mlrun 1.10.0rc18__py3-none-any.whl → 1.11.0rc16__py3-none-any.whl

mlrun/auth/utils.py

@@ -0,0 +1,415 @@
+# Copyright 2025 Iguazio
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import time
+import typing
+
+import jwt
+import yaml
+
+import mlrun.common.constants
+import mlrun.common.schemas
+import mlrun.utils.helpers
+from mlrun.config import config as mlconf
+
+if typing.TYPE_CHECKING:
+    import mlrun.db
+
+
+class Claims:
+    """
+    JWT Claims constants.
+    """
+
+    SUBJECT = "sub"
+    EXPIRATION = "exp"
+
+
+def load_offline_token(raise_on_error=True) -> typing.Optional[str]:
+    """
+    Load the offline token from the environment variable or YAML file.
+
+    The function first attempts to retrieve the offline token from the environment variable.
+    If not found, it tries to load the token from a YAML file. If both methods fail, it either
+    raises an error or logs a warning based on the `raise_on_error` parameter.
+
+    :param raise_on_error: If True, raises an error when the offline token cannot be resolved.
+                           If False, logs a warning instead.
+    :return: The offline token if found, otherwise None.
+    """
+    if token_env := get_offline_token_from_env():
+        return token_env
+    return get_offline_token_from_file(raise_on_error=raise_on_error)
+
+
+def get_offline_token_from_file(raise_on_error: bool = True) -> typing.Optional[str]:
+    """
+    Retrieve the offline token from a configured file.
+
+    This function reads the token file specified in the configuration, parses its content,
+    and extracts the offline token. If the file does not exist or cannot be parsed, it either
+    raises an error or logs a warning based on the `raise_on_error` parameter.
+
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The offline token if found, otherwise None.
+    """
+    tokens = load_secret_tokens_from_file(raise_on_error=raise_on_error)
+    if not tokens:
+        return None
+    return parse_offline_token_data(tokens=tokens, raise_on_error=raise_on_error)
+
+
+def load_secret_tokens_from_file(
+    raise_on_error: bool = True,
+) -> list[dict]:
+    """
+    Load and parse secret tokens from a configured file.
+
+    This function reads the secret tokens file (specified in
+    ``mlrun.mlconf.auth_with_oauth_token.token_file``) and returns the raw list
+    of token dictionaries under the ``secretTokens`` key. It does NOT validate
+    the tokens.
+
+    If the file is missing, empty, or malformed, the behavior depends on
+    ``raise_on_error``. In such cases, the function will either raise/log an
+    error and return an empty list.
+
+    :param raise_on_error: Whether to raise exceptions on read/parse failure.
+    :return: List of token dictionaries from ``secretTokens``.
+             Returns an empty list if parsing fails or no tokens exist.
+    :rtype: list[dict[str, Any]]
+    """
+    token_file = os.path.expanduser(mlconf.auth_with_oauth_token.token_file)
+    data = read_secret_tokens_file(raise_on_error=raise_on_error)
+    if not data:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Token file is empty or could not be parsed: {token_file}",
+            raise_on_error,
+        )
+        return []
+
+    tokens_list = data.get("secretTokens")
+    if not isinstance(tokens_list, list) or not tokens_list:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Invalid token file: 'secretTokens' must be a non-empty list in {token_file}",
+            raise_on_error,
+        )
+        return []
+
+    return tokens_list
+
+
+def read_secret_tokens_file(
+    raise_on_error: bool = True,
+) -> typing.Optional[dict[str, typing.Any]]:
+    """
+    Read and parse the secret tokens file.
+
+    This function attempts to read the token file specified in the configuration and parse its content as YAML.
+    If the file does not exist or cannot be parsed, it either raises an error or logs a warning based on the
+    `raise_on_error` parameter.
+
+    - The configured path may use ``~`` to represent the user’s home directory, which
+      will be expanded automatically.
+
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The parsed content of the token file as a dictionary, or None if an error occurs.
+    """
+    token_file = os.path.expanduser(mlconf.auth_with_oauth_token.token_file)
+
+    if not os.path.exists(token_file):
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Configured token file not found: {token_file}", raise_on_error
+        )
+        return None
+
+    try:
+        with open(token_file) as token_file_io:
+            data = yaml.safe_load(token_file_io)
+        if not data:
+            mlrun.utils.helpers.raise_or_log_error(
+                f"Token file {token_file} is empty or invalid",
+                raise_on_error,
+            )
+            return None
+        if not isinstance(data, dict):
+            mlrun.utils.helpers.raise_or_log_error(
+                f"Token file {token_file} must contain a YAML mapping (dictionary)",
+                raise_on_error,
+            )
+            return None
+        return data
+    except yaml.YAMLError as exc:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Failed to parse token file {token_file}: {exc}", raise_on_error
+        )
+        return None
+
+
+def parse_offline_token_data(
+    tokens: list[dict[str, typing.Any]], raise_on_error: bool = True
+) -> typing.Optional[str]:
+    """
+    Extract the correct offline token entry from the parsed tokens list.
+
+    Logic:
+    1. Identify the target token entry using `mlrun.mlconf.auth_with_oauth_token.token_name`:
+       - If the value is set (non-empty):
+         - Look for an entry where `name == <TOKEN_NAME>`.
+         - If no match is found, resolution fails.
+       - If the value is not set (empty string):
+         - Look for an entry named "default".
+         - If not found, fall back to the first token in the list.
+         - If no entries exist, resolution fails.
+    2. Validate the matched entry:
+       - Ensure the `token` field exists and is a valid, non-empty string.
+       - If valid, use the token as the resolved Offline Token.
+    3. If any of the above steps fail, raise a detailed configuration error or log a warning.
+
+
+    :param tokens: List of token dictionaries loaded from the YAML file.
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The resolved offline token, or None if resolution fails.
+    """
+    if not isinstance(tokens, list) or not tokens:
+        mlrun.utils.helpers.raise_or_log_error(
+            "Invalid token file: 'secretTokens' must be a non-empty list",
+            raise_on_error,
+        )
+        return None
+
+    name = mlconf.auth_with_oauth_token.token_name or "default"
+    matches = [t for t in tokens if t.get("name") == name] or (
+        [tokens[0]] if not mlconf.auth_with_oauth_token.token_name else []
+    )
+
+    if len(matches) != 1:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Failed to resolve a unique token. Found {len(matches)} entries for name '{name}'",
+            raise_on_error,
+        )
+        return None
+
+    token_value = matches[0].get("token")
+    if not token_value:
+        mlrun.utils.helpers.raise_or_log_error(
+            "Resolved token entry missing 'token' field",
+            raise_on_error,
+        )
+        return None
+
+    return token_value
+
+
+def get_offline_token_from_env() -> typing.Optional[str]:
+    """
+    Retrieve the offline token from the environment variable.
+
+    This function checks the environment for the `MLRUN_AUTH_OFFLINE_TOKEN` variable
+    and returns its value if set.
+
+    :return: The offline token if found in the environment, otherwise None.
+    """
+    return mlrun.secrets.get_secret_or_env("MLRUN_AUTH_OFFLINE_TOKEN")
+
+
+def load_and_prepare_secret_tokens(
+    auth_user_id: str | None = None,
+    raise_on_error: bool = True,
+) -> list[mlrun.common.schemas.SecretToken]:
+    """
+    Load, validate, and translate secret tokens from a file into SecretToken objects.
+
+    Steps performed:
+      1. Load the secret tokens from the configured file.
+      2. Validate each token for required fields and uniqueness.
+      3. Translate validated token dictionaries into SecretToken objects.
+
+    :param auth_user_id: The user ID to filter the tokens by.
+    :param raise_on_error: Whether to raise exceptions or log warnings on failure
+                           in any of the steps (loading, validation, translation).
+    :return: List of SecretToken objects.
+    :rtype: list[mlrun.common.schemas.SecretToken]
+    """
+    tokens_list = load_secret_tokens_from_file(raise_on_error=raise_on_error)
+    validated_tokens = extract_and_validate_tokens_info(
+        secret_tokens=[
+            mlrun.common.schemas.SecretToken(
+                name=token["name"],
+                token=token["token"],
+            )
+            for token in tokens_list
+        ],
+        authenticated_id=auth_user_id,
+        filter_by_authenticated_id=True,
+    )
+    secret_tokens = _translate_secret_tokens(
+        validated_tokens, raise_on_error=raise_on_error
+    )
+    return secret_tokens
+
+
+def extract_and_validate_tokens_info(
+    secret_tokens: list[mlrun.common.schemas.SecretToken],
+    authenticated_id: str,
+    filter_by_authenticated_id: bool = False,
+) -> dict[str, dict[str, typing.Any]]:
+    """
+    Extract and validate tokens info from a list of SecretToken objects.
+
+    :param secret_tokens: List of SecretToken objects.
+    :param authenticated_id: The authenticated user ID.
+    :return: Dictionary of token info with the token name as the key and the token as the value.
+    """
+    token_values = {}
+    for secret_token in secret_tokens:
+        token_name = secret_token.name
+
+        # Validate name is provided and not duplicate
+        if secret_token.name and secret_token.name not in token_values:
+            # The token is expected to be a refresh token which we cannot verify ourselves, we verify it separately
+            # via orca when exchanging it for an access token. We decode it here without verification to extract its
+            # claims.
+            decoded_token = _decode_token_unverified(secret_token.token)
+
+            # Validate token expiration existence
+            if not decoded_token.get(Claims.EXPIRATION):
+                raise mlrun.errors.MLRunInvalidArgumentError(
+                    f"Offline token '{token_name}' is missing the 'exp' (expiration) claim"
+                )
+            # Validate token subject existence
+            if not decoded_token.get(Claims.SUBJECT):
+                raise mlrun.errors.MLRunInvalidArgumentError(
+                    f"Offline token '{token_name}' is missing the 'sub' (subject) claim"
+                )
+
+            # Validate token belongs to the authenticated user
+            token_sub = decoded_token.get(Claims.SUBJECT)
+            if token_sub != authenticated_id:
+                # just ignore the token as it doesn't belong to the authenticated user
+                if filter_by_authenticated_id:
+                    continue
+                mlrun.utils.logger.warning(
+                    "Offline token subject does not match the authenticated user",
+                    token_name=token_name,
+                    token_sub=token_sub,
+                    user_id=authenticated_id,
+                )
+                raise mlrun.errors.MLRunInvalidArgumentError(
+                    f"Offline token '{token_name}' does not match the authenticated user ID. "
+                    "Stored tokens can only belong to the authenticated user."
+                )
+
+            # Store token info
+            token_values[secret_token.name] = {
+                "token_exp": decoded_token.get(Claims.EXPIRATION),
+                "token": secret_token.token,
+            }
+        else:
+            raise mlrun.errors.MLRunInvalidArgumentError(
+                f"Invalid or duplicate token name '{secret_token.name}' found in request payload"
+            )
+    return token_values
+
+
+def resolve_jwt_subject(
+    token: str, raise_on_error: bool = True
+) -> typing.Optional[str]:
+    """
+    Extract the 'sub' (subject/user ID) claim from a JWT token.
+
+    The token is decoded without signature verification since it has already
+    been verified earlier during the authentication process.
+
+    :param token: The JWT token string.
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The 'sub' claim value, or None if extraction fails.
+    """
+    try:
+        # This method is used from the client side after receiving this token from the server, there's no need or
+        # ability to verify its signature here.
+        return _decode_token_unverified(token).get(Claims.SUBJECT)
+    except jwt.PyJWTError as exc:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Failed to decode JWT token: {exc}", raise_on_error
+        )
+        return None
+
+
+def is_token_expired(token: str, buffer_seconds: int = 0) -> bool:
+    """
+    Check if a JWT token is expired based on its 'exp' claim.
+
+    :param token: The JWT token string.
+    :param buffer_seconds: Number of seconds to subtract from the expiration time
+    :return: True if the token is expired, False otherwise.
+    """
+
+    # This method is used for caching and/or extra validation purposes in addition to the main verification flow,
+    # so we decode without signature verification here.
+    decoded_token = _decode_token_unverified(token)
+    expiration = decoded_token.get(Claims.EXPIRATION)
+    if not expiration:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "Token is missing the 'exp' (expiration) claim"
+        )
+    now = time.time()
+    return now >= expiration - buffer_seconds
+
+
+def _decode_token_unverified(token: str) -> dict:
+    try:
+        return jwt.decode(token, options={"verify_signature": False})
+    except jwt.DecodeError as exc:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "Failed to decode offline token"
+        ) from exc
+    except Exception as exc:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "Unexpected error decoding token"
+        ) from exc
+
+
+def _translate_secret_tokens(
+    tokens_dict: dict[str, dict[str, typing.Any]], raise_on_error: bool = True
+) -> list[mlrun.common.schemas.SecretToken]:
+    """
+    Translate a dictionary of validated token data into SecretToken objects.
+
+    The dictionary is keyed by token name, with values containing token data
+    (including the token string). If an entry fails to translate, behavior depends
+    on ``raise_on_error``: raise an exception or log a warning.
+
+    :param tokens_dict: Dictionary of validated token data, keyed by token name.
+    :param raise_on_error: Whether to raise exceptions on translation errors.
+    :return: List of SecretToken objects created from the input dictionary.
+    :rtype: list[mlrun.common.schemas.SecretToken]
+    """
+    token_file = os.path.expanduser(mlconf.auth_with_oauth_token.token_file)
+    tokens = []
+    for token_name, token_data in tokens_dict.items():
+        try:
+            tokens.append(
+                mlrun.common.schemas.SecretToken(
+                    name=token_name,
+                    token=token_data["token"],
+                )
+            )
+        except Exception as exc:
+            mlrun.utils.helpers.raise_or_log_error(
+                f"Failed to create SecretToken from entry in {token_file}: {exc}",
+                raise_on_error,
+            )
+    return tokens

mlrun/common/constants.py

@@ -27,9 +27,20 @@ DASK_LABEL_PREFIX = "dask.org/"
 NUCLIO_LABEL_PREFIX = "nuclio.io/"
 RESERVED_TAG_NAME_LATEST = "latest"
 
+# Kubernetes DNS-1123 label name length limit
+K8S_DNS_1123_LABEL_MAX_LENGTH = 63
+
+
+RESERVED_BATCH_JOB_SUFFIX = "-batch"
+
 JOB_TYPE_WORKFLOW_RUNNER = "workflow-runner"
 JOB_TYPE_PROJECT_LOADER = "project-loader"
 JOB_TYPE_RERUN_WORKFLOW_RUNNER = "rerun-workflow-runner"
+MLRUN_ACTIVE_PROJECT = "MLRUN_ACTIVE_PROJECT"
+
+MLRUN_JOB_AUTH_SECRET_PATH = "/var/mlrun-secrets/auth"
+MLRUN_JOB_AUTH_SECRET_FILE = ".igz.yml"
+MLRUN_RUNTIME_AUTH_DEFAULT_TOKEN_NAME = "default"
 
 
 class MLRunInternalLabels:
@@ -92,6 +103,9 @@ class MLRunInternalLabels:
     workflow = "workflow"
     feature_vector = "feature-vector"
 
+    auth_username = f"{MLRUN_LABEL_PREFIX}user"
+    auth_token_name = f"{MLRUN_LABEL_PREFIX}token"
+
     @classmethod
     def all(cls):
         return [

mlrun/common/model_monitoring/helpers.py

@@ -14,6 +14,7 @@
 
 import sys
 import typing
+from datetime import datetime
 
 import mlrun.common
 import mlrun.common.schemas.model_monitoring.constants as mm_constants
@@ -24,6 +25,7 @@ BinCounts = typing.NewType("BinCounts", list[int])
 BinEdges = typing.NewType("BinEdges", list[float])
 
 _MAX_FLOAT = sys.float_info.max
+logger = mlrun.utils.create_logger(level="info", name="mm_helpers")
 
 
 def parse_model_endpoint_project_prefix(path: str, project_name: str):
@@ -50,6 +52,44 @@ def get_kafka_topic(project: str, function_name: typing.Optional[str] = None) ->
     )
 
 
+# Constants for TimescaleDB database naming
+TIMESCALEDB_DEFAULT_DB_PREFIX = "mlrun_mm"
+
+
+def get_tsdb_database_name(profile_database: str) -> str:
+    """
+    Determine the TimescaleDB database name based on configuration.
+
+    When auto_create_database is enabled (default), generates a database name
+    using the system_id: 'mlrun_mm_{system_id}'.
+    When disabled, uses the database from the profile as-is.
+
+    This function is used by both TimescaleDBConnector (API server side) and
+    TimescaleDBStoreyTarget (stream side) to ensure consistent database naming.
+
+    :param profile_database: The database name from the PostgreSQL profile.
+    :return: The database name to use for TimescaleDB connections.
+    :raises MLRunInvalidArgumentError: If auto_create_database is enabled but
+                                       system_id is not set.
+    """
+    auto_create = mlrun.mlconf.model_endpoint_monitoring.tsdb.auto_create_database
+
+    if not auto_create:
+        return profile_database
+
+    # Auto-create mode: generate database name using system_id
+    if not mlrun.mlconf.system_id:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "system_id is not set in mlrun.mlconf. "
+            "TimescaleDB requires system_id for auto-generating database name "
+            "when auto_create_database is enabled. "
+            "Either set system_id in MLRun configuration or disable auto_create_database "
+            "and provide an explicit database in the PostgreSQL connection string."
+        )
+
+    return f"{TIMESCALEDB_DEFAULT_DB_PREFIX}_{mlrun.mlconf.system_id}"
+
+
 def _get_counts(hist: Histogram) -> BinCounts:
     """Return the histogram counts"""
     return BinCounts(hist[0])
@@ -87,3 +127,86 @@ def pad_features_hist(feature_stats: FeatureStats) -> None:
     for feature in feature_stats.values():
         if hist_key in feature:
             pad_hist(Histogram(feature[hist_key]))
+
+
+def get_model_endpoints_creation_task_status(
+    server,
+) -> tuple[
+    mlrun.common.schemas.BackgroundTaskState,
+    typing.Optional[datetime],
+    typing.Optional[set[str]],
+]:
+    background_task = None
+    background_task_state = mlrun.common.schemas.BackgroundTaskState.running
+    background_task_check_timestamp = None
+    model_endpoint_uids = None
+    try:
+        background_task = mlrun.get_run_db().get_project_background_task(
+            server.project, server.model_endpoint_creation_task_name
+        )
+        background_task_check_timestamp = mlrun.utils.now_date()
+        log_background_task_state(
+            server, background_task.status.state, background_task_check_timestamp
+        )
+        background_task_state = background_task.status.state
+    except mlrun.errors.MLRunNotFoundError:
+        logger.warning(
+            "Model endpoint creation task not found listing model endpoints",
+            project=server.project,
+            task_name=server.model_endpoint_creation_task_name,
+        )
+    if background_task is None:
+        if model_endpoints := mlrun.get_run_db().list_model_endpoints(
+            project=server.project,
+            function_name=server.function_name,
+            function_tag=server.function_tag,
+            tsdb_metrics=False,
+        ):
+            model_endpoint_uids = {
+                endpoint.metadata.uid for endpoint in model_endpoints.endpoints
+            }
+            logger.info(
+                "Model endpoints found after background task not found, model monitoring will monitor "
+                "events",
+                project=server.project,
+                function_name=server.function_name,
+                function_tag=server.function_tag,
+                uids=model_endpoint_uids,
+            )
+            background_task_state = mlrun.common.schemas.BackgroundTaskState.succeeded
+        else:
+            logger.warning(
+                "Model endpoints not found after background task not found, model monitoring will not "
+                "monitor events",
+                project=server.project,
+                function_name=server.function_name,
+                function_tag=server.function_tag,
+            )
+            background_task_state = mlrun.common.schemas.BackgroundTaskState.failed
+    return background_task_state, background_task_check_timestamp, model_endpoint_uids
+
+
+def log_background_task_state(
+    server,
+    background_task_state: mlrun.common.schemas.BackgroundTaskState,
+    background_task_check_timestamp: typing.Optional[datetime],
+):
+    logger.info(
+        "Checking model endpoint creation task status",
+        task_name=server.model_endpoint_creation_task_name,
+    )
+    if (
+        background_task_state
+        in mlrun.common.schemas.BackgroundTaskState.terminal_states()
+    ):
+        logger.info(
+            f"Model endpoint creation task completed with state {background_task_state}"
+        )
+    else:  # in progress
+        logger.info(
+            f"Model endpoint creation task is still in progress with the current state: "
+            f"{background_task_state}. Events will not be monitored for the next "
+            f"{mlrun.mlconf.model_endpoint_monitoring.model_endpoint_creation_check_period} seconds",
+            function_name=server.function_name,
+            background_task_check_timestamp=background_task_check_timestamp.isoformat(),
+        )

mlrun/common/runtimes/constants.py

@@ -16,6 +16,7 @@ import typing
 
 import mlrun.common.constants as mlrun_constants
 import mlrun_pipelines.common.models
+from mlrun.common.types import StrEnum
 
 
 class PodPhases:
@@ -365,3 +366,30 @@ class NuclioIngressAddTemplatedIngressModes:
 class FunctionEnvironmentVariables:
     _env_prefix = "MLRUN_"
     auth_session = f"{_env_prefix}AUTH_SESSION"
+
+
+# Kubernetes probe types
+class ProbeType(StrEnum):
+    READINESS = "readiness"
+    LIVENESS = "liveness"
+    STARTUP = "startup"
+
+    @property
+    def key(self):
+        return f"{self.value}Probe"
+
+    @classmethod
+    def is_valid(cls, value: str, raise_on_error: bool = False) -> bool:
+        valid_value = value in cls._value2member_map_
+        if not valid_value and raise_on_error:
+            raise ValueError(
+                f"Invalid probe type: {value}. Must be one of: {[p.value for p in ProbeType]}"
+            )
+        return valid_value
+
+
+class ProbeTimeConfig(StrEnum):
+    INITIAL_DELAY_SECONDS = "initialDelaySeconds"
+    PERIOD_SECONDS = "periodSeconds"
+    TIMEOUT_SECONDS = "timeoutSeconds"
+    FAILURE_THRESHOLD = "failureThreshold"

mlrun/common/schemas/__init__.py

@@ -43,6 +43,7 @@ from .artifact import (
 from .auth import (
     AuthInfo,
     AuthorizationAction,
+    AuthorizationResourceNamespace,
     AuthorizationResourceTypes,
     AuthorizationVerificationInput,
     Credentials,
@@ -65,7 +66,9 @@ from .common import ImageBuilder
 from .constants import (
     APIStates,
     ArtifactPartitionByField,
+    AuthorizationHeaderPrefixes,
     ClusterizationRole,
+    CookieNames,
     DeletionStrategy,
     FeatureStorePartitionByField,
     HeaderNames,
@@ -111,14 +114,18 @@ from .feature_store import (
 )
 from .frontend_spec import (
     ArtifactLimits,
-    AuthenticationFeatureFlag,
     FeatureFlags,
     FrontendSpec,
     NuclioStreamsFeatureFlag,
     PreemptionNodesFeatureFlag,
     ProjectMembershipFeatureFlag,
 )
-from .function import FunctionState, PreemptionModes, SecurityContextEnrichmentModes
+from .function import (
+    BatchingSpec,
+    FunctionState,
+    PreemptionModes,
+    SecurityContextEnrichmentModes,
+)
 from .http import HTTPSessionRetryMode
 from .hub import (
     HubCatalog,
@@ -154,6 +161,7 @@ from .model_monitoring import (
     ModelEndpointSchema,
     ModelEndpointSpec,
     ModelEndpointStatus,
+    ModelMonitoringInfraLabel,
     ModelMonitoringMode,
     MonitoringFunctionNames,
     TSDBTarget,
@@ -211,10 +219,13 @@ from .schedule import (
 )
 from .secret import (
     AuthSecretData,
+    ListSecretTokensResponse,
     SecretKeysData,
     SecretProviderName,
     SecretsData,
-    UserSecretCreationRequest,
+    SecretToken,
+    SecretTokenInfo,
+    StoreSecretTokensResponse,
 )
 from .serving import ModelRunnerStepData, ModelsData, MonitoringData
 from .tag import Tag, TagObjects