skypilot-nightly 1.0.0.dev20250604__py3-none-any.whl → 1.0.0.dev20250605__py3-none-any.whl

sky/server/server.py

@@ -49,6 +49,7 @@ from sky.server.requests import preconditions
 from sky.server.requests import requests as requests_lib
 from sky.skylet import constants
 from sky.usage import usage_lib
+from sky.users import server as users_rest
 from sky.utils import admin_policy_utils
 from sky.utils import common as common_lib
 from sky.utils import common_utils
@@ -100,6 +101,27 @@ logger = sky_logging.init_logger(__name__)
 # response will block other requests from being processed.
 
 
+class RBACMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
+    """Middleware to handle RBAC."""
+
+    async def dispatch(self, request: fastapi.Request, call_next):
+        if request.url.path.startswith('/dashboard/'):
+            return await call_next(request)
+
+        auth_user = _get_auth_user_header(request)
+        if auth_user is None:
+            return await call_next(request)
+
+        permission_service = users_rest.permission_service
+        # Check the role permission
+        if permission_service.check_permission(auth_user.id, request.url.path,
+                                               request.method):
+            return fastapi.responses.JSONResponse(
+                status_code=403, content={'detail': 'Forbidden'})
+
+        return await call_next(request)
+
+
 class RequestIDMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
     """Middleware to add a request ID to each request."""
 
@@ -130,7 +152,10 @@ class AuthProxyMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
 
         # Add user to database if auth_user is present
         if auth_user is not None:
-            global_user_state.add_or_update_user(auth_user)
+            newly_added = global_user_state.add_or_update_user(auth_user)
+            if newly_added:
+                users_rest.permission_service.add_user_if_not_exists(
+                    auth_user.id)
 
         body = await request.body()
         if auth_user and body:
@@ -244,11 +269,13 @@ class PathCleanMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
             parent = pathlib.Path('/dashboard')
             request_path = pathlib.Path(posixpath.normpath(request.url.path))
             if not _is_relative_to(request_path, parent):
-                raise fastapi.HTTPException(status_code=403, detail='Forbidden')
+                return fastapi.responses.JSONResponse(
+                    status_code=403, content={'detail': 'Forbidden'})
         return await call_next(request)
 
 
 app = fastapi.FastAPI(prefix='/api/v1', debug=True, lifespan=lifespan)
+app.add_middleware(RBACMiddleware)
 app.add_middleware(InternalDashboardPrefixMiddleware)
 app.add_middleware(PathCleanMiddleware)
 app.add_middleware(CacheControlStaticMiddleware)
@@ -266,6 +293,7 @@ app.add_middleware(AuthProxyMiddleware)
 app.add_middleware(RequestIDMiddleware)
 app.include_router(jobs_rest.router, prefix='/jobs', tags=['jobs'])
 app.include_router(serve_rest.router, prefix='/serve', tags=['serve'])
+app.include_router(users_rest.router, prefix='/users', tags=['users'])
 app.include_router(workspaces_rest.router,
                    prefix='/workspaces',
                    tags=['workspaces'])
@@ -835,13 +863,6 @@ async def logs(
     )
 
 
-@app.get('/users')
-async def users() -> List[Dict[str, Any]]:
-    """Gets all users."""
-    user_list = global_user_state.get_all_users()
-    return [user.to_dict() for user in user_list]
-
-
 @app.post('/download_logs')
 async def download_logs(
         request: fastapi.Request,

sky/setup_files/MANIFEST.in

@@ -16,3 +16,4 @@ include sky/templates/*
 include sky/utils/kubernetes/*
 include sky/server/html/*
 recursive-include sky/dashboard/out *
+include sky/users/*.conf

sky/setup_files/dependencies.py

@@ -58,6 +58,8 @@ install_requires = [
     'setproctitle',
     'sqlalchemy',
     'psycopg2-binary',
+    'casbin',
+    'sqlalchemy_adapter',
 ]
 
 local_ray = [

sky/skylet/constants.py

@@ -379,7 +379,7 @@ OVERRIDEABLE_CONFIG_KEYS_IN_TASK: List[Tuple[str, ...]] = [
 SKIPPED_CLIENT_OVERRIDE_KEYS: List[Tuple[str, ...]] = [('admin_policy',),
                                                        ('api_server',),
                                                        ('allowed_clouds',),
-                                                       ('workspaces',)]
+                                                       ('workspaces',), ('db',)]
 
 # Constants for Azure blob storage
 WAIT_FOR_STORAGE_ACCOUNT_CREATION = 60
@@ -409,6 +409,12 @@ ENV_VAR_IS_SKYPILOT_SERVER = 'IS_SKYPILOT_SERVER'
 
 SKYPILOT_DEFAULT_WORKSPACE = 'default'
 
-# Experimental - may be deprecated in the future without notice.
-SKYPILOT_API_SERVER_DB_URL_ENV_VAR: str = (
-    f'{SKYPILOT_ENV_VAR_PREFIX}API_SERVER_DB_URL')
+# BEGIN constants used for service catalog.
+HOSTED_CATALOG_DIR_URL = 'https://raw.githubusercontent.com/skypilot-org/skypilot-catalog/master/catalogs'  # pylint: disable=line-too-long
+HOSTED_CATALOG_DIR_URL_S3_MIRROR = 'https://skypilot-catalog.s3.us-east-1.amazonaws.com/catalogs'  # pylint: disable=line-too-long
+CATALOG_SCHEMA_VERSION = 'v7'
+CATALOG_DIR = '~/.sky/catalogs'
+ALL_CLOUDS = ('aws', 'azure', 'gcp', 'ibm', 'lambda', 'scp', 'oci',
+              'kubernetes', 'runpod', 'vast', 'vsphere', 'cudo', 'fluidstack',
+              'paperspace', 'do', 'nebius', 'ssh')
+# END constants used for service catalog.

sky/skypilot_config.py

@@ -756,13 +756,15 @@ def apply_cli_config(cli_config: Optional[List[str]]) -> Dict[str, Any]:
     return parsed_config
 
 
-def update_config_no_lock(config: config_utils.Config) -> None:
+def update_api_server_config_no_lock(config: config_utils.Config) -> None:
     """Dumps the new config to a file and syncs to ConfigMap if in Kubernetes.
 
     Args:
         config: The config to save and sync.
     """
-    global_config_path = os.path.expanduser(get_user_config_path())
+    global_config_path = _resolve_server_config_path()
+    if global_config_path is None:
+        global_config_path = get_user_config_path()
 
     # Always save to the local file (PVC in Kubernetes, local file otherwise)
     common_utils.dump_yaml(global_config_path, dict(config))

sky/templates/websocket_proxy.py

@@ -21,11 +21,21 @@ from websockets.asyncio.client import connect
 
 BUFFER_SIZE = 2**16  # 64KB
 
+# Environment variable for a file path to the API cookie file.
+# Keep in sync with server/constants.py
+API_COOKIE_FILE_ENV_VAR = 'SKYPILOT_API_COOKIE_FILE'
+# Default file if unset.
+# Keep in sync with server/constants.py
+API_COOKIE_FILE_DEFAULT_LOCATION = '~/.sky/cookies.txt'
+
 
 def _get_cookie_header(url: str) -> Dict[str, str]:
     """Extract Cookie header value from a cookie jar for a specific URL"""
-    cookie_path = os.environ.get('SKYPILOT_API_COOKIE_FILE')
+    cookie_path = os.environ.get(API_COOKIE_FILE_ENV_VAR)
     if cookie_path is None:
+        cookie_path = API_COOKIE_FILE_DEFAULT_LOCATION
+    cookie_path = os.path.expanduser(cookie_path)
+    if not os.path.exists(cookie_path):
         return {}
 
     request = Request(url)

sky/users/model.conf

@@ -0,0 +1,15 @@
+# rbac_model.conf
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

sky/users/permission.py

@@ -0,0 +1,178 @@
+"""Permission service for SkyPilot API Server."""
+import contextlib
+import logging
+import os
+import threading
+from typing import List
+
+import casbin
+import filelock
+import sqlalchemy_adapter
+
+from sky import global_user_state
+from sky import sky_logging
+from sky.users import rbac
+
+logger = sky_logging.init_logger(__name__)
+
+# Filelocks for the policy update.
+POLICY_UPDATE_LOCK_PATH = os.path.expanduser('~/.sky/.policy_update.lock')
+POLICY_UPDATE_LOCK_TIMEOUT_SECONDS = 20
+
+_enforcer_instance = None
+_lock = threading.Lock()
+
+
+class PermissionService:
+    """Permission service for SkyPilot API Server."""
+
+    def __init__(self):
+        global _enforcer_instance
+        if _enforcer_instance is None:
+            # For different threads, we share the same enforcer instance.
+            with _lock:
+                if _enforcer_instance is None:
+                    _enforcer_instance = self
+                    engine = global_user_state.SQLALCHEMY_ENGINE
+                    adapter = sqlalchemy_adapter.Adapter(engine)
+                    model_path = os.path.join(os.path.dirname(__file__),
+                                              'model.conf')
+                    enforcer = casbin.Enforcer(model_path, adapter)
+                    logging.getLogger('casbin.policy').setLevel(
+                        sky_logging.ERROR)
+                    logging.getLogger('casbin.role').setLevel(sky_logging.ERROR)
+                    self.enforcer = enforcer
+        else:
+            self.enforcer = _enforcer_instance.enforcer
+        self._maybe_initialize_policies()
+
+    def _maybe_initialize_policies(self):
+        """Initialize policies if they don't already exist."""
+        logger.debug(f'Initializing policies in process: {os.getpid()}')
+
+        # Check if policies are already initialized by looking for existing
+        # permission policies in the enforcer
+        existing_policies = self.enforcer.get_policy()
+
+        # If we already have policies for the expected roles, skip
+        # initialization
+        role_permissions = rbac.get_role_permissions()
+        expected_policies = []
+        for role, permissions in role_permissions.items():
+            if permissions['permissions'] and 'blocklist' in permissions[
+                    'permissions']:
+                blocklist = permissions['permissions']['blocklist']
+                for item in blocklist:
+                    expected_policies.append(
+                        [role, item['path'], item['method']])
+
+        # Check if all expected policies already exist
+        policies_exist = all(
+            any(policy == expected
+                for policy in existing_policies)
+            for expected in expected_policies)
+
+        if not policies_exist:
+            # Only clear and reinitialize if policies don't exist or are
+            # incomplete
+            logger.debug('Policies not found or incomplete, initializing...')
+            # Only clear p policies (permission policies),
+            # keep g policies (role policies)
+            self.enforcer.remove_filtered_policy(0)
+            for role, permissions in role_permissions.items():
+                if permissions['permissions'] and 'blocklist' in permissions[
+                        'permissions']:
+                    blocklist = permissions['permissions']['blocklist']
+                    for item in blocklist:
+                        path = item['path']
+                        method = item['method']
+                        self.enforcer.add_policy(role, path, method)
+            self.enforcer.save_policy()
+        else:
+            logger.debug('Policies already exist, skipping initialization')
+
+        # Always ensure users have default roles (this is idempotent)
+        all_users = global_user_state.get_all_users()
+        for user in all_users:
+            self.add_user_if_not_exists(user.id)
+
+    def add_user_if_not_exists(self, user: str) -> None:
+        """Add user role relationship."""
+        with _policy_lock():
+            user_roles = self.enforcer.get_roles_for_user(user)
+            if not user_roles:
+                logger.info(f'User {user} has no roles, adding'
+                            f' default role {rbac.get_default_role()}')
+                self.enforcer.add_grouping_policy(user, rbac.get_default_role())
+                self.enforcer.save_policy()
+
+    def update_role(self, user: str, new_role: str):
+        """Update user role relationship."""
+        with _policy_lock():
+            # Get current roles
+            self._load_policy_no_lock()
+            # Avoid calling get_user_roles, as it will require the lock.
+            current_roles = self.enforcer.get_roles_for_user(user)
+            if not current_roles:
+                logger.warning(f'User {user} has no roles')
+            else:
+                # TODO(hailong): how to handle multiple roles?
+                current_role = current_roles[0]
+                if current_role == new_role:
+                    logger.info(f'User {user} already has role {new_role}')
+                    return
+                self.enforcer.remove_grouping_policy(user, current_role)
+
+            # Update user role
+            self.enforcer.add_grouping_policy(user, new_role)
+            self.enforcer.save_policy()
+
+    def get_user_roles(self, user: str) -> List[str]:
+        """Get all roles for a user.
+
+        This method returns all roles that the user has, including inherited
+        roles. For example, if a user has role 'admin' and 'admin' inherits
+        from 'user', this method will return ['admin', 'user'].
+
+        Args:
+            user: The user ID to get roles for.
+
+        Returns:
+            A list of role names that the user has.
+        """
+        self._load_policy()
+        return self.enforcer.get_roles_for_user(user)
+
+    def check_permission(self, user: str, path: str, method: str) -> bool:
+        """Check permission."""
+        # We intentionally don't load the policy here, as it is a hot path, and
+        # we don't support updating the policy.
+        # We don't hold the lock for checking permission, as it is read only and
+        # it is a hot path in every request. It is ok to have a stale policy,
+        # as long as it is eventually consistent.
+        # self._load_policy_no_lock()
+        return self.enforcer.enforce(user, path, method)
+
+    def _load_policy_no_lock(self):
+        """Load policy from storage."""
+        self.enforcer.load_policy()
+
+    def _load_policy(self):
+        """Load policy from storage with lock."""
+        with _policy_lock():
+            self._load_policy_no_lock()
+
+
+@contextlib.contextmanager
+def _policy_lock():
+    """Context manager for policy update lock."""
+    try:
+        with filelock.FileLock(POLICY_UPDATE_LOCK_PATH,
+                               POLICY_UPDATE_LOCK_TIMEOUT_SECONDS):
+            yield
+    except filelock.Timeout as e:
+        raise RuntimeError(f'Failed to load policy due to a timeout '
+                           f'when trying to acquire the lock at '
+                           f'{POLICY_UPDATE_LOCK_PATH}. '
+                           'Please try again or manually remove the lock '
+                           f'file if you believe it is stale.') from e

sky/users/rbac.py

@@ -0,0 +1,86 @@
+"""RBAC (Role-Based Access Control) functionality for SkyPilot API Server."""
+
+import enum
+from typing import Dict, List
+
+from sky import sky_logging
+from sky import skypilot_config
+
+logger = sky_logging.init_logger(__name__)
+
+# Default user blocklist for user role
+# Cannot access workspace CUD operations
+_DEFAULT_USER_BLOCKLIST = [{
+    'path': '/workspaces/config',
+    'method': 'POST'
+}, {
+    'path': '/workspaces/update',
+    'method': 'POST'
+}, {
+    'path': '/workspaces/create',
+    'method': 'POST'
+}, {
+    'path': '/workspaces/delete',
+    'method': 'POST'
+}, {
+    'path': '/users/update',
+    'method': 'POST'
+}]
+
+
+# Define roles
+class RoleName(str, enum.Enum):
+    ADMIN = 'admin'
+    USER = 'user'
+
+
+def get_supported_roles() -> List[str]:
+    return [role_name.value for role_name in RoleName]
+
+
+def get_default_role() -> str:
+    return skypilot_config.get_nested(('rbac', 'default_role'),
+                                      default_value=RoleName.ADMIN.value)
+
+
+def get_role_permissions(
+) -> Dict[str, Dict[str, Dict[str, List[Dict[str, str]]]]]:
+    """Get all role permissions from config.
+
+    Returns:
+        Dictionary containing all roles and their permissions configuration.
+        Example:
+        {
+            'admin': {
+                'permissions': {
+                    'blocklist': []
+                }
+            },
+            'user': {
+                'permissions': {
+                    'blocklist': [
+                        {'path': '/workspaces/config', 'method': 'POST'},
+                        {'path': '/workspaces/update', 'method': 'POST'}
+                    ]
+                }
+            }
+        }
+    """
+    # Get all roles from the config
+    config_permissions = skypilot_config.get_nested(('rbac', 'roles'),
+                                                    default_value={})
+    supported_roles = get_supported_roles()
+    for role, permissions in config_permissions.items():
+        role_name = role.lower()
+        if role_name not in supported_roles:
+            logger.warning(f'Invalid role: {role_name}')
+            continue
+        config_permissions[role_name] = permissions
+    # Add default roles if not present
+    if 'user' not in config_permissions:
+        config_permissions['user'] = {
+            'permissions': {
+                'blocklist': _DEFAULT_USER_BLOCKLIST
+            }
+        }
+    return config_permissions

sky/users/server.py

@@ -0,0 +1,66 @@
+"""REST API for workspace management."""
+
+import hashlib
+from typing import Any, Dict, List
+
+import fastapi
+
+from sky import global_user_state
+from sky import sky_logging
+from sky.server.requests import payloads
+from sky.users import permission
+from sky.users import rbac
+from sky.utils import common_utils
+
+logger = sky_logging.init_logger(__name__)
+
+router = fastapi.APIRouter()
+
+permission_service = permission.PermissionService()
+
+
+@router.get('')
+async def users() -> List[Dict[str, Any]]:
+    """Gets all users."""
+    all_users = []
+    user_list = global_user_state.get_all_users()
+    for user in user_list:
+        user_roles = permission_service.get_user_roles(user.id)
+        all_users.append({
+            'id': user.id,
+            'name': user.name,
+            'role': user_roles[0] if user_roles else ''
+        })
+    return all_users
+
+
+@router.get('/role')
+async def get_current_user_role(request: fastapi.Request):
+    """Get current user's role."""
+    # TODO(hailong): is there a reliable way to get the user
+    # hash for the request without 'X-Auth-Request-Email' header?
+    if 'X-Auth-Request-Email' not in request.headers:
+        return {'name': '', 'role': rbac.RoleName.ADMIN.value}
+    user_name = request.headers['X-Auth-Request-Email']
+    user_hash = hashlib.md5(
+        user_name.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH]
+    user_roles = permission_service.get_user_roles(user_hash)
+    return {'name': user_name, 'role': user_roles[0] if user_roles else ''}
+
+
+@router.post('/update')
+async def user_update(user_update_body: payloads.UserUpdateBody) -> None:
+    """Updates the user role."""
+    user_id = user_update_body.user_id
+    role = user_update_body.role
+    supported_roles = rbac.get_supported_roles()
+    if role not in supported_roles:
+        raise fastapi.HTTPException(status_code=400,
+                                    detail=f'Invalid role: {role}')
+    user_info = global_user_state.get_user(user_id)
+    if not user_info.name:
+        raise fastapi.HTTPException(status_code=400,
+                                    detail=f'User {user_id} does not exist')
+
+    # Update user role in casbin policy
+    permission_service.update_role(user_id, role)

sky/utils/schemas.py

@@ -6,7 +6,6 @@ https://json-schema.org/
 import enum
 from typing import Any, Dict, List, Tuple
 
-from sky.catalog import constants as service_catalog_constants
 from sky.skylet import constants
 
 
@@ -70,7 +69,7 @@ def _get_single_resources_schema():
     # Building the regex pattern for the infra field
     # Format: cloud[/region[/zone]] or wildcards or kubernetes context
     # Match any cloud name (case insensitive)
-    all_clouds = list(service_catalog_constants.ALL_CLOUDS)
+    all_clouds = list(constants.ALL_CLOUDS)
     all_clouds.remove('kubernetes')
     cloud_pattern = f'(?i:({"|".join(all_clouds)}))'
 
@@ -107,8 +106,7 @@ def _get_single_resources_schema():
         'properties': {
             'cloud': {
                 'type': 'string',
-                'case_insensitive_enum': list(
-                    service_catalog_constants.ALL_CLOUDS)
+                'case_insensitive_enum': list(constants.ALL_CLOUDS)
             },
             'region': {
                 'type': 'string',
@@ -1162,7 +1160,7 @@ def get_config_schema():
         'items': {
             'type': 'string',
             'case_insensitive_enum':
-                (list(service_catalog_constants.ALL_CLOUDS) + ['cloudflare'])
+                (list(constants.ALL_CLOUDS) + ['cloudflare'])
         }
     }
 
@@ -1207,10 +1205,21 @@ def get_config_schema():
         }
     }
 
+    rbac_schema = {
+        'type': 'object',
+        'required': [],
+        'additionalProperties': False,
+        'properties': {
+            'default_role': {
+                'type': 'string',
+                'case_insensitive_enum': ['admin', 'user']
+            },
+        },
+    }
+
     workspace_schema = {'type': 'string'}
 
-    allowed_workspace_cloud_names = list(
-        service_catalog_constants.ALL_CLOUDS) + ['cloudflare']
+    allowed_workspace_cloud_names = list(constants.ALL_CLOUDS) + ['cloudflare']
     # Create pattern for not supported clouds, i.e.
     # all clouds except gcp, kubernetes, ssh
     not_supported_clouds = [
@@ -1334,6 +1343,9 @@ def get_config_schema():
             'workspace': {
                 'type': 'string',
             },
+            'db': {
+                'type': 'string',
+            },
             'jobs': controller_resources_schema,
             'serve': controller_resources_schema,
             'allowed_clouds': allowed_clouds,
@@ -1344,6 +1356,7 @@ def get_config_schema():
             'active_workspace': workspace_schema,
             'workspaces': workspaces_schema,
             'provision': provision_configs,
+            'rbac': rbac_schema,
             **cloud_configs,
         },
     }

sky/workspaces/core.py

@@ -66,7 +66,7 @@ def _update_workspaces_config(
             current_config['workspaces'] = current_workspaces
 
             # Write the configuration back to the file
-            skypilot_config.update_config_no_lock(current_config)
+            skypilot_config.update_api_server_config_no_lock(current_config)
 
             return current_workspaces
     except filelock.Timeout as e:
@@ -411,7 +411,7 @@ def update_config(config: Dict[str, Any]) -> Dict[str, Any]:
                                _WORKSPACE_CONFIG_LOCK_TIMEOUT_SECONDS):
             # Convert to config_utils.Config and save
             config_obj = config_utils.Config.from_dict(config)
-            skypilot_config.update_config_no_lock(config_obj)
+            skypilot_config.update_api_server_config_no_lock(config_obj)
     except filelock.Timeout as e:
         raise RuntimeError(
             f'Failed to update configuration due to a timeout '

{skypilot_nightly-1.0.0.dev20250604.dist-info → skypilot_nightly-1.0.0.dev20250605.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skypilot-nightly
-Version: 1.0.0.dev20250604
+Version: 1.0.0.dev20250605
 Summary: SkyPilot: Run AI on Any Infra — Unified, Faster, Cheaper.
 Author: SkyPilot Team
 License: Apache 2.0
@@ -49,6 +49,8 @@ Requires-Dist: httpx
 Requires-Dist: setproctitle
 Requires-Dist: sqlalchemy
 Requires-Dist: psycopg2-binary
+Requires-Dist: casbin
+Requires-Dist: sqlalchemy_adapter
 Provides-Extra: aws
 Requires-Dist: awscli>=1.27.10; extra == "aws"
 Requires-Dist: botocore>=1.29.10; extra == "aws"