skypilot-nightly 1.0.0.dev20250617__py3-none-any.whl → 1.0.0.dev20250619__py3-none-any.whl

sky/server/server.py

@@ -23,6 +23,7 @@ import zipfile
 import aiofiles
 import fastapi
 from fastapi.middleware import cors
+from passlib.hash import apr_md5_crypt
 import starlette.middleware.base
 
 import sky
@@ -102,6 +103,74 @@ logger = sky_logging.init_logger(__name__)
 # response will block other requests from being processed.
 
 
+def _basic_auth_401_response(content: str):
+    """Return a 401 response with basic auth realm."""
+    return fastapi.responses.JSONResponse(
+        status_code=401,
+        headers={'WWW-Authenticate': 'Basic realm=\"SkyPilot\"'},
+        content=content)
+
+
+# TODO(hailong): Remove this function and use request.state.auth_user instead.
+async def _override_user_info_in_request_body(request: fastapi.Request,
+                                              auth_user: Optional[models.User]):
+    body = await request.body()
+    if auth_user and body:
+        try:
+            original_json = await request.json()
+        except json.JSONDecodeError as e:
+            logger.error(f'Error parsing request JSON: {e}')
+        else:
+            logger.debug(f'Overriding user for {request.state.request_id}: '
+                         f'{auth_user.name}, {auth_user.id}')
+            if 'env_vars' in original_json:
+                if isinstance(original_json.get('env_vars'), dict):
+                    original_json['env_vars'][
+                        constants.USER_ID_ENV_VAR] = auth_user.id
+                    original_json['env_vars'][
+                        constants.USER_ENV_VAR] = auth_user.name
+                else:
+                    logger.warning(
+                        f'"env_vars" in request body is not a dictionary '
+                        f'for request {request.state.request_id}. '
+                        'Skipping user info injection into body.')
+            else:
+                original_json['env_vars'] = {}
+                original_json['env_vars'][
+                    constants.USER_ID_ENV_VAR] = auth_user.id
+                original_json['env_vars'][
+                    constants.USER_ENV_VAR] = auth_user.name
+            request._body = json.dumps(original_json).encode('utf-8')  # pylint: disable=protected-access
+
+
+def _try_set_basic_auth_user(request: fastapi.Request):
+    auth_header = request.headers.get('authorization')
+    if not auth_header or not auth_header.lower().startswith('basic '):
+        return
+
+    # Check username and password
+    encoded = auth_header.split(' ', 1)[1]
+    try:
+        decoded = base64.b64decode(encoded).decode()
+        username, password = decoded.split(':', 1)
+    except Exception:  # pylint: disable=broad-except
+        return
+
+    users = global_user_state.get_user_by_name(username)
+    if not users:
+        return
+
+    for user in users:
+        if not user.name or not user.password:
+            continue
+        username_encoded = username.encode('utf8')
+        db_username_encoded = user.name.encode('utf8')
+        if (username_encoded == db_username_encoded and
+                apr_md5_crypt.verify(password, user.password)):
+            request.state.auth_user = user
+            break
+
+
 class RBACMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
     """Middleware to handle RBAC."""
 
@@ -112,7 +181,7 @@ class RBACMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
                 request.url.path.startswith('/api/')):
             return await call_next(request)
 
-        auth_user = _get_auth_user_header(request)
+        auth_user = request.state.auth_user
         if auth_user is None:
             return await call_next(request)
 
@@ -149,6 +218,50 @@ def _get_auth_user_header(request: fastapi.Request) -> Optional[models.User]:
     return models.User(id=user_hash, name=user_name)
 
 
+class BasicAuthMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
+    """Middleware to handle HTTP Basic Auth."""
+
+    async def dispatch(self, request: fastapi.Request, call_next):
+        if request.url.path.startswith('/api/'):
+            # Try to set the auth user from the basic auth header so the
+            # following endpoint handlers can leverage the auth_user info
+            _try_set_basic_auth_user(request)
+            return await call_next(request)
+
+        auth_header = request.headers.get('authorization')
+        if not auth_header or not auth_header.lower().startswith('basic '):
+            return _basic_auth_401_response('Invalid basic auth')
+
+        # Check username and password
+        encoded = auth_header.split(' ', 1)[1]
+        try:
+            decoded = base64.b64decode(encoded).decode()
+            username, password = decoded.split(':', 1)
+        except Exception:  # pylint: disable=broad-except
+            return _basic_auth_401_response('Invalid basic auth')
+
+        users = global_user_state.get_user_by_name(username)
+        if not users:
+            return _basic_auth_401_response('Invalid credentials')
+
+        valid_user = False
+        for user in users:
+            if not user.name or not user.password:
+                continue
+            username_encoded = username.encode('utf8')
+            db_username_encoded = user.name.encode('utf8')
+            if (username_encoded == db_username_encoded and
+                    apr_md5_crypt.verify(password, user.password)):
+                valid_user = True
+                request.state.auth_user = user
+                await _override_user_info_in_request_body(request, user)
+                break
+        if not valid_user:
+            return _basic_auth_401_response('Invalid credentials')
+
+        return await call_next(request)
+
+
 class AuthProxyMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
     """Middleware to handle auth proxy."""
 
@@ -168,33 +281,7 @@ class AuthProxyMiddleware(starlette.middleware.base.BaseHTTPMiddleware):
         else:
             request.state.auth_user = None
 
-        body = await request.body()
-        if auth_user and body:
-            try:
-                original_json = await request.json()
-            except json.JSONDecodeError as e:
-                logger.error(f'Error parsing request JSON: {e}')
-            else:
-                logger.debug(f'Overriding user for {request.state.request_id}: '
-                             f'{auth_user.name}, {auth_user.id}')
-                if 'env_vars' in original_json:
-                    if isinstance(original_json.get('env_vars'), dict):
-                        original_json['env_vars'][
-                            constants.USER_ID_ENV_VAR] = auth_user.id
-                        original_json['env_vars'][
-                            constants.USER_ENV_VAR] = auth_user.name
-                    else:
-                        logger.warning(
-                            f'"env_vars" in request body is not a dictionary '
-                            f'for request {request.state.request_id}. '
-                            'Skipping user info injection into body.')
-                else:
-                    original_json['env_vars'] = {}
-                    original_json['env_vars'][
-                        constants.USER_ID_ENV_VAR] = auth_user.id
-                    original_json['env_vars'][
-                        constants.USER_ENV_VAR] = auth_user.name
-                request._body = json.dumps(original_json).encode('utf-8')  # pylint: disable=protected-access
+        await _override_user_info_in_request_body(request, auth_user)
         return await call_next(request)
 
 
@@ -306,6 +393,9 @@ app.add_middleware(
     allow_headers=['*'],
     # TODO(syang): remove X-Request-ID when v0.10.0 is released.
     expose_headers=['X-Request-ID', 'X-Skypilot-Request-ID'])
+enable_basic_auth = os.environ.get(constants.ENV_VAR_ENABLE_BASIC_AUTH, 'false')
+if str(enable_basic_auth).lower() == 'true':
+    app.add_middleware(BasicAuthMiddleware)
 app.add_middleware(AuthProxyMiddleware)
 app.add_middleware(RequestIDMiddleware)
 app.include_router(jobs_rest.router, prefix='/jobs', tags=['jobs'])
@@ -1232,7 +1322,7 @@ async def health(request: fastapi.Request) -> Dict[str, Any]:
           disk, which can be used to warn about restarting the API server
         - commit: str; The commit hash of SkyPilot used for API server.
     """
-    user = _get_auth_user_header(request)
+    user = request.state.auth_user
     return {
         'status': common.ApiServerStatus.HEALTHY.value,
         'api_version': server_constants.API_VERSION,
@@ -1240,6 +1330,8 @@ async def health(request: fastapi.Request) -> Dict[str, Any]:
         'version_on_disk': common.get_skypilot_version_on_disk(),
         'commit': sky.__commit__,
         'user': user.to_dict() if user is not None else None,
+        'basic_auth_enabled': os.environ.get(
+            constants.ENV_VAR_ENABLE_BASIC_AUTH, 'false').lower() == 'true',
     }
 
 

sky/setup_files/dependencies.py

@@ -58,8 +58,17 @@ install_requires = [
     'setproctitle',
     'sqlalchemy',
     'psycopg2-binary',
+    # TODO(hailong): These three dependencies should be removed after we make
+    # the client-side actually not importing them.
     'casbin',
     'sqlalchemy_adapter',
+    'passlib',
+]
+
+server_dependencies = [
+    'casbin',
+    'sqlalchemy_adapter',
+    'passlib',
 ]
 
 local_ray = [
@@ -162,7 +171,8 @@ extras_require: Dict[str, List[str]] = {
     'nebius': [
         'nebius>=0.2.0',
     ] + aws_dependencies,
-    'hyperbolic': []  # No dependencies needed for hyperbolic
+    'hyperbolic': [],  # No dependencies needed for hyperbolic
+    'server': server_dependencies,
 }
 
 # Nebius needs python3.10. If python 3.9 [all] will not install nebius

sky/skylet/constants.py

@@ -89,7 +89,7 @@ TASK_ID_LIST_ENV_VAR = f'{SKYPILOT_ENV_VAR_PREFIX}TASK_IDS'
 # cluster yaml is updated.
 #
 # TODO(zongheng,zhanghao): make the upgrading of skylet automatic?
-SKYLET_VERSION = '13'
+SKYLET_VERSION = '14'
 # The version of the lib files that skylet/jobs use. Whenever there is an API
 # change for the job_lib or log_lib, we need to bump this version, so that the
 # user can be notified to update their SkyPilot version on the remote cluster.
@@ -411,6 +411,11 @@ SKY_USER_FILE_PATH = '~/.sky/generated'
 # Environment variable that is set to 'true' if this is a skypilot server.
 ENV_VAR_IS_SKYPILOT_SERVER = 'IS_SKYPILOT_SERVER'
 
+# Environment variable that is set to 'true' if basic
+# authentication is enabled in the API server.
+ENV_VAR_ENABLE_BASIC_AUTH = 'ENABLE_BASIC_AUTH'
+SKYPILOT_INITIAL_BASIC_AUTH = 'SKYPILOT_INITIAL_BASIC_AUTH'
+
 SKYPILOT_DEFAULT_WORKSPACE = 'default'
 
 # BEGIN constants used for service catalog.
@@ -426,6 +431,9 @@ ALL_CLOUDS = ('aws', 'azure', 'gcp', 'ibm', 'lambda', 'scp', 'oci',
 # The user ID of the SkyPilot system.
 SKYPILOT_SYSTEM_USER_ID = 'skypilot-system'
 
+# The directory to store the logging configuration.
+LOGGING_CONFIG_DIR = '~/.sky/logging'
+
 # Resources constants
 TIME_UNITS = {
     's': 1 / 60,
@@ -460,3 +468,7 @@ MEMORY_SIZE_PATTERN = (
     f'{"|".join([unit.lower() for unit in MEMORY_SIZE_UNITS])}'
     ')?$/i')
 MEMORY_SIZE_PLUS_PATTERN = f'{MEMORY_SIZE_PATTERN[:-3]}+?$/i'
+
+MIN_PRIORITY = -1000
+MAX_PRIORITY = 1000
+DEFAULT_PRIORITY = 0

sky/skylet/job_lib.py

@@ -14,7 +14,7 @@ import sqlite3
 import threading
 import time
 import typing
-from typing import Any, Dict, List, Optional, Sequence
+from typing import Any, Dict, List, Optional, Sequence, Tuple
 
 import colorama
 import filelock
@@ -62,6 +62,7 @@ class JobInfoLoc(enum.IntEnum):
     END_AT = 7
     RESOURCES = 8
     PID = 9
+    LOG_PATH = 10
 
 
 def create_table(cursor, conn):
@@ -101,7 +102,8 @@ def create_table(cursor, conn):
         start_at FLOAT DEFAULT -1,
         end_at FLOAT DEFAULT NULL,
         resources TEXT DEFAULT NULL,
-        pid INTEGER DEFAULT -1)""")
+        pid INTEGER DEFAULT -1,
+        log_dir TEXT DEFAULT NULL)""")
 
     cursor.execute("""CREATE TABLE IF NOT EXISTS pending_jobs(
         job_id INTEGER,
@@ -114,6 +116,8 @@ def create_table(cursor, conn):
     db_utils.add_column_to_table(cursor, conn, 'jobs', 'resources', 'TEXT')
     db_utils.add_column_to_table(cursor, conn, 'jobs', 'pid',
                                  'INTEGER DEFAULT -1')
+    db_utils.add_column_to_table(cursor, conn, 'jobs', 'log_dir',
+                                 'TEXT DEFAULT NULL')
     conn.commit()
 
 
@@ -335,13 +339,13 @@ def make_job_command_with_user_switching(username: str,
 
 @init_db
 def add_job(job_name: str, username: str, run_timestamp: str,
-            resources_str: str) -> int:
+            resources_str: str) -> Tuple[int, str]:
     """Atomically reserve the next available job id for the user."""
     assert _DB is not None
     job_submitted_at = time.time()
     # job_id will autoincrement with the null value
     _DB.cursor.execute(
-        'INSERT INTO jobs VALUES (null, ?, ?, ?, ?, ?, ?, null, ?, 0)',
+        'INSERT INTO jobs VALUES (null, ?, ?, ?, ?, ?, ?, null, ?, 0, null)',
         (job_name, username, job_submitted_at, JobStatus.INIT.value,
          run_timestamp, None, resources_str))
     _DB.conn.commit()
@@ -350,7 +354,41 @@ def add_job(job_name: str, username: str, run_timestamp: str,
     for row in rows:
         job_id = row[0]
     assert job_id is not None
-    return job_id
+    log_dir = os.path.join(constants.SKY_LOGS_DIRECTORY, f'{job_id}-{job_name}')
+    set_log_dir_no_lock(job_id, log_dir)
+    return job_id, log_dir
+
+
+@init_db
+def set_log_dir_no_lock(job_id: int, log_dir: str) -> None:
+    """Set the log directory for the job.
+
+    We persist the log directory for the job to allow changing the log directory
+    generation logic over versions.
+
+    Args:
+        job_id: The ID of the job.
+        log_dir: The log directory for the job.
+    """
+    assert _DB is not None
+    _DB.cursor.execute('UPDATE jobs SET log_dir=(?) WHERE job_id=(?)',
+                       (log_dir, job_id))
+    _DB.conn.commit()
+
+
+@init_db
+def get_log_dir_for_job(job_id: int) -> Optional[str]:
+    """Get the log directory for the job.
+
+    Args:
+        job_id: The ID of the job.
+    """
+    assert _DB is not None
+    rows = _DB.cursor.execute('SELECT log_dir FROM jobs WHERE job_id=(?)',
+                              (job_id,))
+    for row in rows:
+        return row[0]
+    return None
 
 
 @init_db
@@ -978,8 +1016,8 @@ def get_run_timestamp(job_id: Optional[int]) -> Optional[str]:
 
 
 @init_db
-def run_timestamp_with_globbing_payload(job_ids: List[Optional[str]]) -> str:
-    """Returns the relative paths to the log files for job with globbing."""
+def get_log_dir_for_jobs(job_ids: List[Optional[str]]) -> str:
+    """Returns the relative paths to the log files for jobs with globbing."""
     assert _DB is not None
     query_str = ' OR '.join(['job_id GLOB (?)'] * len(job_ids))
     _DB.cursor.execute(
@@ -987,12 +1025,16 @@ def run_timestamp_with_globbing_payload(job_ids: List[Optional[str]]) -> str:
             SELECT * FROM jobs
             WHERE {query_str}""", job_ids)
     rows = _DB.cursor.fetchall()
-    run_timestamps = {}
+    job_to_dir = {}
     for row in rows:
         job_id = row[JobInfoLoc.JOB_ID.value]
-        run_timestamp = row[JobInfoLoc.RUN_TIMESTAMP.value]
-        run_timestamps[str(job_id)] = run_timestamp
-    return message_utils.encode_payload(run_timestamps)
+        if row[JobInfoLoc.LOG_PATH.value]:
+            job_to_dir[str(job_id)] = row[JobInfoLoc.LOG_PATH.value]
+        else:
+            run_timestamp = row[JobInfoLoc.RUN_TIMESTAMP.value]
+            job_to_dir[str(job_id)] = os.path.join(constants.SKY_LOGS_DIRECTORY,
+                                                   run_timestamp)
+    return message_utils.encode_payload(job_to_dir)
 
 
 class JobLibCodeGen:
@@ -1024,12 +1066,16 @@ class JobLibCodeGen:
             '\nif int(constants.SKYLET_VERSION) < 9: '
             'raise RuntimeError("SkyPilot runtime is too old, which does not '
             'support submitting jobs.")',
-            '\njob_id = job_lib.add_job('
+            '\nresult = job_lib.add_job('
             f'{job_name!r},'
             f'{username!r},'
             f'{run_timestamp!r},'
             f'{resources_str!r})',
-            'print("Job ID: " + str(job_id), flush=True)',
+            ('\nif isinstance(result, tuple):'
+             '\n  print("Job ID: " + str(result[0]), flush=True)'
+             '\n  print("Log Dir: " + str(result[1]), flush=True)'
+             '\nelse:'
+             '\n  print("Job ID: " + str(result), flush=True)'),
         ]
         return cls._build(code)
 
@@ -1098,9 +1144,17 @@ class JobLibCodeGen:
             # We use != instead of is not because 1 is not None will print a warning:
             # <stdin>:1: SyntaxWarning: "is not" with a literal. Did you mean "!="?
             f'job_id = {job_id} if {job_id} != None else job_lib.get_latest_job_id()',
-            'run_timestamp = job_lib.get_run_timestamp(job_id)',
-            f'log_dir = None if run_timestamp is None else os.path.join({constants.SKY_LOGS_DIRECTORY!r}, run_timestamp)',
-            f'tail_log_kwargs = {{"job_id": job_id, "log_dir": log_dir, "managed_job_id": {managed_job_id!r}, "follow": {follow}}}',
+            # For backward compatibility, use the legacy generation rule for
+            # jobs submitted before 0.11.0.
+            ('log_dir = None\n'
+             'if hasattr(job_lib, "get_log_dir_for_job"):\n'
+             '  log_dir = job_lib.get_log_dir_for_job(job_id)\n'
+             'if log_dir is None:\n'
+             '  run_timestamp = job_lib.get_run_timestamp(job_id)\n'
+             f'  log_dir = None if run_timestamp is None else os.path.join({constants.SKY_LOGS_DIRECTORY!r}, run_timestamp)'
+            ),
+            # Add a newline to leave the if indent block above.
+            f'\ntail_log_kwargs = {{"job_id": job_id, "log_dir": log_dir, "managed_job_id": {managed_job_id!r}, "follow": {follow}}}',
             f'{_LINUX_NEW_LINE}if getattr(constants, "SKYLET_LIB_VERSION", 1) > 1: tail_log_kwargs["tail"] = {tail}',
             f'{_LINUX_NEW_LINE}log_lib.tail_logs(**tail_log_kwargs)',
             # After tailing, check the job status and exit with appropriate code
@@ -1140,12 +1194,14 @@ class JobLibCodeGen:
         return cls._build(code)
 
     @classmethod
-    def get_run_timestamp_with_globbing(cls,
-                                        job_ids: Optional[List[str]]) -> str:
+    def get_log_dirs_for_jobs(cls, job_ids: Optional[List[str]]) -> str:
         code = [
             f'job_ids = {job_ids} if {job_ids} is not None '
             'else [job_lib.get_latest_job_id()]',
-            'log_dirs = job_lib.run_timestamp_with_globbing_payload(job_ids)',
+            # TODO(aylei): backward compatibility, remove after 0.12.0.
+            'log_dirs = job_lib.get_log_dir_for_jobs(job_ids) if '
+            'hasattr(job_lib, "get_log_dir_for_jobs") else '
+            'job_lib.run_timestamp_with_globbing_payload(job_ids)',
             'print(log_dirs, flush=True)',
         ]
         return cls._build(code)

sky/templates/kubernetes-ray.yml.j2

@@ -273,6 +273,15 @@ available_node_types:
             {% if (k8s_acc_label_key is not none and k8s_acc_label_values is not none) %}
             skypilot-binpack: "gpu"
             {% endif %}
+            {% if k8s_kueue_local_queue_name %}
+            kueue.x-k8s.io/queue-name: {{k8s_kueue_local_queue_name}}
+            kueue.x-k8s.io/pod-group-name: {{cluster_name_on_cloud}}
+            {% endif %}
+        {% if k8s_kueue_local_queue_name %}
+        annotations:
+            kueue.x-k8s.io/retriable-in-group: "false"
+            kueue.x-k8s.io/pod-group-total-count: "{{ num_nodes|string }}"
+        {% endif %}
       spec:
         # serviceAccountName: skypilot-service-account
         serviceAccountName: {{k8s_service_account_name}}

sky/users/permission.py

@@ -1,8 +1,8 @@
 """Permission service for SkyPilot API Server."""
 import contextlib
+import hashlib
 import logging
 import os
-import threading
 from typing import Generator, List
 
 import casbin
@@ -10,9 +10,11 @@ import filelock
 import sqlalchemy_adapter
 
 from sky import global_user_state
+from sky import models
 from sky import sky_logging
 from sky.skylet import constants
 from sky.users import rbac
+from sky.utils import common_utils
 
 logging.getLogger('casbin.policy').setLevel(sky_logging.ERROR)
 logging.getLogger('casbin.role').setLevel(sky_logging.ERROR)
@@ -23,31 +25,46 @@ POLICY_UPDATE_LOCK_PATH = os.path.expanduser('~/.sky/.policy_update.lock')
 POLICY_UPDATE_LOCK_TIMEOUT_SECONDS = 20
 
 _enforcer_instance = None
-_lock = threading.Lock()
 
 
 class PermissionService:
     """Permission service for SkyPilot API Server."""
 
     def __init__(self):
-        global _enforcer_instance
-        if _enforcer_instance is None:
-            # For different threads, we share the same enforcer instance.
-            with _lock:
-                if _enforcer_instance is None:
-                    _enforcer_instance = self
-                    engine = global_user_state.initialize_and_get_db()
-                    adapter = sqlalchemy_adapter.Adapter(engine)
-                    model_path = os.path.join(os.path.dirname(__file__),
-                                              'model.conf')
-                    enforcer = casbin.Enforcer(model_path, adapter)
-                    self.enforcer = enforcer
-                else:
-                    self.enforcer = _enforcer_instance.enforcer
-        else:
-            self.enforcer = _enforcer_instance.enforcer
         with _policy_lock():
-            self._maybe_initialize_policies()
+            global _enforcer_instance
+            if _enforcer_instance is None:
+                _enforcer_instance = self
+                engine = global_user_state.initialize_and_get_db()
+                adapter = sqlalchemy_adapter.Adapter(engine)
+                model_path = os.path.join(os.path.dirname(__file__),
+                                          'model.conf')
+                enforcer = casbin.Enforcer(model_path, adapter)
+                self.enforcer = enforcer
+                self._maybe_initialize_policies()
+                self._maybe_initialize_basic_auth_user()
+            else:
+                self.enforcer = _enforcer_instance.enforcer
+
+    def _maybe_initialize_basic_auth_user(self) -> None:
+        """Initialize basic auth user if it is enabled."""
+        basic_auth = os.environ.get(constants.SKYPILOT_INITIAL_BASIC_AUTH)
+        if not basic_auth:
+            return
+        username, password = basic_auth.split(':', 1)
+        if username and password:
+            user_hash = hashlib.md5(
+                username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH]
+            user_info = global_user_state.get_user(user_hash)
+            if user_info:
+                logger.info(f'Basic auth user {username} already exists')
+                return
+            global_user_state.add_or_update_user(
+                models.User(id=user_hash, name=username, password=password))
+            self.enforcer.add_grouping_policy(user_hash,
+                                              rbac.RoleName.ADMIN.value)
+            self.enforcer.save_policy()
+            logger.info(f'Basic auth user {username} initialized')
 
     def _maybe_initialize_policies(self) -> None:
         """Initialize policies if they don't already exist."""
@@ -147,6 +164,19 @@ class PermissionService:
             return True
         return False
 
+    def delete_user(self, user_id: str) -> None:
+        """Delete user role relationship."""
+        with _policy_lock():
+            # Get current roles
+            self._load_policy_no_lock()
+            # Avoid calling get_user_roles, as it will require the lock.
+            current_roles = self.enforcer.get_roles_for_user(user_id)
+            if not current_roles:
+                logger.warning(f'User {user_id} has no roles')
+                return
+            self.enforcer.remove_grouping_policy(user_id, current_roles[0])
+            self.enforcer.save_policy()
+
     def update_role(self, user_id: str, new_role: str) -> None:
         """Update user role relationship."""
         with _policy_lock():

sky/users/rbac.py

@@ -25,8 +25,17 @@ _DEFAULT_USER_BLOCKLIST = [{
     'path': '/workspaces/delete',
     'method': 'POST'
 }, {
-    'path': '/users/update',
+    'path': '/users/delete',
     'method': 'POST'
+}, {
+    'path': '/users/create',
+    'method': 'POST'
+}, {
+    'path': '/users/import',
+    'method': 'POST'
+}, {
+    'path': '/users/export',
+    'method': 'GET'
 }]