skypilot-nightly 1.0.0.dev20250627__py3-none-any.whl → 1.0.0.dev20250630__py3-none-any.whl

sky/skylet/constants.py

@@ -346,6 +346,11 @@ API_SERVER_CREATION_LOCK_PATH = '~/.sky/api_server/.creation.lock'
 # API server.
 SKY_API_SERVER_URL_ENV_VAR = f'{SKYPILOT_ENV_VAR_PREFIX}API_SERVER_ENDPOINT'
 
+# The name for the environment variable that stores the SkyPilot service
+# account token on client side.
+SERVICE_ACCOUNT_TOKEN_ENV_VAR = (
+    f'{SKYPILOT_ENV_VAR_PREFIX}SERVICE_ACCOUNT_TOKEN')
+
 # SkyPilot environment variables
 SKYPILOT_NUM_NODES = f'{SKYPILOT_ENV_VAR_PREFIX}NUM_NODES'
 SKYPILOT_NODE_IPS = f'{SKYPILOT_ENV_VAR_PREFIX}NODE_IPS'
@@ -424,6 +429,7 @@ ENV_VAR_DB_CONNECTION_URI = (f'{SKYPILOT_ENV_VAR_PREFIX}DB_CONNECTION_URI')
 # authentication is enabled in the API server.
 ENV_VAR_ENABLE_BASIC_AUTH = 'ENABLE_BASIC_AUTH'
 SKYPILOT_INITIAL_BASIC_AUTH = 'SKYPILOT_INITIAL_BASIC_AUTH'
+ENV_VAR_ENABLE_SERVICE_ACCOUNTS = 'ENABLE_SERVICE_ACCOUNTS'
 
 SKYPILOT_DEFAULT_WORKSPACE = 'default'
 
@@ -475,6 +481,7 @@ MEMORY_SIZE_PATTERN = (
     ')?$')
 
 LAST_USE_TRUNC_LENGTH = 25
+USED_BY_TRUNC_LENGTH = 25
 
 MIN_PRIORITY = -1000
 MAX_PRIORITY = 1000

sky/skypilot_config.py

@@ -369,6 +369,34 @@ def get_nested(keys: Tuple[str, ...],
         disallowed_override_keys=None)
 
 
+def get_effective_region_config(
+        cloud: str,
+        keys: Tuple[str, ...],
+        region: Optional[str] = None,
+        default_value: Optional[Any] = None,
+        override_configs: Optional[Dict[str, Any]] = None) -> Any:
+    """Returns the nested key value by reading from config
+    Order to get the property_name value:
+    1. if region is specified,
+       try to get the value from <cloud>/<region_key>/<region>/keys
+    2. if no region or no override,
+       try to get it at the cloud level <cloud>/keys
+    3. if not found at cloud level,
+       return either default_value if specified or None
+
+    Note: This function currently only supports getting region-specific
+    config from "kubernetes" cloud. For other clouds, this function behaves
+    identically to get_nested().
+    """
+    return config_utils.get_cloud_config_value_from_dict(
+        dict_config=_get_loaded_config(),
+        cloud=cloud,
+        keys=keys,
+        region=region,
+        default_value=default_value,
+        override_configs=override_configs)
+
+
 def get_workspace_cloud(cloud: str,
                         workspace: Optional[str] = None) -> config_utils.Config:
     """Returns the workspace config."""
@@ -477,10 +505,10 @@ def overlay_skypilot_config(
 def safe_reload_config() -> None:
     """Reloads the config, safe to be called concurrently."""
     with filelock.FileLock(get_skypilot_config_lock_path()):
-        _reload_config()
+        reload_config()
 
 
-def _reload_config() -> None:
+def reload_config() -> None:
     internal_config_path = os.environ.get(ENV_VAR_SKYPILOT_CONFIG)
     if internal_config_path is not None:
         # {ENV_VAR_SKYPILOT_CONFIG} is used internally.
@@ -641,7 +669,7 @@ def loaded_config_path_serialized() -> Optional[str]:
 
 
 # Load on import, synchronization is guaranteed by python interpreter.
-_reload_config()
+reload_config()
 
 
 def loaded() -> bool:
@@ -864,4 +892,4 @@ def update_api_server_config_no_lock(config: config_utils.Config) -> None:
             config_map_utils.patch_configmap_with_config(
                 config, global_config_path)
 
-    _reload_config()
+    reload_config()

sky/task.py

@@ -884,6 +884,18 @@ class Task:
     def volumes(self) -> Dict[str, str]:
         return self._volumes
 
+    def set_volumes(self, volumes: Dict[str, str]) -> None:
+        """Sets the volumes for this task.
+
+        Args:
+          volumes: a dict of ``{mount_path: volume_name}``.
+        """
+        self._volumes = volumes
+
+    def update_volumes(self, volumes: Dict[str, str]) -> None:
+        """Updates the volumes for this task."""
+        self._volumes.update(volumes)
+
     def update_envs(
             self, envs: Union[None, List[Tuple[str, str]],
                               Dict[str, str]]) -> 'Task':

sky/users/permission.py

@@ -265,6 +265,35 @@ class PermissionService:
                      f'workspace={workspace_name}, result={result}')
         return result
 
+    def check_service_account_token_permission(self, user_id: str,
+                                               token_owner_id: str,
+                                               action: str) -> bool:
+        """Check service account token permission.
+
+        This method checks if a user has permission to perform an action on
+        a service account token owned by another user.
+
+        Args:
+            user_id: The ID of the user requesting the action
+            token_owner_id: The ID of the user who owns the token
+            action: The action being performed (e.g., 'delete', 'view')
+
+        Returns:
+            True if the user has permission, False otherwise
+        """
+        del action
+        # Users can always manage their own tokens
+        if user_id == token_owner_id:
+            return True
+
+        # Check if user has admin role (admins can manage any token)
+        user_roles = self.get_user_roles(user_id)
+        if rbac.RoleName.ADMIN.value in user_roles:
+            return True
+
+        # Regular users cannot manage tokens owned by others
+        return False
+
     def add_workspace_policy(self, workspace_name: str,
                              users: List[str]) -> None:
         """Add workspace policy.

sky/users/server.py

@@ -3,6 +3,9 @@
 import contextlib
 import hashlib
 import os
+import re
+import secrets
+import time
 from typing import Any, Dict, Generator, List
 
 import fastapi
@@ -16,8 +19,10 @@ from sky.server.requests import payloads
 from sky.skylet import constants
 from sky.users import permission
 from sky.users import rbac
+from sky.users import token_service
 from sky.utils import common
 from sky.utils import common_utils
+from sky.utils import resource_checker
 
 logger = sky_logging.init_logger(__name__)
 
@@ -34,10 +39,15 @@ async def users() -> List[Dict[str, Any]]:
     all_users = []
     user_list = global_user_state.get_all_users()
     for user in user_list:
+        # Filter out service accounts - they have IDs starting with "sa-"
+        if user.is_service_account():
+            continue
+
         user_roles = permission.permission_service.get_user_roles(user.id)
         all_users.append({
             'id': user.id,
             'name': user.name,
+            'created_at': user.created_at,
             'role': user_roles[0] if user_roles else ''
         })
     return all_users
@@ -146,10 +156,8 @@ async def user_update(request: fastapi.Request,
             permission.permission_service.update_role(user_info.id, role)
 
 
-@router.post('/delete')
-async def user_delete(user_delete_body: payloads.UserDeleteBody) -> None:
-    user_id = user_delete_body.user_id
-
+def _delete_user(user_id: str) -> None:
+    """Delete a user."""
     user_info = global_user_state.get_user(user_id)
     if user_info is None:
         raise fastapi.HTTPException(status_code=400,
@@ -159,11 +167,25 @@ async def user_delete(user_delete_body: payloads.UserDeleteBody) -> None:
         raise fastapi.HTTPException(status_code=400,
                                     detail=f'Cannot delete internal '
                                     f'API server user {user_info.name}')
+
+    # Check for active clusters and managed jobs owned by the user
+    try:
+        resource_checker.check_no_active_resources_for_users([(user_id,
+                                                               'delete')])
+    except ValueError as e:
+        raise fastapi.HTTPException(status_code=400, detail=str(e))
+
     with _user_lock(user_id):
         global_user_state.delete_user(user_id)
         permission.permission_service.delete_user(user_id)
 
 
+@router.post('/delete')
+async def user_delete(user_delete_body: payloads.UserDeleteBody) -> None:
+    user_id = user_delete_body.user_id
+    _delete_user(user_id)
+
+
 @router.post('/import')
 async def user_import(
         user_import_body: payloads.UserImportBody) -> Dict[str, Any]:
@@ -292,7 +314,12 @@ async def user_export() -> Dict[str, Any]:
         # Create CSV content
         csv_lines = ['username,password,role']  # Header
 
+        exported_users = []
         for user in user_list:
+            # Filter out service accounts - they have IDs starting with "sa-"
+            if user.is_service_account():
+                continue
+
             # Get user role
             user_roles = permission.permission_service.get_user_roles(user.id)
             role = user_roles[0] if user_roles else rbac.get_default_role()
@@ -307,10 +334,11 @@ async def user_export() -> Dict[str, Any]:
             if role:
                 line += role
             csv_lines.append(line)
+            exported_users.append(user)
 
         csv_content = '\n'.join(csv_lines)
 
-        return {'csv_content': csv_content, 'user_count': len(user_list)}
+        return {'csv_content': csv_content, 'user_count': len(exported_users)}
 
     except Exception as e:
         raise fastapi.HTTPException(status_code=500,
@@ -330,3 +358,354 @@ def _user_lock(user_id: str) -> Generator[None, None, None]:
                            f'{USER_LOCK_PATH.format(user_id=user_id)}. '
                            'Please try again or manually remove the lock '
                            f'file if you believe it is stale.') from e
+
+
+# ===============================
+# Service account tokens
+# ===============================
+# SkyPilot currently does not distinguish between service accounts and service
+# account tokens, i.e. service accounts have a 1-1 mapping to service account
+# tokens.
+
+
+@router.get('/service-account-tokens')
+async def get_service_account_tokens(
+        request: fastapi.Request) -> List[Dict[str, Any]]:
+    """Get service account tokens. All users can see all tokens."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # All authenticated users can see all tokens
+    tokens = global_user_state.get_all_service_account_tokens()
+
+    result = []
+    for token in tokens:
+        token_info = {
+            'token_id': token['token_id'],
+            'token_name': token['token_name'],
+            'created_at': token['created_at'],
+            'last_used_at': token['last_used_at'],
+            'expires_at': token['expires_at'],
+            'creator_user_hash': token['creator_user_hash'],
+            'service_account_user_id': token['service_account_user_id'],
+        }
+
+        # Add creator display name
+        creator_user = global_user_state.get_user(token['creator_user_hash'])
+        token_info[
+            'creator_name'] = creator_user.name if creator_user else 'Unknown'
+
+        # Add service account name
+        sa_user = global_user_state.get_user(token['service_account_user_id'])
+        token_info['service_account_name'] = (sa_user.name if sa_user else
+                                              token['token_name'])
+
+        # Add service account roles
+        roles = permission.permission_service.get_user_roles(
+            token['service_account_user_id'])
+        token_info['service_account_roles'] = roles
+
+        result.append(token_info)
+
+    return result
+
+
+def _generate_service_account_user_id() -> str:
+    """Generate a unique user ID for a service account."""
+    random_suffix = secrets.token_hex(16)  # 16 character hex string
+    service_account_id = (f'sa-{random_suffix}')
+    return service_account_id
+
+
+@router.post('/service-account-tokens')
+async def create_service_account_token(
+        request: fastapi.Request,
+        token_body: payloads.ServiceAccountTokenCreateBody) -> Dict[str, Any]:
+    """Create a new service account token."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    token_name = token_body.token_name.strip()
+
+    # Check if token follows a valid format
+    if not re.match(constants.CLUSTER_NAME_VALID_REGEX, token_name):
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail='Token name must contain only letters, numbers, and '
+            'underscores. Please use a different name.')
+
+    # Validate expiration (allow 0 as special value for "never expire")
+    if (token_body.expires_in_days is not None and
+            token_body.expires_in_days < 0):
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail='Expiration days must be positive or 0 for never expire')
+
+    try:
+        # Generate a unique service account user ID
+        service_account_user_id = _generate_service_account_user_id()
+
+        # Create a user entry for the service account
+        service_account_user = models.User(id=service_account_user_id,
+                                           name=token_name)
+        is_new_user = global_user_state.add_or_update_user(
+            service_account_user, allow_duplicate_name=False)
+
+        if not is_new_user:
+            raise fastapi.HTTPException(
+                status_code=400,
+                detail=f'Service account with name {token_name!r} '
+                f'already exists ({service_account_user_id}). '
+                'Please use a different name.')
+
+        # Add service account to permission system with default role
+        # Import here to avoid circular imports
+        # pylint: disable=import-outside-toplevel
+        from sky.users.permission import permission_service
+        permission_service.add_user_if_not_exists(service_account_user_id)
+
+        # Handle expiration: 0 means "never expire"
+        expires_in_days = token_body.expires_in_days
+        if expires_in_days == 0:
+            expires_in_days = None
+
+        # Create JWT-based token with service account user ID
+        token_data = token_service.token_service.create_token(
+            creator_user_id=auth_user.id,
+            service_account_user_id=service_account_user_id,
+            token_name=token_name,
+            expires_in_days=expires_in_days)
+
+        # Store token metadata in database
+        global_user_state.add_service_account_token(
+            token_id=token_data['token_id'],
+            token_name=token_name,
+            token_hash=token_data['token_hash'],
+            creator_user_hash=auth_user.id,
+            service_account_user_id=service_account_user_id,
+            expires_at=token_data['expires_at'])
+
+        # Return the JWT token only once (never stored in plain text)
+        return {
+            'token_id': token_data['token_id'],
+            'token_name': token_name,
+            'token': token_data['token'],  # Full JWT token with sky_ prefix
+            'expires_at': token_data['expires_at'],
+            'service_account_user_id': service_account_user_id,
+            'creator_user_id': auth_user.id,
+            'message': 'Please save this token - it will not be shown again!'
+        }
+
+    except Exception as e:  # pylint: disable=broad-except
+        logger.error(f'Failed to create service account token: {e}')
+        raise fastapi.HTTPException(
+            status_code=500,
+            detail=f'Failed to create service account token: {e}')
+
+
+@router.post('/service-account-tokens/delete')
+async def delete_service_account_token(
+        request: fastapi.Request,
+        token_body: payloads.ServiceAccountTokenDeleteBody) -> Dict[str, str]:
+    """Delete a service account token.
+
+    Admins can delete any token, users can only delete their own.
+    """
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info first
+    token_info = global_user_state.get_service_account_token(
+        token_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions using Casbin policy system
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'delete'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only delete your own tokens. Only admins can '
+            'delete tokens owned by other users.')
+
+    # Try to delete the service account user first to make sure there is no
+    # active resources owned by the service account.
+    service_account_user_id = token_info['service_account_user_id']
+    _delete_user(service_account_user_id)
+
+    # Delete the token
+    deleted = global_user_state.delete_service_account_token(
+        token_body.token_id)
+    if not deleted:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    return {'message': 'Token deleted successfully'}
+
+
+@router.post('/service-account-tokens/get-role')
+async def get_service_account_role(
+        request: fastapi.Request,
+        role_body: payloads.ServiceAccountTokenRoleBody) -> Dict[str, Any]:
+    """Get the role of a service account."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info to find the service account user ID
+    token_info = global_user_state.get_service_account_token(role_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions - only creator or admin can view roles
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'view'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only view roles for your own service accounts. '
+            'Only admins can view roles for service accounts owned by other '
+            'users.')
+
+    # Get service account roles
+    service_account_user_id = token_info['service_account_user_id']
+    roles = permission.permission_service.get_user_roles(
+        service_account_user_id)
+
+    return {
+        'token_id': role_body.token_id,
+        'service_account_user_id': service_account_user_id,
+        'roles': roles
+    }
+
+
+@router.post('/service-account-tokens/update-role')
+async def update_service_account_role(
+        request: fastapi.Request,
+        role_body: payloads.ServiceAccountTokenUpdateRoleBody
+) -> Dict[str, str]:
+    """Update the role of a service account."""
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info to find the service account user ID
+    token_info = global_user_state.get_service_account_token(role_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions - only creator or admin can update roles
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'update'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only update roles for your own service accounts. '
+            'Only admins can update roles for service accounts owned by other '
+            'users.')
+
+    try:
+        # Update service account role
+        service_account_user_id = token_info['service_account_user_id']
+        permission.permission_service.update_role(service_account_user_id,
+                                                  role_body.role)
+
+        return {
+            'message': f'Service account role updated to {role_body.role}',
+            'token_id': role_body.token_id,
+            'service_account_user_id': service_account_user_id,
+            'new_role': role_body.role
+        }
+    except Exception as e:  # pylint: disable=broad-except
+        logger.error(f'Failed to update service account role: {e}')
+        raise fastapi.HTTPException(
+            status_code=500, detail='Failed to update service account role')
+
+
+@router.post('/service-account-tokens/rotate')
+async def rotate_service_account_token(
+        request: fastapi.Request,
+        token_body: payloads.ServiceAccountTokenRotateBody) -> Dict[str, Any]:
+    """Rotate a service account token.
+
+    Generates a new token value for an existing service account while keeping
+    the same service account identity and roles.
+    """
+    auth_user = request.state.auth_user
+    if auth_user is None:
+        raise fastapi.HTTPException(status_code=401,
+                                    detail='Authentication required')
+
+    # Get token info
+    token_info = global_user_state.get_service_account_token(
+        token_body.token_id)
+    if token_info is None:
+        raise fastapi.HTTPException(status_code=404, detail='Token not found')
+
+    # Check permissions - same as delete permission (only creator or admin)
+    if not permission.permission_service.check_service_account_token_permission(
+            auth_user.id, token_info['creator_user_hash'], 'delete'):
+        raise fastapi.HTTPException(
+            status_code=403,
+            detail='You can only rotate your own tokens. Only admins can '
+            'rotate tokens owned by other users.')
+
+    # Validate expiration if provided (allow 0 as special value for "never
+    # expire")
+    if (token_body.expires_in_days is not None and
+            token_body.expires_in_days < 0):
+        raise fastapi.HTTPException(
+            status_code=400,
+            detail='Expiration days must be positive or 0 for never expire')
+
+    try:
+        # Use provided expiration or preserve original expiration logic
+        expires_in_days = token_body.expires_in_days
+        if expires_in_days == 0:
+            # Special value 0 means "never expire"
+            expires_in_days = None
+        elif expires_in_days is None:
+            # No expiration specified, try to preserve original expiration
+            if token_info['expires_at']:
+                current_time = time.time()
+                remaining_seconds = token_info['expires_at'] - current_time
+                if remaining_seconds > 0:
+                    expires_in_days = max(1,
+                                          int(remaining_seconds / (24 * 3600)))
+                else:
+                    # Token already expired, default to 30 days
+                    expires_in_days = 30
+
+        # Generate new JWT token with same service account user ID
+        token_data = token_service.token_service.create_token(
+            creator_user_id=token_info['creator_user_hash'],
+            service_account_user_id=token_info['service_account_user_id'],
+            token_name=token_info['token_name'],
+            expires_in_days=expires_in_days)
+
+        # Update token in database with new token hash
+        global_user_state.rotate_service_account_token(
+            token_id=token_body.token_id,
+            new_token_hash=token_data['token_hash'],
+            new_expires_at=token_data['expires_at'])
+
+        # Return the new JWT token only once (never stored in plain text)
+        return {
+            'token_id': token_body.token_id,
+            'token_name': token_info['token_name'],
+            'token': token_data['token'],  # Full JWT token with sky_ prefix
+            'expires_at': token_data['expires_at'],
+            'service_account_user_id': token_info['service_account_user_id'],
+            'message': ('Token rotated successfully! Please save this new '
+                        'token - it will not be shown again!')
+        }
+
+    except Exception as e:  # pylint: disable=broad-except
+        logger.error(f'Failed to rotate service account token: {e}')
+        raise fastapi.HTTPException(
+            status_code=500, detail='Failed to rotate service account token')