PyPI - zenml-nightly - Versions diffs - 0.75.0.dev20250312__py3-none-any.whl → 0.75.0.dev20250313__py3-none-any.whl - Mend

zenml-nightly 0.75.0.dev20250312py3-none-any.whl → 0.75.0.dev20250313py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

zenml/VERSION +1 -1
zenml/__init__.py +2 -0
zenml/analytics/context.py +7 -0
zenml/artifacts/utils.py +0 -2
zenml/cli/login.py +6 -0
zenml/cli/model.py +7 -15
zenml/cli/secret.py +47 -44
zenml/cli/service_connectors.py +0 -1
zenml/cli/stack.py +0 -1
zenml/cli/tag.py +3 -5
zenml/cli/utils.py +25 -23
zenml/cli/workspace.py +79 -5
zenml/client.py +615 -348
zenml/config/global_config.py +16 -3
zenml/config/pipeline_configurations.py +3 -2
zenml/config/pipeline_run_configuration.py +2 -1
zenml/config/secret_reference_mixin.py +1 -1
zenml/constants.py +1 -3
zenml/enums.py +0 -7
zenml/event_hub/event_hub.py +3 -1
zenml/exceptions.py +0 -24
zenml/integrations/aws/orchestrators/sagemaker_orchestrator.py +5 -3
zenml/integrations/bitbucket/plugins/event_sources/bitbucket_webhook_event_source.py +1 -4
zenml/integrations/github/plugins/event_sources/github_webhook_event_source.py +1 -4
zenml/integrations/mlflow/steps/mlflow_registry.py +1 -1
zenml/integrations/seldon/model_deployers/seldon_model_deployer.py +1 -1
zenml/integrations/wandb/flavors/wandb_experiment_tracker_flavor.py +3 -3
zenml/model/model.py +8 -8
zenml/models/__init__.py +18 -1
zenml/models/v2/base/base.py +0 -5
zenml/models/v2/base/filter.py +1 -1
zenml/models/v2/base/scoped.py +104 -121
zenml/models/v2/core/api_key.py +1 -1
zenml/models/v2/core/artifact.py +31 -18
zenml/models/v2/core/artifact_version.py +42 -25
zenml/models/v2/core/component.py +22 -33
zenml/models/v2/core/device.py +3 -2
zenml/models/v2/core/event_source.py +2 -2
zenml/models/v2/core/flavor.py +19 -47
zenml/models/v2/core/logs.py +1 -2
zenml/models/v2/core/model.py +7 -4
zenml/models/v2/core/model_version.py +36 -27
zenml/models/v2/core/pipeline.py +1 -1
zenml/models/v2/core/pipeline_run.py +5 -13
zenml/models/v2/core/run_template.py +1 -2
zenml/models/v2/core/schedule.py +0 -9
zenml/models/v2/core/secret.py +93 -127
zenml/models/v2/core/server_settings.py +2 -2
zenml/models/v2/core/service.py +43 -12
zenml/models/v2/core/service_connector.py +14 -16
zenml/models/v2/core/stack.py +24 -26
zenml/models/v2/core/step_run.py +3 -15
zenml/models/v2/core/tag.py +41 -15
zenml/models/v2/core/user.py +19 -2
zenml/models/v2/misc/statistics.py +45 -0
zenml/models/v2/misc/tag.py +27 -0
zenml/orchestrators/cache_utils.py +1 -1
zenml/orchestrators/input_utils.py +1 -0
zenml/orchestrators/step_launcher.py +0 -1
zenml/orchestrators/step_run_utils.py +0 -2
zenml/orchestrators/step_runner.py +10 -1
zenml/pipelines/build_utils.py +0 -2
zenml/pipelines/pipeline_decorator.py +3 -2
zenml/pipelines/pipeline_definition.py +4 -5
zenml/pipelines/run_utils.py +3 -3
zenml/service_connectors/service_connector.py +0 -7
zenml/service_connectors/service_connector_utils.py +0 -1
zenml/stack/authentication_mixin.py +1 -1
zenml/stack/flavor.py +3 -14
zenml/stack/stack_component.py +1 -5
zenml/steps/step_context.py +19 -0
zenml/utils/string_utils.py +1 -1
zenml/utils/tag_utils.py +642 -0
zenml/zen_server/cloud_utils.py +21 -0
zenml/zen_server/exceptions.py +0 -6
zenml/zen_server/rbac/endpoint_utils.py +134 -46
zenml/zen_server/rbac/models.py +65 -3
zenml/zen_server/rbac/rbac_interface.py +9 -0
zenml/zen_server/rbac/rbac_sql_zen_store.py +15 -7
zenml/zen_server/rbac/utils.py +156 -29
zenml/zen_server/rbac/zenml_cloud_rbac.py +43 -11
zenml/zen_server/routers/actions_endpoints.py +3 -5
zenml/zen_server/routers/artifact_endpoint.py +0 -5
zenml/zen_server/routers/artifact_version_endpoints.py +15 -9
zenml/zen_server/routers/auth_endpoints.py +22 -7
zenml/zen_server/routers/code_repositories_endpoints.py +56 -3
zenml/zen_server/routers/devices_endpoints.py +0 -4
zenml/zen_server/routers/event_source_endpoints.py +0 -5
zenml/zen_server/routers/flavors_endpoints.py +0 -5
zenml/zen_server/routers/logs_endpoints.py +0 -1
zenml/zen_server/routers/model_versions_endpoints.py +102 -23
zenml/zen_server/routers/models_endpoints.py +51 -68
zenml/zen_server/routers/pipeline_builds_endpoints.py +58 -4
zenml/zen_server/routers/pipeline_deployments_endpoints.py +58 -4
zenml/zen_server/routers/pipelines_endpoints.py +73 -4
zenml/zen_server/routers/plugin_endpoints.py +0 -1
zenml/zen_server/routers/run_metadata_endpoints.py +99 -0
zenml/zen_server/routers/run_templates_endpoints.py +66 -3
zenml/zen_server/routers/runs_endpoints.py +60 -8
zenml/zen_server/routers/schedule_endpoints.py +69 -6
zenml/zen_server/routers/secrets_endpoints.py +40 -4
zenml/zen_server/routers/server_endpoints.py +53 -1
zenml/zen_server/routers/service_accounts_endpoints.py +14 -15
zenml/zen_server/routers/service_connectors_endpoints.py +96 -14
zenml/zen_server/routers/service_endpoints.py +20 -7
zenml/zen_server/routers/stack_components_endpoints.py +68 -7
zenml/zen_server/routers/stacks_endpoints.py +98 -7
zenml/zen_server/routers/steps_endpoints.py +17 -11
zenml/zen_server/routers/tag_resource_endpoints.py +115 -0
zenml/zen_server/routers/tags_endpoints.py +6 -17
zenml/zen_server/routers/triggers_endpoints.py +5 -8
zenml/zen_server/routers/users_endpoints.py +47 -12
zenml/zen_server/routers/workspaces_endpoints.py +56 -1285
zenml/zen_server/template_execution/utils.py +5 -4
zenml/zen_server/utils.py +21 -0
zenml/zen_server/zen_server_api.py +4 -0
zenml/zen_stores/base_zen_store.py +29 -44
zenml/zen_stores/migrations/versions/1cb6477f72d6_move_artifact_save_type.py +20 -10
zenml/zen_stores/migrations/versions/1f9d1cd00b90_add_unique_name_constraints.py +231 -0
zenml/zen_stores/migrations/versions/288f4fb6e112_make_tags_user_scoped.py +74 -0
zenml/zen_stores/migrations/versions/2e695a26fe7a_add_user_default_workspace.py +45 -0
zenml/zen_stores/migrations/versions/3b1776345020_remove_workspace_from_globals.py +81 -0
zenml/zen_stores/migrations/versions/41b28cae31ce_make_artifacts_workspace_scoped.py +136 -0
zenml/zen_stores/migrations/versions/9e7bf0970266_adding_exclusive_attribute_to_tags.py +47 -0
zenml/zen_stores/migrations/versions/b557b2871693_update_step_run_input_types.py +8 -4
zenml/zen_stores/migrations/versions/cc269488e5a9_separate_run_metadata.py +12 -6
zenml/zen_stores/migrations/versions/f1d723fd723b_add_secret_private_attr.py +61 -0
zenml/zen_stores/migrations/versions/f76a368a25a5_add_stack_description.py +35 -0
zenml/zen_stores/rest_zen_store.py +172 -171
zenml/zen_stores/schemas/action_schemas.py +8 -1
zenml/zen_stores/schemas/api_key_schemas.py +8 -1
zenml/zen_stores/schemas/artifact_schemas.py +28 -1
zenml/zen_stores/schemas/code_repository_schemas.py +8 -1
zenml/zen_stores/schemas/component_schemas.py +9 -14
zenml/zen_stores/schemas/event_source_schemas.py +8 -1
zenml/zen_stores/schemas/flavor_schemas.py +14 -20
zenml/zen_stores/schemas/model_schemas.py +3 -0
zenml/zen_stores/schemas/pipeline_deployment_schemas.py +3 -1
zenml/zen_stores/schemas/pipeline_run_schemas.py +0 -3
zenml/zen_stores/schemas/run_template_schemas.py +8 -4
zenml/zen_stores/schemas/schedule_schema.py +9 -14
zenml/zen_stores/schemas/secret_schemas.py +15 -25
zenml/zen_stores/schemas/service_connector_schemas.py +8 -17
zenml/zen_stores/schemas/service_schemas.py +0 -1
zenml/zen_stores/schemas/stack_schemas.py +12 -15
zenml/zen_stores/schemas/step_run_schemas.py +7 -8
zenml/zen_stores/schemas/tag_schemas.py +30 -2
zenml/zen_stores/schemas/trigger_schemas.py +8 -1
zenml/zen_stores/schemas/user_schemas.py +24 -2
zenml/zen_stores/schemas/utils.py +16 -0
zenml/zen_stores/schemas/workspace_schemas.py +7 -25
zenml/zen_stores/secrets_stores/service_connector_secrets_store.py +0 -3
zenml/zen_stores/sql_zen_store.py +2905 -2280
zenml/zen_stores/template_utils.py +1 -1
zenml/zen_stores/zen_store_interface.py +82 -58
{zenml_nightly-0.75.0.dev20250312.dist-info → zenml_nightly-0.75.0.dev20250313.dist-info}/METADATA +1 -1
{zenml_nightly-0.75.0.dev20250312.dist-info → zenml_nightly-0.75.0.dev20250313.dist-info}/RECORD +160 -147
{zenml_nightly-0.75.0.dev20250312.dist-info → zenml_nightly-0.75.0.dev20250313.dist-info}/LICENSE +0 -0
{zenml_nightly-0.75.0.dev20250312.dist-info → zenml_nightly-0.75.0.dev20250313.dist-info}/WHEEL +0 -0
{zenml_nightly-0.75.0.dev20250312.dist-info → zenml_nightly-0.75.0.dev20250313.dist-info}/entry_points.txt +0 -0

zenml/zen_server/rbac/endpoint_utils.py CHANGED Viewed

@@ -13,21 +13,17 @@
 #  permissions and limitations under the License.
 """High-level helper functions to write endpoints with RBAC."""
-from typing import Any, Callable, List, TypeVar, Union
+from typing import Any, Callable, List, Optional, Tuple, TypeVar, Union
 from uuid import UUID
-from pydantic import BaseModel
-from zenml.constants import (
-    REQUIRES_CUSTOM_RESOURCE_REPORTING,
-)
-from zenml.exceptions import IllegalOperationError
 from zenml.models import (
     BaseFilter,
     BaseIdentifiedResponse,
     BaseRequest,
+    BaseUpdate,
     Page,
     UserScopedRequest,
+    WorkspaceScopedFilter,
 )
 from zenml.zen_server.auth import get_auth_context
 from zenml.zen_server.feature_gate.endpoint_utils import (
@@ -36,36 +32,42 @@ from zenml.zen_server.feature_gate.endpoint_utils import (
 )
 from zenml.zen_server.rbac.models import Action, ResourceType
 from zenml.zen_server.rbac.utils import (
+    batch_verify_permissions_for_models,
     dehydrate_page,
     dehydrate_response_model,
+    dehydrate_response_model_batch,
+    delete_model_resource,
     get_allowed_resource_ids,
+    get_resource_type_for_model,
     verify_permission,
     verify_permission_for_model,
 )
-from zenml.zen_server.utils import server_config
+from zenml.zen_server.utils import server_config, set_filter_workspace_scope
 AnyRequest = TypeVar("AnyRequest", bound=BaseRequest)
 AnyResponse = TypeVar("AnyResponse", bound=BaseIdentifiedResponse)  # type: ignore[type-arg]
+AnyOtherResponse = TypeVar("AnyOtherResponse", bound=BaseIdentifiedResponse)  # type: ignore[type-arg]
 AnyFilter = TypeVar("AnyFilter", bound=BaseFilter)
-AnyUpdate = TypeVar("AnyUpdate", bound=BaseModel)
+AnyUpdate = TypeVar("AnyUpdate", bound=BaseUpdate)
 UUIDOrStr = TypeVar("UUIDOrStr", UUID, Union[UUID, str])
 def verify_permissions_and_create_entity(
     request_model: AnyRequest,
-    resource_type: ResourceType,
     create_method: Callable[[AnyRequest], AnyResponse],
+    surrogate_models: Optional[List[AnyOtherResponse]] = None,
+    skip_entitlements: bool = False,
 ) -> AnyResponse:
     """Verify permissions and create the entity if authorized.
     Args:
         request_model: The entity request model.
-        resource_type: The resource type of the entity to create.
         create_method: The method to create the entity.
-    Raises:
-        IllegalOperationError: If the request model has a different owner then
-            the currently authenticated user.
+        surrogate_models: Optional list of surrogate models to verify
+            UPDATE permissions for instead of verifying CREATE permissions for
+            the request model.
+        skip_entitlements: Whether to skip the entitlement check and usage
+            increment.
     Returns:
         A model of the created entity.
@@ -74,43 +76,47 @@ def verify_permissions_and_create_entity(
         auth_context = get_auth_context()
         assert auth_context
-        if request_model.user != auth_context.user.id:
-            raise IllegalOperationError(
-                f"Not allowed to create resource '{resource_type}' for a "
-                "different user."
-            )
-    verify_permission(resource_type=resource_type, action=Action.CREATE)
+        # Ignore the user field set in the request model, if any, and set it to
+        # the current user's ID instead. This is just a precaution, given that
+        # the SQLZenStore also does this same validation on all request models.
+        request_model.user = auth_context.user.id
-    needs_usage_increment = (
-        resource_type in server_config().reportable_resources
-        and resource_type not in REQUIRES_CUSTOM_RESOURCE_REPORTING
-    )
-    if needs_usage_increment:
-        check_entitlement(resource_type)
+    if surrogate_models:
+        batch_verify_permissions_for_models(
+            models=surrogate_models, action=Action.UPDATE
+        )
+    else:
+        verify_permission_for_model(model=request_model, action=Action.CREATE)
+    resource_type = get_resource_type_for_model(request_model)
+    if resource_type:
+        needs_usage_increment = (
+            not skip_entitlements
+            and resource_type in server_config().reportable_resources
+        )
+        if needs_usage_increment:
+            check_entitlement(resource_type)
     created = create_method(request_model)
-    if needs_usage_increment:
+    if resource_type and needs_usage_increment:
         report_usage(resource_type, resource_id=created.id)
-    return created
+    return dehydrate_response_model(created)
 def verify_permissions_and_batch_create_entity(
     batch: List[AnyRequest],
-    resource_type: ResourceType,
     create_method: Callable[[List[AnyRequest]], List[AnyResponse]],
 ) -> List[AnyResponse]:
     """Verify permissions and create a batch of entities if authorized.
     Args:
         batch: The batch to create.
-        resource_type: The resource type of the entities to create.
         create_method: The method to create the entities.
     Raises:
-        IllegalOperationError: If the request model has a different owner then
-            the currently authenticated user.
         RuntimeError: If the resource type is usage-tracked.
     Returns:
@@ -119,23 +125,73 @@ def verify_permissions_and_batch_create_entity(
     auth_context = get_auth_context()
     assert auth_context
+    resource_types = set()
     for request_model in batch:
+        resource_type = get_resource_type_for_model(request_model)
+        if resource_type:
+            resource_types.add(resource_type)
         if isinstance(request_model, UserScopedRequest):
-            if request_model.user != auth_context.user.id:
-                raise IllegalOperationError(
-                    f"Not allowed to create resource '{resource_type}' for a "
-                    "different user."
-                )
+            # Ignore the user field set in the request model, if any, and set it
+            # to the current user's ID instead. This is just a precaution, given
+            # that the SQLZenStore also does this same validation on all request
+            # models.
+            request_model.user = auth_context.user.id
-    verify_permission(resource_type=resource_type, action=Action.CREATE)
+    batch_verify_permissions_for_models(models=batch, action=Action.CREATE)
-    if resource_type in server_config().reportable_resources:
+    if resource_types & set(server_config().reportable_resources):
         raise RuntimeError(
-            "Batch requests are currently not possible with usage-tracked features."
+            "Batch requests are currently not possible with usage-tracked "
+            "features."
         )
     created = create_method(batch)
-    return created
+    return dehydrate_response_model_batch(created)
+def verify_permissions_and_get_or_create_entity(
+    request_model: AnyRequest,
+    get_or_create_method: Callable[
+        [AnyRequest, Optional[Callable[[], None]]], Tuple[AnyResponse, bool]
+    ],
+) -> Tuple[AnyResponse, bool]:
+    """Verify permissions and create the entity if authorized.
+    Args:
+        request_model: The entity request model.
+        get_or_create_method: The method to get or create the entity.
+    Returns:
+        The entity and a boolean indicating whether the entity was created.
+    """
+    if isinstance(request_model, UserScopedRequest):
+        auth_context = get_auth_context()
+        assert auth_context
+        # Ignore the user field set in the request model, if any, and set it to
+        # the current user's ID instead. This is just a precaution, given that
+        # the SQLZenStore also does this same validation on all request models.
+        request_model.user = auth_context.user.id
+    resource_type = get_resource_type_for_model(request_model)
+    needs_usage_increment = (
+        resource_type and resource_type in server_config().reportable_resources
+    )
+    def _pre_creation_hook() -> None:
+        verify_permission_for_model(model=request_model, action=Action.CREATE)
+        if resource_type and needs_usage_increment:
+            check_entitlement(resource_type=resource_type)
+    model, created = get_or_create_method(request_model, _pre_creation_hook)
+    if not created:
+        verify_permission_for_model(model=model, action=Action.READ)
+    elif resource_type and needs_usage_increment:
+        report_usage(resource_type, resource_id=model.id)
+    return dehydrate_response_model(model), created
 def verify_permissions_and_get_entity(
@@ -174,11 +230,30 @@ def verify_permissions_and_list_entities(
     Returns:
         A page of entity models.
+    Raises:
+        ValueError: If the filter's workspace scope is not set or is not a UUID.
     """
     auth_context = get_auth_context()
     assert auth_context
-    allowed_ids = get_allowed_resource_ids(resource_type=resource_type)
+    workspace_id: Optional[UUID] = None
+    if isinstance(filter_model, WorkspaceScopedFilter):
+        # A workspace scoped filter must always be scoped to a specific
+        # workspace. This is required for the RBAC check to work.
+        set_filter_workspace_scope(filter_model)
+        if not filter_model.workspace or not isinstance(
+            filter_model.workspace, UUID
+        ):
+            raise ValueError(
+                "Workspace scope must be a UUID, got "
+                f"{type(filter_model.workspace)}."
+            )
+        workspace_id = filter_model.workspace
+    allowed_ids = get_allowed_resource_ids(
+        resource_type=resource_type, workspace_id=workspace_id
+    )
     filter_model.configure_rbac(
         authenticated_user_id=auth_context.user.id, id=allowed_ids
     )
@@ -191,6 +266,7 @@ def verify_permissions_and_update_entity(
     update_model: AnyUpdate,
     get_method: Callable[[UUIDOrStr, bool], AnyResponse],
     update_method: Callable[[UUIDOrStr, AnyUpdate], AnyResponse],
+    **update_method_kwargs: Any,
 ) -> AnyResponse:
     """Verify permissions and update an entity.
@@ -199,6 +275,7 @@ def verify_permissions_and_update_entity(
         update_model: The entity update model.
         get_method: The method to fetch the entity.
         update_method: The method to update the entity.
+        update_method_kwargs: Keyword arguments to pass to the update method.
     Returns:
         A model of the updated entity.
@@ -206,7 +283,9 @@ def verify_permissions_and_update_entity(
     # We don't need the hydrated version here
     model = get_method(id, False)
     verify_permission_for_model(model, action=Action.UPDATE)
-    updated_model = update_method(model.id, update_model)
+    updated_model = update_method(
+        model.id, update_model, **update_method_kwargs
+    )
     return dehydrate_response_model(updated_model)
@@ -214,6 +293,7 @@ def verify_permissions_and_delete_entity(
     id: UUIDOrStr,
     get_method: Callable[[UUIDOrStr, bool], AnyResponse],
     delete_method: Callable[[UUIDOrStr], None],
+    **delete_method_kwargs: Any,
 ) -> AnyResponse:
     """Verify permissions and delete an entity.
@@ -221,6 +301,7 @@ def verify_permissions_and_delete_entity(
         id: The ID of the entity to delete.
         get_method: The method to fetch the entity.
         delete_method: The method to delete the entity.
+        delete_method_kwargs: Keyword arguments to pass to the delete method.
     Returns:
         The deleted entity.
@@ -228,7 +309,8 @@ def verify_permissions_and_delete_entity(
     # We don't need the hydrated version here
     model = get_method(id, False)
     verify_permission_for_model(model, action=Action.DELETE)
-    delete_method(model.id)
+    delete_method(model.id, **delete_method_kwargs)
+    delete_model_resource(model)
     return model
@@ -236,6 +318,7 @@ def verify_permissions_and_delete_entity(
 def verify_permissions_and_prune_entities(
     resource_type: ResourceType,
     prune_method: Callable[..., None],
+    workspace_id: Optional[UUID] = None,
     **kwargs: Any,
 ) -> None:
     """Verify permissions and prune entities of certain type.
@@ -243,7 +326,12 @@ def verify_permissions_and_prune_entities(
     Args:
         resource_type: The resource type of the entities to prune.
         prune_method: The method to prune the entities.
+        workspace_id: The workspace ID to prune the entities for.
         kwargs: Keyword arguments to pass to the prune method.
     """
-    verify_permission(resource_type=resource_type, action=Action.PRUNE)
+    verify_permission(
+        resource_type=resource_type,
+        action=Action.PRUNE,
+        workspace_id=workspace_id,
+    )
     prune_method(**kwargs)

zenml/zen_server/rbac/models.py CHANGED Viewed

@@ -16,7 +16,11 @@
 from typing import Optional
 from uuid import UUID
-from pydantic import BaseModel, ConfigDict
+from pydantic import (
+    BaseModel,
+    ConfigDict,
+    model_validator,
+)
 from zenml.utils.enum_utils import StrEnum
@@ -69,9 +73,28 @@ class ResourceType(StrEnum):
     TAG = "tag"
     TRIGGER = "trigger"
     TRIGGER_EXECUTION = "trigger_execution"
+    WORKSPACE = "workspace"
     # Deactivated for now
     # USER = "user"
-    # WORKSPACE = "workspace"
+    def is_workspace_scoped(self) -> bool:
+        """Check if a resource type is workspace scoped.
+        Returns:
+            Whether the resource type is workspace scoped.
+        """
+        return self not in [
+            self.FLAVOR,
+            self.SECRET,
+            self.SERVICE_CONNECTOR,
+            self.STACK,
+            self.STACK_COMPONENT,
+            self.TAG,
+            self.SERVICE_ACCOUNT,
+            self.WORKSPACE,
+            # Deactivated for now
+            # self.USER,
+        ]
 class Resource(BaseModel):
@@ -79,6 +102,7 @@ class Resource(BaseModel):
     type: str
     id: Optional[UUID] = None
+    workspace_id: Optional[UUID] = None
     def __str__(self) -> str:
         """Convert to a string.
@@ -86,10 +110,48 @@ class Resource(BaseModel):
         Returns:
             Resource string representation.
         """
-        representation = self.type
+        workspace_id = self.workspace_id
+        if self.type == ResourceType.WORKSPACE and self.id:
+            # TODO: For now, we duplicate the workspace ID in the string
+            # representation when describing a workspace instance, because
+            # this is what is expected by the RBAC implementation.
+            workspace_id = self.id
+        if workspace_id:
+            representation = f"{workspace_id}:"
+        else:
+            representation = ""
+        representation += self.type
         if self.id:
             representation += f"/{self.id}"
         return representation
+    @model_validator(mode="after")
+    def validate_workspace_id(self) -> "Resource":
+        """Validate that workspace_id is set in combination with workspace-scoped resource types.
+        Raises:
+            ValueError: If workspace_id is not set for a workspace-scoped
+                resource or set for an unscoped resource.
+        Returns:
+            The validated resource.
+        """
+        resource_type = ResourceType(self.type)
+        if resource_type.is_workspace_scoped() and not self.workspace_id:
+            raise ValueError(
+                "workspace_id must be set for workspace-scoped resource type "
+                f"'{self.type}'"
+            )
+        if not resource_type.is_workspace_scoped() and self.workspace_id:
+            raise ValueError(
+                "workspace_id must not be set for global resource type "
+                f"'{self.type}'"
+            )
+        return self
     model_config = ConfigDict(frozen=True)

zenml/zen_server/rbac/rbac_interface.py CHANGED Viewed

@@ -73,3 +73,12 @@ class RBACInterface(ABC):
             actions: The actions that the user should be able to perform on the
                 resource.
         """
+    @abstractmethod
+    def delete_resources(self, resources: List[Resource]) -> None:
+        """Delete resource membership information for a list of resources.
+        Args:
+            resources: The resources for which to delete the resource membership
+                information.
+        """

zenml/zen_server/rbac/rbac_sql_zen_store.py CHANGED Viewed

@@ -63,7 +63,9 @@ class RBACSqlZenStore(SqlZenStore):
         try:
             verify_permission(
-                resource_type=ResourceType.MODEL, action=Action.CREATE
+                resource_type=ResourceType.MODEL,
+                action=Action.CREATE,
+                workspace_id=model_request.workspace,
             )
             check_entitlement(resource_type=ResourceType.MODEL)
         except Exception as e:
@@ -76,7 +78,10 @@ class RBACSqlZenStore(SqlZenStore):
             )
         else:
             try:
-                model_response = self.get_model(model_request.name)
+                model_response = self.get_model_by_name_or_id(
+                    model_name_or_id=model_request.name,
+                    workspace=model_request.workspace,
+                )
                 created = False
             except KeyError:
                 # The model does not exist. We now raise the error that
@@ -145,17 +150,20 @@ class RBACSqlZenStore(SqlZenStore):
         try:
             verify_permission(
-                resource_type=ResourceType.MODEL_VERSION, action=Action.CREATE
+                resource_type=ResourceType.MODEL_VERSION,
+                action=Action.CREATE,
+                workspace_id=model_version_request.workspace,
             )
         except Exception as e:
             allow_creation = False
             error = e
         if allow_creation:
-            created, model_version_response = (
-                super()._get_or_create_model_version(
-                    model_version_request, producer_run_id=producer_run_id
-                )
+            (
+                created,
+                model_version_response,
+            ) = super()._get_or_create_model_version(
+                model_version_request, producer_run_id=producer_run_id
             )
         else:
             try:

zenml-nightly 0.75.0.dev20250312__py3-none-any.whl → 0.75.0.dev20250313__py3-none-any.whl

zenml-nightly 0.75.0.dev20250312py3-none-any.whl → 0.75.0.dev20250313py3-none-any.whl