mlrun 1.10.0rc40__py3-none-any.whl → 1.11.0rc16__py3-none-any.whl

mlrun/auth/utils.py

@@ -0,0 +1,415 @@
+# Copyright 2025 Iguazio
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import time
+import typing
+
+import jwt
+import yaml
+
+import mlrun.common.constants
+import mlrun.common.schemas
+import mlrun.utils.helpers
+from mlrun.config import config as mlconf
+
+if typing.TYPE_CHECKING:
+    import mlrun.db
+
+
+class Claims:
+    """
+    JWT Claims constants.
+    """
+
+    SUBJECT = "sub"
+    EXPIRATION = "exp"
+
+
+def load_offline_token(raise_on_error=True) -> typing.Optional[str]:
+    """
+    Load the offline token from the environment variable or YAML file.
+
+    The function first attempts to retrieve the offline token from the environment variable.
+    If not found, it tries to load the token from a YAML file. If both methods fail, it either
+    raises an error or logs a warning based on the `raise_on_error` parameter.
+
+    :param raise_on_error: If True, raises an error when the offline token cannot be resolved.
+                           If False, logs a warning instead.
+    :return: The offline token if found, otherwise None.
+    """
+    if token_env := get_offline_token_from_env():
+        return token_env
+    return get_offline_token_from_file(raise_on_error=raise_on_error)
+
+
+def get_offline_token_from_file(raise_on_error: bool = True) -> typing.Optional[str]:
+    """
+    Retrieve the offline token from a configured file.
+
+    This function reads the token file specified in the configuration, parses its content,
+    and extracts the offline token. If the file does not exist or cannot be parsed, it either
+    raises an error or logs a warning based on the `raise_on_error` parameter.
+
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The offline token if found, otherwise None.
+    """
+    tokens = load_secret_tokens_from_file(raise_on_error=raise_on_error)
+    if not tokens:
+        return None
+    return parse_offline_token_data(tokens=tokens, raise_on_error=raise_on_error)
+
+
+def load_secret_tokens_from_file(
+    raise_on_error: bool = True,
+) -> list[dict]:
+    """
+    Load and parse secret tokens from a configured file.
+
+    This function reads the secret tokens file (specified in
+    ``mlrun.mlconf.auth_with_oauth_token.token_file``) and returns the raw list
+    of token dictionaries under the ``secretTokens`` key. It does NOT validate
+    the tokens.
+
+    If the file is missing, empty, or malformed, the behavior depends on
+    ``raise_on_error``. In such cases, the function will either raise/log an
+    error and return an empty list.
+
+    :param raise_on_error: Whether to raise exceptions on read/parse failure.
+    :return: List of token dictionaries from ``secretTokens``.
+             Returns an empty list if parsing fails or no tokens exist.
+    :rtype: list[dict[str, Any]]
+    """
+    token_file = os.path.expanduser(mlconf.auth_with_oauth_token.token_file)
+    data = read_secret_tokens_file(raise_on_error=raise_on_error)
+    if not data:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Token file is empty or could not be parsed: {token_file}",
+            raise_on_error,
+        )
+        return []
+
+    tokens_list = data.get("secretTokens")
+    if not isinstance(tokens_list, list) or not tokens_list:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Invalid token file: 'secretTokens' must be a non-empty list in {token_file}",
+            raise_on_error,
+        )
+        return []
+
+    return tokens_list
+
+
+def read_secret_tokens_file(
+    raise_on_error: bool = True,
+) -> typing.Optional[dict[str, typing.Any]]:
+    """
+    Read and parse the secret tokens file.
+
+    This function attempts to read the token file specified in the configuration and parse its content as YAML.
+    If the file does not exist or cannot be parsed, it either raises an error or logs a warning based on the
+    `raise_on_error` parameter.
+
+    - The configured path may use ``~`` to represent the user’s home directory, which
+      will be expanded automatically.
+
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The parsed content of the token file as a dictionary, or None if an error occurs.
+    """
+    token_file = os.path.expanduser(mlconf.auth_with_oauth_token.token_file)
+
+    if not os.path.exists(token_file):
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Configured token file not found: {token_file}", raise_on_error
+        )
+        return None
+
+    try:
+        with open(token_file) as token_file_io:
+            data = yaml.safe_load(token_file_io)
+        if not data:
+            mlrun.utils.helpers.raise_or_log_error(
+                f"Token file {token_file} is empty or invalid",
+                raise_on_error,
+            )
+            return None
+        if not isinstance(data, dict):
+            mlrun.utils.helpers.raise_or_log_error(
+                f"Token file {token_file} must contain a YAML mapping (dictionary)",
+                raise_on_error,
+            )
+            return None
+        return data
+    except yaml.YAMLError as exc:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Failed to parse token file {token_file}: {exc}", raise_on_error
+        )
+        return None
+
+
+def parse_offline_token_data(
+    tokens: list[dict[str, typing.Any]], raise_on_error: bool = True
+) -> typing.Optional[str]:
+    """
+    Extract the correct offline token entry from the parsed tokens list.
+
+    Logic:
+    1. Identify the target token entry using `mlrun.mlconf.auth_with_oauth_token.token_name`:
+       - If the value is set (non-empty):
+         - Look for an entry where `name == <TOKEN_NAME>`.
+         - If no match is found, resolution fails.
+       - If the value is not set (empty string):
+         - Look for an entry named "default".
+         - If not found, fall back to the first token in the list.
+         - If no entries exist, resolution fails.
+    2. Validate the matched entry:
+       - Ensure the `token` field exists and is a valid, non-empty string.
+       - If valid, use the token as the resolved Offline Token.
+    3. If any of the above steps fail, raise a detailed configuration error or log a warning.
+
+
+    :param tokens: List of token dictionaries loaded from the YAML file.
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The resolved offline token, or None if resolution fails.
+    """
+    if not isinstance(tokens, list) or not tokens:
+        mlrun.utils.helpers.raise_or_log_error(
+            "Invalid token file: 'secretTokens' must be a non-empty list",
+            raise_on_error,
+        )
+        return None
+
+    name = mlconf.auth_with_oauth_token.token_name or "default"
+    matches = [t for t in tokens if t.get("name") == name] or (
+        [tokens[0]] if not mlconf.auth_with_oauth_token.token_name else []
+    )
+
+    if len(matches) != 1:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Failed to resolve a unique token. Found {len(matches)} entries for name '{name}'",
+            raise_on_error,
+        )
+        return None
+
+    token_value = matches[0].get("token")
+    if not token_value:
+        mlrun.utils.helpers.raise_or_log_error(
+            "Resolved token entry missing 'token' field",
+            raise_on_error,
+        )
+        return None
+
+    return token_value
+
+
+def get_offline_token_from_env() -> typing.Optional[str]:
+    """
+    Retrieve the offline token from the environment variable.
+
+    This function checks the environment for the `MLRUN_AUTH_OFFLINE_TOKEN` variable
+    and returns its value if set.
+
+    :return: The offline token if found in the environment, otherwise None.
+    """
+    return mlrun.secrets.get_secret_or_env("MLRUN_AUTH_OFFLINE_TOKEN")
+
+
+def load_and_prepare_secret_tokens(
+    auth_user_id: str | None = None,
+    raise_on_error: bool = True,
+) -> list[mlrun.common.schemas.SecretToken]:
+    """
+    Load, validate, and translate secret tokens from a file into SecretToken objects.
+
+    Steps performed:
+      1. Load the secret tokens from the configured file.
+      2. Validate each token for required fields and uniqueness.
+      3. Translate validated token dictionaries into SecretToken objects.
+
+    :param auth_user_id: The user ID to filter the tokens by.
+    :param raise_on_error: Whether to raise exceptions or log warnings on failure
+                           in any of the steps (loading, validation, translation).
+    :return: List of SecretToken objects.
+    :rtype: list[mlrun.common.schemas.SecretToken]
+    """
+    tokens_list = load_secret_tokens_from_file(raise_on_error=raise_on_error)
+    validated_tokens = extract_and_validate_tokens_info(
+        secret_tokens=[
+            mlrun.common.schemas.SecretToken(
+                name=token["name"],
+                token=token["token"],
+            )
+            for token in tokens_list
+        ],
+        authenticated_id=auth_user_id,
+        filter_by_authenticated_id=True,
+    )
+    secret_tokens = _translate_secret_tokens(
+        validated_tokens, raise_on_error=raise_on_error
+    )
+    return secret_tokens
+
+
+def extract_and_validate_tokens_info(
+    secret_tokens: list[mlrun.common.schemas.SecretToken],
+    authenticated_id: str,
+    filter_by_authenticated_id: bool = False,
+) -> dict[str, dict[str, typing.Any]]:
+    """
+    Extract and validate tokens info from a list of SecretToken objects.
+
+    :param secret_tokens: List of SecretToken objects.
+    :param authenticated_id: The authenticated user ID.
+    :return: Dictionary of token info with the token name as the key and the token as the value.
+    """
+    token_values = {}
+    for secret_token in secret_tokens:
+        token_name = secret_token.name
+
+        # Validate name is provided and not duplicate
+        if secret_token.name and secret_token.name not in token_values:
+            # The token is expected to be a refresh token which we cannot verify ourselves, we verify it separately
+            # via orca when exchanging it for an access token. We decode it here without verification to extract its
+            # claims.
+            decoded_token = _decode_token_unverified(secret_token.token)
+
+            # Validate token expiration existence
+            if not decoded_token.get(Claims.EXPIRATION):
+                raise mlrun.errors.MLRunInvalidArgumentError(
+                    f"Offline token '{token_name}' is missing the 'exp' (expiration) claim"
+                )
+            # Validate token subject existence
+            if not decoded_token.get(Claims.SUBJECT):
+                raise mlrun.errors.MLRunInvalidArgumentError(
+                    f"Offline token '{token_name}' is missing the 'sub' (subject) claim"
+                )
+
+            # Validate token belongs to the authenticated user
+            token_sub = decoded_token.get(Claims.SUBJECT)
+            if token_sub != authenticated_id:
+                # just ignore the token as it doesn't belong to the authenticated user
+                if filter_by_authenticated_id:
+                    continue
+                mlrun.utils.logger.warning(
+                    "Offline token subject does not match the authenticated user",
+                    token_name=token_name,
+                    token_sub=token_sub,
+                    user_id=authenticated_id,
+                )
+                raise mlrun.errors.MLRunInvalidArgumentError(
+                    f"Offline token '{token_name}' does not match the authenticated user ID. "
+                    "Stored tokens can only belong to the authenticated user."
+                )
+
+            # Store token info
+            token_values[secret_token.name] = {
+                "token_exp": decoded_token.get(Claims.EXPIRATION),
+                "token": secret_token.token,
+            }
+        else:
+            raise mlrun.errors.MLRunInvalidArgumentError(
+                f"Invalid or duplicate token name '{secret_token.name}' found in request payload"
+            )
+    return token_values
+
+
+def resolve_jwt_subject(
+    token: str, raise_on_error: bool = True
+) -> typing.Optional[str]:
+    """
+    Extract the 'sub' (subject/user ID) claim from a JWT token.
+
+    The token is decoded without signature verification since it has already
+    been verified earlier during the authentication process.
+
+    :param token: The JWT token string.
+    :param raise_on_error: Whether to raise an error or log a warning on failure.
+    :return: The 'sub' claim value, or None if extraction fails.
+    """
+    try:
+        # This method is used from the client side after receiving this token from the server, there's no need or
+        # ability to verify its signature here.
+        return _decode_token_unverified(token).get(Claims.SUBJECT)
+    except jwt.PyJWTError as exc:
+        mlrun.utils.helpers.raise_or_log_error(
+            f"Failed to decode JWT token: {exc}", raise_on_error
+        )
+        return None
+
+
+def is_token_expired(token: str, buffer_seconds: int = 0) -> bool:
+    """
+    Check if a JWT token is expired based on its 'exp' claim.
+
+    :param token: The JWT token string.
+    :param buffer_seconds: Number of seconds to subtract from the expiration time
+    :return: True if the token is expired, False otherwise.
+    """
+
+    # This method is used for caching and/or extra validation purposes in addition to the main verification flow,
+    # so we decode without signature verification here.
+    decoded_token = _decode_token_unverified(token)
+    expiration = decoded_token.get(Claims.EXPIRATION)
+    if not expiration:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "Token is missing the 'exp' (expiration) claim"
+        )
+    now = time.time()
+    return now >= expiration - buffer_seconds
+
+
+def _decode_token_unverified(token: str) -> dict:
+    try:
+        return jwt.decode(token, options={"verify_signature": False})
+    except jwt.DecodeError as exc:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "Failed to decode offline token"
+        ) from exc
+    except Exception as exc:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "Unexpected error decoding token"
+        ) from exc
+
+
+def _translate_secret_tokens(
+    tokens_dict: dict[str, dict[str, typing.Any]], raise_on_error: bool = True
+) -> list[mlrun.common.schemas.SecretToken]:
+    """
+    Translate a dictionary of validated token data into SecretToken objects.
+
+    The dictionary is keyed by token name, with values containing token data
+    (including the token string). If an entry fails to translate, behavior depends
+    on ``raise_on_error``: raise an exception or log a warning.
+
+    :param tokens_dict: Dictionary of validated token data, keyed by token name.
+    :param raise_on_error: Whether to raise exceptions on translation errors.
+    :return: List of SecretToken objects created from the input dictionary.
+    :rtype: list[mlrun.common.schemas.SecretToken]
+    """
+    token_file = os.path.expanduser(mlconf.auth_with_oauth_token.token_file)
+    tokens = []
+    for token_name, token_data in tokens_dict.items():
+        try:
+            tokens.append(
+                mlrun.common.schemas.SecretToken(
+                    name=token_name,
+                    token=token_data["token"],
+                )
+            )
+        except Exception as exc:
+            mlrun.utils.helpers.raise_or_log_error(
+                f"Failed to create SecretToken from entry in {token_file}: {exc}",
+                raise_on_error,
+            )
+    return tokens

mlrun/common/constants.py

@@ -38,6 +38,10 @@ JOB_TYPE_PROJECT_LOADER = "project-loader"
 JOB_TYPE_RERUN_WORKFLOW_RUNNER = "rerun-workflow-runner"
 MLRUN_ACTIVE_PROJECT = "MLRUN_ACTIVE_PROJECT"
 
+MLRUN_JOB_AUTH_SECRET_PATH = "/var/mlrun-secrets/auth"
+MLRUN_JOB_AUTH_SECRET_FILE = ".igz.yml"
+MLRUN_RUNTIME_AUTH_DEFAULT_TOKEN_NAME = "default"
+
 
 class MLRunInternalLabels:
     ### dask
@@ -99,6 +103,9 @@ class MLRunInternalLabels:
     workflow = "workflow"
     feature_vector = "feature-vector"
 
+    auth_username = f"{MLRUN_LABEL_PREFIX}user"
+    auth_token_name = f"{MLRUN_LABEL_PREFIX}token"
+
     @classmethod
     def all(cls):
         return [

mlrun/common/model_monitoring/helpers.py

@@ -52,6 +52,44 @@ def get_kafka_topic(project: str, function_name: typing.Optional[str] = None) ->
     )
 
 
+# Constants for TimescaleDB database naming
+TIMESCALEDB_DEFAULT_DB_PREFIX = "mlrun_mm"
+
+
+def get_tsdb_database_name(profile_database: str) -> str:
+    """
+    Determine the TimescaleDB database name based on configuration.
+
+    When auto_create_database is enabled (default), generates a database name
+    using the system_id: 'mlrun_mm_{system_id}'.
+    When disabled, uses the database from the profile as-is.
+
+    This function is used by both TimescaleDBConnector (API server side) and
+    TimescaleDBStoreyTarget (stream side) to ensure consistent database naming.
+
+    :param profile_database: The database name from the PostgreSQL profile.
+    :return: The database name to use for TimescaleDB connections.
+    :raises MLRunInvalidArgumentError: If auto_create_database is enabled but
+                                       system_id is not set.
+    """
+    auto_create = mlrun.mlconf.model_endpoint_monitoring.tsdb.auto_create_database
+
+    if not auto_create:
+        return profile_database
+
+    # Auto-create mode: generate database name using system_id
+    if not mlrun.mlconf.system_id:
+        raise mlrun.errors.MLRunInvalidArgumentError(
+            "system_id is not set in mlrun.mlconf. "
+            "TimescaleDB requires system_id for auto-generating database name "
+            "when auto_create_database is enabled. "
+            "Either set system_id in MLRun configuration or disable auto_create_database "
+            "and provide an explicit database in the PostgreSQL connection string."
+        )
+
+    return f"{TIMESCALEDB_DEFAULT_DB_PREFIX}_{mlrun.mlconf.system_id}"
+
+
 def _get_counts(hist: Histogram) -> BinCounts:
     """Return the histogram counts"""
     return BinCounts(hist[0])
@@ -118,13 +156,12 @@ def get_model_endpoints_creation_task_status(
             task_name=server.model_endpoint_creation_task_name,
         )
     if background_task is None:
-        model_endpoints = mlrun.get_run_db().list_model_endpoints(
+        if model_endpoints := mlrun.get_run_db().list_model_endpoints(
             project=server.project,
             function_name=server.function_name,
             function_tag=server.function_tag,
             tsdb_metrics=False,
-        )
-        if model_endpoints:
+        ):
             model_endpoint_uids = {
                 endpoint.metadata.uid for endpoint in model_endpoints.endpoints
             }
@@ -170,6 +207,6 @@ def log_background_task_state(
             f"Model endpoint creation task is still in progress with the current state: "
             f"{background_task_state}. Events will not be monitored for the next "
             f"{mlrun.mlconf.model_endpoint_monitoring.model_endpoint_creation_check_period} seconds",
-            function_name=server.function.name,
+            function_name=server.function_name,
             background_task_check_timestamp=background_task_check_timestamp.isoformat(),
         )

mlrun/common/runtimes/constants.py

@@ -16,6 +16,7 @@ import typing
 
 import mlrun.common.constants as mlrun_constants
 import mlrun_pipelines.common.models
+from mlrun.common.types import StrEnum
 
 
 class PodPhases:
@@ -365,3 +366,30 @@ class NuclioIngressAddTemplatedIngressModes:
 class FunctionEnvironmentVariables:
     _env_prefix = "MLRUN_"
     auth_session = f"{_env_prefix}AUTH_SESSION"
+
+
+# Kubernetes probe types
+class ProbeType(StrEnum):
+    READINESS = "readiness"
+    LIVENESS = "liveness"
+    STARTUP = "startup"
+
+    @property
+    def key(self):
+        return f"{self.value}Probe"
+
+    @classmethod
+    def is_valid(cls, value: str, raise_on_error: bool = False) -> bool:
+        valid_value = value in cls._value2member_map_
+        if not valid_value and raise_on_error:
+            raise ValueError(
+                f"Invalid probe type: {value}. Must be one of: {[p.value for p in ProbeType]}"
+            )
+        return valid_value
+
+
+class ProbeTimeConfig(StrEnum):
+    INITIAL_DELAY_SECONDS = "initialDelaySeconds"
+    PERIOD_SECONDS = "periodSeconds"
+    TIMEOUT_SECONDS = "timeoutSeconds"
+    FAILURE_THRESHOLD = "failureThreshold"

mlrun/common/schemas/__init__.py

@@ -43,6 +43,7 @@ from .artifact import (
 from .auth import (
     AuthInfo,
     AuthorizationAction,
+    AuthorizationResourceNamespace,
     AuthorizationResourceTypes,
     AuthorizationVerificationInput,
     Credentials,
@@ -65,7 +66,9 @@ from .common import ImageBuilder
 from .constants import (
     APIStates,
     ArtifactPartitionByField,
+    AuthorizationHeaderPrefixes,
     ClusterizationRole,
+    CookieNames,
     DeletionStrategy,
     FeatureStorePartitionByField,
     HeaderNames,
@@ -111,14 +114,18 @@ from .feature_store import (
 )
 from .frontend_spec import (
     ArtifactLimits,
-    AuthenticationFeatureFlag,
     FeatureFlags,
     FrontendSpec,
     NuclioStreamsFeatureFlag,
     PreemptionNodesFeatureFlag,
     ProjectMembershipFeatureFlag,
 )
-from .function import FunctionState, PreemptionModes, SecurityContextEnrichmentModes
+from .function import (
+    BatchingSpec,
+    FunctionState,
+    PreemptionModes,
+    SecurityContextEnrichmentModes,
+)
 from .http import HTTPSessionRetryMode
 from .hub import (
     HubCatalog,
@@ -212,10 +219,13 @@ from .schedule import (
 )
 from .secret import (
     AuthSecretData,
+    ListSecretTokensResponse,
     SecretKeysData,
     SecretProviderName,
     SecretsData,
-    UserSecretCreationRequest,
+    SecretToken,
+    SecretTokenInfo,
+    StoreSecretTokensResponse,
 )
 from .serving import ModelRunnerStepData, ModelsData, MonitoringData
 from .tag import Tag, TagObjects

mlrun/common/schemas/alert.py

@@ -13,9 +13,9 @@
 # limitations under the License.
 
 from collections import defaultdict
-from collections.abc import Iterator
+from collections.abc import Callable, Iterator
 from datetime import datetime
-from typing import Annotated, Any, Callable, Optional, Union
+from typing import Annotated, Any, Optional, Union
 
 import pydantic.v1
 

mlrun/common/schemas/api_gateway.py

@@ -27,6 +27,7 @@ class APIGatewayAuthenticationMode(mlrun.common.types.StrEnum):
     basic = "basicAuth"
     none = "none"
     access_key = "accessKey"
+    iguazio = "iguazio"
 
     @classmethod
     def from_str(cls, authentication_mode: str):
@@ -36,6 +37,8 @@ class APIGatewayAuthenticationMode(mlrun.common.types.StrEnum):
             return cls.basic
         elif authentication_mode == "accessKey":
             return cls.access_key
+        elif authentication_mode == "iguazio":
+            return cls.iguazio
         else:
             raise mlrun.errors.MLRunInvalidArgumentError(
                 f"Authentication mode `{authentication_mode}` is not supported",

mlrun/common/schemas/auth.py

@@ -15,8 +15,6 @@
 import typing
 
 import pydantic.v1
-from nuclio.auth import AuthInfo as NuclioAuthInfo
-from nuclio.auth import AuthKinds as NuclioAuthKinds
 
 import mlrun.common.types
 
@@ -39,8 +37,14 @@ class AuthorizationAction(mlrun.common.types.StrEnum):
     store = "store"
 
 
+class AuthorizationResourceNamespace(mlrun.common.types.StrEnum):
+    resources = "resources"
+    mgmt = "mgmt"
+
+
 class AuthorizationResourceTypes(mlrun.common.types.StrEnum):
     project = "project"
+    project_global = "project-global"
     log = "log"
     runtime_resource = "runtime-resource"
     function = "function"
@@ -75,6 +79,7 @@ class AuthorizationResourceTypes(mlrun.common.types.StrEnum):
         return {
             # project is the resource itself, so no need for both resource_name and project_name
             AuthorizationResourceTypes.project: "/projects/{project_name}",
+            AuthorizationResourceTypes.project_global: "/projects",
             AuthorizationResourceTypes.project_summaries: "/projects/{project_name}/project-summaries/{resource_name}",
             AuthorizationResourceTypes.function: "/projects/{project_name}/functions/{resource_name}",
             AuthorizationResourceTypes.artifact: "/projects/{project_name}/artifacts/{resource_name}",
@@ -101,9 +106,7 @@ class AuthorizationResourceTypes(mlrun.common.types.StrEnum):
             AuthorizationResourceTypes.pipeline: "/projects/{project_name}/pipelines/{resource_name}",
             AuthorizationResourceTypes.datastore_profile: "/projects/{project_name}/datastore_profiles",
             # Hub sources are not project-scoped, and auth is globally on the sources endpoint.
-            # TODO - this was reverted to /marketplace since MLRun needs to be able to run with old igz versions. Once
-            #  we only have support for igz versions that support /hub (>=3.5.4), change this to "/hub/sources".
-            AuthorizationResourceTypes.hub_source: "/marketplace/sources",
+            AuthorizationResourceTypes.hub_source: "/hub/sources",
             # workflow define how to run a pipeline and can be considered as the specification of a pipeline.
             AuthorizationResourceTypes.workflow: "/projects/{project_name}/workflows/{resource_name}",
             AuthorizationResourceTypes.api_gateway: "/projects/{project_name}/api-gateways/{resource_name}",
@@ -134,15 +137,12 @@ class AuthInfo(pydantic.v1.BaseModel):
     projects_role: typing.Optional[ProjectsRole] = None
     planes: list[str] = []
 
-    def to_nuclio_auth_info(self):
-        if self.session != "":
-            return NuclioAuthInfo(password=self.session, mode=NuclioAuthKinds.iguazio)
-        return None
-
     def get_member_ids(self) -> list[str]:
         member_ids = []
         if self.user_id:
             member_ids.append(self.user_id)
+        if self.username:
+            member_ids.append(self.username)
         if self.user_group_ids:
             member_ids.extend(self.user_group_ids)
         return member_ids