skypilot-nightly 1.0.0.dev20250609__py3-none-any.whl → 1.0.0.dev20250611__py3-none-any.whl

sky/skypilot_config.py

@@ -58,6 +58,11 @@ import typing
 from typing import Any, Dict, Iterator, List, Optional, Tuple, Union
 
 import filelock
+import sqlalchemy
+from sqlalchemy import orm
+from sqlalchemy.dialects import postgresql
+from sqlalchemy.dialects import sqlite
+from sqlalchemy.ext import declarative
 
 from sky import exceptions
 from sky import sky_logging
@@ -66,6 +71,7 @@ from sky.skylet import constants
 from sky.utils import common_utils
 from sky.utils import config_utils
 from sky.utils import context
+from sky.utils import db_utils
 from sky.utils import schemas
 from sky.utils import ux_utils
 from sky.utils.kubernetes import config_map_utils
@@ -110,6 +116,56 @@ ENV_VAR_PROJECT_CONFIG = f'{constants.SKYPILOT_ENV_VAR_PREFIX}PROJECT_CONFIG'
 _GLOBAL_CONFIG_PATH = '~/.sky/config.yaml'
 _PROJECT_CONFIG_PATH = '.sky.yaml'
 
+_SQLALCHEMY_ENGINE: Optional[sqlalchemy.engine.Engine] = None
+API_SERVER_CONFIG_KEY = 'api_server_config'
+
+Base = declarative.declarative_base()
+
+config_yaml_table = sqlalchemy.Table(
+    'config_yaml',
+    Base.metadata,
+    sqlalchemy.Column('key', sqlalchemy.Text, primary_key=True),
+    sqlalchemy.Column('value', sqlalchemy.Text),
+)
+
+
+def create_table():
+    # Create tables if they don't exist
+    Base.metadata.create_all(bind=_SQLALCHEMY_ENGINE)
+
+
+def _get_config_yaml_from_db(key: str) -> Optional[config_utils.Config]:
+    assert _SQLALCHEMY_ENGINE is not None
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        row = session.query(config_yaml_table).filter_by(key=key).first()
+    if row:
+        db_config = config_utils.Config(yaml.safe_load(row.value))
+        db_config.pop_nested(('db',), None)
+        return db_config
+    return None
+
+
+def _set_config_yaml_to_db(key: str, config: config_utils.Config):
+    assert _SQLALCHEMY_ENGINE is not None
+    config.pop_nested(('db',), None)
+    config_str = common_utils.dump_yaml_str(dict(config))
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        if (_SQLALCHEMY_ENGINE.dialect.name ==
+                db_utils.SQLAlchemyDialect.SQLITE.value):
+            insert_func = sqlite.insert
+        elif (_SQLALCHEMY_ENGINE.dialect.name ==
+              db_utils.SQLAlchemyDialect.POSTGRESQL.value):
+            insert_func = postgresql.insert
+        else:
+            raise ValueError('Unsupported database dialect')
+        insert_stmnt = insert_func(config_yaml_table).values(key=key,
+                                                             value=config_str)
+        do_update_stmt = insert_stmnt.on_conflict_do_update(
+            index_elements=[config_yaml_table.c.key],
+            set_={config_yaml_table.c.value: config_str})
+        session.execute(do_update_stmt)
+        session.commit()
+
 
 class ConfigContext:
 
@@ -257,11 +313,6 @@ def _resolve_project_config_path() -> Optional[str]:
     return None
 
 
-def _get_project_config() -> config_utils.Config:
-    """Returns the project config."""
-    return _get_config_from_path(_resolve_project_config_path())
-
-
 def _resolve_server_config_path() -> Optional[str]:
     # find the server config file
     server_config_path = _get_config_file_path(ENV_VAR_GLOBAL_CONFIG)
@@ -507,26 +558,35 @@ def _reload_config_from_internal_file(internal_config_path: str) -> None:
 
 
 def _reload_config_as_server() -> None:
+    global _SQLALCHEMY_ENGINE
     # Reset the global variables, to avoid using stale values.
     _set_loaded_config(config_utils.Config())
     _set_loaded_config_path(None)
 
-    overrides: List[config_utils.Config] = []
     server_config_path = _resolve_server_config_path()
     server_config = _get_config_from_path(server_config_path)
-    if server_config:
-        overrides.append(server_config)
 
-    # layer the configs on top of each other based on priority
-    overlaid_server_config: config_utils.Config = config_utils.Config()
-    for override in overrides:
-        overlaid_server_config = overlay_skypilot_config(
-            original_config=overlaid_server_config, override_configs=override)
     if sky_logging.logging_enabled(logger, sky_logging.DEBUG):
-        logger.debug(
-            f'server config: \n'
-            f'{common_utils.dump_yaml_str(dict(overlaid_server_config))}')
-    _set_loaded_config(overlaid_server_config)
+        logger.debug(f'server config: \n'
+                     f'{common_utils.dump_yaml_str(dict(server_config))}')
+
+    db_url = server_config.get_nested(('db',), None)
+    if db_url and len(server_config.keys()) > 1:
+        raise ValueError(
+            'if db config is specified, no other config is allowed')
+
+    if db_url:
+        if _SQLALCHEMY_ENGINE is None:
+            _SQLALCHEMY_ENGINE = sqlalchemy.create_engine(db_url)
+            create_table()
+        db_config = _get_config_yaml_from_db(API_SERVER_CONFIG_KEY)
+        if db_config:
+            if sky_logging.logging_enabled(logger, sky_logging.DEBUG):
+                logger.debug(f'Config loaded from db:\n'
+                             f'{common_utils.dump_yaml_str(dict(db_config))}')
+            server_config = overlay_skypilot_config(server_config, db_config)
+
+    _set_loaded_config(server_config)
     _set_loaded_config_path(server_config_path)
 
 
@@ -778,13 +838,27 @@ def update_api_server_config_no_lock(config: config_utils.Config) -> None:
     if global_config_path is None:
         global_config_path = get_user_config_path()
 
-    # Always save to the local file (PVC in Kubernetes, local file otherwise)
-    common_utils.dump_yaml(global_config_path, dict(config))
-
-    if config_map_utils.is_running_in_kubernetes():
-        # In Kubernetes, sync the PVC config to ConfigMap for user convenience
-        # PVC file is the source of truth, ConfigMap is just a mirror for easy
-        # access
-        config_map_utils.patch_configmap_with_config(config, global_config_path)
+    db_updated = False
+    if os.environ.get(constants.ENV_VAR_IS_SKYPILOT_SERVER) is not None:
+        existing_db_url = get_nested(('db',), None)
+        if existing_db_url:
+            new_db_url = config.get_nested(('db',), None)
+            if new_db_url and new_db_url != existing_db_url:
+                raise ValueError('Cannot change db url while server is running')
+            logger.debug('saving api_server config to db')
+            _set_config_yaml_to_db(API_SERVER_CONFIG_KEY, config)
+            db_updated = True
+
+    if not db_updated:
+        # save to the local file (PVC in Kubernetes, local file otherwise)
+        common_utils.dump_yaml(global_config_path, dict(config))
+
+        if config_map_utils.is_running_in_kubernetes():
+            # In Kubernetes, sync the PVC config to ConfigMap for user
+            # convenience.
+            # PVC file is the source of truth, ConfigMap is just a mirror for
+            # easy access.
+            config_map_utils.patch_configmap_with_config(
+                config, global_config_path)
 
     _reload_config()

sky/users/permission.py

@@ -30,26 +30,34 @@ class PermissionService:
     """Permission service for SkyPilot API Server."""
 
     def __init__(self):
-        global _enforcer_instance
-        if _enforcer_instance is None:
-            # For different threads, we share the same enforcer instance.
-            with _lock:
-                if _enforcer_instance is None:
-                    _enforcer_instance = self
-                    engine = global_user_state.SQLALCHEMY_ENGINE
-                    adapter = sqlalchemy_adapter.Adapter(engine)
-                    model_path = os.path.join(os.path.dirname(__file__),
-                                              'model.conf')
-                    enforcer = casbin.Enforcer(model_path, adapter)
-                    self.enforcer = enforcer
-        else:
-            self.enforcer = _enforcer_instance.enforcer
-        with _policy_lock():
-            self._maybe_initialize_policies()
+        self.enforcer = None
+        self.init_lock = threading.Lock()
+
+    def _lazy_initialize(self):
+        if self.enforcer is not None:
+            return
+        with self.init_lock:
+            if self.enforcer is not None:
+                return
+            global _enforcer_instance
+            if _enforcer_instance is None:
+                # For different threads, we share the same enforcer instance.
+                with _lock:
+                    if _enforcer_instance is None:
+                        _enforcer_instance = self
+                        engine = global_user_state.initialize_and_get_db()
+                        adapter = sqlalchemy_adapter.Adapter(engine)
+                        model_path = os.path.join(os.path.dirname(__file__),
+                                                  'model.conf')
+                        enforcer = casbin.Enforcer(model_path, adapter)
+                        self.enforcer = enforcer
+            else:
+                self.enforcer = _enforcer_instance.enforcer
+            with _policy_lock():
+                self._maybe_initialize_policies()
 
     def _maybe_initialize_policies(self) -> None:
         """Initialize policies if they don't already exist."""
-        # TODO(zhwu): we should avoid running this on client side.
         logger.debug(f'Initializing policies in process: {os.getpid()}')
         self._load_policy_no_lock()
 
@@ -128,6 +136,7 @@ class PermissionService:
 
     def add_user_if_not_exists(self, user_id: str) -> None:
         """Add user role relationship."""
+        self._lazy_initialize()
         with _policy_lock():
             self._add_user_if_not_exists_no_lock(user_id)
 
@@ -147,6 +156,7 @@ class PermissionService:
 
     def update_role(self, user_id: str, new_role: str) -> None:
         """Update user role relationship."""
+        self._lazy_initialize()
         with _policy_lock():
             # Get current roles
             self._load_policy_no_lock()
@@ -179,6 +189,7 @@ class PermissionService:
         Returns:
             A list of role names that the user has.
         """
+        self._lazy_initialize()
         self._load_policy_no_lock()
         return self.enforcer.get_roles_for_user(user_id)
 
@@ -191,6 +202,7 @@ class PermissionService:
         # it is a hot path in every request. It is ok to have a stale policy,
         # as long as it is eventually consistent.
         # self._load_policy_no_lock()
+        self._lazy_initialize()
         return self.enforcer.enforce(user_id, path, method)
 
     def _load_policy_no_lock(self):
@@ -199,6 +211,7 @@ class PermissionService:
 
     def load_policy(self):
         """Load policy from storage with lock."""
+        self._lazy_initialize()
         with _policy_lock():
             self._load_policy_no_lock()
 
@@ -214,6 +227,7 @@ class PermissionService:
         For public workspaces, the permission is granted via a wildcard policy
         ('*').
         """
+        self._lazy_initialize()
         if os.getenv(constants.ENV_VAR_IS_SKYPILOT_SERVER) is None:
             # When it is not on API server, we allow all users to access all
             # workspaces, as the workspace check has been done on API server.
@@ -241,6 +255,7 @@ class PermissionService:
                    For public workspaces, this should be ['*'].
                    For private workspaces, this should be specific user IDs.
         """
+        self._lazy_initialize()
         with _policy_lock():
             for user in users:
                 logger.debug(f'Adding workspace policy: user={user}, '
@@ -258,6 +273,7 @@ class PermissionService:
                    For public workspaces, this should be ['*'].
                    For private workspaces, this should be specific user IDs.
         """
+        self._lazy_initialize()
         with _policy_lock():
             self._load_policy_no_lock()
             # Remove all existing policies for this workspace
@@ -271,6 +287,7 @@ class PermissionService:
 
     def remove_workspace_policy(self, workspace_name: str) -> None:
         """Remove workspace policy."""
+        self._lazy_initialize()
         with _policy_lock():
             self.enforcer.remove_filtered_policy(1, workspace_name)
             self.enforcer.save_policy()

sky/utils/admin_policy_utils.py

@@ -3,6 +3,7 @@ import contextlib
 import copy
 import importlib
 from typing import Iterator, Optional, Tuple, Union
+import urllib.parse
 
 import colorama
 
@@ -19,18 +20,34 @@ from sky.utils import ux_utils
 logger = sky_logging.init_logger(__name__)
 
 
-def _get_policy_cls(
-        policy: Optional[str]) -> Optional[admin_policy.AdminPolicy]:
+def _is_url(policy_string: str) -> bool:
+    """Check if the policy string is a URL."""
+    try:
+        parsed = urllib.parse.urlparse(policy_string)
+        return parsed.scheme in ('http', 'https')
+    except Exception:  # pylint: disable=broad-except
+        return False
+
+
+def _get_policy_impl(
+        policy_location: Optional[str]
+) -> Optional[admin_policy.PolicyInterface]:
     """Gets admin-defined policy."""
-    if policy is None:
+    if policy_location is None:
         return None
+
+    if _is_url(policy_location):
+        # Use the built-in URL policy class when an URL is specified.
+        return admin_policy.RestfulAdminPolicy(policy_location)
+
+    # Handle module path format
     try:
-        module_path, class_name = policy.rsplit('.', 1)
+        module_path, class_name = policy_location.rsplit('.', 1)
         module = importlib.import_module(module_path)
     except ImportError as e:
         with ux_utils.print_exception_no_traceback():
             raise ImportError(
-                f'Failed to import policy module: {policy}. '
+                f'Failed to import policy module: {policy_location}. '
                 'Please check if the module is installed in your Python '
                 'environment.') from e
 
@@ -42,19 +59,22 @@ def _get_policy_cls(
                 f'Could not find {class_name} class in module {module_path}. '
                 'Please check with your policy admin for details.') from e
 
-    # Check if the module implements the AdminPolicy interface.
+    # Currently we only allow users to define subclass of AdminPolicy
+    # instead of inheriting from PolicyInterface or PolicyTemplate.
     if not issubclass(policy_cls, admin_policy.AdminPolicy):
         with ux_utils.print_exception_no_traceback():
             raise ValueError(
-                f'Policy class {policy!r} does not implement the AdminPolicy '
-                'interface. Please check with your policy admin for details.')
-    return policy_cls
+                f'Policy class {policy_cls!r} does not implement the '
+                'AdminPolicy interface. Please check with your policy admin '
+                'for details.')
+    return policy_cls()
 
 
 @contextlib.contextmanager
 def apply_and_use_config_in_current_request(
     entrypoint: Union['dag_lib.Dag', 'task_lib.Task'],
     request_options: Optional[admin_policy.RequestOptions] = None,
+    at_client_side: bool = False,
 ) -> Iterator['dag_lib.Dag']:
     """Applies an admin policy and override SkyPilot config for current request
 
@@ -66,7 +86,7 @@ def apply_and_use_config_in_current_request(
     Refer to `apply()` for more details.
     """
     original_config = skypilot_config.to_dict()
-    dag, mutated_config = apply(entrypoint, request_options)
+    dag, mutated_config = apply(entrypoint, request_options, at_client_side)
     if mutated_config != original_config:
         with skypilot_config.replace_skypilot_config(mutated_config):
             yield dag
@@ -77,6 +97,7 @@ def apply_and_use_config_in_current_request(
 def apply(
     entrypoint: Union['dag_lib.Dag', 'task_lib.Task'],
     request_options: Optional[admin_policy.RequestOptions] = None,
+    at_client_side: bool = False,
 ) -> Tuple['dag_lib.Dag', config_utils.Config]:
     """Applies an admin policy (if registered) to a DAG or a task.
 
@@ -100,21 +121,25 @@ def apply(
     else:
         dag = entrypoint
 
-    policy = skypilot_config.get_nested(('admin_policy',), None)
-    policy_cls = _get_policy_cls(policy)
-    if policy_cls is None:
+    policy_location = skypilot_config.get_nested(('admin_policy',), None)
+    policy = _get_policy_impl(policy_location)
+    if policy is None:
         return dag, skypilot_config.to_dict()
 
-    logger.info(f'Applying policy: {policy}')
+    if at_client_side:
+        logger.info(f'Applying client admin policy: {policy}')
+    else:
+        logger.info(f'Applying server admin policy: {policy}')
     config = copy.deepcopy(skypilot_config.to_dict())
     mutated_dag = dag_lib.Dag()
     mutated_dag.name = dag.name
 
     mutated_config = None
     for task in dag.tasks:
-        user_request = admin_policy.UserRequest(task, config, request_options)
+        user_request = admin_policy.UserRequest(task, config, request_options,
+                                                at_client_side)
         try:
-            mutated_user_request = policy_cls.validate_and_mutate(user_request)
+            mutated_user_request = policy.apply(user_request)
         except Exception as e:  # pylint: disable=broad-except
             with ux_utils.print_exception_no_traceback():
                 raise exceptions.UserRequestRejectedByPolicy(

sky/utils/context.py

@@ -4,11 +4,13 @@ import asyncio
 from collections.abc import Mapping
 from collections.abc import MutableMapping
 import contextvars
+import functools
 import os
 import pathlib
 import subprocess
 import sys
-from typing import Dict, Optional, TextIO
+import typing
+from typing import Any, Callable, Dict, Optional, TextIO, TypeVar
 
 
 class Context(object):
@@ -256,6 +258,24 @@ class Popen(subprocess.Popen):
         super().__init__(*args, env=env, **kwargs)
 
 
+F = TypeVar('F', bound=Callable[..., Any])
+
+
+def contextual(func: F) -> F:
+    """Decorator to intiailize a context before executing the function.
+
+    If a context is already initialized, this decorator will reset the context,
+    i.e. all contextual variables set previously will be cleared.
+    """
+
+    @functools.wraps(func)
+    def wrapper(*args, **kwargs):
+        initialize()
+        return func(*args, **kwargs)
+
+    return typing.cast(F, wrapper)
+
+
 def initialize():
     """Initialize the current SkyPilot context."""
     _CONTEXT.set(Context())

sky/utils/controller_utils.py

@@ -24,6 +24,7 @@ from sky.clouds import gcp
 from sky.data import data_utils
 from sky.data import storage as storage_lib
 from sky.jobs import constants as managed_job_constants
+from sky.provision.kubernetes import constants as kubernetes_constants
 from sky.serve import constants as serve_constants
 from sky.setup_files import dependencies
 from sky.skylet import constants
@@ -272,6 +273,18 @@ def _get_cloud_dependencies_installation_commands(
             step_prefix = prefix_str.replace('<step>', str(len(commands) + 1))
             commands.append(f'echo -en "\\r{step_prefix}GCP SDK{empty_str}" &&'
                             f'{gcp.GOOGLE_SDK_INSTALLATION_COMMAND}')
+            if clouds.cloud_in_iterable(clouds.Kubernetes(), enabled_clouds):
+                # Install gke-gcloud-auth-plugin used for exec-auth with GKE.
+                # We install the plugin here instead of the next elif branch
+                # because gcloud is required to install the plugin, so the order
+                # of command execution is critical.
+
+                # We install plugin here regardless of whether exec-auth is
+                # actually used as exec-auth may be used in the future.
+                # TODO (kyuds): how to implement conservative installation?
+                commands.append(
+                    '(command -v gke-gcloud-auth-plugin &>/dev/null || '
+                    '(gcloud components install gke-gcloud-auth-plugin --quiet &>/dev/null))')  # pylint: disable=line-too-long
         elif isinstance(cloud, clouds.Kubernetes):
             step_prefix = prefix_str.replace('<step>', str(len(commands) + 1))
             commands.append(
@@ -295,7 +308,9 @@ def _get_cloud_dependencies_installation_commands(
                 '(curl -s -LO "https://dl.k8s.io/release/v1.31.6'
                 '/bin/linux/$ARCH/kubectl" && '
                 'sudo install -o root -g root -m 0755 '
-                'kubectl /usr/local/bin/kubectl))')
+                'kubectl /usr/local/bin/kubectl)) && '
+                f'echo -e \'#!/bin/bash\\nexport PATH="{kubernetes_constants.SKY_K8S_EXEC_AUTH_PATH}"\\nexec "$@"\' | sudo tee /usr/local/bin/{kubernetes_constants.SKY_K8S_EXEC_AUTH_WRAPPER} > /dev/null && '  # pylint: disable=line-too-long
+                f'sudo chmod +x /usr/local/bin/{kubernetes_constants.SKY_K8S_EXEC_AUTH_WRAPPER}')  # pylint: disable=line-too-long
         elif isinstance(cloud, clouds.Cudo):
             step_prefix = prefix_str.replace('<step>', str(len(commands) + 1))
             commands.append(

sky/utils/kubernetes/exec_kubeconfig_converter.py

@@ -12,6 +12,12 @@ It assumes the target environment has the auth executable available in PATH.
 If not, you'll need to update your environment container to include the auth
 executable in PATH.
 
+When using LOCAL_CREDENTIALS (aka exec auth) with Kubernetes, though, SkyPilot
+will automatically inject a wrapper script for common exec auth providers like
+GKE and EKS. This wrapper script helps to resolve path issues that may arise
+from executables installed on non system-default paths. Thus, the kubeconfig
+file may look different on the sky jobs controller.
+
 Usage:
     python -m sky.utils.kubernetes.exec_kubeconfig_converter
 """
@@ -20,52 +26,7 @@ import os
 
 import yaml
 
-
-def strip_auth_plugin_paths(kubeconfig_path: str, output_path: str):
-    """Strip path information from exec plugin commands in a kubeconfig file.
-
-    For Nebius kubeconfigs, also changes the --profile argument to 'sky'.
-
-    Args:
-        kubeconfig_path (str): Path to the input kubeconfig file
-        output_path (str): Path where the modified kubeconfig will be saved
-    """
-    with open(kubeconfig_path, 'r', encoding='utf-8') as file:
-        config = yaml.safe_load(file)
-
-    updated = False
-    for user in config.get('users', []):
-        exec_info = user.get('user', {}).get('exec', {})
-        current_command = exec_info.get('command', '')
-
-        if current_command:
-            # Strip the path and keep only the executable name
-            executable = os.path.basename(current_command)
-            if executable != current_command:
-                exec_info['command'] = executable
-                updated = True
-
-            # Handle Nebius kubeconfigs: change --profile to 'sky'
-            if executable == 'nebius' or current_command == 'nebius':
-                args = exec_info.get('args', [])
-                if args and '--profile' in args:
-                    try:
-                        profile_index = args.index('--profile')
-                        if profile_index + 1 < len(args):
-                            old_profile = args[profile_index + 1]
-                            if old_profile != 'sky':
-                                args[profile_index + 1] = 'sky'
-                                updated = True
-                    except ValueError:
-                        pass  # --profile not found in args
-
-    if updated:
-        with open(output_path, 'w', encoding='utf-8') as file:
-            yaml.safe_dump(config, file)
-        print('Kubeconfig updated with path-less exec auth. '
-              f'Saved to {output_path}')
-    else:
-        print('No updates made. No exec-based auth commands paths found.')
+from sky.provision.kubernetes import utils as kubernetes_utils
 
 
 def main():
@@ -85,7 +46,18 @@ def main():
         help='Output kubeconfig file path (default: %(default)s)')
 
     args = parser.parse_args()
-    strip_auth_plugin_paths(args.input, args.output)
+
+    with open(args.input, 'r', encoding='utf-8') as file:
+        config = yaml.safe_load(file)
+
+    updated = kubernetes_utils.format_kubeconfig_exec_auth(
+        config, args.output, False)
+
+    if updated:
+        print('Kubeconfig updated with path-less exec auth. '
+              f'Saved to {args.output}')
+    else:
+        print('No updates made.')
 
 
 if __name__ == '__main__':

sky/utils/schemas.py

@@ -1149,9 +1149,17 @@ def get_config_schema():
 
     admin_policy_schema = {
         'type': 'string',
-        # Check regex to be a valid python module path
-        'pattern': (r'^[a-zA-Z_][a-zA-Z0-9_]*'
-                    r'(\.[a-zA-Z_][a-zA-Z0-9_]*)+$'),
+        'anyOf': [
+            {
+                # Check regex to be a valid python module path
+                'pattern': (r'^[a-zA-Z_][a-zA-Z0-9_]*'
+                            r'(\.[a-zA-Z_][a-zA-Z0-9_]*)+$'),
+            },
+            {
+                # Check for valid HTTP/HTTPS URL
+                'pattern': r'^https?://.*$',
+            }
+        ]
     }
 
     allowed_clouds = {

{skypilot_nightly-1.0.0.dev20250609.dist-info → skypilot_nightly-1.0.0.dev20250611.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skypilot-nightly
-Version: 1.0.0.dev20250609
+Version: 1.0.0.dev20250611
 Summary: SkyPilot: Run AI on Any Infra — Unified, Faster, Cheaper.
 Author: SkyPilot Team
 License: Apache 2.0