skypilot-nightly 1.0.0.dev20250606__py3-none-any.whl → 1.0.0.dev20250609__py3-none-any.whl

sky/jobs/server/core.py

@@ -37,6 +37,7 @@ from sky.utils import status_lib
 from sky.utils import subprocess_utils
 from sky.utils import timeline
 from sky.utils import ux_utils
+from sky.workspaces import core as workspaces_core
 
 if typing.TYPE_CHECKING:
     import sky
@@ -88,6 +89,9 @@ def launch(
             raise ValueError('Only single-task or chain DAG is '
                              f'allowed for job_launch. Dag: {dag}')
     dag.validate()
+
+    user_dag_str = dag_utils.dump_chain_dag_to_yaml_str(dag)
+
     dag_utils.maybe_infer_and_fill_dag_and_task_names(dag)
 
     task_names = set()
@@ -175,12 +179,20 @@ def launch(
                     controller_utils.translate_local_file_mounts_to_two_hop(
                         task_))
 
+    # Has to use `\` to avoid yapf issue.
     with tempfile.NamedTemporaryFile(prefix=f'managed-dag-{dag.name}-',
-                                     mode='w') as f:
+                                     mode='w') as f, \
+         tempfile.NamedTemporaryFile(prefix=f'managed-user-dag-{dag.name}-',
+                                     mode='w') as original_user_yaml_path:
+        original_user_yaml_path.write(user_dag_str)
+        original_user_yaml_path.flush()
+
         dag_utils.dump_chain_dag_to_yaml(dag, f.name)
         controller = controller_utils.Controllers.JOBS_CONTROLLER
         controller_name = controller.value.cluster_name
         prefix = managed_job_constants.JOBS_TASK_YAML_PREFIX
+        remote_original_user_yaml_path = (
+            f'{prefix}/{dag.name}-{dag_uuid}.original_user_yaml')
         remote_user_yaml_path = f'{prefix}/{dag.name}-{dag_uuid}.yaml'
         remote_user_config_path = f'{prefix}/{dag.name}-{dag_uuid}.config_yaml'
         remote_env_file_path = f'{prefix}/{dag.name}-{dag_uuid}.env'
@@ -189,6 +201,8 @@ def launch(
             task_resources=sum([list(t.resources) for t in dag.tasks], []))
 
         vars_to_fill = {
+            'remote_original_user_yaml_path': remote_original_user_yaml_path,
+            'original_user_dag_path': original_user_yaml_path.name,
             'remote_user_yaml_path': remote_user_yaml_path,
             'user_yaml_path': f.name,
             'local_to_controller_file_mounts': local_to_controller_file_mounts,
@@ -231,7 +245,7 @@ def launch(
 
         # Launch with the api server's user hash, so that sky status does not
         # show the owner of the controller as whatever user launched it first.
-        with common.with_server_user_hash():
+        with common.with_server_user():
             # Always launch the controller in the default workspace.
             with skypilot_config.local_active_workspace_ctx(
                     skylet_constants.SKYPILOT_DEFAULT_WORKSPACE):
@@ -442,6 +456,13 @@ def queue(refresh: bool,
 
         jobs = list(filter(user_hash_matches_or_missing, jobs))
 
+    accessible_workspaces = workspaces_core.get_workspaces()
+    jobs = list(
+        filter(
+            lambda job: job.get('workspace', skylet_constants.
+                                SKYPILOT_DEFAULT_WORKSPACE) in
+            accessible_workspaces, jobs))
+
     if skip_finished:
         # Filter out the finished jobs. If a multi-task job is partially
         # finished, we will include all its tasks.

sky/jobs/server/server.py

@@ -1,12 +1,9 @@
 """REST API for managed jobs."""
-import os
 
 import fastapi
-import httpx
 
 from sky import sky_logging
 from sky.jobs.server import core
-from sky.jobs.server import dashboard_utils
 from sky.server import common as server_common
 from sky.server import stream_utils
 from sky.server.requests import executor
@@ -14,7 +11,6 @@ from sky.server.requests import payloads
 from sky.server.requests import requests as api_requests
 from sky.skylet import constants
 from sky.utils import common
-from sky.utils import common_utils
 
 logger = sky_logging.init_logger(__name__)
 
@@ -110,94 +106,3 @@ async def download_logs(
         if jobs_download_logs_body.refresh else api_requests.ScheduleType.SHORT,
         request_cluster_name=common.JOB_CONTROLLER_NAME,
     )
-
-
-@router.get('/dashboard')
-async def dashboard(request: fastapi.Request,
-                    user_hash: str) -> fastapi.Response:
-    # TODO(cooperc): Support showing only jobs for a specific user.
-
-    # FIX(zhwu/cooperc/eric): Fix log downloading (assumes global
-    # /download_log/xx route)
-
-    # Note: before #4717, each user had their own controller, and thus their own
-    # dashboard. Now, all users share the same controller, so this isn't really
-    # necessary. TODO(cooperc): clean up.
-
-    # TODO: Put this in an executor to avoid blocking the main server thread.
-    # It can take a long time if it needs to check the controller status.
-
-    # Find the port for the dashboard of the user
-    os.environ[constants.USER_ID_ENV_VAR] = user_hash
-    server_common.reload_for_new_request(client_entrypoint=None,
-                                         client_command=None,
-                                         using_remote_api_server=False)
-    logger.info(f'Starting dashboard for user hash: {user_hash}')
-
-    with dashboard_utils.get_dashboard_lock_for_user(user_hash):
-        max_retries = 3
-        for attempt in range(max_retries):
-            port, pid = dashboard_utils.get_dashboard_session(user_hash)
-            if port == 0 or attempt > 0:
-                # Let the client know that we are waiting for starting the
-                # dashboard.
-                try:
-                    port, pid = core.start_dashboard_forwarding()
-                except Exception as e:  # pylint: disable=broad-except
-                    # We catch all exceptions to gracefully handle unknown
-                    # errors and raise an HTTPException to the client.
-                    msg = (
-                        'Dashboard failed to start: '
-                        f'{common_utils.format_exception(e, use_bracket=True)}')
-                    logger.error(msg)
-                    raise fastapi.HTTPException(status_code=503, detail=msg)
-                dashboard_utils.add_dashboard_session(user_hash, port, pid)
-
-            # Assuming the dashboard is forwarded to localhost on the API server
-            dashboard_url = f'http://localhost:{port}'
-            try:
-                # Ping the dashboard to check if it's still running
-                async with httpx.AsyncClient() as client:
-                    response = await client.request('GET',
-                                                    dashboard_url,
-                                                    timeout=5)
-                if response.is_success:
-                    break  # Connection successful, proceed with the request
-                # Raise an HTTPException here which will be caught by the
-                # following except block to retry with new connection
-                response.raise_for_status()
-            except Exception as e:  # pylint: disable=broad-except
-                # We catch all exceptions to gracefully handle unknown
-                # errors and retry or raise an HTTPException to the client.
-                # Assume an exception indicates that the dashboard connection
-                # is stale - remove it so that a new one is created.
-                dashboard_utils.remove_dashboard_session(user_hash)
-                msg = (
-                    f'Dashboard connection attempt {attempt + 1} failed with '
-                    f'{common_utils.format_exception(e, use_bracket=True)}')
-                logger.info(msg)
-                if attempt == max_retries - 1:
-                    raise fastapi.HTTPException(status_code=503, detail=msg)
-
-    # Create a client session to forward the request
-    try:
-        async with httpx.AsyncClient() as client:
-            # Make the request and get the response
-            response = await client.request(
-                method='GET',
-                url=f'{dashboard_url}',
-                headers=request.headers.raw,
-            )
-
-            # Create a new response with the content already read
-            content = await response.aread()
-            return fastapi.Response(
-                content=content,
-                status_code=response.status_code,
-                headers=dict(response.headers),
-                media_type=response.headers.get('content-type'))
-    except Exception as e:
-        msg = (f'Failed to forward request to dashboard: '
-               f'{common_utils.format_exception(e, use_bracket=True)}')
-        logger.error(msg)
-        raise fastapi.HTTPException(status_code=502, detail=msg)

sky/jobs/state.py

@@ -122,7 +122,8 @@ def create_table(cursor, conn):
         user_hash TEXT,
         workspace TEXT DEFAULT NULL,
         priority INTEGER DEFAULT 500,
-        entrypoint TEXT DEFAULT NULL)""")
+        entrypoint TEXT DEFAULT NULL,
+        original_user_yaml_path TEXT DEFAULT NULL)""")
 
     db_utils.add_column_to_table(cursor, conn, 'job_info', 'schedule_state',
                                  'TEXT')
@@ -153,6 +154,8 @@ def create_table(cursor, conn):
                                  value_to_replace_existing_entries=500)
 
     db_utils.add_column_to_table(cursor, conn, 'job_info', 'entrypoint', 'TEXT')
+    db_utils.add_column_to_table(cursor, conn, 'job_info',
+                                 'original_user_yaml_path', 'TEXT')
     conn.commit()
 
 
@@ -212,6 +215,7 @@ columns = [
     'workspace',
     'priority',
     'entrypoint',
+    'original_user_yaml_path',
 ]
 
 
@@ -1013,19 +1017,16 @@ def get_managed_jobs(job_id: Optional[int] = None) -> List[Dict[str, Any]]:
             if job_dict['job_name'] is None:
                 job_dict['job_name'] = job_dict['task_name']
 
-            # Add YAML content and command for managed jobs
-            dag_yaml_path = job_dict.get('dag_yaml_path')
-            if dag_yaml_path:
+            # Add user YAML content for managed jobs.
+            yaml_path = job_dict.get('original_user_yaml_path')
+            if yaml_path:
                 try:
-                    with open(dag_yaml_path, 'r', encoding='utf-8') as f:
-                        job_dict['dag_yaml'] = f.read()
+                    with open(yaml_path, 'r', encoding='utf-8') as f:
+                        job_dict['user_yaml'] = f.read()
                 except (FileNotFoundError, IOError, OSError):
-                    job_dict['dag_yaml'] = None
-
-                # Generate a command that could be used to launch this job
-                # Format: sky jobs launch <yaml_path>
+                    job_dict['user_yaml'] = None
             else:
-                job_dict['dag_yaml'] = None
+                job_dict['user_yaml'] = None
 
             jobs.append(job_dict)
         return jobs
@@ -1083,18 +1084,20 @@ def get_local_log_file(job_id: int, task_id: Optional[int]) -> Optional[str]:
 # scheduler lock to work correctly.
 
 
-def scheduler_set_waiting(job_id: int, dag_yaml_path: str, env_file_path: str,
+def scheduler_set_waiting(job_id: int, dag_yaml_path: str,
+                          original_user_yaml_path: str, env_file_path: str,
                           user_hash: str, priority: int) -> None:
     """Do not call without holding the scheduler lock."""
     with db_utils.safe_cursor(_DB_PATH) as cursor:
         updated_count = cursor.execute(
             'UPDATE job_info SET '
-            'schedule_state = (?), dag_yaml_path = (?), env_file_path = (?), '
+            'schedule_state = (?), dag_yaml_path = (?), '
+            'original_user_yaml_path = (?), env_file_path = (?), '
             '  user_hash = (?), priority = (?) '
             'WHERE spot_job_id = (?) AND schedule_state = (?)',
             (ManagedJobScheduleState.WAITING.value, dag_yaml_path,
-             env_file_path, user_hash, priority, job_id,
-             ManagedJobScheduleState.INACTIVE.value)).rowcount
+             original_user_yaml_path, env_file_path, user_hash, priority,
+             job_id, ManagedJobScheduleState.INACTIVE.value)).rowcount
         assert updated_count == 1, (job_id, updated_count)
 
 

sky/jobs/utils.py

@@ -1025,7 +1025,8 @@ def load_managed_job_queue(payload: str) -> List[Dict[str, Any]]:
         if 'user_hash' in job and job['user_hash'] is not None:
             # Skip jobs that do not have user_hash info.
             # TODO(cooperc): Remove check before 0.12.0.
-            job['user_name'] = global_user_state.get_user(job['user_hash']).name
+            user = global_user_state.get_user(job['user_hash'])
+            job['user_name'] = user.name if user is not None else None
     return jobs
 
 

sky/models.py

@@ -2,8 +2,13 @@
 
 import collections
 import dataclasses
+import getpass
+import os
 from typing import Any, Dict, Optional
 
+from sky.skylet import constants
+from sky.utils import common_utils
+
 
 @dataclasses.dataclass
 class User:
@@ -16,6 +21,19 @@ class User:
     def to_dict(self) -> Dict[str, Any]:
         return {'id': self.id, 'name': self.name}
 
+    def to_env_vars(self) -> Dict[str, Any]:
+        return {
+            constants.USER_ID_ENV_VAR: self.id,
+            constants.USER_ENV_VAR: self.name,
+        }
+
+    @classmethod
+    def get_current_user(cls) -> 'User':
+        """Returns the current user."""
+        user_name = os.getenv(constants.USER_ENV_VAR, getpass.getuser())
+        user_hash = common_utils.get_user_hash()
+        return User(id=user_hash, name=user_name)
+
 
 RealtimeGpuAvailability = collections.namedtuple(
     'RealtimeGpuAvailability', ['gpu', 'counts', 'capacity', 'available'])

sky/provision/kubernetes/utils.py

@@ -2342,6 +2342,7 @@ def get_endpoint_debug_message() -> str:
 def combine_pod_config_fields(
     cluster_yaml_path: str,
     cluster_config_overrides: Dict[str, Any],
+    cloud: Optional[clouds.Cloud] = None,
 ) -> None:
     """Adds or updates fields in the YAML with fields from the
     ~/.sky/config.yaml's kubernetes.pod_spec dict.
@@ -2386,11 +2387,17 @@ def combine_pod_config_fields(
     yaml_obj = yaml.safe_load(yaml_content)
     # We don't use override_configs in `skypilot_config.get_nested`, as merging
     # the pod config requires special handling.
-    kubernetes_config = skypilot_config.get_nested(('kubernetes', 'pod_config'),
-                                                   default_value={},
-                                                   override_configs={})
-    override_pod_config = (cluster_config_overrides.get('kubernetes', {}).get(
-        'pod_config', {}))
+    if isinstance(cloud, clouds.SSH):
+        kubernetes_config = skypilot_config.get_nested(('ssh', 'pod_config'),
+                                                       default_value={},
+                                                       override_configs={})
+        override_pod_config = (cluster_config_overrides.get('ssh', {}).get(
+            'pod_config', {}))
+    else:
+        kubernetes_config = skypilot_config.get_nested(
+            ('kubernetes', 'pod_config'), default_value={}, override_configs={})
+        override_pod_config = (cluster_config_overrides.get(
+            'kubernetes', {}).get('pod_config', {}))
     config_utils.merge_k8s_configs(kubernetes_config, override_pod_config)
 
     # Merge the kubernetes config into the YAML for both head and worker nodes.

sky/provision/nebius/constants.py

@@ -0,0 +1,47 @@
+"""Constants used by the Nebius provisioner."""
+
+VERSION = 'v1'
+
+# InfiniBand-capable instance platforms
+INFINIBAND_INSTANCE_PLATFORMS = [
+    'gpu-h100-sxm',
+    'gpu-h200-sxm',
+]
+
+# InfiniBand environment variables for NCCL and UCX
+INFINIBAND_ENV_VARS = {
+    'NCCL_IB_HCA': 'mlx5',
+    'UCX_NET_DEVICES': ('mlx5_0:1,mlx5_1:1,mlx5_2:1,mlx5_3:1,'
+                        'mlx5_4:1,mlx5_5:1,mlx5_6:1,mlx5_7:1')
+}
+
+# Docker run options for InfiniBand support
+INFINIBAND_DOCKER_OPTIONS = ['--device=/dev/infiniband', '--cap-add=IPC_LOCK']
+
+# InfiniBand fabric mapping by platform and region
+# Based on Nebius documentation
+INFINIBAND_FABRIC_MAPPING = {
+    # H100 platforms
+    ('gpu-h100-sxm', 'eu-north1'): [
+        'fabric-2', 'fabric-3', 'fabric-4', 'fabric-6'
+    ],
+
+    # H200 platforms
+    ('gpu-h200-sxm', 'eu-north1'): ['fabric-7'],
+    ('gpu-h200-sxm', 'eu-west1'): ['fabric-5'],
+    ('gpu-h200-sxm', 'us-central1'): ['us-central1-a'],
+}
+
+
+def get_default_fabric(platform: str, region: str) -> str:
+    """Get the default (first) fabric for a given platform and region."""
+    fabrics = INFINIBAND_FABRIC_MAPPING.get((platform, region), [])
+    if not fabrics:
+        # Select north europe region as default
+        fabrics = INFINIBAND_FABRIC_MAPPING.get(('gpu-h100-sxm', 'eu-north1'),
+                                                [])
+        if not fabrics:
+            raise ValueError(
+                f'No InfiniBand fabric available for platform {platform} '
+                f'in region {region}')
+    return fabrics[0]

sky/provision/nebius/instance.py

@@ -124,6 +124,7 @@ def run_instances(region: str, cluster_name_on_cloud: str,
         node_type = 'head' if head_instance_id is None else 'worker'
         try:
             platform, preset = config.node_config['InstanceType'].split('_')
+
             instance_id = utils.launch(
                 cluster_name_on_cloud=cluster_name_on_cloud,
                 node_type=node_type,
@@ -136,7 +137,7 @@ def run_instances(region: str, cluster_name_on_cloud: str,
                 associate_public_ip_address=(
                     not config.provider_config['use_internal_ips']),
                 filesystems=config.node_config.get('filesystems', []),
-            )
+                network_tier=config.node_config.get('network_tier'))
         except Exception as e:  # pylint: disable=broad-except
             logger.warning(f'run_instances error: {e}')
             raise

sky/provision/nebius/utils.py

@@ -1,12 +1,14 @@
 """Nebius library wrapper for SkyPilot."""
 import time
-from typing import Any, Dict, List
+from typing import Any, Dict, List, Optional
 import uuid
 
 from sky import sky_logging
 from sky import skypilot_config
 from sky.adaptors import nebius
+from sky.provision.nebius import constants as nebius_constants
 from sky.utils import common_utils
+from sky.utils import resources_utils
 
 logger = sky_logging.init_logger(__name__)
 
@@ -156,10 +158,17 @@ def start(instance_id: str) -> None:
             f' to be ready.')
 
 
-def launch(cluster_name_on_cloud: str, node_type: str, platform: str,
-           preset: str, region: str, image_family: str, disk_size: int,
-           user_data: str, associate_public_ip_address: bool,
-           filesystems: List[Dict[str, Any]]) -> str:
+def launch(cluster_name_on_cloud: str,
+           node_type: str,
+           platform: str,
+           preset: str,
+           region: str,
+           image_family: str,
+           disk_size: int,
+           user_data: str,
+           associate_public_ip_address: bool,
+           filesystems: List[Dict[str, Any]],
+           network_tier: Optional[resources_utils.NetworkTier] = None) -> str:
     # Each node must have a unique name to avoid conflicts between
     # multiple worker VMs. To ensure uniqueness,a UUID is appended
     # to the node name.
@@ -173,11 +182,23 @@ def launch(cluster_name_on_cloud: str, node_type: str, platform: str,
     # 8 GPU virtual machines can be grouped into a GPU cluster.
     # The GPU clusters are built with InfiniBand secure high-speed networking.
     # https://docs.nebius.com/compute/clusters/gpu
-    if platform in ('gpu-h100-sxm', 'gpu-h200-sxm'):
+    if platform in nebius_constants.INFINIBAND_INSTANCE_PLATFORMS:
         if preset == '8gpu-128vcpu-1600gb':
-            #  Check is there fabric in config
             fabric = skypilot_config.get_nested(('nebius', region, 'fabric'),
                                                 None)
+
+            # Auto-select fabric if network_tier=best and no fabric configured
+            if (fabric is None and
+                    str(network_tier) == str(resources_utils.NetworkTier.BEST)):
+                try:
+                    fabric = nebius_constants.get_default_fabric(
+                        platform, region)
+                    logger.info(f'Auto-selected InfiniBand fabric {fabric} '
+                                f'for {platform} in {region}')
+                except ValueError as e:
+                    logger.warning(
+                        f'InfiniBand fabric auto-selection failed: {e}')
+
             if fabric is None:
                 logger.warning(
                     f'Set up fabric for region {region} in ~/.sky/config.yaml '

sky/serve/server/core.py

@@ -221,7 +221,7 @@ def up(
         # for the first time; otherwise it is a name conflict.
         # Since the controller may be shared among multiple users, launch the
         # controller with the API server's user hash.
-        with common.with_server_user_hash():
+        with common.with_server_user():
             with skypilot_config.local_active_workspace_ctx(
                     constants.SKYPILOT_DEFAULT_WORKSPACE):
                 controller_job_id, controller_handle = execution.launch(

sky/server/common.py

@@ -39,6 +39,7 @@ if typing.TYPE_CHECKING:
     import requests
 
     from sky import dag as dag_lib
+    from sky import models
 else:
     pydantic = adaptors_common.LazyImport('pydantic')
     requests = adaptors_common.LazyImport('requests')
@@ -710,7 +711,7 @@ def request_body_to_params(body: 'pydantic.BaseModel') -> Dict[str, Any]:
 
 def reload_for_new_request(client_entrypoint: Optional[str],
                            client_command: Optional[str],
-                           using_remote_api_server: bool):
+                           using_remote_api_server: bool, user: 'models.User'):
     """Reload modules, global variables, and usage message for a new request."""
     # This should be called first to make sure the logger is up-to-date.
     sky_logging.reload_logger()
@@ -719,10 +720,11 @@ def reload_for_new_request(client_entrypoint: Optional[str],
     skypilot_config.safe_reload_config()
 
     # Reset the client entrypoint and command for the usage message.
-    common_utils.set_client_status(
+    common_utils.set_request_context(
         client_entrypoint=client_entrypoint,
         client_command=client_command,
         using_remote_api_server=using_remote_api_server,
+        user=user,
     )
 
     # Clear cache should be called before reload_logger and usage reset,

sky/server/constants.py

@@ -11,8 +11,6 @@ API_VERSION = '9'
 
 # Prefix for API request names.
 REQUEST_NAME_PREFIX = 'sky.'
-# The user ID of the SkyPilot system.
-SKYPILOT_SYSTEM_USER_ID = 'skypilot-system'
 # The memory (GB) that SkyPilot tries to not use to prevent OOM.
 MIN_AVAIL_MEM_GB = 2
 # Default encoder/decoder handler name.

sky/server/requests/executor.py

@@ -53,6 +53,7 @@ from sky.utils import context
 from sky.utils import context_utils
 from sky.utils import subprocess_utils
 from sky.utils import timeline
+from sky.workspaces import core as workspaces_core
 
 if typing.TYPE_CHECKING:
     import types
@@ -229,6 +230,9 @@ def override_request_env_and_config(
     original_env = os.environ.copy()
     os.environ.update(request_body.env_vars)
     # Note: may be overridden by AuthProxyMiddleware.
+    # TODO(zhwu): we need to make the entire request a context available to the
+    # entire request execution, so that we can access info like user through
+    # the execution.
     user = models.User(id=request_body.env_vars[constants.USER_ID_ENV_VAR],
                        name=request_body.env_vars[constants.USER_ENV_VAR])
     global_user_state.add_or_update_user(user)
@@ -237,13 +241,17 @@ def override_request_env_and_config(
     server_common.reload_for_new_request(
         client_entrypoint=request_body.entrypoint,
         client_command=request_body.entrypoint_command,
-        using_remote_api_server=request_body.using_remote_api_server)
+        using_remote_api_server=request_body.using_remote_api_server,
+        user=user)
     try:
         logger.debug(
             f'override path: {request_body.override_skypilot_config_path}')
         with skypilot_config.override_skypilot_config(
                 request_body.override_skypilot_config,
                 request_body.override_skypilot_config_path):
+            # Rejecting requests to workspaces that the user does not have
+            # permission to access.
+            workspaces_core.reject_request_for_unauthorized_workspace(user)
             yield
     finally:
         # We need to call the save_timeline() since atexit will not be
@@ -433,7 +441,7 @@ def prepare_request(
     """Prepare a request for execution."""
     user_id = request_body.env_vars[constants.USER_ID_ENV_VAR]
     if is_skypilot_system:
-        user_id = server_constants.SKYPILOT_SYSTEM_USER_ID
+        user_id = constants.SKYPILOT_SYSTEM_USER_ID
         global_user_state.add_or_update_user(
             models.User(id=user_id, name=user_id))
     request = api_requests.Request(request_id=request_id,

sky/server/requests/requests.py

@@ -11,7 +11,7 @@ import signal
 import sqlite3
 import time
 import traceback
-from typing import Any, Callable, Dict, List, Optional, Tuple
+from typing import Any, Callable, Dict, Generator, List, Optional, Tuple
 
 import colorama
 import filelock
@@ -204,7 +204,8 @@ class Request:
         """
         assert isinstance(self.request_body,
                           payloads.RequestBody), (self.name, self.request_body)
-        user_name = global_user_state.get_user(self.user_id).name
+        user = global_user_state.get_user(self.user_id)
+        user_name = user.name if user is not None else None
         return RequestPayload(
             request_id=self.request_id,
             name=self.name,
@@ -464,7 +465,7 @@ def request_lock_path(request_id: str) -> str:
 
 @contextlib.contextmanager
 @init_db
-def update_request(request_id: str):
+def update_request(request_id: str) -> Generator[Optional[Request], None, None]:
     """Get a SkyPilot API request."""
     request = _get_request_no_lock(request_id)
     yield request

sky/server/server.py

@@ -49,6 +49,7 @@ from sky.server.requests import preconditions
 from sky.server.requests import requests as requests_lib
 from sky.skylet import constants
 from sky.usage import usage_lib
+from sky.users import permission
 from sky.users import server as users_rest
 from sky.utils import admin_policy_utils
 from sky.utils import common as common_lib
@@ -105,17 +106,21 @@ class RBACMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
     """Middleware to handle RBAC."""
 
     async def dispatch(self, request: fastapi.Request, call_next):
-        if request.url.path.startswith('/dashboard/'):
+        # TODO(hailong): should have a list of paths
+        # that are not checked for RBAC
+        if (request.url.path.startswith('/dashboard/') or
+                request.url.path.startswith('/api/')):
             return await call_next(request)
 
         auth_user = _get_auth_user_header(request)
         if auth_user is None:
             return await call_next(request)
 
-        permission_service = users_rest.permission_service
+        permission_service = permission.permission_service
         # Check the role permission
-        if permission_service.check_permission(auth_user.id, request.url.path,
-                                               request.method):
+        if permission_service.check_endpoint_permission(auth_user.id,
+                                                        request.url.path,
+                                                        request.method):
             return fastapi.responses.JSONResponse(
                 status_code=403, content={'detail': 'Forbidden'})
 
@@ -154,9 +159,15 @@ class AuthProxyMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
         if auth_user is not None:
             newly_added = global_user_state.add_or_update_user(auth_user)
             if newly_added:
-                users_rest.permission_service.add_user_if_not_exists(
+                permission.permission_service.add_user_if_not_exists(
                     auth_user.id)
 
+        # Store user info in request.state for access by GET endpoints
+        if auth_user is not None:
+            request.state.auth_user = auth_user
+        else:
+            request.state.auth_user = None
+
         body = await request.body()
         if auth_user and body:
             try:
@@ -177,6 +188,12 @@ class AuthProxyMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
                             f'"env_vars" in request body is not a dictionary '
                             f'for request {request.state.request_id}. '
                             'Skipping user info injection into body.')
+                else:
+                    original_json['env_vars'] = {}
+                    original_json['env_vars'][
+                        constants.USER_ID_ENV_VAR] = auth_user.id
+                    original_json['env_vars'][
+                        constants.USER_ENV_VAR] = auth_user.name
                 request._body = json.dumps(original_json).encode('utf-8')  # pylint: disable=protected-access
         return await call_next(request)