skypilot-nightly 1.0.0.dev20250627__py3-none-any.whl → 1.0.0.dev20250628__py3-none-any.whl

sky/users/server.py

@@ -3,6 +3,9 @@
 import contextlib
 import hashlib
 import os
+import re
+import secrets
+import time
 from typing import Any, Dict, Generator, List
 
 import fastapi
@@ -16,8 +19,10 @@ from sky.server.requests import payloads
 from sky.skylet import constants
 from sky.users import permission
 from sky.users import rbac
+from sky.users import token_service
 from sky.utils import common
 from sky.utils import common_utils
+from sky.utils import resource_checker
 
 logger = sky_logging.init_logger(__name__)
 
@@ -34,10 +39,15 @@ async def users() -> List[Dict[str, Any]]:
     all_users = []
     user_list = global_user_state.get_all_users()
     for user in user_list:
+        # Filter out service accounts - they have IDs starting with "sa-"
+        if user.is_service_account():
+            continue
+
         user_roles = permission.permission_service.get_user_roles(user.id)
         all_users.append({
             'id': user.id,
             'name': user.name,
+            'created_at': user.created_at,
             'role': user_roles[0] if user_roles else ''
         })
     return all_users
@@ -146,10 +156,8 @@ async def user_update(request: fastapi.Request,
             permission.permission_service.update_role(user_info.id, role)
 
 
-@router.post('/delete')
-async def user_delete(user_delete_body: payloads.UserDeleteBody) -> None:
-    user_id = user_delete_body.user_id
-
+def _delete_user(user_id: str) -> None:
+    """Delete a user."""
     user_info = global_user_state.get_user(user_id)
     if user_info is None:
         raise fastapi.HTTPException(status_code=400,
@@ -159,11 +167,25 @@ async def user_delete(user_delete_body: payloads.UserDeleteBody) -> None:
         raise fastapi.HTTPException(status_code=400,
                                     detail=f'Cannot delete internal '
                                     f'API server user {user_info.name}')
+
+    # Check for active clusters and managed jobs owned by the user
+    try:
+        resource_checker.check_no_active_resources_for_users([(user_id,
+                                                               'delete')])
+    except ValueError as e:
+        raise fastapi.HTTPException(status_code=400, detail=str(e))
+
     with _user_lock(user_id):
         global_user_state.delete_user(user_id)
         permission.permission_service.delete_user(user_id)
 
 
+@router.post('/delete')
+async def user_delete(user_delete_body: payloads.UserDeleteBody) -> None:
+    user_id = user_delete_body.user_id
+    _delete_user(user_id)
+
+
 @router.post('/import')
 async def user_import(
         user_import_body: payloads.UserImportBody) -> Dict[str, Any]:
@@ -292,7 +314,12 @@ async def user_export() -> Dict[str, Any]:
         # Create CSV content
         csv_lines = ['username,password,role']  # Header
 
+        exported_users = []
         for user in user_list:
+            # Filter out service accounts - they have IDs starting with "sa-"
+            if user.is_service_account():
+                continue
+
             # Get user role
             user_roles = permission.permission_service.get_user_roles(user.id)
             role = user_roles[0] if user_roles else rbac.get_default_role()
@@ -307,10 +334,11 @@ async def user_export() -> Dict[str, Any]:
             if role:
                 line += role
             csv_lines.append(line)
+            exported_users.append(user)
 
         csv_content = '\n'.join(csv_lines)
 
-        return {'csv_content': csv_content, 'user_count': len(user_list)}
+        return {'csv_content': csv_content, 'user_count': len(exported_users)}
 
     except Exception as e:
         raise fastapi.HTTPException(status_code=500,
@@ -330,3 +358,354 @@ def _user_lock(user_id: str) -> Generator[None, None, None]:
                            f'{USER_LOCK_PATH.format(user_id=user_id)}. '
                            'Please try again or manually remove the lock '
                            f'file if you believe it is stale.') from e
+
+
+# ===============================
+# Service account tokens
+# ===============================
+# SkyPilot currently does not distinguish between service accounts and service
+# account tokens, i.e. service accounts have a 1-1 mapping to service account
+# tokens.
+
+
+@router.get('/service-account-tokens')
+async def get_service_account_tokens(
+        request: fastapi.Request) -> List[Dict[str, Any]]:
+    """Get service account tokens. All users can see all tokens."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # All authenticated users can see all tokens
+    tokens = global_user_state.get_all_service_account_tokens()
+
+    result = []
+    for token in tokens:
+        token_info = {
+            'token_id': token['token_id'],
+            'token_name': token['token_name'],
+            'created_at': token['created_at'],
+            'last_used_at': token['last_used_at'],
+            'expires_at': token['expires_at'],
+            'creator_user_hash': token['creator_user_hash'],
+            'service_account_user_id': token['service_account_user_id'],
+        }
+
+        # Add creator display name
+        creator_user = global_user_state.get_user(token['creator_user_hash'])
+        token_info[
+            'creator_name'] = creator_user.name if creator_user else 'Unknown'
+
+        # Add service account name
+        sa_user = global_user_state.get_user(token['service_account_user_id'])
+        token_info['service_account_name'] = (sa_user.name if sa_user else
+                                              token['token_name'])
+
+        # Add service account roles
+        roles = permission.permission_service.get_user_roles(
+            token['service_account_user_id'])
+        token_info['service_account_roles'] = roles
+
+        result.append(token_info)
+
+    return result
+
+
+def _generate_service_account_user_id() -> str:
+    """Generate a unique user ID for a service account."""
+    random_suffix = secrets.token_hex(16)  # 16 character hex string
+    service_account_id = (f'sa-{random_suffix}')
+    return service_account_id
+
+
+@router.post('/service-account-tokens')
+async def create_service_account_token(
+        request: fastapi.Request,
+        token_body: payloads.ServiceAccountTokenCreateBody) -> Dict[str, Any]:
+    """Create a new service account token."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    token_name = token_body.token_name.strip()
+
+    # Check if token follows a valid format
+    if not re.match(constants.CLUSTER_NAME_VALID_REGEX, token_name):
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail='Token name must contain only letters, numbers, and '
+            'underscores. Please use a different name.')
+
+    # Validate expiration (allow 0 as special value for "never expire")
+    if (token_body.expires_in_days is not None and
+            token_body.expires_in_days < 0):
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail='Expiration days must be positive or 0 for never expire')
+
+    try:
+        # Generate a unique service account user ID
+        service_account_user_id = _generate_service_account_user_id()
+
+        # Create a user entry for the service account
+        service_account_user = models.User(id=service_account_user_id,
+                                           name=token_name)
+        is_new_user = global_user_state.add_or_update_user(
+            service_account_user, allow_duplicate_name=False)
+
+        if not is_new_user:
+            raise fastapi.HTTPException(
+                status_code=400,
+                detail=f'Service account with name {token_name!r} '
+                f'already exists ({service_account_user_id}). '
+                'Please use a different name.')
+
+        # Add service account to permission system with default role
+        # Import here to avoid circular imports
+        # pylint: disable=import-outside-toplevel
+        from sky.users.permission import permission_service
+        permission_service.add_user_if_not_exists(service_account_user_id)
+
+        # Handle expiration: 0 means "never expire"
+        expires_in_days = token_body.expires_in_days
+        if expires_in_days == 0:
+            expires_in_days = None
+
+        # Create JWT-based token with service account user ID
+        token_data = token_service.token_service.create_token(
+            creator_user_id=auth_user.id,
+            service_account_user_id=service_account_user_id,
+            token_name=token_name,
+            expires_in_days=expires_in_days)
+
+        # Store token metadata in database
+        global_user_state.add_service_account_token(
+            token_id=token_data['token_id'],
+            token_name=token_name,
+            token_hash=token_data['token_hash'],
+            creator_user_hash=auth_user.id,
+            service_account_user_id=service_account_user_id,
+            expires_at=token_data['expires_at'])
+
+        # Return the JWT token only once (never stored in plain text)
+        return {
+            'token_id': token_data['token_id'],
+            'token_name': token_name,
+            'token': token_data['token'],  # Full JWT token with sky_ prefix
+            'expires_at': token_data['expires_at'],
+            'service_account_user_id': service_account_user_id,
+            'creator_user_id': auth_user.id,
+            'message': 'Please save this token - it will not be shown again!'
+        }
+
+    except Exception as e:  # pylint: disable=broad-except
+        logger.error(f'Failed to create service account token: {e}')
+        raise fastapi.HTTPException(
+            status_code=500,
+            detail=f'Failed to create service account token: {e}')
+
+
+@router.post('/service-account-tokens/delete')
+async def delete_service_account_token(
+        request: fastapi.Request,
+        token_body: payloads.ServiceAccountTokenDeleteBody) -> Dict[str, str]:
+    """Delete a service account token.
+
+    Admins can delete any token, users can only delete their own.
+    """
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info first
+    token_info = global_user_state.get_service_account_token(
+        token_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions using Casbin policy system
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'delete'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only delete your own tokens. Only admins can '
+            'delete tokens owned by other users.')
+
+    # Try to delete the service account user first to make sure there is no
+    # active resources owned by the service account.
+    service_account_user_id = token_info['service_account_user_id']
+    _delete_user(service_account_user_id)
+
+    # Delete the token
+    deleted = global_user_state.delete_service_account_token(
+        token_body.token_id)
+    if not deleted:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    return {'message': 'Token deleted successfully'}
+
+
+@router.post('/service-account-tokens/get-role')
+async def get_service_account_role(
+        request: fastapi.Request,
+        role_body: payloads.ServiceAccountTokenRoleBody) -> Dict[str, Any]:
+    """Get the role of a service account."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info to find the service account user ID
+    token_info = global_user_state.get_service_account_token(role_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions - only creator or admin can view roles
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'view'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only view roles for your own service accounts. '
+            'Only admins can view roles for service accounts owned by other '
+            'users.')
+
+    # Get service account roles
+    service_account_user_id = token_info['service_account_user_id']
+    roles = permission.permission_service.get_user_roles(
+        service_account_user_id)
+
+    return {
+        'token_id': role_body.token_id,
+        'service_account_user_id': service_account_user_id,
+        'roles': roles
+    }
+
+
+@router.post('/service-account-tokens/update-role')
+async def update_service_account_role(
+        request: fastapi.Request,
+        role_body: payloads.ServiceAccountTokenUpdateRoleBody
+) -> Dict[str, str]:
+    """Update the role of a service account."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info to find the service account user ID
+    token_info = global_user_state.get_service_account_token(role_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions - only creator or admin can update roles
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'update'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only update roles for your own service accounts. '
+            'Only admins can update roles for service accounts owned by other '
+            'users.')
+
+    try:
+        # Update service account role
+        service_account_user_id = token_info['service_account_user_id']
+        permission.permission_service.update_role(service_account_user_id,
+                                                  role_body.role)
+
+        return {
+            'message': f'Service account role updated to {role_body.role}',
+            'token_id': role_body.token_id,
+            'service_account_user_id': service_account_user_id,
+            'new_role': role_body.role
+        }
+    except Exception as e:  # pylint: disable=broad-except
+        logger.error(f'Failed to update service account role: {e}')
+        raise fastapi.HTTPException(
+            status_code=500, detail='Failed to update service account role')
+
+
+@router.post('/service-account-tokens/rotate')
+async def rotate_service_account_token(
+        request: fastapi.Request,
+        token_body: payloads.ServiceAccountTokenRotateBody) -> Dict[str, Any]:
+    """Rotate a service account token.
+
+    Generates a new token value for an existing service account while keeping
+    the same service account identity and roles.
+    """
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info
+    token_info = global_user_state.get_service_account_token(
+        token_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions - same as delete permission (only creator or admin)
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'delete'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only rotate your own tokens. Only admins can '
+            'rotate tokens owned by other users.')
+
+    # Validate expiration if provided (allow 0 as special value for "never
+    # expire")
+    if (token_body.expires_in_days is not None and
+            token_body.expires_in_days < 0):
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail='Expiration days must be positive or 0 for never expire')
+
+    try:
+        # Use provided expiration or preserve original expiration logic
+        expires_in_days = token_body.expires_in_days
+        if expires_in_days == 0:
+            # Special value 0 means "never expire"
+            expires_in_days = None
+        elif expires_in_days is None:
+            # No expiration specified, try to preserve original expiration
+            if token_info['expires_at']:
+                current_time = time.time()
+                remaining_seconds = token_info['expires_at'] - current_time
+                if remaining_seconds > 0:
+                    expires_in_days = max(1,
+                                          int(remaining_seconds / (24 * 3600)))
+                else:
+                    # Token already expired, default to 30 days
+                    expires_in_days = 30
+
+        # Generate new JWT token with same service account user ID
+        token_data = token_service.token_service.create_token(
+            creator_user_id=token_info['creator_user_hash'],
+            service_account_user_id=token_info['service_account_user_id'],
+            token_name=token_info['token_name'],
+            expires_in_days=expires_in_days)
+
+        # Update token in database with new token hash
+        global_user_state.rotate_service_account_token(
+            token_id=token_body.token_id,
+            new_token_hash=token_data['token_hash'],
+            new_expires_at=token_data['expires_at'])
+
+        # Return the new JWT token only once (never stored in plain text)
+        return {
+            'token_id': token_body.token_id,
+            'token_name': token_info['token_name'],
+            'token': token_data['token'],  # Full JWT token with sky_ prefix
+            'expires_at': token_data['expires_at'],
+            'service_account_user_id': token_info['service_account_user_id'],
+            'message': ('Token rotated successfully! Please save this new '
+                        'token - it will not be shown again!')
+        }
+
+    except Exception as e:  # pylint: disable=broad-except
+        logger.error(f'Failed to rotate service account token: {e}')
+        raise fastapi.HTTPException(
+            status_code=500, detail='Failed to rotate service account token')

sky/users/token_service.py

@@ -0,0 +1,196 @@
+"""JWT-based service account token management for SkyPilot."""
+
+import contextlib
+import datetime
+import hashlib
+import os
+import secrets
+from typing import Any, Dict, Generator, Optional
+
+import filelock
+import jwt
+
+from sky import global_user_state
+from sky import sky_logging
+
+logger = sky_logging.init_logger(__name__)
+
+# JWT Configuration
+JWT_ALGORITHM = 'HS256'
+JWT_ISSUER = 'sky'  # Shortened for compact tokens
+JWT_SECRET_DB_KEY = 'jwt_secret'
+
+# File lock for JWT secret initialization
+JWT_SECRET_LOCK_PATH = os.path.expanduser('~/.sky/.jwt_secret_init.lock')
+JWT_SECRET_LOCK_TIMEOUT_SECONDS = 20
+
+
+@contextlib.contextmanager
+def _jwt_secret_lock() -> Generator[None, None, None]:
+    """Context manager for JWT secret initialization lock."""
+    try:
+        with filelock.FileLock(JWT_SECRET_LOCK_PATH,
+                               JWT_SECRET_LOCK_TIMEOUT_SECONDS):
+            yield
+    except filelock.Timeout as e:
+        raise RuntimeError(f'Failed to initialize JWT secret due to a timeout '
+                           f'when trying to acquire the lock at '
+                           f'{JWT_SECRET_LOCK_PATH}. '
+                           'Please try again or manually remove the lock '
+                           f'file if you believe it is stale.') from e
+
+
+class TokenService:
+    """Service for managing JWT-based service account tokens."""
+
+    def __init__(self):
+        self.secret_key = self._get_or_generate_secret()
+
+    def _get_or_generate_secret(self) -> str:
+        """Get JWT secret from database or generate a new one."""
+        with _jwt_secret_lock():
+            # Try to get from database (persistent across deployments)
+            try:
+                db_secret = global_user_state.get_system_config(
+                    JWT_SECRET_DB_KEY)
+                if db_secret:
+                    logger.debug('Retrieved existing JWT secret from database')
+                    return db_secret
+            except Exception as e:  # pylint: disable=broad-except
+                logger.debug(f'Failed to get JWT secret from database: {e}')
+
+            # Generate a new secret and store in database
+            new_secret = secrets.token_urlsafe(64)
+            try:
+                global_user_state.set_system_config(JWT_SECRET_DB_KEY,
+                                                    new_secret)
+                logger.info(
+                    'Generated new JWT secret and stored in database. '
+                    'This secret will persist across API server restarts.')
+            except Exception as e:  # pylint: disable=broad-except
+                logger.warning(
+                    f'Failed to store new JWT secret in database: {e}. '
+                    f'Using in-memory secret (tokens will not persist '
+                    f'across restarts).')
+
+            return new_secret
+
+    def create_token(self,
+                     creator_user_id: str,
+                     service_account_user_id: str,
+                     token_name: str,
+                     expires_in_days: Optional[int] = None) -> Dict[str, Any]:
+        """Create a new JWT service account token.
+
+        Args:
+            creator_user_id: The creator's user hash
+            service_account_user_id: The service account's own user ID
+            token_name: Descriptive name for the token
+            expires_in_days: Optional expiration in days
+
+        Returns:
+            Dict containing token info including the JWT token
+        """
+        now = datetime.datetime.now(datetime.timezone.utc)
+        token_id = secrets.token_urlsafe(12)  # Shorter ID for JWT
+
+        # Build minimal JWT payload with single-character field names for
+        # compactness
+        payload = {
+            'i': JWT_ISSUER,  # Issuer (use constant)
+            't': int(now.timestamp()),  # Issued at (shortened from 'iat')
+            # Service account user ID (shortened from 'sub')
+            'u': service_account_user_id,
+            'k': token_id,  # Token ID (shortened from 'token_id')
+            'y': 'sa',  # Type: service account (shortened from 'type')
+        }
+
+        # Add expiration if specified
+        expires_at = None
+        if expires_in_days:
+            exp_time = now + datetime.timedelta(days=expires_in_days)
+            payload['e'] = int(
+                exp_time.timestamp())  # Expiration (shortened from 'exp')
+            expires_at = int(exp_time.timestamp())
+
+        # Generate JWT
+        jwt_token = jwt.encode(payload,
+                               self.secret_key,
+                               algorithm=JWT_ALGORITHM)
+
+        # Create token with SkyPilot prefix
+        full_token = f'sky_{jwt_token}'
+
+        # Generate hash for database storage (we still hash the full token)
+        token_hash = hashlib.sha256(full_token.encode()).hexdigest()
+
+        return {
+            'token_id': token_id,
+            'token': full_token,
+            'token_hash': token_hash,
+            'creator_user_id': creator_user_id,
+            'service_account_user_id': service_account_user_id,
+            'token_name': token_name,
+            'created_at': int(now.timestamp()),
+            'expires_at': expires_at,
+        }
+
+    def verify_token(self, token: str) -> Optional[Dict[str, Any]]:
+        """Verify and decode a JWT token.
+
+        Args:
+            token: The full token (with sky_ prefix)
+
+        Returns:
+            Decoded token payload or None if invalid
+        """
+        if not token.startswith('sky_'):
+            return None
+
+        # Remove the sky_ prefix
+        jwt_token = token[4:]
+
+        try:
+            # Decode and verify JWT (without issuer verification)
+            payload = jwt.decode(jwt_token,
+                                 self.secret_key,
+                                 algorithms=[JWT_ALGORITHM])
+
+            # Manually verify issuer using our shortened field name
+            token_issuer = payload.get('i')
+            if token_issuer != JWT_ISSUER:
+                logger.warning(f'Invalid token issuer: {token_issuer}')
+                return None
+
+            # Verify token type
+            token_type = payload.get('y')
+            if token_type != 'sa':
+                logger.warning(f'Invalid token type: {token_type}')
+                return None
+
+            # Convert shortened field names back to standard names for
+            # compatibility
+            normalized_payload = {
+                'iss': payload.get('i'),  # issuer
+                'iat': payload.get('t'),  # issued at
+                'sub': payload.get('u'),  # subject (service account user ID)
+                'token_id': payload.get('k'),  # token ID
+                'type': 'service_account',  # expand shortened type
+            }
+
+            # Add expiration if present
+            if 'e' in payload:
+                normalized_payload['exp'] = payload['e']
+
+            return normalized_payload
+
+        except jwt.ExpiredSignatureError:
+            logger.warning('Token has expired')
+            return None
+        except jwt.InvalidTokenError as e:
+            logger.warning(f'Invalid token: {e}')
+            return None
+
+
+# Singleton instance
+token_service = TokenService()

sky/utils/common_utils.py

@@ -71,11 +71,10 @@ def get_usage_run_id() -> str:
 def is_valid_user_hash(user_hash: Optional[str]) -> bool:
     if user_hash is None:
         return False
-    try:
-        int(user_hash, 16)
-    except (TypeError, ValueError):
-        return False
-    return len(user_hash) == USER_HASH_LENGTH
+    # Must start with a letter, followed by alphanumeric characters and hyphens
+    # This covers both old hex format (e.g., "abc123") and new service account
+    # format (e.g., "sa-abc123-token-xyz")
+    return bool(re.match(r'^[a-zA-Z0-9][a-zA-Z0-9-]*$', user_hash))
 
 
 def generate_user_hash() -> str: