arize-phoenix 8.28.1__py3-none-any.whl → 8.30.0__py3-none-any.whl

{arize_phoenix-8.28.1.dist-info → arize_phoenix-8.30.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: arize-phoenix
-Version: 8.28.1
+Version: 8.30.0
 Summary: AI Observability and Evaluation
 Project-URL: Documentation, https://docs.arize.com/phoenix/
 Project-URL: Issues, https://github.com/Arize-ai/phoenix/issues

{arize_phoenix-8.28.1.dist-info → arize_phoenix-8.30.0.dist-info}/RECORD

@@ -1,12 +1,12 @@
 phoenix/__init__.py,sha256=X3eUEwd2rG8KKWWYVNNDJoqo08ihfjgHhlP29dcdNJE,5481
 phoenix/auth.py,sha256=VVMHrWN31tln3Zo4z6ofecrV4daiqJjLd8r85mqlxek,10939
-phoenix/config.py,sha256=NrZKYKtUFyQetptVpcgtiQwky8fx3ZOBTUz3--ln0p4,40049
+phoenix/config.py,sha256=p6uh69Tk0t1orLqrWrSoQ42xt6ceJyuR2BYSBYMlme0,51117
 phoenix/datetime_utils.py,sha256=iJzNG6YJ6V7_u8B2iA7P2Z26FyxYbOPtx0dhJ7kNDHA,3398
 phoenix/exceptions.py,sha256=n2L2KKuecrdflB9MsCdAYCiSEvGJptIsfRkXMoJle7A,169
 phoenix/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
 phoenix/services.py,sha256=ngkyKGVatX3cO2WJdo2hKdaVKP-xJCMvqthvga6kJss,5196
 phoenix/settings.py,sha256=x87BX7hWGQQZbrW_vrYqFR_izCGfO9gFc--JXUG4Tdk,754
-phoenix/version.py,sha256=gsPW9piraEXxZqmMeTmM62F-5-fa2a-qU5TOrQPD4Gs,23
+phoenix/version.py,sha256=638ZRUG4tJUhIoPEqobGe8ch91ac1hVzQMqfk59uxtY,23
 phoenix/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/core/embedding_dimension.py,sha256=zKGbcvwOXgLf-yrJBpQyKtd-LEOPRKHnUToyAU8Owis,87
 phoenix/core/model.py,sha256=qBFraOtmwCCnWJltKNP18DDG0mULXigytlFsa6YOz6k,4837
@@ -81,12 +81,13 @@ phoenix/pointcloud/projectors.py,sha256=TQgwc9cJDjJkin1WZyZzgl3HsYrLLiyWD7Czy4jN
 phoenix/pointcloud/umap_parameters.py,sha256=db_WEPoamuWtopZx7tQfAXPnoE0MS8FkAV0_ThjEx_Q,1735
 phoenix/server/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/server/app.py,sha256=1lPHzZwWlTpwzEaO6jmgO18Ib4ssBxoLO9fwbfT_ois,39053
+phoenix/server/authorization.py,sha256=fofeRwuoodCUB3DQYPCuAgIyeiwopXW0tkH_KZvU0Rg,1848
 phoenix/server/bearer_auth.py,sha256=9AY0-aOSHm-B7OYB-20jFA7bETAA6S1_W1za42A8Yt8,6804
 phoenix/server/dml_event.py,sha256=MjJmVEKytq75chBOSyvYDusUnEbg1pHpIjR3pZkUaJA,2838
 phoenix/server/dml_event_handler.py,sha256=EZLXmCvx4pJrCkz29gxwKwmvmUkTtPCHw6klR-XM8qE,8258
-phoenix/server/grpc_server.py,sha256=SknR-iLIUqU9swiAyLhbCUREA1obOM6w49xgdK1AQDs,3839
+phoenix/server/grpc_server.py,sha256=dod29zE_Zlir7NyLcdVM8GH3P8sy-9ykzfaBfVifyE4,4656
 phoenix/server/jwt_store.py,sha256=asxzY4_ZBM2FWAMstHvhvnKUP_0AA3v3xPTL2IOgNqY,16831
-phoenix/server/main.py,sha256=EuaVqpdrSgtszLK7ov_KkMMQbY2bDV_JTSf73olLKow,16374
+phoenix/server/main.py,sha256=Twpig08FSHIwICMr-2qGNLNoCrgk6EjyHrrxiBwS_VU,18029
 phoenix/server/oauth2.py,sha256=EV4wcCwG0N7cJRcfGNURdP5rZgRVCeRDvXyle19A27Y,2064
 phoenix/server/prometheus.py,sha256=1KjvSfjSa2-BPjDybVMM_Kag316CsN-Zwt64YNr_snc,7825
 phoenix/server/rate_limiters.py,sha256=cFc73D2NaxqNZZDbwfIDw4So-fRVOJPBtqxOZ8Qky_s,7155
@@ -146,7 +147,7 @@ phoenix/server/api/helpers/dataset_helpers.py,sha256=DoMBTg-qXTnC_K4Evx1WKpCCYgR
 phoenix/server/api/helpers/experiment_run_filters.py,sha256=DOnVwrmn39eAkk2mwuZP8kIcAnR5jrOgllEwWSjsw94,29893
 phoenix/server/api/helpers/playground_clients.py,sha256=tHwW-HbnoxU-EXXVvmY_1lbYh3Mv7QKw-e9KnREc7m4,41814
 phoenix/server/api/helpers/playground_registry.py,sha256=CPLMziFB2wmr-dfbx7VbzO2f8YIG_k5RftzvGXYGQ1w,2570
-phoenix/server/api/helpers/playground_spans.py,sha256=PjGNDc7cpqn5lmRM6TO_J1eVRGlgsNdQ8IT--5JVz0o,16881
+phoenix/server/api/helpers/playground_spans.py,sha256=ObAhvV_yNwEQDkjzgU5G73wfIisc8q4cpB0OFH5cd24,16974
 phoenix/server/api/helpers/prompts/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/server/api/helpers/prompts/models.py,sha256=zwWBA5GQvEHT4xyZwP-_kr1rJZ7SHnguATsQwsFw5aw,19519
 phoenix/server/api/helpers/prompts/conversions/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -318,10 +319,10 @@ phoenix/server/static/apple-touch-icon-76x76.png,sha256=CT_xT12I0u2i0WU8JzBZBuOQ
 phoenix/server/static/apple-touch-icon.png,sha256=fOfpjqGpWYbJ0eAurKsyoZP1EAs6ZVooBJ_SGk2ZkDs,3801
 phoenix/server/static/favicon.ico,sha256=bY0vvCKRftemZfPShwZtE93DiiQdaYaozkPGwNFr6H8,34494
 phoenix/server/static/modernizr.js,sha256=mvK-XtkNqjOral-QvzoqsyOMECXIMu5BQwSVN_wcU9c,2564
-phoenix/server/static/.vite/manifest.json,sha256=6QTURnF280ofNocGEl8gB6sl5MV89eY-ud75tIEL_9s,2165
-phoenix/server/static/assets/components-DepxScNF.js,sha256=carDtPUQBqqHy_r-R915p_M-9nTJg-AL2Wbc2dAK3GQ,456419
-phoenix/server/static/assets/index-DUj7q3Q4.js,sha256=c5CoeDmjEu__Js2Je0WtUH-_94J2_IOARtC8tF37Kf4,60460
-phoenix/server/static/assets/pages-CJUakDKi.js,sha256=7z0F3KAcyUcdXrMrBorbSmOYJDlG7olc3hrATdEfnJA,864692
+phoenix/server/static/.vite/manifest.json,sha256=LT4zk-ACfPJOdvtfdMat3RKSRZf8dq9HnPMdrnLmLsU,2165
+phoenix/server/static/assets/components-BypB0fGT.js,sha256=AYnKnOwh7u_OwervE0AmQ7myFDgYIiwCyjrfoL8OAJg,456419
+phoenix/server/static/assets/index-Ccebc6-h.js,sha256=lHdYZrNRbUI4kVqQcji9pKK9ofB_y0v8D7f73NJX7gI,60460
+phoenix/server/static/assets/pages-DGdjQlsy.js,sha256=AaD6DdUBqgt7rAHyo-aiewoNp5CWNKFQ5NkeJL0Cdnc,864937
 phoenix/server/static/assets/vendor-BfhM_F1u.js,sha256=S90L1KRZOw_NX6C9FENfLs6bSuEzf7zVDAqjZAZJZgE,2514280
 phoenix/server/static/assets/vendor-Cg6lcjUC.css,sha256=nZrkr0u6NNElFGvpWHk9GTHeGoibCXCli1bE7mXZGZg,1816
 phoenix/server/static/assets/vendor-arizeai-CxXYQNUl.js,sha256=V0umBNhH2psKhzwNKvLylYrqVfHu4I6NDSqejmR2OIU,193248
@@ -332,7 +333,7 @@ phoenix/server/static/assets/vendor-three-C5WAXd5r.js,sha256=ELkg06u70N7h8oFmvqd
 phoenix/server/templates/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/server/templates/index.html,sha256=e8_jdi7Eo19SK7DI_gglkTW094D17E0VAegoMmmmvIc,4330
 phoenix/session/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-phoenix/session/client.py,sha256=nXSn2Zmf9wTxgSe11Y9kKSLClkG8pNEAJgfEmy4mPm8,35234
+phoenix/session/client.py,sha256=51UCIZ_k4Wd4b8f4Yi888MOie6nhF8E_5in41eBTUVU,35234
 phoenix/session/data_extractor.py,sha256=Y0RzYFaNy9fQj8PEIeQ76TBZ90_E1FW7bXu3K5x0EZY,2782
 phoenix/session/evaluation.py,sha256=Q3fOMNELvqkk-b6a6PKc8pDJdsNQ0ZbTpseUSA2NKqs,5300
 phoenix/session/session.py,sha256=twE8tld8knShmTpZp6R80CUt2jau3RmfdfZAQCLSTKU,27621
@@ -368,9 +369,9 @@ phoenix/utilities/project.py,sha256=auVpARXkDb-JgeX5f2aStyFIkeKvGwN9l7qrFeJMVxI,
 phoenix/utilities/re.py,sha256=6YyUWIkv0zc2SigsxfOWIHzdpjKA_TZo2iqKq7zJKvw,2081
 phoenix/utilities/span_store.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/utilities/template_formatters.py,sha256=gh9PJD6WEGw7TEYXfSst1UR4pWWwmjxMLrDVQ_CkpkQ,2779
-arize_phoenix-8.28.1.dist-info/METADATA,sha256=piSQBdxjMSPCEXL3HRfFaSsgivBPxTHLu4yeSq-FxB8,24478
-arize_phoenix-8.28.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-arize_phoenix-8.28.1.dist-info/entry_points.txt,sha256=Pgpn8Upxx9P8z8joPXZWl2LlnAlGc3gcQoVchb06X1Q,94
-arize_phoenix-8.28.1.dist-info/licenses/IP_NOTICE,sha256=JBqyyCYYxGDfzQ0TtsQgjts41IJoa-hiwDrBjCb9gHM,469
-arize_phoenix-8.28.1.dist-info/licenses/LICENSE,sha256=HFkW9REuMOkvKRACuwLPT0hRydHb3zNg-fdFt94td18,3794
-arize_phoenix-8.28.1.dist-info/RECORD,,
+arize_phoenix-8.30.0.dist-info/METADATA,sha256=5Q2XR0ZPn6hBnWkTNeQ5Ajdr4paRK-agq2gBwWccXHA,24478
+arize_phoenix-8.30.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+arize_phoenix-8.30.0.dist-info/entry_points.txt,sha256=Pgpn8Upxx9P8z8joPXZWl2LlnAlGc3gcQoVchb06X1Q,94
+arize_phoenix-8.30.0.dist-info/licenses/IP_NOTICE,sha256=JBqyyCYYxGDfzQ0TtsQgjts41IJoa-hiwDrBjCb9gHM,469
+arize_phoenix-8.30.0.dist-info/licenses/LICENSE,sha256=HFkW9REuMOkvKRACuwLPT0hRydHb3zNg-fdFt94td18,3794
+arize_phoenix-8.30.0.dist-info/RECORD,,

phoenix/config.py

@@ -2,7 +2,7 @@ import logging
 import os
 import re
 import tempfile
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 from datetime import timedelta
 from enum import Enum
 from importlib.metadata import version
@@ -240,6 +240,268 @@ ENV_PHOENIX_FASTAPI_MIDDLEWARE_PATHS = "PHOENIX_FASTAPI_MIDDLEWARE_PATHS"
 ENV_PHOENIX_GQL_EXTENSION_PATHS = "PHOENIX_GQL_EXTENSION_PATHS"
 ENV_PHOENIX_GRPC_INTERCEPTOR_PATHS = "PHOENIX_GRPC_INTERCEPTOR_PATHS"
 
+ENV_PHOENIX_TLS_ENABLED = "PHOENIX_TLS_ENABLED"
+"""
+Whether to enable TLS for Phoenix HTTP and gRPC servers.
+"""
+ENV_PHOENIX_TLS_ENABLED_FOR_HTTP = "PHOENIX_TLS_ENABLED_FOR_HTTP"
+"""
+Whether to enable TLS for Phoenix HTTP server. Overrides PHOENIX_TLS_ENABLED.
+"""
+ENV_PHOENIX_TLS_ENABLED_FOR_GRPC = "PHOENIX_TLS_ENABLED_FOR_GRPC"
+"""
+Whether to enable TLS for Phoenix gRPC server. Overrides PHOENIX_TLS_ENABLED.
+"""
+ENV_PHOENIX_TLS_CERT_FILE = "PHOENIX_TLS_CERT_FILE"
+"""
+Path to the TLS certificate file for HTTPS connections.
+When set, Phoenix will use HTTPS instead of HTTP for all connections.
+"""
+ENV_PHOENIX_TLS_KEY_FILE = "PHOENIX_TLS_KEY_FILE"
+"""
+Path to the TLS private key file for HTTPS connections.
+Required when PHOENIX_TLS_CERT_FILE is set.
+"""
+ENV_PHOENIX_TLS_KEY_FILE_PASSWORD = "PHOENIX_TLS_KEY_FILE_PASSWORD"
+"""
+Password for the TLS private key file if it's encrypted.
+Only needed if the private key file requires a password.
+"""
+ENV_PHOENIX_TLS_CA_FILE = "PHOENIX_TLS_CA_FILE"
+"""
+Path to the Certificate Authority (CA) file for client certificate verification.
+Used when PHOENIX_TLS_VERIFY_CLIENT is set to true.
+"""
+ENV_PHOENIX_TLS_VERIFY_CLIENT = "PHOENIX_TLS_VERIFY_CLIENT"
+"""
+Whether to verify client certificates for mutual TLS (mTLS) authentication.
+When set to true, clients must provide valid certificates signed by the CA specified in
+PHOENIX_TLS_CA_FILE.
+"""
+
+
+@dataclass(frozen=True)
+class TLSConfig:
+    """Configuration for TLS (Transport Layer Security) connections.
+
+    This class manages TLS certificates and private keys for secure connections.
+    It handles reading certificate and key files, and decrypting private keys
+    if they are password-protected.
+
+    Attributes:
+        cert_file: Path to the TLS certificate file
+        key_file: Path to the TLS private key file
+        key_file_password: Optional password for decrypting the private key
+        _cert_data: Cached certificate data (internal use)
+        _key_data: Cached decrypted key data (internal use)
+        _decrypted_key_data: Cached decrypted key data (internal use)
+    """
+
+    cert_file: Path
+    key_file: Path
+    key_file_password: Optional[str]
+    _cert_data: bytes = field(default=b"", init=False, repr=False)
+    _key_data: bytes = field(default=b"", init=False, repr=False)
+    _decrypted_key_data: Optional[bytes] = field(default=None, init=False, repr=False)
+
+    @property
+    def cert_data(self) -> bytes:
+        """Get the certificate data, reading from file if not cached.
+
+        Returns:
+            bytes: The certificate data in PEM format
+        """
+        if not self._cert_data:
+            with open(self.cert_file, "rb") as f:
+                object.__setattr__(self, "_cert_data", f.read())
+        return self._cert_data
+
+    @property
+    def key_data(self) -> bytes:
+        """Get the decrypted key data, reading from file if not cached.
+
+        This property reads the private key file and decrypts it if a password
+        is provided. The decrypted key is cached for subsequent accesses.
+
+        Returns:
+            bytes: The decrypted private key data in PEM format
+
+        Raises:
+            ValueError: If the cryptography library is not installed or if
+                decryption fails
+        """
+        if not self._key_data:
+            self._read_and_cache_key_data()
+        return self._key_data
+
+    def _read_and_cache_key_data(self) -> None:
+        """Read and decrypt the private key file, then cache the result.
+
+        This method reads the private key file, decrypts it if a password
+        is provided, and stores the decrypted key in the _key_data attribute.
+
+        Raises:
+            ValueError: If the cryptography library is not installed or if
+                decryption fails
+        """
+        try:
+            from cryptography.hazmat.backends import default_backend
+            from cryptography.hazmat.primitives.serialization import (
+                Encoding,
+                NoEncryption,
+                PrivateFormat,
+                load_pem_private_key,
+            )
+        except ImportError:
+            raise ValueError(
+                "The cryptography library is needed to read private keys for "
+                "TLS configuration. Please install it with: pip install cryptography"
+            )
+
+        # First read the key file
+        with open(self.key_file, "rb") as f:
+            key_data = f.read()
+
+        try:
+            # Convert password to bytes if it exists
+            password_bytes = self.key_file_password.encode() if self.key_file_password else None
+
+            # Load the key (decrypting if password is provided)
+            private_key = load_pem_private_key(
+                key_data,
+                password=password_bytes,
+                backend=default_backend(),
+            )
+
+            # Convert to PEM format without encryption
+            decrypted_pem = private_key.private_bytes(
+                encoding=Encoding.PEM,
+                format=PrivateFormat.PKCS8,
+                encryption_algorithm=NoEncryption(),
+            )
+        except Exception as e:
+            raise ValueError(f"Failed to decrypt private key: {e}")
+        object.__setattr__(self, "_key_data", decrypted_pem)
+
+
+@dataclass(frozen=True)
+class TLSConfigVerifyClient(TLSConfig):
+    """TLS configuration with client verification enabled."""
+
+    ca_file: Path
+    _ca_data: bytes = field(default=b"", init=False, repr=False)
+
+    @property
+    def ca_data(self) -> bytes:
+        """Get the CA certificate data, reading from file if not cached."""
+        if not self._ca_data:
+            with open(self.ca_file, "rb") as f:
+                object.__setattr__(self, "_ca_data", f.read())
+        return self._ca_data
+
+
+def get_env_tls_enabled_for_http() -> bool:
+    """
+    Gets whether TLS is enabled for the HTTP server.
+
+    This function checks both PHOENIX_TLS_ENABLED_FOR_HTTP and PHOENIX_TLS_ENABLED environment variables.
+    If PHOENIX_TLS_ENABLED_FOR_HTTP is set, it takes precedence over PHOENIX_TLS_ENABLED.
+
+    Returns:
+        bool: True if TLS is enabled for HTTP server, False otherwise. Defaults to False if neither
+        environment variable is set.
+    """  # noqa: E501
+    return _bool_val(ENV_PHOENIX_TLS_ENABLED_FOR_HTTP, _bool_val(ENV_PHOENIX_TLS_ENABLED, False))
+
+
+def get_env_tls_enabled_for_grpc() -> bool:
+    """
+    Gets whether TLS is enabled for the gRPC server.
+
+    This function checks both PHOENIX_TLS_ENABLED_FOR_GRPC and PHOENIX_TLS_ENABLED environment variables.
+    If PHOENIX_TLS_ENABLED_FOR_GRPC is set, it takes precedence over PHOENIX_TLS_ENABLED.
+
+    Returns:
+        bool: True if TLS is enabled for gRPC server, False otherwise. Defaults to False if neither
+        environment variable is set.
+    """  # noqa: E501
+    return _bool_val(ENV_PHOENIX_TLS_ENABLED_FOR_GRPC, _bool_val(ENV_PHOENIX_TLS_ENABLED, False))
+
+
+def get_env_tls_verify_client() -> bool:
+    """
+    Gets the value of the PHOENIX_TLS_VERIFY_CLIENT environment variable.
+
+    Returns:
+        bool: True if client certificate verification is enabled, False otherwise. Defaults to False
+        if the environment variable is not set.
+    """  # noqa: E501
+    return _bool_val(ENV_PHOENIX_TLS_VERIFY_CLIENT, False)
+
+
+def get_env_tls_config() -> Optional[TLSConfig]:
+    """
+    Retrieves and validates TLS configuration from environment variables.
+
+    Returns:
+        Optional[TLSConfig]: A configuration object containing TLS settings, or None if TLS is disabled.
+        If client verification is enabled, returns TLSConfigVerifyClient instead.
+
+    The function reads the following environment variables:
+    - PHOENIX_TLS_ENABLED: Whether TLS is enabled (defaults to False)
+    - PHOENIX_TLS_CERT_FILE: Path to the TLS certificate file
+    - PHOENIX_TLS_KEY_FILE: Path to the TLS private key file
+    - PHOENIX_TLS_KEY_FILE_PASSWORD: Password for the TLS private key file
+    - PHOENIX_TLS_CA_FILE: Path to the Certificate Authority file (required for client verification)
+    - PHOENIX_TLS_VERIFY_CLIENT: Whether to verify client certificates
+
+    Raises:
+        ValueError: If required files are missing or don't exist when TLS is enabled
+    """  # noqa: E501
+    # Check if TLS is enabled
+    if not (get_env_tls_enabled_for_http() or get_env_tls_enabled_for_grpc()):
+        return None
+
+    # Get certificate file path if specified
+    if not (cert_file_str := getenv(ENV_PHOENIX_TLS_CERT_FILE)):
+        raise ValueError("PHOENIX_TLS_CERT_FILE must be set when PHOENIX_TLS_ENABLED is true")
+    cert_file = Path(cert_file_str)
+
+    # Get private key file path if specified
+    if not (key_file_str := getenv(ENV_PHOENIX_TLS_KEY_FILE)):
+        raise ValueError("PHOENIX_TLS_KEY_FILE must be set when PHOENIX_TLS_ENABLED is true")
+    key_file = Path(key_file_str)
+
+    # Get private key password if specified
+    key_file_password = getenv(ENV_PHOENIX_TLS_KEY_FILE_PASSWORD)
+
+    # Validate certificate and key files
+    _validate_file_exists_and_is_readable(cert_file, "certificate")
+    _validate_file_exists_and_is_readable(key_file, "key")
+
+    # If client verification is enabled, validate CA file and return TLSConfigVerifyClient
+    if get_env_tls_verify_client():
+        if not (ca_file_str := getenv(ENV_PHOENIX_TLS_CA_FILE)):
+            raise ValueError(
+                "PHOENIX_TLS_CA_FILE must be set when PHOENIX_TLS_VERIFY_CLIENT is true"
+            )
+
+        ca_file = Path(ca_file_str)
+        _validate_file_exists_and_is_readable(ca_file, "CA")
+
+        return TLSConfigVerifyClient(
+            cert_file=cert_file,
+            key_file=key_file,
+            key_file_password=key_file_password,
+            ca_file=ca_file,
+        )
+
+    return TLSConfig(
+        cert_file=cert_file,
+        key_file=key_file,
+        key_file_password=key_file_password,
+    )
+
 
 def server_instrumentation_is_enabled() -> bool:
     return bool(
@@ -956,7 +1218,8 @@ def get_env_root_url() -> URL:
     host = get_env_host()
     if host == "0.0.0.0":
         host = "127.0.0.1"
-    return URL(urljoin(f"http://{host}:{get_env_port()}", get_env_host_root_path()))
+    scheme = "https" if get_env_tls_enabled_for_http() else "http"
+    return URL(urljoin(f"{scheme}://{host}:{get_env_port()}", get_env_host_root_path()))
 
 
 def get_base_url() -> str:
@@ -964,7 +1227,8 @@ def get_base_url() -> str:
     host = get_env_host()
     if host == "0.0.0.0":
         host = "127.0.0.1"
-    base_url = get_env_collector_endpoint() or f"http://{host}:{get_env_port()}"
+    scheme = "https" if get_env_tls_enabled_for_http() else "http"
+    base_url = get_env_collector_endpoint() or f"{scheme}://{host}:{get_env_port()}"
     return base_url if base_url.endswith("/") else base_url + "/"
 
 
@@ -1159,3 +1423,30 @@ When the PHOENIX_ADMIN_SECRET is used as a bearer token in API requests, the
 request is authenticated as the system user with the user_id set to this
 SYSTEM_USER_ID value (only if this variable is not None).
 """
+
+
+def _validate_file_exists_and_is_readable(
+    file_path: Path,
+    description: str,
+    check_non_empty: bool = True,
+) -> None:
+    """
+    Validate that a file exists, is readable, and optionally has non-zero size.
+
+    Args:
+        file_path: Path to the file to validate
+        description: Description of the file for error messages (e.g., "certificate", "key", "CA")
+        check_non_empty: Whether to check if the file has non-zero size. Defaults to True.
+
+    Raises:
+        ValueError: If the path is not a file, isn't readable, or has zero size (if check_non_empty is True)
+    """  # noqa: E501
+    if not file_path.is_file():
+        raise ValueError(f"{description} path is not a file: {file_path}")
+    if check_non_empty and file_path.stat().st_size == 0:
+        raise ValueError(f"{description} file is empty: {file_path}")
+    try:
+        with open(file_path, "rb") as f:
+            f.read(1)  # Read just one byte to verify readability
+    except Exception as e:
+        raise ValueError(f"{description} file is not readable: {e}")

phoenix/server/api/helpers/playground_spans.py

@@ -1,4 +1,5 @@
 import json
+import logging
 from collections import defaultdict
 from collections.abc import Mapping
 from dataclasses import asdict
@@ -54,6 +55,8 @@ ChatCompletionMessage: TypeAlias = tuple[
 ]
 ToolCallID: TypeAlias = str
 
+logger = logging.getLogger(__name__)
+
 
 class streaming_llm_span:
     """
@@ -117,6 +120,7 @@ class streaming_llm_span:
                     exception_stacktrace=format_exc(),
                 )
             )
+            logger.exception(exc_value)
         if self._text_chunks or self._tool_call_chunks:
             self._attributes.update(
                 chain(

phoenix/server/authorization.py

@@ -0,0 +1,53 @@
+"""
+Authorization dependencies for FastAPI routes.
+
+Usage:
+    Use the provided dependencies (e.g., require_admin) with FastAPI's Depends to restrict access to
+    certain routes.
+
+    These dependencies will raise HTTP 403 if the user is not authorized.
+
+    Example:
+
+        from fastapi import APIRouter, Depends
+        from phoenix.server.authorization import require_admin
+
+        router = APIRouter()
+
+        @router.post("/dangerous-thing", dependencies=[Depends(require_admin)])
+        async def dangerous_thing(...):
+            ...
+
+    The require_admin dependency allows only admin or system users to access the route.
+    It expects authentication to be enabled and the request.user to be set by the authentication.
+"""
+
+from fastapi import HTTPException, Request
+from fastapi import status as fastapi_status
+
+from phoenix.server.bearer_auth import PhoenixUser
+
+
+def require_admin(request: Request) -> None:
+    """
+    FastAPI dependency to restrict access to admin or system users only.
+
+    Usage:
+        Add as a dependency to any route that should only be accessible by admin or system users:
+
+            @router.post("/dangerous-thing", dependencies=[Depends(require_admin)])
+            async def dangerous_thing(...):
+                ...
+
+    Behavior:
+        - Allows access if the authenticated user is an admin or a system user.
+        - Raises HTTP 403 Forbidden if the user is not authorized.
+        - Expects authentication to be enabled and request.user to be set by the authentication.
+    """
+    user = getattr(request, "user", None)
+    # System users have all privileges
+    if not (isinstance(user, PhoenixUser) and user.is_admin):
+        raise HTTPException(
+            status_code=fastapi_status.HTTP_403_FORBIDDEN,
+            detail="Only admin or system users can perform this action.",
+        )

phoenix/server/grpc_server.py

@@ -14,7 +14,12 @@ from opentelemetry.proto.collector.trace.v1.trace_service_pb2_grpc import (
 from typing_extensions import TypeAlias
 
 from phoenix.auth import CanReadToken
-from phoenix.config import get_env_grpc_port
+from phoenix.config import (
+    TLSConfigVerifyClient,
+    get_env_grpc_port,
+    get_env_tls_config,
+    get_env_tls_enabled_for_grpc,
+)
 from phoenix.server.bearer_auth import ApiKeyInterceptor
 from phoenix.trace.otel import decode_otlp_span
 from phoenix.trace.schemas import Span
@@ -86,7 +91,21 @@ class GrpcServer:
             options=(("grpc.so_reuseport", 0),),
             interceptors=interceptors,
         )
-        server.add_insecure_port(f"[::]:{get_env_grpc_port()}")
+        if get_env_tls_enabled_for_grpc():
+            assert (tls_config := get_env_tls_config())
+            private_key_certificate_chain_pairs = [(tls_config.key_data, tls_config.cert_data)]
+            server_credentials = (
+                grpc.ssl_server_credentials(
+                    private_key_certificate_chain_pairs,
+                    root_certificates=tls_config.ca_data,
+                    require_client_auth=True,
+                )
+                if isinstance(tls_config, TLSConfigVerifyClient)
+                else grpc.ssl_server_credentials(private_key_certificate_chain_pairs)
+            )
+            server.add_secure_port(f"[::]:{get_env_grpc_port()}", server_credentials)
+        else:
+            server.add_insecure_port(f"[::]:{get_env_grpc_port()}")
         add_TraceServiceServicer_to_server(Servicer(self._callback), server)  # type: ignore[no-untyped-call,unused-ignore]
         await server.start()
         self._server = server

phoenix/server/main.py

@@ -4,6 +4,7 @@ import os
 import sys
 from argparse import SUPPRESS, ArgumentParser
 from pathlib import Path
+from ssl import CERT_REQUIRED
 from threading import Thread
 from time import sleep, time
 from typing import Optional
@@ -15,6 +16,7 @@ from uvicorn import Config, Server
 import phoenix.trace.v1 as pb
 from phoenix.config import (
     EXPORT_DIR,
+    TLSConfigVerifyClient,
     get_env_access_token_expiry,
     get_env_allowed_origins,
     get_env_auth_settings,
@@ -39,6 +41,9 @@ from phoenix.config import (
     get_env_smtp_port,
     get_env_smtp_username,
     get_env_smtp_validate_certs,
+    get_env_tls_config,
+    get_env_tls_enabled_for_grpc,
+    get_env_tls_enabled_for_http,
     get_pids_path,
 )
 from phoenix.core.model_schema_adapter import create_model_from_inferences
@@ -98,15 +103,27 @@ _WELCOME_MESSAGE = Environment(loader=BaseLoader()).from_string("""
 |  🚀 Phoenix Server 🚀
 |  Phoenix UI: {{ ui_path }}
 |  Authentication: {{ auth_enabled }}
-|  Websockets: {{ websockets_enabled }}
-{%- if allowed_origins %}\n|  Allowed Origins: {{ allowed_origins }}{% endif %}
+{%- if auth_enabled_for_http or auth_enabled_for_grpc %}
+{%- if tls_enabled_for_http %}
+|  TLS: Enabled for HTTP
+{%- endif %}
+{%- if tls_enabled_for_grpc %}
+|  TLS: Enabled for gRPC
+{%- endif %}
+{%- if tls_verify_client %}
+|  TLS Client Verification: Enabled
+{%- endif %}
+{%- endif %}
+{%- if allowed_origins %}
+|  Allowed Origins: {{ allowed_origins }}
+{%- endif %}
 |  Log traces:
 |    - gRPC: {{ grpc_path }}
 |    - HTTP: {{ http_path }}
 |  Storage: {{ storage }}
-{% if schema -%}
+{%- if schema %}
 |    - Schema: {{ schema }}
-{% endif -%}
+{%- endif %}
 """)
 
 
@@ -356,16 +373,27 @@ def main() -> None:
 
     allowed_origins = get_env_allowed_origins()
 
+    # Get TLS configuration
+    tls_enabled_for_http = get_env_tls_enabled_for_http()
+    tls_enabled_for_grpc = get_env_tls_enabled_for_grpc()
+    tls_config = get_env_tls_config()
+    tls_verify_client = tls_config is not None and isinstance(tls_config, TLSConfigVerifyClient)
+
     # Print information about the server
-    root_path = urljoin(f"http://{host}:{port}", host_root_path)
+    http_scheme = "https" if tls_enabled_for_http else "http"
+    grpc_scheme = "https" if tls_enabled_for_grpc else "http"
+    root_path = urljoin(f"{http_scheme}://{host}:{port}", host_root_path)
     msg = _WELCOME_MESSAGE.render(
         version=phoenix_version,
         ui_path=root_path,
-        grpc_path=f"http://{host}:{get_env_grpc_port()}",
+        grpc_path=f"{grpc_scheme}://{host}:{get_env_grpc_port()}",
         http_path=urljoin(root_path, "v1/traces"),
         storage=get_printable_db_url(db_connection_str),
         schema=get_env_database_schema(),
         auth_enabled=authentication_enabled,
+        tls_enabled_for_http=tls_enabled_for_http,
+        tls_enabled_for_grpc=tls_enabled_for_grpc,
+        tls_verify_client=tls_verify_client,
         allowed_origins=allowed_origins,
     )
     if sys.platform.startswith("win"):
@@ -417,7 +445,28 @@ def main() -> None:
         oauth2_client_configs=get_env_oauth2_settings(),
         allowed_origins=allowed_origins,
     )
-    server = Server(config=Config(app, host=host, port=port, root_path=host_root_path))  # type: ignore
+
+    # Configure server with TLS if enabled
+    server_config = Config(
+        app=app,
+        host=host,  # type: ignore[arg-type]
+        port=port,
+        root_path=host_root_path,
+    )
+
+    if tls_enabled_for_http:
+        assert tls_config
+        # Configure SSL context with certificate and key
+        server_config.ssl_keyfile = str(tls_config.key_file)
+        server_config.ssl_keyfile_password = tls_config.key_file_password
+        server_config.ssl_certfile = str(tls_config.cert_file)
+
+        # If CA file is provided and client verification is enabled
+        if isinstance(tls_config, TLSConfigVerifyClient):
+            server_config.ssl_ca_certs = str(tls_config.ca_file)
+            server_config.ssl_cert_reqs = CERT_REQUIRED
+
+    server = Server(config=server_config)
     Thread(target=_write_pid_file_when_ready, args=(server,), daemon=True).start()
 
     try: