zenml-nightly 0.72.0.dev20250115__py3-none-any.whl → 0.72.0.dev20250117__py3-none-any.whl

zenml/zen_server/deploy/helm/templates/_environment.tpl

@@ -140,8 +140,58 @@ Returns:
   A dictionary with the non-secret values configured for the ZenML server.
 */}}
 {{- define "zenml.serverConfigurationAttrs" -}}
+
+{{- if .ZenML.pro.enabled }}
+deployment_type: cloud
+pro_api_url: "{{ .ZenML.pro.apiURL }}"
+pro_dashboard_url: "{{ .ZenML.pro.dashboardURL }}"
+pro_oauth2_audience: "{{ .ZenML.pro.apiURL }}"
+pro_organization_id: "{{ .ZenML.pro.organizationID }}"
+pro_tenant_id: "{{ .ZenML.pro.tenantID }}"
+{{- if .ZenML.pro.tenantName }}
+pro_tenant_name: "{{ .ZenML.pro.tenantName }}"
+{{- end }}
+{{- if .ZenML.pro.organizationName }}
+pro_organization_name: "{{ .ZenML.pro.organizationName }}"
+{{- end }}
+{{- if .ZenML.pro.extraCorsOrigins }}
+cors_allow_origins: "{{ join "," .ZenML.pro.extraCorsOrigins }}"
+{{- end }}
+{{- if .ZenML.auth.jwtTokenExpireMinutes }}
+jwt_token_expire_minutes: {{ .ZenML.auth.jwtTokenExpireMinutes | quote }}
+{{- end }}
+
+{{- else }}
+
 auth_scheme: {{ .ZenML.authType | default .ZenML.auth.authType | quote }}
 deployment_type: {{ .ZenML.deploymentType | default "kubernetes" }}
+{{- if .ZenML.auth.corsAllowOrigins }}
+cors_allow_origins: {{ join "," .ZenML.auth.corsAllowOrigins | quote }}
+{{- end }}
+{{- if .ZenML.auth.externalLoginURL }}
+external_login_url: {{ .ZenML.auth.externalLoginURL | quote }}
+{{- end }}
+{{- if .ZenML.auth.externalUserInfoURL }}
+external_user_info_url: {{ .ZenML.auth.externalUserInfoURL | quote }}
+{{- end }}
+{{- if .ZenML.auth.externalServerID }}
+external_server_id: {{ .ZenML.auth.externalServerID | quote }}
+{{- end }}
+{{- if .ZenML.auth.jwtTokenExpireMinutes }}
+jwt_token_expire_minutes: {{ .ZenML.auth.jwtTokenExpireMinutes | quote }}
+{{- end }}
+{{- if .ZenML.auth.rbacImplementationSource }}
+rbac_implementation_source: {{ .ZenML.auth.rbacImplementationSource | quote }}
+{{- end }}
+{{- if .ZenML.auth.featureGateImplementationSource }}
+feature_gate_implementation_source: {{ .ZenML.auth.featureGateImplementationSource | quote }}
+{{- end }}
+{{- if .ZenML.dashboardURL }}
+dashboard_url: {{ .ZenML.dashboardURL | quote }}
+{{- end }}
+
+{{- end }}
+
 {{- if .ZenML.threadPoolSize }}
 thread_pool_size: {{ .ZenML.threadPoolSize | quote }}
 {{- end }}
@@ -157,18 +207,12 @@ jwt_token_audience: {{ .ZenML.auth.jwtTokenAudience | quote }}
 {{- if .ZenML.auth.jwtTokenLeewaySeconds }}
 jwt_token_leeway_seconds: {{ .ZenML.auth.jwtTokenLeewaySeconds | quote }}
 {{- end }}
-{{- if .ZenML.auth.jwtTokenExpireMinutes }}
-jwt_token_expire_minutes: {{ .ZenML.auth.jwtTokenExpireMinutes | quote }}
-{{- end }}
 {{- if .ZenML.auth.authCookieName }}
 auth_cookie_name: {{ .ZenML.auth.authCookieName | quote }}
 {{- end }}
 {{- if .ZenML.auth.authCookieDomain }}
 auth_cookie_domain: {{ .ZenML.auth.authCookieDomain | quote }}
 {{- end }}
-{{- if .ZenML.auth.corsAllowOrigins }}
-cors_allow_origins: {{ join "," .ZenML.auth.corsAllowOrigins | quote }}
-{{- end }}
 {{- if .ZenML.auth.maxFailedDeviceAuthAttempts }}
 max_failed_device_auth_attempts: {{ .ZenML.auth.maxFailedDeviceAuthAttempts | quote }}
 {{- end }}
@@ -184,30 +228,12 @@ device_expiration_minutes: {{ .ZenML.auth.deviceExpirationMinutes | quote }}
 {{- if .ZenML.auth.trustedDeviceExpirationMinutes }}
 trusted_device_expiration_minutes: {{ .ZenML.auth.trustedDeviceExpirationMinutes | quote }}
 {{- end }}
-{{- if .ZenML.auth.externalLoginURL }}
-external_login_url: {{ .ZenML.auth.externalLoginURL | quote }}
-{{- end }}
-{{- if .ZenML.auth.externalUserInfoURL }}
-external_user_info_url: {{ .ZenML.auth.externalUserInfoURL | quote }}
-{{- end }}
-{{- if .ZenML.auth.externalCookieName }}
-external_cookie_name: {{ .ZenML.auth.externalCookieName | quote }}
-{{- end }}
-{{- if .ZenML.auth.externalServerID }}
-external_server_id: {{ .ZenML.auth.externalServerID | quote }}
-{{- end }}
 {{- if .ZenML.rootUrlPath }}
 root_url_path: {{ .ZenML.rootUrlPath | quote }}
 {{- end }}
 {{- if .ZenML.serverURL }}
 server_url: {{ .ZenML.serverURL | quote }}
 {{- end }}
-{{- if .ZenML.dashboardURL }}
-dashboard_url: {{ .ZenML.dashboardURL | quote }}
-{{- end }}
-{{- if .ZenML.auth.rbacImplementationSource }}
-rbac_implementation_source: {{ .ZenML.auth.rbacImplementationSource | quote }}
-{{- end }}
 {{- range $key, $value := .ZenML.secure_headers }}
 secure_headers_{{ $key }}: {{ $value | quote }}
 {{- end }}

zenml/zen_server/deploy/helm/templates/server-secret.yaml

@@ -10,6 +10,17 @@ data:
   {{- else }}
   ZENML_SERVER_JWT_SECRET_KEY: {{ $prevServerSecret.data.ZENML_SERVER_JWT_SECRET_KEY | default (randAlphaNum 32 | b64enc | quote) }}
   {{- end }}
+  
+  {{- if .Values.zenml.pro.enabled }}
+  {{- if .Values.zenml.pro.enrollmentKey }}
+  ZENML_SERVER_PRO_OAUTH2_CLIENT_SECRET: {{ .Values.zenml.pro.enrollmentKey | b64enc | quote }}
+  {{- else if or .Release.IsInstall (not $prevServerSecret) }}
+  ZENML_SERVER_PRO_OAUTH2_CLIENT_SECRET: {{ randAlphaNum 64 | b64enc | quote }}
+  {{- else }}
+  ZENML_SERVER_PRO_OAUTH2_CLIENT_SECRET: {{ $prevServerSecret.data.ZENML_SERVER_PRO_OAUTH2_CLIENT_SECRET | default (randAlphaNum 64 | b64enc | quote) }}
+  {{- end }}
+  {{- end }}
+
   {{- range $k, $v := include "zenml.storeSecretEnvVariables" . | fromYaml}}
   {{ $k }}: {{ $v | b64enc | quote }}
   {{- end }}

zenml/zen_server/deploy/helm/values.yaml

@@ -27,8 +27,43 @@ zenml:
     # Overrides the image tag whose default is the chart appVersion.
     tag:
 
+  # ZenML Pro related options.
+  pro:
+    # Set `enabled` to true to enable ZenML Pro servers. If set, some of the
+    # configuration options in the `zenml` section will be overridden with
+    # values specific to ZenML Pro servers computed from the values set in the
+    # `pro` section.
+    enabled: false
+
+    # The URL where the ZenML Pro server API is reachable
+    apiURL: https://cloudapi.zenml.io
+
+    # The URL where the ZenML Pro dashboard is reachable.
+    dashboardURL: https://cloud.zenml.io
+
+    # Additional origins to allow in the CORS policy.
+    extraCorsOrigins:
+
+    # The ID of the ZenML Pro tenant to use.
+    tenantID:
+
+    # The name of the ZenML Pro tenant to use.
+    tenantName:
+
+    # The ID of the ZenML Pro organization to use.
+    organizationID:
+
+    # The name of the ZenML Pro organization to use.
+    organizationName:
+
+    # The enrollment key to use for the ZenML Pro tenant. If not specified,
+    # an enrollment key will be auto-generated.
+    enrollmentKey:
+
   # The URL where the ZenML server API is reachable. If not specified, the
   # clients will use the same URL used to connect them to the ZenML server.
+  #
+  # IMPORTANT: this value must be set for ZenML Pro servers.
   serverURL:
 
   # The URL where the ZenML dashboard is reachable.
@@ -39,6 +74,8 @@ zenml:
   # This is value is used to compute the dashboard URLs during the web login
   # authentication workflow, to print dashboard URLs in log messages when
   # running a pipeline and for other similar tasks.
+  #
+  # This value is overridden if the `zenml.pro.enabled` value is set.
   dashboardURL:
 
   debug: true
@@ -48,6 +85,8 @@ zenml:
 
   # ZenML server deployment type. This field is used for telemetry purposes.
   # Example values are "local", "kubernetes", "aws", "gcp", "azure".
+  #
+  # This value is overridden if the `zenml.pro.enabled` value is set.
   deploymentType:
 
   # Authentication settings that control how the ZenML server authenticates
@@ -60,6 +99,8 @@ zenml:
     # HTTP_BASIC - HTTP Basic authentication
     # OAUTH2_PASSWORD_BEARER - OAuth2 password bearer
     # EXTERNAL - External authentication (e.g. via a remote authenticator)
+    #
+    # This value is overridden if the `zenml.pro.enabled` value is set.
     authType: OAUTH2_PASSWORD_BEARER
 
     # The secret key used to sign JWT tokens. This should be set to
@@ -91,7 +132,6 @@ zenml:
     # ZenML Server ID.
     jwtTokenIssuer:
 
-
     # The audience of the JWT tokens. If not specified, the audience is set to
     # the ZenML Server ID.
     jwtTokenAudience:
@@ -102,6 +142,8 @@ zenml:
 
     # The expiration time of JWT tokens in minutes. If not specified, generated
     # JWT tokens will not be set to expire.
+    #
+    # This value is automatically set if the `zenml.pro.enabled` value is set.
     jwtTokenExpireMinutes: 
 
     # The name of the http-only cookie used to store the JWT tokens used to
@@ -117,20 +159,31 @@ zenml:
     # The origins allowed to make cross-origin requests to the ZenML server. If
     # not specified, all origins are allowed. Set this when the ZenML dashboard
     # is hosted on a different domain than the ZenML server.
+    #
+    # This value is overridden if the `zenml.pro.enabled` value is set.
     corsAllowOrigins:
       - "*"
 
     # The maximum number of failed authentication attempts allowed for an OAuth
     # 2.0 device before the device is locked.
+    #
+    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
+    # `NO_AUTH`.
     maxFailedDeviceAuthAttempts: 3
 
     # The timeout in seconds after which a pending OAuth 2.0 device
     # authorization request expires.
+    #
+    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
+    # `NO_AUTH`.
     deviceAuthTimeout: 300
 
     # The polling interval in seconds used by clients to poll the OAuth 2.0
     # device authorization endpoint for the status of a pending device
     # authorization request.
+    #
+    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
+    # `NO_AUTH`.
     deviceAuthPollingInterval: 5
 
     # The time in minutes that an OAuth 2.0 device is allowed to be used to
@@ -139,6 +192,9 @@ zenml:
     # be used indefinitely. This controls the expiration time of the JWT tokens
     # issued to clients after they have authenticated with the ZenML server
     # using an OAuth 2.0 device.
+    #
+    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
+    # `NO_AUTH`.
     deviceExpirationMinutes:
 
     # The time in minutes that a trusted OAuth 2.0 device is allowed to be used
@@ -147,33 +203,46 @@ zenml:
     # be used indefinitely. This controls the expiration time of the JWT tokens
     # issued to clients after they have authenticated with the ZenML server
     # using an OAuth 2.0 device that was previously trusted by the user.
+    #
+    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
+    # `NO_AUTH`.
     trustedDeviceExpirationMinutes:
 
     # The login URL of an external authenticator service to use with the
     # `EXTERNAL` authentication scheme. Only relevant if `zenml.auth.authType`
     # is set to `EXTERNAL`.
+    #
+    # This value is overridden if the `zenml.pro.enabled` value is set.
     externalLoginURL:
 
     # The user info URL of an external authenticator service to use with the
     # `EXTERNAL` authentication scheme. Only relevant if `zenml.auth.authType`
     # is set to `EXTERNAL`.
+    #
+    # This value is overridden if the `zenml.pro.enabled` value is set.
     externalUserInfoURL:
 
-    # The name of the http-only cookie used to store the bearer token used to
-    # authenticate with the external authenticator service. Only relevant if
-    # `zenml.auth.authType` is set to `EXTERNAL`.
-    externalCookieName:
-
     # The UUID of the ZenML server to use with the `EXTERNAL` authentication
     # scheme. If not specified, the regular ZenML server ID (deployment ID) is
     # used.
+    #
+    # This value is overridden if the `zenml.pro.enabled` value is set.
     externalServerID:
 
     # Source pointing to a class implementing the RBAC interface defined by
-    # `zenml.zen_server.rbac_interface.RBACInterface`. If not specified,
+    # `zenml.zen_server.rbac.rbac_interface.RBACInterface`. If not specified,
     # RBAC will not be enabled for this server.
+    #
+    # This value is overridden if the `zenml.pro.enabled` value is set.
     rbacImplementationSource:
 
+    # Source pointing to a class implementing the feature gate interface defined
+    # by `zenml.zen_server.feature_gate.feature_gate_interface.FeatureGateInterface`.
+    # If not specified, feature gating will not be enabled for this server.
+    #
+    # This value is overridden if the `zenml.pro.enabled` value is set.
+    featureGateImplementationSource:
+
   # The root URL path to use when behind a proxy. This is useful when the
   # `rewrite-target` annotation is used in the ingress controller, e.g.:
   #

zenml/zen_server/feature_gate/feature_gate_interface.py

@@ -20,7 +20,7 @@ from zenml.zen_server.rbac.models import ResourceType
 
 
 class FeatureGateInterface(ABC):
-    """RBAC interface definition."""
+    """Feature gate interface definition."""
 
     @abstractmethod
     def check_entitlement(self, resource: ResourceType) -> None:

zenml/zen_server/jwt.py

@@ -11,7 +11,7 @@
 #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 #  or implied. See the License for the specific language governing
 #  permissions and limitations under the License.
-"""Authentication module for ZenML server."""
+"""JWT utilities module for ZenML server."""
 
 from datetime import datetime, timedelta
 from typing import (
@@ -45,6 +45,7 @@ class JWTToken(BaseModel):
             issued.
         step_run_id: The id of the step run for which the token was
             issued.
+        session_id: The id of the authenticated session (used for CSRF).
         claims: The original token claims.
     """
 
@@ -54,6 +55,7 @@ class JWTToken(BaseModel):
     schedule_id: Optional[UUID] = None
     pipeline_run_id: Optional[UUID] = None
     step_run_id: Optional[UUID] = None
+    session_id: Optional[UUID] = None
     claims: Dict[str, Any] = {}
 
     @classmethod
@@ -156,6 +158,16 @@ class JWTToken(BaseModel):
                     "UUID"
                 )
 
+        session_id: Optional[UUID] = None
+        if "session_id" in claims:
+            try:
+                session_id = UUID(claims.pop("session_id"))
+            except ValueError:
+                raise CredentialsNotValid(
+                    "Invalid JWT token: the session_id claim is not a valid "
+                    "UUID"
+                )
+
         return JWTToken(
             user_id=user_id,
             device_id=device_id,
@@ -163,6 +175,7 @@ class JWTToken(BaseModel):
             schedule_id=schedule_id,
             pipeline_run_id=pipeline_run_id,
             step_run_id=step_run_id,
+            session_id=session_id,
             claims=claims,
         )
 
@@ -201,6 +214,8 @@ class JWTToken(BaseModel):
             claims["pipeline_run_id"] = str(self.pipeline_run_id)
         if self.step_run_id:
             claims["step_run_id"] = str(self.step_run_id)
+        if self.session_id:
+            claims["session_id"] = str(self.session_id)
 
         return jwt.encode(
             claims,

zenml/zen_server/rbac/endpoint_utils.py

@@ -19,7 +19,6 @@ from uuid import UUID
 from pydantic import BaseModel
 
 from zenml.constants import (
-    REPORTABLE_RESOURCES,
     REQUIRES_CUSTOM_RESOURCE_REPORTING,
 )
 from zenml.exceptions import IllegalOperationError
@@ -43,6 +42,7 @@ from zenml.zen_server.rbac.utils import (
     verify_permission,
     verify_permission_for_model,
 )
+from zenml.zen_server.utils import server_config
 
 AnyRequest = TypeVar("AnyRequest", bound=BaseRequest)
 AnyResponse = TypeVar("AnyResponse", bound=BaseIdentifiedResponse)  # type: ignore[type-arg]
@@ -82,7 +82,7 @@ def verify_permissions_and_create_entity(
     verify_permission(resource_type=resource_type, action=Action.CREATE)
 
     needs_usage_increment = (
-        resource_type in REPORTABLE_RESOURCES
+        resource_type in server_config().reportable_resources
         and resource_type not in REQUIRES_CUSTOM_RESOURCE_REPORTING
     )
     if needs_usage_increment:
@@ -129,7 +129,7 @@ def verify_permissions_and_batch_create_entity(
 
     verify_permission(resource_type=resource_type, action=Action.CREATE)
 
-    if resource_type in REPORTABLE_RESOURCES:
+    if resource_type in server_config().reportable_resources:
         raise RuntimeError(
             "Batch requests are currently not possible with usage-tracked features."
         )

zenml/zen_server/routers/auth_endpoints.py

@@ -175,6 +175,12 @@ class OAuthLoginRequestForm:
             self.username = username
             self.password = password or ""
         elif self.grant_type == OAuthGrantTypes.OAUTH_DEVICE_CODE:
+            if config.auth_scheme in [AuthScheme.NO_AUTH, AuthScheme.EXTERNAL]:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Device authorization is not supported.",
+                )
+
             if not device_code or not client_id:
                 logger.info("Request with missing device code or client ID")
                 raise HTTPException(
@@ -237,6 +243,8 @@ def token(
         ValueError: If the grant type is invalid.
     """
     config = server_config()
+    cookie_response: Optional[Response] = response
+
     if auth_form_data.grant_type == OAuthGrantTypes.OAUTH_PASSWORD:
         auth_context = authenticate_credentials(
             user_name_or_id=auth_form_data.username,
@@ -248,38 +256,34 @@ def token(
             client_id=auth_form_data.client_id,
             device_code=auth_form_data.device_code,
         )
+        # API tokens for authorized device are only meant for non-web clients
+        # and should not be stored as cookies
+        cookie_response = None
+
     elif auth_form_data.grant_type == OAuthGrantTypes.ZENML_API_KEY:
         auth_context = authenticate_api_key(
             api_key=auth_form_data.api_key,
         )
+        # API tokens for API keys are only meant for non-web clients
+        # and should not be stored as cookies
+        cookie_response = None
 
     elif auth_form_data.grant_type == OAuthGrantTypes.ZENML_EXTERNAL:
-        assert config.external_cookie_name is not None
         assert config.external_login_url is not None
 
         authorization_url = config.external_login_url
 
-        # First, try to get the external access token from the external cookie
-        external_access_token = request.cookies.get(
-            config.external_cookie_name
-        )
-        if not external_access_token:
-            # Next, try to get the external access token from the authorization
-            # header
-            authorization_header = request.headers.get("Authorization")
-            if authorization_header:
-                scheme, _, token = authorization_header.partition(" ")
-                if token and scheme.lower() == "bearer":
-                    external_access_token = token
-                    logger.info(
-                        "External access token found in authorization header."
-                    )
-        else:
-            logger.info("External access token found in cookie.")
+        # Try to get the external session token or authorization token from the
+        # authorization header
+        authorization_header = request.headers.get("Authorization")
+        if authorization_header:
+            scheme, _, token = authorization_header.partition(" ")
+            if token and scheme.lower() == "bearer":
+                external_access_token = token
 
-        if not external_access_token:
+        if not authorization_header:
             logger.info(
-                "External access token not found. Redirecting to "
+                "External session or authorization token not found. Redirecting to "
                 "external authenticator."
             )
 
@@ -291,13 +295,18 @@ def token(
             request=request,
         )
 
+        # TODO: no easy way to detect which type of client issued this request
+        # (web or non-web) in order to decide whether to store the access token
+        # as a cookie in the response or not. For now, we always assume a web
+        # client.
     else:
         # Shouldn't happen, because we verify all grants in the form data
         raise ValueError("Invalid grant type.")
 
     return generate_access_token(
         user_id=auth_context.user.id,
-        response=response,
+        response=cookie_response,
+        request=request,
         device=auth_context.device,
         api_key=auth_context.api_key,
     )
@@ -351,8 +360,18 @@ def device_authorization(
 
     Returns:
         The device authorization response.
+
+    Raises:
+        HTTPException: If the device authorization is not supported.
     """
     config = server_config()
+
+    if config.auth_scheme in [AuthScheme.NO_AUTH, AuthScheme.EXTERNAL]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Device authorization is not supported.",
+        )
+
     store = zen_store()
 
     try:
@@ -521,6 +540,8 @@ def api_token(
         return generate_access_token(
             user_id=token.user_id,
             expires_in=expires_in,
+            # Don't include the access token as a cookie in the response
+            response=None,
         ).access_token
 
     verify_permission(
@@ -621,6 +642,8 @@ def api_token(
         schedule_id=schedule_id,
         pipeline_run_id=pipeline_run_id,
         step_run_id=step_run_id,
+        # Don't include the access token as a cookie in the response
+        response=None,
         # Never expire the token
         expires_in=0,
     ).access_token

zenml/zen_server/routers/models_endpoints.py

@@ -22,7 +22,6 @@ from zenml.constants import (
     API,
     MODEL_VERSIONS,
     MODELS,
-    REPORTABLE_RESOURCES,
     VERSION_1,
 )
 from zenml.models import (
@@ -170,7 +169,7 @@ def delete_model(
     )
 
     if server_config().feature_gate_enabled:
-        if ResourceType.MODEL in REPORTABLE_RESOURCES:
+        if ResourceType.MODEL in server_config().reportable_resources:
             report_decrement(ResourceType.MODEL, resource_id=model.id)
 
 

zenml/zen_server/routers/pipelines_endpoints.py

@@ -20,7 +20,6 @@ from fastapi import APIRouter, Depends, Security
 from zenml.constants import (
     API,
     PIPELINES,
-    REPORTABLE_RESOURCES,
     RUNS,
     VERSION_1,
 )
@@ -45,6 +44,7 @@ from zenml.zen_server.rbac.models import ResourceType
 from zenml.zen_server.utils import (
     handle_exceptions,
     make_dependable,
+    server_config,
     zen_store,
 )
 
@@ -159,7 +159,7 @@ def delete_pipeline(
     )
 
     should_decrement = (
-        ResourceType.PIPELINE in REPORTABLE_RESOURCES
+        ResourceType.PIPELINE in server_config().reportable_resources
         and zen_store().count_pipelines(PipelineFilter(name=pipeline.name))
         == 0
     )

zenml/zen_server/routers/stack_deployment_endpoints.py

@@ -34,7 +34,7 @@ from zenml.models import (
     StackDeploymentInfo,
 )
 from zenml.stack_deployments.utils import get_stack_deployment_class
-from zenml.zen_server.auth import AuthContext, authorize
+from zenml.zen_server.auth import AuthContext, authorize, generate_access_token
 from zenml.zen_server.exceptions import error_response
 from zenml.zen_server.rbac.models import Action, ResourceType
 from zenml.zen_server.rbac.utils import verify_permission
@@ -114,10 +114,10 @@ def get_stack_deployment_config(
     assert token is not None
 
     # A new API token is generated for the stack deployment
-    expires = datetime.datetime.utcnow() + datetime.timedelta(
-        minutes=STACK_DEPLOYMENT_API_TOKEN_EXPIRATION
-    )
-    api_token = token.encode(expires=expires)
+    api_token = generate_access_token(
+        user_id=token.user_id,
+        expires_in=STACK_DEPLOYMENT_API_TOKEN_EXPIRATION * 60,
+    ).access_token
 
     return stack_deployment_class(
         terraform=terraform,

zenml/zen_server/routers/workspaces_endpoints.py

@@ -27,7 +27,6 @@ from zenml.constants import (
     PIPELINE_BUILDS,
     PIPELINE_DEPLOYMENTS,
     PIPELINES,
-    REPORTABLE_RESOURCES,
     RUN_METADATA,
     RUN_TEMPLATES,
     RUNS,
@@ -112,6 +111,7 @@ from zenml.zen_server.rbac.utils import (
 from zenml.zen_server.utils import (
     handle_exceptions,
     make_dependable,
+    server_config,
     zen_store,
 )
 
@@ -524,7 +524,7 @@ def create_pipeline(
 
     # We limit pipeline namespaces, not pipeline versions
     needs_usage_increment = (
-        ResourceType.PIPELINE in REPORTABLE_RESOURCES
+        ResourceType.PIPELINE in server_config().reportable_resources
         and zen_store().count_pipelines(PipelineFilter(name=pipeline.name))
         == 0
     )