skypilot-nightly 1.0.0.dev20250606__py3-none-any.whl → 1.0.0.dev20250609__py3-none-any.whl

sky/workspaces/core.py

@@ -1,20 +1,24 @@
 """Workspace management core."""
 
 import concurrent.futures
-from typing import Any, Callable, Dict
+from typing import Any, Callable, Dict, List
 
 import filelock
 
 from sky import check as sky_check
 from sky import exceptions
 from sky import global_user_state
+from sky import models
 from sky import sky_logging
 from sky import skypilot_config
 from sky.skylet import constants
 from sky.usage import usage_lib
+from sky.users import permission
+from sky.utils import annotations
 from sky.utils import common_utils
 from sky.utils import config_utils
 from sky.utils import schemas
+from sky.workspaces import utils as workspaces_utils
 
 logger = sky_logging.init_logger(__name__)
 
@@ -28,10 +32,7 @@ _WORKSPACE_CONFIG_LOCK_TIMEOUT_SECONDS = 60
 
 def get_workspaces() -> Dict[str, Any]:
     """Returns the workspace config."""
-    workspaces = skypilot_config.get_nested(('workspaces',), default_value={})
-    if constants.SKYPILOT_DEFAULT_WORKSPACE not in workspaces:
-        workspaces[constants.SKYPILOT_DEFAULT_WORKSPACE] = {}
-    return workspaces
+    return workspaces_for_user(common_utils.get_current_user().id)
 
 
 def _update_workspaces_config(
@@ -160,7 +161,7 @@ def _check_workspaces_have_no_active_resources(
                 f'{len(workspace_clusters)} active cluster(s): {cluster_list}')
 
         if workspace_active_jobs:
-            job_names = [job['job_id'] for job in workspace_active_jobs]
+            job_names = [str(job['job_id']) for job in workspace_active_jobs]
             job_list = ', '.join(job_names)
             workspace_errors.append(
                 f'{len(workspace_active_jobs)} active managed job(s): '
@@ -223,14 +224,19 @@ def update_workspace(workspace_name: str, config: Dict[str,
         FileNotFoundError: If the config file cannot be found.
         PermissionError: If the config file cannot be written.
     """
+    _validate_workspace_config(workspace_name, config)
+
     # Check for active clusters and managed jobs in the workspace
+    # TODO(zhwu): we should allow the edits that only contain changes to
+    # allowed_users or private.
     _check_workspace_has_no_active_resources(workspace_name, 'update')
 
-    _validate_workspace_config(workspace_name, config)
-
     def update_workspace_fn(workspaces: Dict[str, Any]) -> None:
         """Function to update workspace inside the lock."""
         workspaces[workspace_name] = config
+        users = workspaces_utils.get_workspace_users(config)
+        permission_service = permission.permission_service
+        permission_service.update_workspace_policy(workspace_name, users)
 
     # Use the internal helper function to save
     result = _update_workspaces_config(update_workspace_fn)
@@ -275,6 +281,10 @@ def create_workspace(workspace_name: str, config: Dict[str,
             raise ValueError(f'Workspace {workspace_name!r} already exists. '
                              'Use update instead.')
         workspaces[workspace_name] = config
+        # Add policy for the workspace and allowed users
+        users = workspaces_utils.get_workspace_users(config)
+        permission_service = permission.permission_service
+        permission_service.add_workspace_policy(workspace_name, users)
 
     # Use the internal helper function to save
     result = _update_workspaces_config(create_workspace_fn)
@@ -324,6 +334,8 @@ def delete_workspace(workspace_name: str) -> Dict[str, Any]:
         if workspace_name not in workspaces:
             raise ValueError(f'Workspace {workspace_name!r} does not exist.')
         del workspaces[workspace_name]
+        permission_service = permission.permission_service
+        permission_service.remove_workspace_policy(workspace_name)
 
     # Use the internal helper function to save
     return _update_workspaces_config(delete_workspace_fn)
@@ -369,6 +381,9 @@ def update_config(config: Dict[str, Any]) -> Dict[str, Any]:
 
     # Check for API server changes and validate them
     current_config = skypilot_config.to_dict()
+    # If there is no changes to the config, we can return early
+    if current_config == config:
+        return config
 
     current_endpoint = current_config.get('api_server', {}).get('endpoint')
     new_endpoint = config.get('api_server', {}).get('endpoint')
@@ -382,15 +397,27 @@ def update_config(config: Dict[str, Any]) -> Dict[str, Any]:
 
     # Collect all workspaces that need to be checked for active resources
     workspaces_to_check = []
+    workspaces_to_check_policy: Dict[str, Dict[str, List[str]]] = {
+        'add': {},
+        'update': {},
+        'delete': {}
+    }
 
     # Check each workspace that is being modified
     for workspace_name, new_workspace_config in new_workspaces.items():
+        if workspace_name not in current_workspaces:
+            users = workspaces_utils.get_workspace_users(new_workspace_config)
+            workspaces_to_check_policy['add'][workspace_name] = users
+            continue
+
         current_workspace_config = current_workspaces.get(workspace_name, {})
 
         # If workspace configuration is changing, validate and mark for checking
         if current_workspace_config != new_workspace_config:
             _validate_workspace_config(workspace_name, new_workspace_config)
             workspaces_to_check.append((workspace_name, 'update'))
+            users = workspaces_utils.get_workspace_users(new_workspace_config)
+            workspaces_to_check_policy['update'][workspace_name] = users
 
     # Check for workspace deletions
     for workspace_name in current_workspaces:
@@ -400,6 +427,7 @@ def update_config(config: Dict[str, Any]) -> Dict[str, Any]:
                 raise ValueError(f'Cannot delete the default workspace '
                                  f'{constants.SKYPILOT_DEFAULT_WORKSPACE!r}.')
             workspaces_to_check.append((workspace_name, 'delete'))
+            workspaces_to_check_policy['delete'][workspace_name] = ['*']
 
     # Check all workspaces for active resources in one efficient call
     _check_workspaces_have_no_active_resources(workspaces_to_check)
@@ -412,6 +440,18 @@ def update_config(config: Dict[str, Any]) -> Dict[str, Any]:
             # Convert to config_utils.Config and save
             config_obj = config_utils.Config.from_dict(config)
             skypilot_config.update_api_server_config_no_lock(config_obj)
+            permission_service = permission.permission_service
+            for operation, workspaces in workspaces_to_check_policy.items():
+                for workspace_name, users in workspaces.items():
+                    if operation == 'add':
+                        permission_service.add_workspace_policy(
+                            workspace_name, users)
+                    elif operation == 'update':
+                        permission_service.update_workspace_policy(
+                            workspace_name, users)
+                    elif operation == 'delete':
+                        permission_service.remove_workspace_policy(
+                            workspace_name)
     except filelock.Timeout as e:
         raise RuntimeError(
             f'Failed to update configuration due to a timeout '
@@ -429,3 +469,55 @@ def update_config(config: Dict[str, Any]) -> Dict[str, Any]:
         # Don't fail the update if the check fails, just warn
 
     return config
+
+
+def reject_request_for_unauthorized_workspace(user: models.User) -> None:
+    """Rejects a request that has no permission to access active workspace.
+
+    Args:
+        user: The user making the request.
+
+    Raises:
+        PermissionDeniedError: If the user does not have permission to access
+            the active workspace.
+    """
+    active_workspace = skypilot_config.get_active_workspace()
+    if not permission.permission_service.check_workspace_permission(
+            user.id, active_workspace):
+        raise exceptions.PermissionDeniedError(
+            f'User {user.name} ({user.id}) does not have '
+            f'permission to access workspace {active_workspace!r}')
+
+
+def is_workspace_private(workspace_config: Dict[str, Any]) -> bool:
+    """Check if a workspace is private.
+
+    Args:
+        workspace_config: The workspace configuration dictionary.
+
+    Returns:
+        True if the workspace is private, False if it's public.
+    """
+    return workspace_config.get('private', False)
+
+
+@annotations.lru_cache(scope='request', maxsize=1)
+def workspaces_for_user(user_id: str) -> Dict[str, Any]:
+    """Returns the workspaces that the user has access to.
+
+    Args:
+        user_id: The user id to check.
+
+    Returns:
+        A map from workspace name to workspace configuration.
+    """
+    workspaces = skypilot_config.get_nested(('workspaces',), default_value={})
+    if constants.SKYPILOT_DEFAULT_WORKSPACE not in workspaces:
+        workspaces[constants.SKYPILOT_DEFAULT_WORKSPACE] = {}
+    user_workspaces = {}
+
+    for workspace_name, workspace_config in workspaces.items():
+        if permission.permission_service.check_workspace_permission(
+                user_id, workspace_name):
+            user_workspaces[workspace_name] = workspace_config
+    return user_workspaces

sky/workspaces/server.py

@@ -14,10 +14,18 @@ router = fastapi.APIRouter()
 # pylint: disable=redefined-builtin
 async def get(request: fastapi.Request) -> None:
     """Gets workspace config on the server."""
+    # Have to manually inject user info into the request body because the
+    # request body is not available in the GET endpoint.
+    auth_user = request.state.auth_user
+    auth_user_env_vars_kwargs = {
+        'env_vars': auth_user.to_env_vars()
+    } if auth_user else {}
+    request_body = payloads.RequestBody(**auth_user_env_vars_kwargs)
+
     executor.schedule_request(
         request_id=request.state.request_id,
         request_name='workspaces.get',
-        request_body=payloads.RequestBody(),
+        request_body=request_body,
         func=core.get_workspaces,
         schedule_type=api_requests.ScheduleType.SHORT,
     )
@@ -65,10 +73,15 @@ async def delete(request: fastapi.Request,
 @router.get('/config')
 async def get_config(request: fastapi.Request) -> None:
     """Gets the entire SkyPilot configuration."""
+    auth_user = request.state.auth_user
+    auth_user_env_vars_kwargs = {
+        'env_vars': auth_user.to_env_vars()
+    } if auth_user else {}
+    get_config_body = payloads.GetConfigBody(**auth_user_env_vars_kwargs)
     executor.schedule_request(
         request_id=request.state.request_id,
         request_name='workspaces.get_config',
-        request_body=payloads.GetConfigBody(),
+        request_body=get_config_body,
         func=core.get_config,
         schedule_type=api_requests.ScheduleType.SHORT,
     )

sky/workspaces/utils.py

@@ -0,0 +1,56 @@
+"""Utils for workspaces."""
+import collections
+from typing import Any, Dict, List
+
+from sky import global_user_state
+from sky import sky_logging
+
+logger = sky_logging.init_logger(__name__)
+
+
+def get_workspace_users(workspace_config: Dict[str, Any]) -> List[str]:
+    """Get the users that should have access to a workspace.
+
+    workspace_config is a dict with the following keys:
+    - private: bool
+    - allowed_users: list of user names or IDs
+
+    This function will automatically resolve the user names to IDs.
+
+    Args:
+        workspace_config: The configuration of the workspace.
+
+    Returns:
+        List of user IDs that should have access to the workspace.
+        For private workspaces, returns specific user IDs.
+        For public workspaces, returns ['*'] to indicate all users.
+    """
+    if workspace_config.get('private', False):
+        user_ids = []
+        workspace_user_name_or_ids = workspace_config.get('allowed_users', [])
+        all_users = global_user_state.get_all_users()
+        all_user_ids = {user.id for user in all_users}
+        all_user_map = collections.defaultdict(list)
+        for user in all_users:
+            all_user_map[user.name].append(user.id)
+
+        # Resolve user names to IDs
+        for user_name_or_id in workspace_user_name_or_ids:
+            if user_name_or_id in all_user_ids:
+                user_ids.append(user_name_or_id)
+            elif user_name_or_id in all_user_map:
+                if len(all_user_map[user_name_or_id]) > 1:
+                    user_ids_str = ', '.join(all_user_map[user_name_or_id])
+                    raise ValueError(
+                        f'User {user_name_or_id!r} has multiple IDs: '
+                        f'{user_ids_str}. Please specify the user '
+                        f'ID instead.')
+                user_ids.append(all_user_map[user_name_or_id][0])
+            else:
+                logger.warning(
+                    f'User {user_name_or_id!r} not found in all users')
+                continue
+        return user_ids
+    else:
+        # Public workspace - return '*' to indicate all users should have access
+        return ['*']

{skypilot_nightly-1.0.0.dev20250606.dist-info → skypilot_nightly-1.0.0.dev20250609.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skypilot-nightly
-Version: 1.0.0.dev20250606
+Version: 1.0.0.dev20250609
 Summary: SkyPilot: Run AI on Any Infra — Unified, Faster, Cheaper.
 Author: SkyPilot Team
 License: Apache 2.0