skypilot-nightly 1.0.0.dev20250607__py3-none-any.whl → 1.0.0.dev20250609__py3-none-any.whl

sky/jobs/server/server.py

@@ -1,12 +1,9 @@
 """REST API for managed jobs."""
-import os
 
 import fastapi
-import httpx
 
 from sky import sky_logging
 from sky.jobs.server import core
-from sky.jobs.server import dashboard_utils
 from sky.server import common as server_common
 from sky.server import stream_utils
 from sky.server.requests import executor
@@ -14,7 +11,6 @@ from sky.server.requests import payloads
 from sky.server.requests import requests as api_requests
 from sky.skylet import constants
 from sky.utils import common
-from sky.utils import common_utils
 
 logger = sky_logging.init_logger(__name__)
 
@@ -110,94 +106,3 @@ async def download_logs(
         if jobs_download_logs_body.refresh else api_requests.ScheduleType.SHORT,
         request_cluster_name=common.JOB_CONTROLLER_NAME,
     )
-
-
-@router.get('/dashboard')
-async def dashboard(request: fastapi.Request,
-                    user_hash: str) -> fastapi.Response:
-    # TODO(cooperc): Support showing only jobs for a specific user.
-
-    # FIX(zhwu/cooperc/eric): Fix log downloading (assumes global
-    # /download_log/xx route)
-
-    # Note: before #4717, each user had their own controller, and thus their own
-    # dashboard. Now, all users share the same controller, so this isn't really
-    # necessary. TODO(cooperc): clean up.
-
-    # TODO: Put this in an executor to avoid blocking the main server thread.
-    # It can take a long time if it needs to check the controller status.
-
-    # Find the port for the dashboard of the user
-    os.environ[constants.USER_ID_ENV_VAR] = user_hash
-    server_common.reload_for_new_request(client_entrypoint=None,
-                                         client_command=None,
-                                         using_remote_api_server=False)
-    logger.info(f'Starting dashboard for user hash: {user_hash}')
-
-    with dashboard_utils.get_dashboard_lock_for_user(user_hash):
-        max_retries = 3
-        for attempt in range(max_retries):
-            port, pid = dashboard_utils.get_dashboard_session(user_hash)
-            if port == 0 or attempt > 0:
-                # Let the client know that we are waiting for starting the
-                # dashboard.
-                try:
-                    port, pid = core.start_dashboard_forwarding()
-                except Exception as e:  # pylint: disable=broad-except
-                    # We catch all exceptions to gracefully handle unknown
-                    # errors and raise an HTTPException to the client.
-                    msg = (
-                        'Dashboard failed to start: '
-                        f'{common_utils.format_exception(e, use_bracket=True)}')
-                    logger.error(msg)
-                    raise fastapi.HTTPException(status_code=503, detail=msg)
-                dashboard_utils.add_dashboard_session(user_hash, port, pid)
-
-            # Assuming the dashboard is forwarded to localhost on the API server
-            dashboard_url = f'http://localhost:{port}'
-            try:
-                # Ping the dashboard to check if it's still running
-                async with httpx.AsyncClient() as client:
-                    response = await client.request('GET',
-                                                    dashboard_url,
-                                                    timeout=5)
-                if response.is_success:
-                    break  # Connection successful, proceed with the request
-                # Raise an HTTPException here which will be caught by the
-                # following except block to retry with new connection
-                response.raise_for_status()
-            except Exception as e:  # pylint: disable=broad-except
-                # We catch all exceptions to gracefully handle unknown
-                # errors and retry or raise an HTTPException to the client.
-                # Assume an exception indicates that the dashboard connection
-                # is stale - remove it so that a new one is created.
-                dashboard_utils.remove_dashboard_session(user_hash)
-                msg = (
-                    f'Dashboard connection attempt {attempt + 1} failed with '
-                    f'{common_utils.format_exception(e, use_bracket=True)}')
-                logger.info(msg)
-                if attempt == max_retries - 1:
-                    raise fastapi.HTTPException(status_code=503, detail=msg)
-
-    # Create a client session to forward the request
-    try:
-        async with httpx.AsyncClient() as client:
-            # Make the request and get the response
-            response = await client.request(
-                method='GET',
-                url=f'{dashboard_url}',
-                headers=request.headers.raw,
-            )
-
-            # Create a new response with the content already read
-            content = await response.aread()
-            return fastapi.Response(
-                content=content,
-                status_code=response.status_code,
-                headers=dict(response.headers),
-                media_type=response.headers.get('content-type'))
-    except Exception as e:
-        msg = (f'Failed to forward request to dashboard: '
-               f'{common_utils.format_exception(e, use_bracket=True)}')
-        logger.error(msg)
-        raise fastapi.HTTPException(status_code=502, detail=msg)

sky/jobs/utils.py

@@ -1025,7 +1025,8 @@ def load_managed_job_queue(payload: str) -> List[Dict[str, Any]]:
         if 'user_hash' in job and job['user_hash'] is not None:
             # Skip jobs that do not have user_hash info.
             # TODO(cooperc): Remove check before 0.12.0.
-            job['user_name'] = global_user_state.get_user(job['user_hash']).name
+            user = global_user_state.get_user(job['user_hash'])
+            job['user_name'] = user.name if user is not None else None
     return jobs
 
 

sky/models.py

@@ -2,8 +2,13 @@
 
 import collections
 import dataclasses
+import getpass
+import os
 from typing import Any, Dict, Optional
 
+from sky.skylet import constants
+from sky.utils import common_utils
+
 
 @dataclasses.dataclass
 class User:
@@ -16,6 +21,19 @@ class User:
     def to_dict(self) -> Dict[str, Any]:
         return {'id': self.id, 'name': self.name}
 
+    def to_env_vars(self) -> Dict[str, Any]:
+        return {
+            constants.USER_ID_ENV_VAR: self.id,
+            constants.USER_ENV_VAR: self.name,
+        }
+
+    @classmethod
+    def get_current_user(cls) -> 'User':
+        """Returns the current user."""
+        user_name = os.getenv(constants.USER_ENV_VAR, getpass.getuser())
+        user_hash = common_utils.get_user_hash()
+        return User(id=user_hash, name=user_name)
+
 
 RealtimeGpuAvailability = collections.namedtuple(
     'RealtimeGpuAvailability', ['gpu', 'counts', 'capacity', 'available'])

sky/serve/server/core.py

@@ -221,7 +221,7 @@ def up(
         # for the first time; otherwise it is a name conflict.
         # Since the controller may be shared among multiple users, launch the
         # controller with the API server's user hash.
-        with common.with_server_user_hash():
+        with common.with_server_user():
             with skypilot_config.local_active_workspace_ctx(
                     constants.SKYPILOT_DEFAULT_WORKSPACE):
                 controller_job_id, controller_handle = execution.launch(

sky/server/common.py

@@ -39,6 +39,7 @@ if typing.TYPE_CHECKING:
     import requests
 
     from sky import dag as dag_lib
+    from sky import models
 else:
     pydantic = adaptors_common.LazyImport('pydantic')
     requests = adaptors_common.LazyImport('requests')
@@ -710,7 +711,7 @@ def request_body_to_params(body: 'pydantic.BaseModel') -> Dict[str, Any]:
 
 def reload_for_new_request(client_entrypoint: Optional[str],
                            client_command: Optional[str],
-                           using_remote_api_server: bool):
+                           using_remote_api_server: bool, user: 'models.User'):
     """Reload modules, global variables, and usage message for a new request."""
     # This should be called first to make sure the logger is up-to-date.
     sky_logging.reload_logger()
@@ -719,10 +720,11 @@ def reload_for_new_request(client_entrypoint: Optional[str],
     skypilot_config.safe_reload_config()
 
     # Reset the client entrypoint and command for the usage message.
-    common_utils.set_client_status(
+    common_utils.set_request_context(
         client_entrypoint=client_entrypoint,
         client_command=client_command,
         using_remote_api_server=using_remote_api_server,
+        user=user,
     )
 
     # Clear cache should be called before reload_logger and usage reset,

sky/server/constants.py

@@ -11,8 +11,6 @@ API_VERSION = '9'
 
 # Prefix for API request names.
 REQUEST_NAME_PREFIX = 'sky.'
-# The user ID of the SkyPilot system.
-SKYPILOT_SYSTEM_USER_ID = 'skypilot-system'
 # The memory (GB) that SkyPilot tries to not use to prevent OOM.
 MIN_AVAIL_MEM_GB = 2
 # Default encoder/decoder handler name.

sky/server/requests/executor.py

@@ -53,6 +53,7 @@ from sky.utils import context
 from sky.utils import context_utils
 from sky.utils import subprocess_utils
 from sky.utils import timeline
+from sky.workspaces import core as workspaces_core
 
 if typing.TYPE_CHECKING:
     import types
@@ -229,6 +230,9 @@ def override_request_env_and_config(
     original_env = os.environ.copy()
     os.environ.update(request_body.env_vars)
     # Note: may be overridden by AuthProxyMiddleware.
+    # TODO(zhwu): we need to make the entire request a context available to the
+    # entire request execution, so that we can access info like user through
+    # the execution.
     user = models.User(id=request_body.env_vars[constants.USER_ID_ENV_VAR],
                        name=request_body.env_vars[constants.USER_ENV_VAR])
     global_user_state.add_or_update_user(user)
@@ -237,13 +241,17 @@ def override_request_env_and_config(
     server_common.reload_for_new_request(
         client_entrypoint=request_body.entrypoint,
         client_command=request_body.entrypoint_command,
-        using_remote_api_server=request_body.using_remote_api_server)
+        using_remote_api_server=request_body.using_remote_api_server,
+        user=user)
     try:
         logger.debug(
             f'override path: {request_body.override_skypilot_config_path}')
         with skypilot_config.override_skypilot_config(
                 request_body.override_skypilot_config,
                 request_body.override_skypilot_config_path):
+            # Rejecting requests to workspaces that the user does not have
+            # permission to access.
+            workspaces_core.reject_request_for_unauthorized_workspace(user)
             yield
     finally:
         # We need to call the save_timeline() since atexit will not be
@@ -433,7 +441,7 @@ def prepare_request(
     """Prepare a request for execution."""
     user_id = request_body.env_vars[constants.USER_ID_ENV_VAR]
     if is_skypilot_system:
-        user_id = server_constants.SKYPILOT_SYSTEM_USER_ID
+        user_id = constants.SKYPILOT_SYSTEM_USER_ID
         global_user_state.add_or_update_user(
             models.User(id=user_id, name=user_id))
     request = api_requests.Request(request_id=request_id,

sky/server/requests/requests.py

@@ -11,7 +11,7 @@ import signal
 import sqlite3
 import time
 import traceback
-from typing import Any, Callable, Dict, List, Optional, Tuple
+from typing import Any, Callable, Dict, Generator, List, Optional, Tuple
 
 import colorama
 import filelock
@@ -204,7 +204,8 @@ class Request:
         """
         assert isinstance(self.request_body,
                           payloads.RequestBody), (self.name, self.request_body)
-        user_name = global_user_state.get_user(self.user_id).name
+        user = global_user_state.get_user(self.user_id)
+        user_name = user.name if user is not None else None
         return RequestPayload(
             request_id=self.request_id,
             name=self.name,
@@ -464,7 +465,7 @@ def request_lock_path(request_id: str) -> str:
 
 @contextlib.contextmanager
 @init_db
-def update_request(request_id: str):
+def update_request(request_id: str) -> Generator[Optional[Request], None, None]:
     """Get a SkyPilot API request."""
     request = _get_request_no_lock(request_id)
     yield request

sky/server/server.py

@@ -49,6 +49,7 @@ from sky.server.requests import preconditions
 from sky.server.requests import requests as requests_lib
 from sky.skylet import constants
 from sky.usage import usage_lib
+from sky.users import permission
 from sky.users import server as users_rest
 from sky.utils import admin_policy_utils
 from sky.utils import common as common_lib
@@ -105,17 +106,21 @@ class RBACMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
     """Middleware to handle RBAC."""
 
     async def dispatch(self, request: fastapi.Request, call_next):
-        if request.url.path.startswith('/dashboard/'):
+        # TODO(hailong): should have a list of paths
+        # that are not checked for RBAC
+        if (request.url.path.startswith('/dashboard/') or
+                request.url.path.startswith('/api/')):
             return await call_next(request)
 
         auth_user = _get_auth_user_header(request)
         if auth_user is None:
             return await call_next(request)
 
-        permission_service = users_rest.permission_service
+        permission_service = permission.permission_service
         # Check the role permission
-        if permission_service.check_permission(auth_user.id, request.url.path,
-                                               request.method):
+        if permission_service.check_endpoint_permission(auth_user.id,
+                                                        request.url.path,
+                                                        request.method):
             return fastapi.responses.JSONResponse(
                 status_code=403, content={'detail': 'Forbidden'})
 
@@ -154,9 +159,15 @@ class AuthProxyMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
         if auth_user is not None:
             newly_added = global_user_state.add_or_update_user(auth_user)
             if newly_added:
-                users_rest.permission_service.add_user_if_not_exists(
+                permission.permission_service.add_user_if_not_exists(
                     auth_user.id)
 
+        # Store user info in request.state for access by GET endpoints
+        if auth_user is not None:
+            request.state.auth_user = auth_user
+        else:
+            request.state.auth_user = None
+
         body = await request.body()
         if auth_user and body:
             try:
@@ -177,6 +188,12 @@ class AuthProxyMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
                             f'"env_vars" in request body is not a dictionary '
                             f'for request {request.state.request_id}. '
                             'Skipping user info injection into body.')
+                else:
+                    original_json['env_vars'] = {}
+                    original_json['env_vars'][
+                        constants.USER_ID_ENV_VAR] = auth_user.id
+                    original_json['env_vars'][
+                        constants.USER_ENV_VAR] = auth_user.name
                 request._body = json.dumps(original_json).encode('utf-8')  # pylint: disable=protected-access
         return await call_next(request)
 

sky/skylet/constants.py

@@ -419,3 +419,6 @@ ALL_CLOUDS = ('aws', 'azure', 'gcp', 'ibm', 'lambda', 'scp', 'oci',
               'kubernetes', 'runpod', 'vast', 'vsphere', 'cudo', 'fluidstack',
               'paperspace', 'do', 'nebius', 'ssh')
 # END constants used for service catalog.
+
+# The user ID of the SkyPilot system.
+SKYPILOT_SYSTEM_USER_ID = 'skypilot-system'

sky/skylet/job_lib.py

@@ -794,7 +794,8 @@ def load_job_queue(payload: str) -> List[Dict[str, Any]]:
     for job in jobs:
         job['status'] = JobStatus(job['status'])
         job['user_hash'] = job['username']
-        job['username'] = global_user_state.get_user(job['user_hash']).name
+        user = global_user_state.get_user(job['user_hash'])
+        job['username'] = user.name if user is not None else None
     return jobs
 
 

sky/skypilot_config.py

@@ -765,6 +765,15 @@ def update_api_server_config_no_lock(config: config_utils.Config) -> None:
     Args:
         config: The config to save and sync.
     """
+
+    def is_running_pytest() -> bool:
+        return 'PYTEST_CURRENT_TEST' in os.environ
+
+    # Only allow this function to be called by the API Server in production.
+    if not is_running_pytest() and os.environ.get(
+            constants.ENV_VAR_IS_SKYPILOT_SERVER) is None:
+        raise ValueError('This function can only be called by the API Server.')
+
     global_config_path = _resolve_server_config_path()
     if global_config_path is None:
         global_config_path = get_user_config_path()

sky/users/model.conf

@@ -12,4 +12,4 @@ g = _, _
 e = some(where (p.eft == allow))
 
 [matchers]
-m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+m = (g(r.sub, p.sub)|| p.sub == '*') && r.obj == p.obj && r.act == p.act

sky/users/permission.py

@@ -3,7 +3,7 @@ import contextlib
 import logging
 import os
 import threading
-from typing import List
+from typing import Generator, List
 
 import casbin
 import filelock
@@ -11,8 +11,11 @@ import sqlalchemy_adapter
 
 from sky import global_user_state
 from sky import sky_logging
+from sky.skylet import constants
 from sky.users import rbac
 
+logging.getLogger('casbin.policy').setLevel(sky_logging.ERROR)
+logging.getLogger('casbin.role').setLevel(sky_logging.ERROR)
 logger = sky_logging.init_logger(__name__)
 
 # Filelocks for the policy update.
@@ -38,17 +41,19 @@ class PermissionService:
                     model_path = os.path.join(os.path.dirname(__file__),
                                               'model.conf')
                     enforcer = casbin.Enforcer(model_path, adapter)
-                    logging.getLogger('casbin.policy').setLevel(
-                        sky_logging.ERROR)
-                    logging.getLogger('casbin.role').setLevel(sky_logging.ERROR)
                     self.enforcer = enforcer
         else:
             self.enforcer = _enforcer_instance.enforcer
-        self._maybe_initialize_policies()
+        with _policy_lock():
+            self._maybe_initialize_policies()
 
-    def _maybe_initialize_policies(self):
+    def _maybe_initialize_policies(self) -> None:
         """Initialize policies if they don't already exist."""
+        # TODO(zhwu): we should avoid running this on client side.
         logger.debug(f'Initializing policies in process: {os.getpid()}')
+        self._load_policy_no_lock()
+
+        policy_updated = False
 
         # Check if policies are already initialized by looking for existing
         # permission policies in the enforcer
@@ -66,6 +71,17 @@ class PermissionService:
                     expected_policies.append(
                         [role, item['path'], item['method']])
 
+        # Add workspace policy
+        workspace_policy_permissions = rbac.get_workspace_policy_permissions()
+        logger.debug(f'Workspace policy permissions from config: '
+                     f'{workspace_policy_permissions}')
+
+        for workspace_name, users in workspace_policy_permissions.items():
+            for user in users:
+                expected_policies.append([user, workspace_name, '*'])
+                logger.debug(f'Expected workspace policy: user={user}, '
+                             f'workspace={workspace_name}')
+
         # Check if all expected policies already exist
         policies_exist = all(
             any(policy == expected
@@ -86,48 +102,71 @@ class PermissionService:
                     for item in blocklist:
                         path = item['path']
                         method = item['method']
+                        logger.debug(f'Adding role policy: role={role}, '
+                                     f'path={path}, method={method}')
                         self.enforcer.add_policy(role, path, method)
-            self.enforcer.save_policy()
+                        policy_updated = True
+
+            for workspace_name, users in workspace_policy_permissions.items():
+                for user in users:
+                    logger.debug(f'Initializing workspace policy: user={user}, '
+                                 f'workspace={workspace_name}')
+                    self.enforcer.add_policy(user, workspace_name, '*')
+                    policy_updated = True
+            logger.debug('Policies initialized successfully')
         else:
             logger.debug('Policies already exist, skipping initialization')
 
         # Always ensure users have default roles (this is idempotent)
         all_users = global_user_state.get_all_users()
-        for user in all_users:
-            self.add_user_if_not_exists(user.id)
+        for existing_user in all_users:
+            user_added = self._add_user_if_not_exists_no_lock(existing_user.id)
+            policy_updated = policy_updated or user_added
+
+        if policy_updated:
+            self.enforcer.save_policy()
 
-    def add_user_if_not_exists(self, user: str) -> None:
+    def add_user_if_not_exists(self, user_id: str) -> None:
         """Add user role relationship."""
         with _policy_lock():
-            user_roles = self.enforcer.get_roles_for_user(user)
-            if not user_roles:
-                logger.info(f'User {user} has no roles, adding'
-                            f' default role {rbac.get_default_role()}')
-                self.enforcer.add_grouping_policy(user, rbac.get_default_role())
-                self.enforcer.save_policy()
-
-    def update_role(self, user: str, new_role: str):
+            self._add_user_if_not_exists_no_lock(user_id)
+
+    def _add_user_if_not_exists_no_lock(self, user_id: str) -> bool:
+        """Add user role relationship without lock.
+
+        Returns:
+            True if the user was added, False otherwise.
+        """
+        user_roles = self.enforcer.get_roles_for_user(user_id)
+        if not user_roles:
+            logger.info(f'User {user_id} has no roles, adding'
+                        f' default role {rbac.get_default_role()}')
+            self.enforcer.add_grouping_policy(user_id, rbac.get_default_role())
+            return True
+        return False
+
+    def update_role(self, user_id: str, new_role: str) -> None:
         """Update user role relationship."""
         with _policy_lock():
             # Get current roles
             self._load_policy_no_lock()
             # Avoid calling get_user_roles, as it will require the lock.
-            current_roles = self.enforcer.get_roles_for_user(user)
+            current_roles = self.enforcer.get_roles_for_user(user_id)
             if not current_roles:
-                logger.warning(f'User {user} has no roles')
+                logger.warning(f'User {user_id} has no roles')
             else:
                 # TODO(hailong): how to handle multiple roles?
                 current_role = current_roles[0]
                 if current_role == new_role:
-                    logger.info(f'User {user} already has role {new_role}')
+                    logger.info(f'User {user_id} already has role {new_role}')
                     return
-                self.enforcer.remove_grouping_policy(user, current_role)
+                self.enforcer.remove_grouping_policy(user_id, current_role)
 
             # Update user role
-            self.enforcer.add_grouping_policy(user, new_role)
+            self.enforcer.add_grouping_policy(user_id, new_role)
             self.enforcer.save_policy()
 
-    def get_user_roles(self, user: str) -> List[str]:
+    def get_user_roles(self, user_id: str) -> List[str]:
         """Get all roles for a user.
 
         This method returns all roles that the user has, including inherited
@@ -140,10 +179,11 @@ class PermissionService:
         Returns:
             A list of role names that the user has.
         """
-        self._load_policy()
-        return self.enforcer.get_roles_for_user(user)
+        self._load_policy_no_lock()
+        return self.enforcer.get_roles_for_user(user_id)
 
-    def check_permission(self, user: str, path: str, method: str) -> bool:
+    def check_endpoint_permission(self, user_id: str, path: str,
+                                  method: str) -> bool:
         """Check permission."""
         # We intentionally don't load the policy here, as it is a hot path, and
         # we don't support updating the policy.
@@ -151,28 +191,105 @@ class PermissionService:
         # it is a hot path in every request. It is ok to have a stale policy,
         # as long as it is eventually consistent.
         # self._load_policy_no_lock()
-        return self.enforcer.enforce(user, path, method)
+        return self.enforcer.enforce(user_id, path, method)
 
     def _load_policy_no_lock(self):
         """Load policy from storage."""
         self.enforcer.load_policy()
 
-    def _load_policy(self):
+    def load_policy(self):
         """Load policy from storage with lock."""
         with _policy_lock():
             self._load_policy_no_lock()
 
+    def check_workspace_permission(self, user_id: str,
+                                   workspace_name: str) -> bool:
+        """Check workspace permission.
+
+        This method checks if a user has permission to access a specific
+        workspace.
+
+        For private workspaces, the user must have explicit permission.
+
+        For public workspaces, the permission is granted via a wildcard policy
+        ('*').
+        """
+        if os.getenv(constants.ENV_VAR_IS_SKYPILOT_SERVER) is None:
+            # When it is not on API server, we allow all users to access all
+            # workspaces, as the workspace check has been done on API server.
+            return True
+        role = self.get_user_roles(user_id)
+        if rbac.RoleName.ADMIN.value in role:
+            return True
+        # The Casbin model matcher already handles the wildcard '*' case:
+        # m = (g(r.sub, p.sub)|| p.sub == '*') && r.obj == p.obj &&
+        # r.act == p.act
+        # This means if there's a policy ('*', workspace_name, '*'), it will
+        # match any user
+        result = self.enforcer.enforce(user_id, workspace_name, '*')
+        logger.debug(f'Workspace permission check: user={user_id}, '
+                     f'workspace={workspace_name}, result={result}')
+        return result
+
+    def add_workspace_policy(self, workspace_name: str,
+                             users: List[str]) -> None:
+        """Add workspace policy.
+
+        Args:
+            workspace_name: Name of the workspace
+            users: List of user IDs that should have access.
+                   For public workspaces, this should be ['*'].
+                   For private workspaces, this should be specific user IDs.
+        """
+        with _policy_lock():
+            for user in users:
+                logger.debug(f'Adding workspace policy: user={user}, '
+                             f'workspace={workspace_name}')
+                self.enforcer.add_policy(user, workspace_name, '*')
+            self.enforcer.save_policy()
+
+    def update_workspace_policy(self, workspace_name: str,
+                                users: List[str]) -> None:
+        """Update workspace policy.
+
+        Args:
+            workspace_name: Name of the workspace
+            users: List of user IDs that should have access.
+                   For public workspaces, this should be ['*'].
+                   For private workspaces, this should be specific user IDs.
+        """
+        with _policy_lock():
+            self._load_policy_no_lock()
+            # Remove all existing policies for this workspace
+            self.enforcer.remove_filtered_policy(1, workspace_name)
+            # Add new policies
+            for user in users:
+                logger.debug(f'Updating workspace policy: user={user}, '
+                             f'workspace={workspace_name}')
+                self.enforcer.add_policy(user, workspace_name, '*')
+            self.enforcer.save_policy()
+
+    def remove_workspace_policy(self, workspace_name: str) -> None:
+        """Remove workspace policy."""
+        with _policy_lock():
+            self.enforcer.remove_filtered_policy(1, workspace_name)
+            self.enforcer.save_policy()
+
 
 @contextlib.contextmanager
-def _policy_lock():
+def _policy_lock() -> Generator[None, None, None]:
     """Context manager for policy update lock."""
     try:
         with filelock.FileLock(POLICY_UPDATE_LOCK_PATH,
                                POLICY_UPDATE_LOCK_TIMEOUT_SECONDS):
             yield
     except filelock.Timeout as e:
-        raise RuntimeError(f'Failed to load policy due to a timeout '
+        raise RuntimeError(f'Failed to reload policy due to a timeout '
                            f'when trying to acquire the lock at '
                            f'{POLICY_UPDATE_LOCK_PATH}. '
                            'Please try again or manually remove the lock '
                            f'file if you believe it is stale.') from e
+
+
+# Singleton instance of PermissionService for other modules to use.
+permission_service = PermissionService()