skypilot-nightly 1.0.0.dev20250606__py3-none-any.whl → 1.0.0.dev20250609__py3-none-any.whl

sky/skylet/constants.py

@@ -367,6 +367,7 @@ RCLONE_CACHE_REFRESH_INTERVAL = 10
 OVERRIDEABLE_CONFIG_KEYS_IN_TASK: List[Tuple[str, ...]] = [
     ('docker', 'run_options'),
     ('nvidia_gpus', 'disable_ecc'),
+    ('ssh', 'pod_config'),
     ('kubernetes', 'pod_config'),
     ('kubernetes', 'provision_timeout'),
     ('gcp', 'managed_instance_group'),
@@ -418,3 +419,6 @@ ALL_CLOUDS = ('aws', 'azure', 'gcp', 'ibm', 'lambda', 'scp', 'oci',
               'kubernetes', 'runpod', 'vast', 'vsphere', 'cudo', 'fluidstack',
               'paperspace', 'do', 'nebius', 'ssh')
 # END constants used for service catalog.
+
+# The user ID of the SkyPilot system.
+SKYPILOT_SYSTEM_USER_ID = 'skypilot-system'

sky/skylet/job_lib.py

@@ -794,7 +794,8 @@ def load_job_queue(payload: str) -> List[Dict[str, Any]]:
     for job in jobs:
         job['status'] = JobStatus(job['status'])
         job['user_hash'] = job['username']
-        job['username'] = global_user_state.get_user(job['user_hash']).name
+        user = global_user_state.get_user(job['user_hash'])
+        job['username'] = user.name if user is not None else None
     return jobs
 
 

sky/skypilot_config.py

@@ -167,7 +167,10 @@ def _get_loaded_config_path() -> List[Optional[str]]:
     serialized = _get_config_context().config_path
     if not serialized:
         return []
-    return json.loads(serialized)
+    config_paths = json.loads(serialized)
+    if config_paths is None:
+        return []
+    return config_paths
 
 
 def _set_loaded_config_path(
@@ -762,6 +765,15 @@ def update_api_server_config_no_lock(config: config_utils.Config) -> None:
     Args:
         config: The config to save and sync.
     """
+
+    def is_running_pytest() -> bool:
+        return 'PYTEST_CURRENT_TEST' in os.environ
+
+    # Only allow this function to be called by the API Server in production.
+    if not is_running_pytest() and os.environ.get(
+            constants.ENV_VAR_IS_SKYPILOT_SERVER) is None:
+        raise ValueError('This function can only be called by the API Server.')
+
     global_config_path = _resolve_server_config_path()
     if global_config_path is None:
         global_config_path = get_user_config_path()

sky/templates/jobs-controller.yaml.j2

@@ -3,6 +3,7 @@
 name: {{dag_name}}
 
 file_mounts:
+  {{remote_original_user_yaml_path}}: {{original_user_dag_path}}
   {{remote_user_yaml_path}}: {{user_yaml_path}}
   {%- if local_user_config_path is not none %}
   {{remote_user_config_path}}: {{local_user_config_path}}
@@ -28,7 +29,7 @@ setup: |
   grep -q 'export SKYPILOT_DEV=' ~/.bashrc || echo 'export SKYPILOT_DEV=1' >> ~/.bashrc
   grep -q 'alias sky-env=' ~/.bashrc || echo 'alias sky-env="{{ sky_activate_python_env }}"' >> ~/.bashrc
   {% endif %}
-
+  
   # Create systemd service file
   mkdir -p ~/.config/systemd/user/
 
@@ -65,6 +66,7 @@ run: |
   # CloudVmRayBackend._exec_code_on_head() calls
   # managed_job_codegen.set_pending() before we get here.
   python -u -m sky.jobs.scheduler {{remote_user_yaml_path}} \
+    --user-yaml-path {{remote_original_user_yaml_path}} \
     --job-id $SKYPILOT_INTERNAL_JOB_ID \
     --env-file {{remote_env_file_path}} \
     --priority {{priority}}

sky/templates/nebius-ray.yml.j2

@@ -46,6 +46,7 @@ available_node_types:
       InstanceType: {{instance_type}}
       ImageId: {{image_id}}
       DiskSize: {{disk_size}}
+      network_tier: {{network_tier}}
       filesystems:
         {%- for fs in filesystems %}
         - filesystem_id: {{ fs.filesystem_id }}
@@ -152,6 +153,11 @@ setup_commands:
     mkdir -p ~/.ssh; touch ~/.ssh/config;
     {{ conda_installation_commands }}
     {{ ray_skypilot_installation_commands }}
+  {%- if env_vars is defined %}
+    {%- for env_var, env_value in env_vars.items() %}
+    echo '{{env_var}}={{env_value}}' | sudo tee -a /etc/environment;
+    {%- endfor %}
+  {%- endif %}
     sudo bash -c 'rm -rf /etc/security/limits.d; echo "* soft nofile 1048576" >> /etc/security/limits.conf; echo "* hard nofile 1048576" >> /etc/security/limits.conf';
     sudo grep -e '^DefaultTasksMax' /etc/systemd/system.conf || (sudo bash -c 'echo "DefaultTasksMax=infinity" >> /etc/systemd/system.conf'); sudo systemctl set-property user-$(id -u $(whoami)).slice TasksMax=infinity; sudo systemctl daemon-reload;
     mkdir -p ~/.ssh; (grep -Pzo -q "Host \*\n  StrictHostKeyChecking no\n  IdentityFile ~/.ssh/sky-cluster-key\n  IdentityFile ~/.ssh/id_rsa" ~/.ssh/config) || printf "Host *\n  StrictHostKeyChecking no\n  IdentityFile ~/.ssh/sky-cluster-key\n  IdentityFile ~/.ssh/id_rsa\n" >> ~/.ssh/config;

sky/users/model.conf

@@ -12,4 +12,4 @@ g = _, _
 e = some(where (p.eft == allow))
 
 [matchers]
-m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+m = (g(r.sub, p.sub)|| p.sub == '*') && r.obj == p.obj && r.act == p.act

sky/users/permission.py

@@ -3,7 +3,7 @@ import contextlib
 import logging
 import os
 import threading
-from typing import List
+from typing import Generator, List
 
 import casbin
 import filelock
@@ -11,8 +11,11 @@ import sqlalchemy_adapter
 
 from sky import global_user_state
 from sky import sky_logging
+from sky.skylet import constants
 from sky.users import rbac
 
+logging.getLogger('casbin.policy').setLevel(sky_logging.ERROR)
+logging.getLogger('casbin.role').setLevel(sky_logging.ERROR)
 logger = sky_logging.init_logger(__name__)
 
 # Filelocks for the policy update.
@@ -38,17 +41,19 @@ class PermissionService:
                     model_path = os.path.join(os.path.dirname(__file__),
                                               'model.conf')
                     enforcer = casbin.Enforcer(model_path, adapter)
-                    logging.getLogger('casbin.policy').setLevel(
-                        sky_logging.ERROR)
-                    logging.getLogger('casbin.role').setLevel(sky_logging.ERROR)
                     self.enforcer = enforcer
         else:
             self.enforcer = _enforcer_instance.enforcer
-        self._maybe_initialize_policies()
+        with _policy_lock():
+            self._maybe_initialize_policies()
 
-    def _maybe_initialize_policies(self):
+    def _maybe_initialize_policies(self) -> None:
         """Initialize policies if they don't already exist."""
+        # TODO(zhwu): we should avoid running this on client side.
         logger.debug(f'Initializing policies in process: {os.getpid()}')
+        self._load_policy_no_lock()
+
+        policy_updated = False
 
         # Check if policies are already initialized by looking for existing
         # permission policies in the enforcer
@@ -66,6 +71,17 @@ class PermissionService:
                     expected_policies.append(
                         [role, item['path'], item['method']])
 
+        # Add workspace policy
+        workspace_policy_permissions = rbac.get_workspace_policy_permissions()
+        logger.debug(f'Workspace policy permissions from config: '
+                     f'{workspace_policy_permissions}')
+
+        for workspace_name, users in workspace_policy_permissions.items():
+            for user in users:
+                expected_policies.append([user, workspace_name, '*'])
+                logger.debug(f'Expected workspace policy: user={user}, '
+                             f'workspace={workspace_name}')
+
         # Check if all expected policies already exist
         policies_exist = all(
             any(policy == expected
@@ -86,48 +102,71 @@ class PermissionService:
                     for item in blocklist:
                         path = item['path']
                         method = item['method']
+                        logger.debug(f'Adding role policy: role={role}, '
+                                     f'path={path}, method={method}')
                         self.enforcer.add_policy(role, path, method)
-            self.enforcer.save_policy()
+                        policy_updated = True
+
+            for workspace_name, users in workspace_policy_permissions.items():
+                for user in users:
+                    logger.debug(f'Initializing workspace policy: user={user}, '
+                                 f'workspace={workspace_name}')
+                    self.enforcer.add_policy(user, workspace_name, '*')
+                    policy_updated = True
+            logger.debug('Policies initialized successfully')
         else:
             logger.debug('Policies already exist, skipping initialization')
 
         # Always ensure users have default roles (this is idempotent)
         all_users = global_user_state.get_all_users()
-        for user in all_users:
-            self.add_user_if_not_exists(user.id)
+        for existing_user in all_users:
+            user_added = self._add_user_if_not_exists_no_lock(existing_user.id)
+            policy_updated = policy_updated or user_added
+
+        if policy_updated:
+            self.enforcer.save_policy()
 
-    def add_user_if_not_exists(self, user: str) -> None:
+    def add_user_if_not_exists(self, user_id: str) -> None:
         """Add user role relationship."""
         with _policy_lock():
-            user_roles = self.enforcer.get_roles_for_user(user)
-            if not user_roles:
-                logger.info(f'User {user} has no roles, adding'
-                            f' default role {rbac.get_default_role()}')
-                self.enforcer.add_grouping_policy(user, rbac.get_default_role())
-                self.enforcer.save_policy()
-
-    def update_role(self, user: str, new_role: str):
+            self._add_user_if_not_exists_no_lock(user_id)
+
+    def _add_user_if_not_exists_no_lock(self, user_id: str) -> bool:
+        """Add user role relationship without lock.
+
+        Returns:
+            True if the user was added, False otherwise.
+        """
+        user_roles = self.enforcer.get_roles_for_user(user_id)
+        if not user_roles:
+            logger.info(f'User {user_id} has no roles, adding'
+                        f' default role {rbac.get_default_role()}')
+            self.enforcer.add_grouping_policy(user_id, rbac.get_default_role())
+            return True
+        return False
+
+    def update_role(self, user_id: str, new_role: str) -> None:
         """Update user role relationship."""
         with _policy_lock():
             # Get current roles
             self._load_policy_no_lock()
             # Avoid calling get_user_roles, as it will require the lock.
-            current_roles = self.enforcer.get_roles_for_user(user)
+            current_roles = self.enforcer.get_roles_for_user(user_id)
             if not current_roles:
-                logger.warning(f'User {user} has no roles')
+                logger.warning(f'User {user_id} has no roles')
             else:
                 # TODO(hailong): how to handle multiple roles?
                 current_role = current_roles[0]
                 if current_role == new_role:
-                    logger.info(f'User {user} already has role {new_role}')
+                    logger.info(f'User {user_id} already has role {new_role}')
                     return
-                self.enforcer.remove_grouping_policy(user, current_role)
+                self.enforcer.remove_grouping_policy(user_id, current_role)
 
             # Update user role
-            self.enforcer.add_grouping_policy(user, new_role)
+            self.enforcer.add_grouping_policy(user_id, new_role)
             self.enforcer.save_policy()
 
-    def get_user_roles(self, user: str) -> List[str]:
+    def get_user_roles(self, user_id: str) -> List[str]:
         """Get all roles for a user.
 
         This method returns all roles that the user has, including inherited
@@ -140,10 +179,11 @@ class PermissionService:
         Returns:
             A list of role names that the user has.
         """
-        self._load_policy()
-        return self.enforcer.get_roles_for_user(user)
+        self._load_policy_no_lock()
+        return self.enforcer.get_roles_for_user(user_id)
 
-    def check_permission(self, user: str, path: str, method: str) -> bool:
+    def check_endpoint_permission(self, user_id: str, path: str,
+                                  method: str) -> bool:
         """Check permission."""
         # We intentionally don't load the policy here, as it is a hot path, and
         # we don't support updating the policy.
@@ -151,28 +191,105 @@ class PermissionService:
         # it is a hot path in every request. It is ok to have a stale policy,
         # as long as it is eventually consistent.
         # self._load_policy_no_lock()
-        return self.enforcer.enforce(user, path, method)
+        return self.enforcer.enforce(user_id, path, method)
 
     def _load_policy_no_lock(self):
         """Load policy from storage."""
         self.enforcer.load_policy()
 
-    def _load_policy(self):
+    def load_policy(self):
         """Load policy from storage with lock."""
         with _policy_lock():
             self._load_policy_no_lock()
 
+    def check_workspace_permission(self, user_id: str,
+                                   workspace_name: str) -> bool:
+        """Check workspace permission.
+
+        This method checks if a user has permission to access a specific
+        workspace.
+
+        For private workspaces, the user must have explicit permission.
+
+        For public workspaces, the permission is granted via a wildcard policy
+        ('*').
+        """
+        if os.getenv(constants.ENV_VAR_IS_SKYPILOT_SERVER) is None:
+            # When it is not on API server, we allow all users to access all
+            # workspaces, as the workspace check has been done on API server.
+            return True
+        role = self.get_user_roles(user_id)
+        if rbac.RoleName.ADMIN.value in role:
+            return True
+        # The Casbin model matcher already handles the wildcard '*' case:
+        # m = (g(r.sub, p.sub)|| p.sub == '*') && r.obj == p.obj &&
+        # r.act == p.act
+        # This means if there's a policy ('*', workspace_name, '*'), it will
+        # match any user
+        result = self.enforcer.enforce(user_id, workspace_name, '*')
+        logger.debug(f'Workspace permission check: user={user_id}, '
+                     f'workspace={workspace_name}, result={result}')
+        return result
+
+    def add_workspace_policy(self, workspace_name: str,
+                             users: List[str]) -> None:
+        """Add workspace policy.
+
+        Args:
+            workspace_name: Name of the workspace
+            users: List of user IDs that should have access.
+                   For public workspaces, this should be ['*'].
+                   For private workspaces, this should be specific user IDs.
+        """
+        with _policy_lock():
+            for user in users:
+                logger.debug(f'Adding workspace policy: user={user}, '
+                             f'workspace={workspace_name}')
+                self.enforcer.add_policy(user, workspace_name, '*')
+            self.enforcer.save_policy()
+
+    def update_workspace_policy(self, workspace_name: str,
+                                users: List[str]) -> None:
+        """Update workspace policy.
+
+        Args:
+            workspace_name: Name of the workspace
+            users: List of user IDs that should have access.
+                   For public workspaces, this should be ['*'].
+                   For private workspaces, this should be specific user IDs.
+        """
+        with _policy_lock():
+            self._load_policy_no_lock()
+            # Remove all existing policies for this workspace
+            self.enforcer.remove_filtered_policy(1, workspace_name)
+            # Add new policies
+            for user in users:
+                logger.debug(f'Updating workspace policy: user={user}, '
+                             f'workspace={workspace_name}')
+                self.enforcer.add_policy(user, workspace_name, '*')
+            self.enforcer.save_policy()
+
+    def remove_workspace_policy(self, workspace_name: str) -> None:
+        """Remove workspace policy."""
+        with _policy_lock():
+            self.enforcer.remove_filtered_policy(1, workspace_name)
+            self.enforcer.save_policy()
+
 
 @contextlib.contextmanager
-def _policy_lock():
+def _policy_lock() -> Generator[None, None, None]:
     """Context manager for policy update lock."""
     try:
         with filelock.FileLock(POLICY_UPDATE_LOCK_PATH,
                                POLICY_UPDATE_LOCK_TIMEOUT_SECONDS):
             yield
     except filelock.Timeout as e:
-        raise RuntimeError(f'Failed to load policy due to a timeout '
+        raise RuntimeError(f'Failed to reload policy due to a timeout '
                            f'when trying to acquire the lock at '
                            f'{POLICY_UPDATE_LOCK_PATH}. '
                            'Please try again or manually remove the lock '
                            f'file if you believe it is stale.') from e
+
+
+# Singleton instance of PermissionService for other modules to use.
+permission_service = PermissionService()

sky/users/rbac.py

@@ -5,6 +5,8 @@ from typing import Dict, List
 
 from sky import sky_logging
 from sky import skypilot_config
+from sky.skylet import constants
+from sky.workspaces import utils as workspaces_utils
 
 logger = sky_logging.init_logger(__name__)
 
@@ -84,3 +86,27 @@ def get_role_permissions(
             }
         }
     return config_permissions
+
+
+def get_workspace_policy_permissions() -> Dict[str, List[str]]:
+    """Get workspace policy permissions from config.
+
+    Returns:
+        A dictionary of workspace policy permissions.
+        Example:
+        {
+            'workspace1': ['user1-id', 'user2-id'],
+            'workspace2': ['user3-id', 'user4-id']
+            'default': ['*']
+        }
+    """
+    current_workspaces = skypilot_config.get_nested(('workspaces',),
+                                                    default_value={})
+    if constants.SKYPILOT_DEFAULT_WORKSPACE not in current_workspaces:
+        current_workspaces[constants.SKYPILOT_DEFAULT_WORKSPACE] = {}
+    workspaces_to_policy = {}
+    for workspace_name, workspace_config in current_workspaces.items():
+        users = workspaces_utils.get_workspace_users(workspace_config)
+        workspaces_to_policy[workspace_name] = users
+    logger.debug(f'Workspace policy permissions: {workspaces_to_policy}')
+    return workspaces_to_policy

sky/users/server.py

@@ -1,6 +1,5 @@
 """REST API for workspace management."""
 
-import hashlib
 from typing import Any, Dict, List
 
 import fastapi
@@ -8,16 +7,15 @@ import fastapi
 from sky import global_user_state
 from sky import sky_logging
 from sky.server.requests import payloads
+from sky.skylet import constants
 from sky.users import permission
 from sky.users import rbac
-from sky.utils import common_utils
+from sky.utils import common
 
 logger = sky_logging.init_logger(__name__)
 
 router = fastapi.APIRouter()
 
-permission_service = permission.PermissionService()
-
 
 @router.get('')
 async def users() -> List[Dict[str, Any]]:
@@ -25,7 +23,7 @@ async def users() -> List[Dict[str, Any]]:
     all_users = []
     user_list = global_user_state.get_all_users()
     for user in user_list:
-        user_roles = permission_service.get_user_roles(user.id)
+        user_roles = permission.permission_service.get_user_roles(user.id)
         all_users.append({
             'id': user.id,
             'name': user.name,
@@ -39,13 +37,11 @@ async def get_current_user_role(request: fastapi.Request):
     """Get current user's role."""
     # TODO(hailong): is there a reliable way to get the user
     # hash for the request without 'X-Auth-Request-Email' header?
-    if 'X-Auth-Request-Email' not in request.headers:
+    auth_user = request.state.auth_user
+    if auth_user is None:
         return {'name': '', 'role': rbac.RoleName.ADMIN.value}
-    user_name = request.headers['X-Auth-Request-Email']
-    user_hash = hashlib.md5(
-        user_name.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH]
-    user_roles = permission_service.get_user_roles(user_hash)
-    return {'name': user_name, 'role': user_roles[0] if user_roles else ''}
+    user_roles = permission.permission_service.get_user_roles(auth_user.id)
+    return {'name': auth_user.name, 'role': user_roles[0] if user_roles else ''}
 
 
 @router.post('/update')
@@ -58,9 +54,14 @@ async def user_update(user_update_body: payloads.UserUpdateBody) -> None:
         raise fastapi.HTTPException(status_code=400,
                                     detail=f'Invalid role: {role}')
     user_info = global_user_state.get_user(user_id)
-    if not user_info.name:
+    if user_info is None:
         raise fastapi.HTTPException(status_code=400,
                                     detail=f'User {user_id} does not exist')
+    # Disallow updating roles for the internal users.
+    if user_info.id in [common.SERVER_ID, constants.SKYPILOT_SYSTEM_USER_ID]:
+        raise fastapi.HTTPException(status_code=400,
+                                    detail=f'Cannot update role for internal '
+                                    f'API server user {user_info.name}')
 
     # Update user role in casbin policy
-    permission_service.update_role(user_id, role)
+    permission.permission_service.update_role(user_info.id, role)

sky/utils/common.py

@@ -5,6 +5,7 @@ import enum
 import os
 from typing import Generator
 
+from sky import models
 from sky.skylet import constants
 from sky.utils import common_utils
 
@@ -25,10 +26,13 @@ JOB_CONTROLLER_NAME: str = f'{JOB_CONTROLLER_PREFIX}{SERVER_ID}'
 
 
 @contextlib.contextmanager
-def with_server_user_hash() -> Generator[None, None, None]:
+def with_server_user() -> Generator[None, None, None]:
     """Temporarily set the user hash to common.SERVER_ID."""
     old_env_user_hash = os.getenv(constants.USER_ID_ENV_VAR)
+    # TODO(zhwu): once we have fully moved our code to use `get_current_user()`
+    # instead of `common_utils.get_user_hash()`, we can remove the env override.
     os.environ[constants.USER_ID_ENV_VAR] = SERVER_ID
+    common_utils.set_current_user(models.User.get_current_user())
     try:
         yield
     finally:
@@ -36,6 +40,7 @@ def with_server_user_hash() -> Generator[None, None, None]:
             os.environ[constants.USER_ID_ENV_VAR] = old_env_user_hash
         else:
             os.environ.pop(constants.USER_ID_ENV_VAR)
+        common_utils.set_current_user(models.User.get_current_user())
 
 
 class StatusRefreshMode(enum.Enum):

sky/utils/common_utils.py

@@ -20,6 +20,7 @@ import uuid
 import jsonschema
 
 from sky import exceptions
+from sky import models
 from sky import sky_logging
 from sky.adaptors import common as adaptors_common
 from sky.skylet import constants
@@ -256,11 +257,13 @@ class Backoff:
 _current_command: Optional[str] = None
 _current_client_entrypoint: Optional[str] = None
 _using_remote_api_server: Optional[bool] = None
+_current_user: Optional['models.User'] = None
 
 
-def set_client_status(client_entrypoint: Optional[str],
-                      client_command: Optional[str],
-                      using_remote_api_server: bool):
+def set_request_context(client_entrypoint: Optional[str],
+                        client_command: Optional[str],
+                        using_remote_api_server: bool,
+                        user: Optional['models.User']):
     """Override the current client entrypoint and command.
 
     This is useful when we are on the SkyPilot API server side and we have a
@@ -269,9 +272,11 @@ def set_client_status(client_entrypoint: Optional[str],
     global _current_command
     global _current_client_entrypoint
     global _using_remote_api_server
+    global _current_user
     _current_command = client_command
     _current_client_entrypoint = client_entrypoint
     _using_remote_api_server = using_remote_api_server
+    _current_user = user
 
 
 def get_current_command() -> str:
@@ -286,6 +291,19 @@ def get_current_command() -> str:
     return get_pretty_entrypoint_cmd()
 
 
+def get_current_user() -> 'models.User':
+    """Returns the current user."""
+    if _current_user is not None:
+        return _current_user
+    return models.User.get_current_user()
+
+
+def set_current_user(user: 'models.User'):
+    """Sets the current user."""
+    global _current_user
+    _current_user = user
+
+
 def get_current_client_entrypoint(server_entrypoint: str) -> str:
     """Returns the current client entrypoint.
 

sky/utils/kubernetes/deploy_remote_cluster.py

@@ -723,14 +723,16 @@ def main():
                 # Do not support changing anything besides hosts for now
                 if history is not None:
                     for key in ['user', 'identity_file', 'password']:
-                        if history.get(key) != cluster_config.get(key):
+                        if not args.cleanup and history.get(
+                                key) != cluster_config.get(key):
                             raise ValueError(
                                 f'Cluster configuration has changed for field {key!r}. '
                                 f'Previous value: {history.get(key)}, '
                                 f'Current value: {cluster_config.get(key)}')
                     history_hosts_info = prepare_hosts_info(
                         cluster_name, history)
-                    if history_hosts_info[0] != hosts_info[0]:
+                    if not args.cleanup and history_hosts_info[0] != hosts_info[
+                            0]:
                         raise ValueError(
                             f'Cluster configuration has changed for master node. '
                             f'Previous value: {history_hosts_info[0]}, '
@@ -860,7 +862,7 @@ def deploy_cluster(head_node,
         use_ssh_config=head_use_ssh_config,
         # For SkySSHUpLineProcessor
         print_output=True)
-    if result is None:
+    if not cleanup and result is None:
         with ux_utils.print_exception_no_traceback():
             raise RuntimeError(
                 f'Failed to SSH to head node ({head_node}). '

sky/utils/resources_utils.py

@@ -63,7 +63,9 @@ class NetworkTier(enum.Enum):
     def cli_help_message(cls) -> str:
         return (
             f'Network tier. Could be one of {", ".join(cls.supported_tiers())}'
-            f'. Default: {cls.STANDARD.value}')
+            f'. If {cls.BEST.value} is specified, use the best network tier '
+            'available on the specified instance. '
+            f'Default: {cls.STANDARD.value}')
 
     @classmethod
     def from_str(cls, tier: str) -> 'NetworkTier':

sky/utils/schemas.py

@@ -1249,6 +1249,15 @@ def get_config_schema():
             'properties': {
                 # Explicit definition for GCP allows both project_id and
                 # disabled
+                'private': {
+                    'type': 'boolean',
+                },
+                'allowed_users': {
+                    'type': 'array',
+                    'items': {
+                        'type': 'string',
+                    },
+                },
                 'gcp': {
                     'type': 'object',
                     'properties': {