updating the examples to mirror the real interfaces will keep the docs from drifting.

tests/store/tracking/test_rest_store.py (1)

2862-2880: log_spans version checking and caching tests are comprehensive but one subtest is brittle

Pros:

• test_log_spans_with_version_check exercises:
  • failure to retrieve version,
  • version < 3.4 rejecting,
  • 3.4 / 3.5 success paths.
• test_server_version_check_caching confirms _get_server_version is invoked once per host and that later log_spans calls reuse the cached version (even across RestStore instances).

Concern:

• The “real timeout test” (Test 5 within test_log_spans_with_version_check) relies on an actual connection attempt to https://host5 and asserts elapsed time < 5s. This can become flaky under slow DNS or unusual network conditions.

Consider stubbing rest_utils.http_request with a time.sleep to simulate timeout instead of performing a real network call; behavior would be deterministic while still validating timeout semantics.

Also applies to: 2882-2947, 2949-3021

mlflow/store/workspace/rest_store.py (1)

16-18: REST workspace store CRUD looks correct; consider calling super().__init__()

• Endpoints and methods (GET/POST/PATCH/DELETE /api/2.0/mlflow/workspaces[...]) and the use of verify_rest_response are consistent and correct.
• create_workspace explicitly maps 400/409 + RESOURCE_ALREADY_EXISTS into MlflowException(..., RESOURCE_ALREADY_EXISTS), which matches MLflow’s error semantics.
• Handling of empty response bodies by falling back to the request values is pragmatic and avoids extra server requirements.
• get_default_workspace explicitly raising an invalid-parameter exception is clear about this provider’s capabilities.

One small robustness improvement:

 class RestWorkspaceStore(AbstractStore):
     """REST-backed workspace store implementation."""

     def __init__(self, get_host_creds):
-        self.get_host_creds = get_host_creds
+        super().__init__()
+        self.get_host_creds = get_host_creds

Calling super().__init__() future-proofs the class if AbstractStore later adds initialization logic.

Also applies to: 19-106

mlflow/server/auth/db/models.py (1)

104-125: New SqlWorkspacePermission model is straightforward; consider optional FK to users

• Composite primary key on (workspace, username, resource_type) plus indices on username and workspace should support common lookup patterns efficiently.
• to_mlflow_entity() correctly populates WorkspacePermission.

Depending on how strictly you want to enforce referential integrity between workspace_permissions.username and users.username, you might optionally add a ForeignKey("users.username") and/or a relationship on SqlUser. If usernames can be non-user principals, the current design is fine as is.

mlflow/server/otel_api.py (1)

1-11: Update module docstring to reflect non-placeholder implementation

The docstring still describes this as a minimal placeholder and implies span ingestion is not fully implemented, which is no longer accurate given the concrete ingestion and conversion logic below. Consider updating it to describe the actual behavior and workspace-aware handling to avoid confusion.

mlflow/cli/__init__.py (1)

587-597: Avoid duplicating workspace env setup via both os.environ and EnvironmentVariable.set

You’re setting workspace-related env in two ways:

• Directly via os.environ[...] = ... above.
• Via MLFLOW_ENABLE_WORKSPACES.set(enable_workspaces) and MLFLOW_WORKSPACE_URI.set(...) here.

Since the EnvironmentVariable helpers already write to os.environ, maintaining both paths adds redundancy and a chance for drift if behavior changes in one place. Consider consolidating on the EnvironmentVariable helpers for all writes and keeping the logging/echo behavior here.

mlflow/server/auth/entities.py (2)

148-151: RegisteredModelPermission workspace handling looks sound; consider explicit type-level docs

The added workspace parameter defaults to None, is normalized via resolve_entity_workspace_name, and is round-tripped through to_json / from_json with a backward-compatible dictionary.get("workspace"). That keeps existing JSON payloads and positional call sites working while making workspace explicit. It might be worth documenting (in a docstring or higher-level docs) that omitting workspace in JSON will resolve to the default workspace so callers understand the behavior, but the implementation itself is solid.

Also applies to: 155-157, 175-181, 184-190

---

244-288: Align WorkspacePermission workspace normalization and validation with other entities

WorkspacePermission currently stores workspace as passed and validates required fields using if not all([...]). For consistency and to avoid surprising falsy-value behavior:

• Consider normalizing workspace via resolve_entity_workspace_name (and possibly reusing WorkspaceNameValidator) so this entity behaves like RegisteredModelPermission.
• Prefer explicit is None checks over all([...]) so that values like "0" or numeric permission codes don't get rejected purely because they may be falsy in future.

This keeps workspace semantics and validation consistent across auth entities.

mlflow/store/workspace/sqlalchemy_store.py (1)

49-65: create_workspace behavior and error mapping look correct; consider trimming DB error detail

create_workspace validates the name, persists via a managed session, and maps IntegrityError to MlflowException with RESOURCE_ALREADY_EXISTS, which matches the tests and MLflow patterns. The message currently appends the raw DB exception (Error: {exc}); if you care about not exposing backend details to API consumers, you might drop that suffix and rely on logs instead, but functionally this is fine.

tests/server/test_workspace_endpoints.py (1)

59-72: Strengthen endpoint tests by asserting store call arguments

The endpoint tests currently verify status codes and response payloads and only assert that create_workspace, update_workspace, and delete_workspace were called once. To better lock in the handler contract, consider asserting the arguments as well, for example:

• For create: inspect mock_workspace_store.create_workspace.call_args and assert the Workspace passed has the expected name and description.
• For update: similarly validate the Workspace argument (or separate name/description parameters if you change the store signature).
• For delete: you already assert "team-e" is passed, which is good; mirroring this pattern for create/update would improve coverage.

This would catch regressions where request JSON isn’t correctly mapped into the workspace entity.

Also applies to: 85-97, 100-105

mlflow/tracking/_workspace/fluent.py (1)

36-50: set_workspace behavior is reasonable; consider marking it experimental like other public APIs

The set_workspace implementation is thread-safe, correctly handles None by clearing both in-process context and MLFLOW_WORKSPACE, and validates non-default names with WorkspaceNameValidator. The CRUD helpers are consistently funneled through _workspace_client_call and apply name validation except for the reserved default, which aligns with store semantics.

One minor consistency point: set_workspace is exported via __all__ but is not annotated with @experimental(version="3.7.0") like the other public functions in this module. If the intention is for all newly introduced workspace APIs to be experimental, you may want to add the decorator to set_workspace as well; otherwise, it effectively appears more stable than the others.

Also applies to: 52-94, 96-104

tests/store/model_registry/test_sqlalchemy_store_workspace.py (1)

36-105: Consider asserting error codes for all cross‑workspace failure paths

For many cross‑workspace operations you assert both the error message and error_code == "RESOURCE_DOES_NOT_EXIST", but a few (e.g., rename_registered_model / delete_registered_model in the "team-b" context, and some metadata operations) only assert on the message. For long‑term stability, you may want to assert the error code in those places as well so behavior remains consistent even if messages change.

Also applies to: 141-173, 228-252

mlflow/tracking/client.py (1)

1872-1885: Optional: enforce artifact_location restriction when workspaces are enabled

The create_experiment docstring now states that artifact_location cannot be specified when workspaces are enabled because a workspace‑scoped default is always used, but the method still passes the argument through unconditionally to the tracking store. If you want failures to be more immediate and client‑side, consider adding a guard like:

     def create_experiment(
         self,
         name: str,
         artifact_location: str | None = None,
         tags: dict[str, Any] | None = None,
     ) -> str:
@@
-        """
-        Create an experiment.
+        """
+        Create an experiment.
@@
-        """
-        return self._tracking_client.create_experiment(name, artifact_location, tags)
+        """
+        # When workspaces are enabled, artifact locations are determined by the workspace.
+        if workspace_utils.workspaces_enabled() and artifact_location is not None:
+            raise MlflowException(
+                "artifact_location cannot be specified when workspaces are enabled; "
+                "a workspace-scoped default artifact location is always used.",
+                error_code=INVALID_PARAMETER_VALUE,
+            )
+        return self._tracking_client.create_experiment(name, artifact_location, tags)

(Adjust helper / error code usage to match workspace_utils and existing validation utilities.) If you prefer to keep this server‑side only, the current implementation is still consistent with the updated documentation.

Also applies to: 1924-1925

mlflow/tracking/_workspace/registry.py (1)

37-47: Optional: consider broadening entrypoint error handling or logging detail

register_entrypoints() currently catches only AttributeError and ImportError when loading workspace provider plugins, emitting a warning. If a provider raises another exception type during load (e.g., misconfiguration), initialization will fail hard. Depending on how defensive you want plugin loading to be, you might consider catching Exception here and including provider name and exception type in the warning to avoid taking down the process due to a single bad plugin.

mlflow/store/tracking/sqlalchemy_store.py (8)

449-527: Artifact location derivation and isolation checks are well thought out

_get_artifact_location now parameterizes on workspace and correctly:

• Uses the provider’s resolved root when workspaces are enabled, with an optional /workspaces/<name> prefix when should_append is True.
• Falls back to artifact_root_uri when the provider doesn’t implement resolution or returns None.

_validate_artifact_isolation_constraints and the reserved prefix checks around /workspaces are a sensible guardrail to prevent enabling workspaces on top of conflicting pre-existing artifact layouts. The startup scan also skips heavy checks when non-default workspaces already exist, which is a nice optimization for already-migrated installs.

---

528-548: Single-tenant guard _ensure_no_non_default_workspace_experiments is correct but message could mention workspace flag

The method properly fails fast if any experiment has workspace != DEFAULT_WORKSPACE_NAME, preventing silently running in single-tenant mode on a DB that already has multi-workspace data. You might consider explicitly mentioning the MLFLOW_ENABLE_WORKSPACES (or equivalent) flag in the error message to make remediation clearer to operators, but the current wording is already actionable.

---

891-921: _get_run_inputs workspace scoping is sound but always uses the active workspace

Joining through SqlExperiment and filtering SqlExperiment.workspace == workspace in _get_run_inputs ensures dataset inputs on runs in other workspaces are not exposed. Note that this uses self._get_active_workspace() rather than the workspace bound to any outer _workspace_session. That’s okay today (workspace context is global), but if you ever introduce cross-workspace administrative views, you might want to thread an explicit workspace argument instead of re-reading global context.

---

1424-1458: Bulk metric history properly filters run_ids by workspace when enabled

In get_metric_history_bulk, the allowed_run_ids derivation via _runs_query under _workspaces_enabled() ensures that only runs in the active workspace contribute metrics. The early return when allowed_run_ids is empty is correct and avoids unnecessary work. This does add an extra query in workspace mode, but it’s acceptable given the isolation requirements.

---

1976-2109: _log_inputs_impl enforces dataset/run workspace consistency but has a minor key inconsistency

Using workspace = self._get_active_workspace() up front and then:

• Joining SqlDataset → SqlExperiment and filtering SqlExperiment.workspace == workspace to detect existing datasets.
• Storing new SqlDataset rows with the calling experiment_id.
• Creating SqlInput edges without workspace columns (since dataset_id and run_id are already scoped)

is a solid pattern for multi-tenancy.

Minor nit: input_uuids is keyed as (source_id, destination_id) for existing inputs but uses (dataset_input.dataset.name, dataset_input.dataset.digest) when populating new entries. Since membership checks later use (dataset_uuid, run_id), the keys for new entries are never read and are effectively dead bookkeeping. It doesn’t break correctness (datasets are already deduped by (name,digest)), but aligning the key shape would improve clarity.

-            for existing_input in existing_inputs:
-                input_uuids[(existing_input.source_id, existing_input.destination_id)] = (
-                    existing_input.input_uuid
-                )
+            for existing_input in existing_inputs:
+                input_uuids[(existing_input.source_id, existing_input.destination_id)] = (
+                    existing_input.input_uuid
+                )
 ...
-                if (dataset_uuid, run_id) not in input_uuids:
+                if (dataset_uuid, run_id) not in input_uuids:
                     new_input_uuid = uuid.uuid4().hex
-                    input_uuids[(dataset_input.dataset.name, dataset_input.dataset.digest)] = (
-                        new_input_uuid
-                    )
+                    input_uuids[(dataset_uuid, run_id)] = new_input_uuid

---

2127-2208: Model input/output helpers correctly adopt workspace-aware run filtering

_get_model_inputs and _get_model_outputs_bulk both:

• Reuse _runs_query under _workspaces_enabled() when deriving allowed run_ids.
• Fall back to identity mappings for missing run_ids to preserve API shape.

The recursion in _get_model_inputs when session is None is simple and safe, but if you ever extend the method, consider splitting the internal implementation into a non-recursive private helper (e.g. _get_model_inputs_in_session) for clarity.

---

4575-4657: upsert_dataset_records correctly reuses dataset.workspace in the final update

After using _get_dataset_record to fetch dataset within the correct workspace, the final update on SqlEvaluationDataset includes both dataset_id and dataset.workspace in the filter. While dataset_id is already globally unique (UUID-derived), this extra predicate is harmless and future-proofs against any accidental reuse patterns. The schema/profile recomputation is entirely local to this dataset.

---

4671-4687: get_dataset_experiment_ids is workspace-safe but could optionally filter experiments

When workspaces are enabled, the upfront _get_dataset_record call inside a managed session is a good guard; returning [] when it fails avoids leaking associations for datasets that belong to other workspaces. The subsequent search_entities_by_source call is global, but because dataset_id is globally unique and associations are only created for experiments validated in the same workspace, this is effectively safe. If you ever relax those invariants, consider adding a join to SqlExperiment with a workspace filter here as well.

mlflow/server/auth/sqlalchemy_store.py (2)

35-47: _WORKSPACE_RESOURCE_TYPES and validation guard against unsupported resource types

Defining _WORKSPACE_RESOURCE_TYPES = {"*", "experiments", "registered_models"} and enforcing it in _validate_workspace_resource_type() ensures you don’t accidentally persist or reason about undefined resource types. The error message enumerating valid types should be very helpful at API boundaries.

---

389-407: list_accessible_workspace_names correctly aggregates readable workspaces via wildcard support

Given a username:

• It pulls all SqlWorkspacePermission rows for [username, "*"].
• Validates each permission and uses get_permission(permission).can_read to decide whether the workspace is accessible.
• Returns a deduplicated set[str] of workspace names.

This honors wildcard-user permissions and any resource type (since any readable resource implies the workspace is “accessible”), which is a reasonable definition for workspace listing.

mlflow/server/auth/__init__.py (4)

185-195: AuthContext helper is simple and safe; consider documenting expected attributes

Using AuthContext as a thin wrapper over Authorization is fine and makes later code cleaner. Since you depend on auth.username and sometimes auth.is_admin, a short docstring on AuthContext (and/or on the expected shape of Authorization) would help future custom auth implementations know which attributes they must provide.

Please double-check any custom authorization_function you may have configured still returns an object exposing a username attribute, as previously assumed.

---

505-613: Experiment / run / model / scorer permission getters correctly pass workspace fallbacks

The updated _get_permission_from_* helpers now:

• Authenticate once per call and derive AuthContext.
• Call _get_permission_from_store_or_default with a workspace_fallback pointing at the appropriate _workspace_permission_for_* helper.
  That wiring looks consistent across experiments, runs, logged models, registered models, and scorers.

To avoid repeated authenticate_request() calls and redundant AuthContext construction across these helpers, consider a small internal helper that takes (experiment_id | model_name, resource_type) and returns (auth, auth_ctx) plus a bound workspace_fallback.

Please re-run the auth regression tests for all affected endpoints (experiment / run / logged model / registered model / scorer) to validate there are no behavioral differences when MLFLOW_ENABLE_WORKSPACES is unset.

---

711-748: Creation of experiments and registered models is now workspace-scoped

validate_can_create_experiment / validate_can_create_registered_model:

• Preserve the historical “always allowed” behavior when workspaces are disabled.
• In workspace mode, require either admin or MANAGE permission in the current workspace.
• Return False when no active workspace is set.
  This is a good tightening of semantics for multi-tenant deployments.

You might want to log a debug-level message when workspace_name is None in workspace mode, to make misconfigured clients (not setting a workspace) easier to diagnose.

Please ensure client-side workspace selection helpers (e.g., mlflow.set_workspace / MlflowClient.set_workspace) are documented as required before calling creation APIs in workspace mode.

---

1410-1465: filter_list_workspaces safely handles malformed responses and enforces per-user visibility

The response filter:

• Short-circuits for admins.
• Gracefully handles JSON decoding failures and malformed workspaces payloads by returning an empty list instead of erroring.
• Uses list_accessible_workspace_names plus grant_default_workspace_access and default workspace resolution to compute allowed names.
• Never exposes workspaces if the auth store claims to support workspaces but lacks permission data (logs a warning and returns none).
  This is a good defense-in-depth design.

You might consider logging the total number of filtered-out workspaces at debug level to aid troubleshooting in multi-tenant environments.

Please verify that list_accessible_workspace_names is efficient enough to be called on every list-workspaces response, especially in environments with many workspaces.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro