skypilot-nightly 1.0.0.dev20250617__py3-none-any.whl → 1.0.0.dev20250619__py3-none-any.whl

sky/users/server.py

@@ -1,19 +1,30 @@
 """REST API for workspace management."""
 
-from typing import Any, Dict, List
+import contextlib
+import hashlib
+import os
+from typing import Any, Dict, Generator, List
 
 import fastapi
+import filelock
+from passlib.hash import apr_md5_crypt
 
 from sky import global_user_state
+from sky import models
 from sky import sky_logging
 from sky.server.requests import payloads
 from sky.skylet import constants
 from sky.users import permission
 from sky.users import rbac
 from sky.utils import common
+from sky.utils import common_utils
 
 logger = sky_logging.init_logger(__name__)
 
+# Filelocks for the user management.
+USER_LOCK_PATH = os.path.expanduser('~/.sky/.{user_id}.lock')
+USER_LOCK_TIMEOUT_SECONDS = 20
+
 router = fastapi.APIRouter()
 
 
@@ -39,29 +50,283 @@ async def get_current_user_role(request: fastapi.Request):
     # hash for the request without 'X-Auth-Request-Email' header?
     auth_user = request.state.auth_user
     if auth_user is None:
-        return {'name': '', 'role': rbac.RoleName.ADMIN.value}
+        return {'id': '', 'name': '', 'role': rbac.RoleName.ADMIN.value}
     user_roles = permission.permission_service.get_user_roles(auth_user.id)
-    return {'name': auth_user.name, 'role': user_roles[0] if user_roles else ''}
+    return {
+        'id': auth_user.id,
+        'name': auth_user.name,
+        'role': user_roles[0] if user_roles else ''
+    }
+
+
+@router.post('/create')
+async def user_create(user_create_body: payloads.UserCreateBody) -> None:
+    username = user_create_body.username
+    password = user_create_body.password
+    role = user_create_body.role
+
+    if not username or not password:
+        raise fastapi.HTTPException(status_code=400,
+                                    detail='Username and password are required')
+    if role and role not in rbac.get_supported_roles():
+        raise fastapi.HTTPException(status_code=400,
+                                    detail=f'Invalid role: {role}')
+
+    if not role:
+        role = rbac.get_default_role()
+
+    # Create user
+    password_hash = apr_md5_crypt.hash(password)
+    user_hash = hashlib.md5(
+        username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH]
+    with _user_lock(user_hash):
+        # Check if user already exists
+        if global_user_state.get_user_by_name(username):
+            raise fastapi.HTTPException(
+                status_code=400, detail=f'User {username!r} already exists')
+        global_user_state.add_or_update_user(
+            models.User(id=user_hash, name=username, password=password_hash))
+        permission.permission_service.update_role(user_hash, role)
 
 
 @router.post('/update')
-async def user_update(user_update_body: payloads.UserUpdateBody) -> None:
+async def user_update(request: fastapi.Request,
+                      user_update_body: payloads.UserUpdateBody) -> None:
     """Updates the user role."""
     user_id = user_update_body.user_id
     role = user_update_body.role
+    password = user_update_body.password
     supported_roles = rbac.get_supported_roles()
-    if role not in supported_roles:
+    if role and role not in supported_roles:
         raise fastapi.HTTPException(status_code=400,
                                     detail=f'Invalid role: {role}')
+    target_user_roles = permission.permission_service.get_user_roles(user_id)
+    need_update_role = role and (not target_user_roles or
+                                 (role != target_user_roles[0]))
+    current_user = request.state.auth_user
+    if current_user is not None:
+        current_user_roles = permission.permission_service.get_user_roles(
+            current_user.id)
+        if not current_user_roles:
+            raise fastapi.HTTPException(status_code=403, detail='Invalid user')
+        if current_user_roles[0] != rbac.RoleName.ADMIN.value:
+            if need_update_role:
+                raise fastapi.HTTPException(
+                    status_code=403, detail='Only admin can update user role')
+            if password and user_id != current_user.id:
+                raise fastapi.HTTPException(
+                    status_code=403,
+                    detail='Only admin can update password for other users')
     user_info = global_user_state.get_user(user_id)
     if user_info is None:
         raise fastapi.HTTPException(status_code=400,
                                     detail=f'User {user_id} does not exist')
-    # Disallow updating roles for the internal users.
-    if user_info.id in [common.SERVER_ID, constants.SKYPILOT_SYSTEM_USER_ID]:
+    # Disallow updating the internal users.
+    if need_update_role and user_info.id in [
+            common.SERVER_ID, constants.SKYPILOT_SYSTEM_USER_ID
+    ]:
         raise fastapi.HTTPException(status_code=400,
                                     detail=f'Cannot update role for internal '
                                     f'API server user {user_info.name}')
+    if password and user_info.id == constants.SKYPILOT_SYSTEM_USER_ID:
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail=f'Cannot update password for internal '
+            f'API server user {user_info.name}')
+
+    with _user_lock(user_info.id):
+        if password:
+            password_hash = apr_md5_crypt.hash(password)
+            global_user_state.add_or_update_user(
+                models.User(id=user_info.id,
+                            name=user_info.name,
+                            password=password_hash))
+        if role and need_update_role:
+            # Update user role in casbin policy
+            permission.permission_service.update_role(user_info.id, role)
+
+
+@router.post('/delete')
+async def user_delete(user_delete_body: payloads.UserDeleteBody) -> None:
+    user_id = user_delete_body.user_id
+
+    user_info = global_user_state.get_user(user_id)
+    if user_info is None:
+        raise fastapi.HTTPException(status_code=400,
+                                    detail=f'User {user_id} does not exist')
+    # Disallow deleting the internal users.
+    if user_info.id in [common.SERVER_ID, constants.SKYPILOT_SYSTEM_USER_ID]:
+        raise fastapi.HTTPException(status_code=400,
+                                    detail=f'Cannot delete internal '
+                                    f'API server user {user_info.name}')
+    with _user_lock(user_id):
+        global_user_state.delete_user(user_id)
+        permission.permission_service.delete_user(user_id)
+
+
+@router.post('/import')
+async def user_import(
+        user_import_body: payloads.UserImportBody) -> Dict[str, Any]:
+    """Import users from CSV content."""
+    csv_content = user_import_body.csv_content
+
+    if not csv_content:
+        raise fastapi.HTTPException(status_code=400,
+                                    detail='CSV content is required')
+
+    # Parse CSV content
+    lines = csv_content.strip().split('\n')
+    if len(lines) < 2:
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail='CSV must have at least a header row and one data row')
+
+    # Parse headers
+    headers = [h.strip().lower() for h in lines[0].split(',')]
+    required_headers = ['username', 'password', 'role']
+
+    # Check if all required headers are present
+    missing_headers = [
+        header for header in required_headers if header not in headers
+    ]
+    if missing_headers:
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail=f'Missing required columns: {", ".join(missing_headers)}')
+
+    # Parse user data
+    users_to_create = []
+    parse_errors = []
+
+    for i, line in enumerate(lines[1:], start=2):
+        if not line.strip():
+            continue  # Skip empty lines
+
+        values = [v.strip() for v in line.split(',')]
+        if len(values) != len(headers):
+            parse_errors.append(f'Line {i}: Invalid number of columns')
+            continue
+
+        user_data = dict(zip(headers, values))
+
+        # Validate required fields
+        if not user_data.get('username') or not user_data.get('password'):
+            parse_errors.append(f'Line {i}: Username and password are required')
+            continue
+
+        # Validate role
+        role = user_data.get('role', '').lower()
+        if role and role not in rbac.get_supported_roles():
+            role = rbac.get_default_role()  # Default to default role if invalid
+        elif not role:
+            role = rbac.get_default_role()
+
+        users_to_create.append({
+            'username': user_data['username'],
+            'password': user_data['password'],
+            'role': role
+        })
+
+    if not users_to_create and parse_errors:
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail=f'No valid users found. Errors: {"; ".join(parse_errors)}')
+
+    # Create users
+    success_count = 0
+    error_count = 0
+    creation_errors = []
+
+    for user_data in users_to_create:
+        try:
+            username = user_data['username']
+            password = user_data['password']
+            role = user_data['role']
+
+            # Check if user already exists
+            if global_user_state.get_user_by_name(username):
+                error_count += 1
+                creation_errors.append(f'{username}: User already exists')
+                continue
+
+            # Check if password is already hashed (APR1 hash)
+            if password.startswith('$apr1$'):
+                # Password is already hashed, use it directly
+                password_hash = password
+            else:
+                # Password is plain text, hash it
+                password_hash = apr_md5_crypt.hash(password)
+
+            user_hash = hashlib.md5(
+                username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH]
+
+            with _user_lock(user_hash):
+                global_user_state.add_or_update_user(
+                    models.User(id=user_hash,
+                                name=username,
+                                password=password_hash))
+                permission.permission_service.update_role(user_hash, role)
+
+            success_count += 1
+
+        except Exception as e:  # pylint: disable=broad-except
+            error_count += 1
+            creation_errors.append(f'{user_data["username"]}: {str(e)}')
+
+    return {
+        'success_count': success_count,
+        'error_count': error_count,
+        'total_processed': len(users_to_create),
+        'parse_errors': parse_errors,
+        'creation_errors': creation_errors
+    }
+
+
+@router.get('/export')
+async def user_export() -> Dict[str, Any]:
+    """Export all users as CSV content."""
+    try:
+        # Get all users
+        user_list = global_user_state.get_all_users()
+
+        # Create CSV content
+        csv_lines = ['username,password,role']  # Header
+
+        for user in user_list:
+            # Get user role
+            user_roles = permission.permission_service.get_user_roles(user.id)
+            role = user_roles[0] if user_roles else rbac.get_default_role()
+            # Avoid exporting `None` values
+            line = ''
+            if user.name:
+                line += user.name
+            line += ','
+            if user.password:
+                line += user.password
+            line += ','
+            if role:
+                line += role
+            csv_lines.append(line)
+
+        csv_content = '\n'.join(csv_lines)
+
+        return {'csv_content': csv_content, 'user_count': len(user_list)}
+
+    except Exception as e:
+        raise fastapi.HTTPException(status_code=500,
+                                    detail=f'Failed to export users: {str(e)}')
+
 
-    # Update user role in casbin policy
-    permission.permission_service.update_role(user_info.id, role)
+@contextlib.contextmanager
+def _user_lock(user_id: str) -> Generator[None, None, None]:
+    """Context manager for user lock."""
+    try:
+        with filelock.FileLock(USER_LOCK_PATH.format(user_id=user_id),
+                               USER_LOCK_TIMEOUT_SECONDS):
+            yield
+    except filelock.Timeout as e:
+        raise RuntimeError(f'Failed to update user due to a timeout '
+                           f'when trying to acquire the lock at '
+                           f'{USER_LOCK_PATH.format(user_id=user_id)}. '
+                           'Please try again or manually remove the lock '
+                           f'file if you believe it is stale.') from e

sky/utils/env_options.py

@@ -19,8 +19,14 @@ class Options(enum.Enum):
     # will not be multiple identities, and skipping the check can increase
     # robustness.
     SKIP_CLOUD_IDENTITY_CHECK = ('SKYPILOT_SKIP_CLOUD_IDENTITY_CHECK', False)
+    # Internal: This environment variable is set to "true" by Buildkite
+    # agent when running tests. It is used to identify when SkyPilot is
+    # running in a Buildkite container environment, which requires special
+    # handling for networking between containers.
+    RUNNING_IN_BUILDKITE = ('BUILDKITE', False)
 
     def __init__(self, env_var: str, default: bool) -> None:
+        super().__init__()
         self.env_var = env_var
         self.default = default
 

sky/utils/schemas.py

@@ -291,8 +291,8 @@ def _get_single_resources_schema():
             'autostop': _AUTOSTOP_SCHEMA,
             'priority': {
                 'type': 'integer',
-                'minimum': 0,
-                'maximum': 1000,
+                'minimum': constants.MIN_PRIORITY,
+                'maximum': constants.MAX_PRIORITY,
             },
             # The following fields are for internal use only. Should not be
             # specified in the task config.
@@ -1090,6 +1090,16 @@ def get_config_schema():
                         }
                     }
                 },
+                'kueue': {
+                    'type': 'object',
+                    'required': [],
+                    'additionalProperties': False,
+                    'properties': {
+                        'local_queue_name': {
+                            'type': 'string',
+                        },
+                    },
+                },
             }
         },
         'ssh': {
@@ -1380,6 +1390,35 @@ def get_config_schema():
         }
     }
 
+    logs_schema = {
+        'type': 'object',
+        'required': ['store'],
+        'additionalProperties': False,
+        'properties': {
+            'store': {
+                'type': 'string',
+                'case_insensitive_enum': ['gcp'],
+            },
+            'gcp': {
+                'type': 'object',
+                'properties': {
+                    'project_id': {
+                        'type': 'string',
+                    },
+                    'credentials_file': {
+                        'type': 'string',
+                    },
+                    'additional_labels': {
+                        'type': 'object',
+                        'additionalProperties': {
+                            'type': 'string',
+                        },
+                    },
+                },
+            },
+        },
+    }
+
     for cloud, config in cloud_configs.items():
         if cloud == 'aws':
             config['properties'].update(
@@ -1412,6 +1451,7 @@ def get_config_schema():
             'workspaces': workspaces_schema,
             'provision': provision_configs,
             'rbac': rbac_schema,
+            'logs': logs_schema,
             **cloud_configs,
         },
     }

{skypilot_nightly-1.0.0.dev20250617.dist-info → skypilot_nightly-1.0.0.dev20250619.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skypilot-nightly
-Version: 1.0.0.dev20250617
+Version: 1.0.0.dev20250619
 Summary: SkyPilot: Run AI on Any Infra — Unified, Faster, Cheaper.
 Author: SkyPilot Team
 License: Apache 2.0
@@ -51,6 +51,7 @@ Requires-Dist: sqlalchemy
 Requires-Dist: psycopg2-binary
 Requires-Dist: casbin
 Requires-Dist: sqlalchemy_adapter
+Requires-Dist: passlib
 Provides-Extra: aws
 Requires-Dist: awscli>=1.27.10; extra == "aws"
 Requires-Dist: botocore>=1.29.10; extra == "aws"
@@ -120,6 +121,10 @@ Requires-Dist: botocore>=1.29.10; extra == "nebius"
 Requires-Dist: boto3>=1.26.1; extra == "nebius"
 Requires-Dist: colorama<0.4.5; extra == "nebius"
 Provides-Extra: hyperbolic
+Provides-Extra: server
+Requires-Dist: casbin; extra == "server"
+Requires-Dist: sqlalchemy_adapter; extra == "server"
+Requires-Dist: passlib; extra == "server"
 Provides-Extra: all
 Requires-Dist: awscli>=1.27.10; extra == "all"
 Requires-Dist: botocore>=1.29.10; extra == "all"
@@ -169,6 +174,9 @@ Requires-Dist: awscli>=1.27.10; extra == "all"
 Requires-Dist: botocore>=1.29.10; extra == "all"
 Requires-Dist: boto3>=1.26.1; extra == "all"
 Requires-Dist: colorama<0.4.5; extra == "all"
+Requires-Dist: casbin; extra == "all"
+Requires-Dist: sqlalchemy_adapter; extra == "all"
+Requires-Dist: passlib; extra == "all"
 Dynamic: author
 Dynamic: classifier
 Dynamic: description