zenml-nightly 0.75.0.dev20250313__py3-none-any.whl → 0.75.0.dev20250315__py3-none-any.whl

zenml/zen_server/rbac/endpoint_utils.py

@@ -22,8 +22,8 @@ from zenml.models import (
     BaseRequest,
     BaseUpdate,
     Page,
+    ProjectScopedFilter,
     UserScopedRequest,
-    WorkspaceScopedFilter,
 )
 from zenml.zen_server.auth import get_auth_context
 from zenml.zen_server.feature_gate.endpoint_utils import (
@@ -42,7 +42,7 @@ from zenml.zen_server.rbac.utils import (
     verify_permission,
     verify_permission_for_model,
 )
-from zenml.zen_server.utils import server_config, set_filter_workspace_scope
+from zenml.zen_server.utils import server_config, set_filter_project_scope
 
 AnyRequest = TypeVar("AnyRequest", bound=BaseRequest)
 AnyResponse = TypeVar("AnyResponse", bound=BaseIdentifiedResponse)  # type: ignore[type-arg]
@@ -232,27 +232,27 @@ def verify_permissions_and_list_entities(
         A page of entity models.
 
     Raises:
-        ValueError: If the filter's workspace scope is not set or is not a UUID.
+        ValueError: If the filter's project scope is not set or is not a UUID.
     """
     auth_context = get_auth_context()
     assert auth_context
 
-    workspace_id: Optional[UUID] = None
-    if isinstance(filter_model, WorkspaceScopedFilter):
-        # A workspace scoped filter must always be scoped to a specific
-        # workspace. This is required for the RBAC check to work.
-        set_filter_workspace_scope(filter_model)
-        if not filter_model.workspace or not isinstance(
-            filter_model.workspace, UUID
+    project_id: Optional[UUID] = None
+    if isinstance(filter_model, ProjectScopedFilter):
+        # A project scoped filter must always be scoped to a specific
+        # project. This is required for the RBAC check to work.
+        set_filter_project_scope(filter_model)
+        if not filter_model.project or not isinstance(
+            filter_model.project, UUID
         ):
             raise ValueError(
-                "Workspace scope must be a UUID, got "
-                f"{type(filter_model.workspace)}."
+                "Project scope must be a UUID, got "
+                f"{type(filter_model.project)}."
             )
-        workspace_id = filter_model.workspace
+        project_id = filter_model.project
 
     allowed_ids = get_allowed_resource_ids(
-        resource_type=resource_type, workspace_id=workspace_id
+        resource_type=resource_type, project_id=project_id
     )
     filter_model.configure_rbac(
         authenticated_user_id=auth_context.user.id, id=allowed_ids
@@ -318,7 +318,7 @@ def verify_permissions_and_delete_entity(
 def verify_permissions_and_prune_entities(
     resource_type: ResourceType,
     prune_method: Callable[..., None],
-    workspace_id: Optional[UUID] = None,
+    project_id: Optional[UUID] = None,
     **kwargs: Any,
 ) -> None:
     """Verify permissions and prune entities of certain type.
@@ -326,12 +326,12 @@ def verify_permissions_and_prune_entities(
     Args:
         resource_type: The resource type of the entities to prune.
         prune_method: The method to prune the entities.
-        workspace_id: The workspace ID to prune the entities for.
+        project_id: The project ID to prune the entities for.
         kwargs: Keyword arguments to pass to the prune method.
     """
     verify_permission(
         resource_type=resource_type,
         action=Action.PRUNE,
-        workspace_id=workspace_id,
+        project_id=project_id,
     )
     prune_method(**kwargs)

zenml/zen_server/rbac/models.py

@@ -73,15 +73,15 @@ class ResourceType(StrEnum):
     TAG = "tag"
     TRIGGER = "trigger"
     TRIGGER_EXECUTION = "trigger_execution"
-    WORKSPACE = "workspace"
+    PROJECT = "project"
     # Deactivated for now
     # USER = "user"
 
-    def is_workspace_scoped(self) -> bool:
-        """Check if a resource type is workspace scoped.
+    def is_project_scoped(self) -> bool:
+        """Check if a resource type is project scoped.
 
         Returns:
-            Whether the resource type is workspace scoped.
+            Whether the resource type is project scoped.
         """
         return self not in [
             self.FLAVOR,
@@ -91,7 +91,7 @@ class ResourceType(StrEnum):
             self.STACK_COMPONENT,
             self.TAG,
             self.SERVICE_ACCOUNT,
-            self.WORKSPACE,
+            self.PROJECT,
             # Deactivated for now
             # self.USER,
         ]
@@ -102,7 +102,7 @@ class Resource(BaseModel):
 
     type: str
     id: Optional[UUID] = None
-    workspace_id: Optional[UUID] = None
+    project_id: Optional[UUID] = None
 
     def __str__(self) -> str:
         """Convert to a string.
@@ -110,15 +110,10 @@ class Resource(BaseModel):
         Returns:
             Resource string representation.
         """
-        workspace_id = self.workspace_id
-        if self.type == ResourceType.WORKSPACE and self.id:
-            # TODO: For now, we duplicate the workspace ID in the string
-            # representation when describing a workspace instance, because
-            # this is what is expected by the RBAC implementation.
-            workspace_id = self.id
-
-        if workspace_id:
-            representation = f"{workspace_id}:"
+        project_id = self.project_id
+
+        if project_id:
+            representation = f"{project_id}:"
         else:
             representation = ""
         representation += self.type
@@ -127,12 +122,42 @@ class Resource(BaseModel):
 
         return representation
 
+    @classmethod
+    def parse(cls, resource: str) -> "Resource":
+        """Parse an RBAC resource string into a Resource object.
+
+        Args:
+            resource: The resource to convert.
+
+        Returns:
+            The converted resource.
+        """
+        project_id: Optional[str] = None
+        if ":" in resource:
+            (
+                project_id,
+                resource_type_and_id,
+            ) = resource.split(":", maxsplit=1)
+        else:
+            project_id = None
+            resource_type_and_id = resource
+
+        resource_id: Optional[str] = None
+        if "/" in resource_type_and_id:
+            resource_type, resource_id = resource_type_and_id.split("/")
+        else:
+            resource_type = resource_type_and_id
+
+        return Resource(
+            type=resource_type, id=resource_id, project_id=project_id
+        )
+
     @model_validator(mode="after")
-    def validate_workspace_id(self) -> "Resource":
-        """Validate that workspace_id is set in combination with workspace-scoped resource types.
+    def validate_project_id(self) -> "Resource":
+        """Validate that project_id is set in combination with project-scoped resource types.
 
         Raises:
-            ValueError: If workspace_id is not set for a workspace-scoped
+            ValueError: If project_id is not set for a project-scoped
                 resource or set for an unscoped resource.
 
         Returns:
@@ -140,15 +165,15 @@ class Resource(BaseModel):
         """
         resource_type = ResourceType(self.type)
 
-        if resource_type.is_workspace_scoped() and not self.workspace_id:
+        if resource_type.is_project_scoped() and not self.project_id:
             raise ValueError(
-                "workspace_id must be set for workspace-scoped resource type "
+                "project_id must be set for project-scoped resource type "
                 f"'{self.type}'"
             )
 
-        if not resource_type.is_workspace_scoped() and self.workspace_id:
+        if not resource_type.is_project_scoped() and self.project_id:
             raise ValueError(
-                "workspace_id must not be set for global resource type "
+                "project_id must not be set for global resource type "
                 f"'{self.type}'"
             )
 

zenml/zen_server/rbac/rbac_sql_zen_store.py

@@ -65,7 +65,7 @@ class RBACSqlZenStore(SqlZenStore):
             verify_permission(
                 resource_type=ResourceType.MODEL,
                 action=Action.CREATE,
-                workspace_id=model_request.workspace,
+                project_id=model_request.project,
             )
             check_entitlement(resource_type=ResourceType.MODEL)
         except Exception as e:
@@ -80,7 +80,7 @@ class RBACSqlZenStore(SqlZenStore):
             try:
                 model_response = self.get_model_by_name_or_id(
                     model_name_or_id=model_request.name,
-                    workspace=model_request.workspace,
+                    project=model_request.project,
                 )
                 created = False
             except KeyError:
@@ -152,7 +152,7 @@ class RBACSqlZenStore(SqlZenStore):
             verify_permission(
                 resource_type=ResourceType.MODEL_VERSION,
                 action=Action.CREATE,
-                workspace_id=model_version_request.workspace,
+                project_id=model_version_request.project,
             )
         except Exception as e:
             allow_creation = False

zenml/zen_server/rbac/utils.py

@@ -32,10 +32,10 @@ from zenml.exceptions import IllegalOperationError
 from zenml.models import (
     BaseIdentifiedResponse,
     Page,
+    ProjectScopedRequest,
+    ProjectScopedResponse,
     UserResponse,
     UserScopedResponse,
-    WorkspaceScopedRequest,
-    WorkspaceScopedResponse,
 )
 from zenml.zen_server.auth import get_auth_context
 from zenml.zen_server.rbac.models import Action, Resource, ResourceType
@@ -300,7 +300,7 @@ def verify_permission(
     resource_type: str,
     action: Action,
     resource_id: Optional[UUID] = None,
-    workspace_id: Optional[UUID] = None,
+    project_id: Optional[UUID] = None,
 ) -> None:
     """Verifies if a user has permission to perform an action on a resource.
 
@@ -309,11 +309,11 @@ def verify_permission(
             action on.
         action: The action the user wants to perform.
         resource_id: ID of the resource the user wants to perform the action on.
-        workspace_id: ID of the workspace the user wants to perform the action
-            on. Only used for workspace scoped resources.
+        project_id: ID of the project the user wants to perform the action
+            on. Only used for project scoped resources.
     """
     resource = Resource(
-        type=resource_type, id=resource_id, workspace_id=workspace_id
+        type=resource_type, id=resource_id, project_id=project_id
     )
     batch_verify_permissions(resources={resource}, action=action)
 
@@ -321,15 +321,15 @@ def verify_permission(
 def get_allowed_resource_ids(
     resource_type: str,
     action: Action = Action.READ,
-    workspace_id: Optional[UUID] = None,
+    project_id: Optional[UUID] = None,
 ) -> Optional[Set[UUID]]:
     """Get all resource IDs of a resource type that a user can access.
 
     Args:
         resource_type: The resource type.
         action: The action the user wants to perform on the resource.
-        workspace_id: Optional workspace ID to filter the resources by.
-            Required for workspace scoped resources.
+        project_id: Optional project ID to filter the resources by.
+            Required for project scoped resources.
 
     Returns:
         A list of resource IDs or `None` if the user has full access to the
@@ -346,7 +346,7 @@ def get_allowed_resource_ids(
         allowed_ids,
     ) = rbac().list_allowed_resource_ids(
         user=auth_context.user,
-        resource=Resource(type=resource_type, workspace_id=workspace_id),
+        resource=Resource(type=resource_type, project_id=project_id),
         action=action,
     )
 
@@ -371,21 +371,19 @@ def get_resource_for_model(model: AnyModel) -> Optional[Resource]:
         # This model is not tied to any RBAC resource type
         return None
 
-    workspace_id: Optional[UUID] = None
-    if isinstance(model, WorkspaceScopedResponse):
-        # A workspace scoped response is always scoped to a specific workspace
-        workspace_id = model.workspace.id
-    elif isinstance(model, WorkspaceScopedRequest):
-        # A workspace scoped request is always scoped to a specific workspace
-        workspace_id = model.workspace
+    project_id: Optional[UUID] = None
+    if isinstance(model, ProjectScopedResponse):
+        # A project scoped response is always scoped to a specific project
+        project_id = model.project.id
+    elif isinstance(model, ProjectScopedRequest):
+        # A project scoped request is always scoped to a specific project
+        project_id = model.project
 
     resource_id: Optional[UUID] = None
     if isinstance(model, BaseIdentifiedResponse):
         resource_id = model.id
 
-    return Resource(
-        type=resource_type, id=resource_id, workspace_id=workspace_id
-    )
+    return Resource(type=resource_type, id=resource_id, project_id=project_id)
 
 
 def get_surrogate_permission_model_for_model(
@@ -456,6 +454,8 @@ def get_resource_type_for_model(
         PipelineResponse,
         PipelineRunRequest,
         PipelineRunResponse,
+        ProjectRequest,
+        ProjectResponse,
         RunMetadataRequest,
         RunTemplateRequest,
         RunTemplateResponse,
@@ -475,8 +475,6 @@ def get_resource_type_for_model(
         TriggerExecutionResponse,
         TriggerRequest,
         TriggerResponse,
-        WorkspaceRequest,
-        WorkspaceResponse,
     )
 
     mapping: Dict[
@@ -528,8 +526,8 @@ def get_resource_type_for_model(
         TriggerResponse: ResourceType.TRIGGER,
         TriggerExecutionRequest: ResourceType.TRIGGER_EXECUTION,
         TriggerExecutionResponse: ResourceType.TRIGGER_EXECUTION,
-        WorkspaceResponse: ResourceType.WORKSPACE,
-        WorkspaceRequest: ResourceType.WORKSPACE,
+        ProjectResponse: ResourceType.PROJECT,
+        ProjectRequest: ResourceType.PROJECT,
         # UserResponse: ResourceType.USER,
     }
 
@@ -673,7 +671,7 @@ def get_schema_for_resource_type(
         ResourceType.SERVICE: ServiceSchema,
         ResourceType.TAG: TagSchema,
         ResourceType.SERVICE_ACCOUNT: UserSchema,
-        # ResourceType.WORKSPACE: WorkspaceSchema,
+        # ResourceType.PROJECT: ProjectSchema,
         ResourceType.PIPELINE_RUN: PipelineRunSchema,
         ResourceType.PIPELINE_DEPLOYMENT: PipelineDeploymentSchema,
         ResourceType.PIPELINE_BUILD: PipelineBuildSchema,

zenml/zen_server/rbac/zenml_cloud_rbac.py

@@ -13,12 +13,11 @@
 #  permissions and limitations under the License.
 """Cloud RBAC implementation."""
 
-from typing import TYPE_CHECKING, Dict, List, Optional, Set, Tuple
+from typing import TYPE_CHECKING, Dict, List, Set, Tuple
 
 from zenml.zen_server.cloud_utils import cloud_connection
-from zenml.zen_server.rbac.models import Action, Resource, ResourceType
+from zenml.zen_server.rbac.models import Action, Resource
 from zenml.zen_server.rbac.rbac_interface import RBACInterface
-from zenml.zen_server.utils import server_config
 
 if TYPE_CHECKING:
     from zenml.models import UserResponse
@@ -29,68 +28,6 @@ ALLOWED_RESOURCE_IDS_ENDPOINT = "/rbac/allowed_resource_ids"
 RESOURCE_MEMBERSHIP_ENDPOINT = "/rbac/resource_members"
 RESOURCES_ENDPOINT = "/rbac/resources"
 
-SERVER_SCOPE_IDENTIFIER = "server"
-
-SERVER_ID = server_config().external_server_id
-
-
-def _convert_to_cloud_resource(resource: Resource) -> str:
-    """Convert a resource to a ZenML Pro Management Plane resource.
-
-    Args:
-        resource: The resource to convert.
-
-    Returns:
-        The converted resource.
-    """
-    return f"{SERVER_ID}@{SERVER_SCOPE_IDENTIFIER}:{resource}"
-
-
-def _convert_from_cloud_resource(cloud_resource: str) -> Resource:
-    """Convert a cloud resource to a ZenML server resource.
-
-    Args:
-        cloud_resource: The cloud resource to convert.
-
-    Raises:
-        ValueError: If the cloud resource is invalid for this server.
-
-    Returns:
-        The converted resource.
-    """
-    scope, workspace_resource_type_and_id = cloud_resource.split(
-        ":", maxsplit=1
-    )
-
-    if scope != f"{SERVER_ID}@{SERVER_SCOPE_IDENTIFIER}":
-        raise ValueError("Invalid scope for server resource.")
-
-    workspace_id: Optional[str] = None
-    if ":" in workspace_resource_type_and_id:
-        (
-            workspace_id,
-            resource_type_and_id,
-        ) = workspace_resource_type_and_id.split(":", maxsplit=1)
-    else:
-        workspace_id = None
-        resource_type_and_id = workspace_resource_type_and_id
-
-    resource_id: Optional[str] = None
-    if "/" in resource_type_and_id:
-        resource_type, resource_id = resource_type_and_id.split("/")
-    else:
-        resource_type = resource_type_and_id
-
-    if resource_type == ResourceType.WORKSPACE and workspace_id is not None:
-        # TODO: For now, we duplicate the workspace ID in the string
-        # representation when describing a workspace instance, because
-        # this is what is expected by the RBAC implementation.
-        workspace_id = None
-
-    return Resource(
-        type=resource_type, id=resource_id, workspace_id=workspace_id
-    )
-
 
 class ZenMLCloudRBAC(RBACInterface):
     """RBAC implementation that uses the ZenML Pro Management Plane as a backend."""
@@ -127,9 +64,7 @@ class ZenMLCloudRBAC(RBACInterface):
 
         params = {
             "user_id": str(user.external_user_id),
-            "resources": [
-                _convert_to_cloud_resource(resource) for resource in resources
-            ],
+            "resources": resources,
             "action": str(action),
         }
         response = self._connection.get(
@@ -138,7 +73,7 @@ class ZenMLCloudRBAC(RBACInterface):
         value = response.json()
 
         assert isinstance(value, dict)
-        return {_convert_from_cloud_resource(k): v for k, v in value.items()}
+        return {Resource.parse(k): v for k, v in value.items()}
 
     def list_allowed_resource_ids(
         self, user: "UserResponse", resource: Resource, action: Action
@@ -168,7 +103,7 @@ class ZenMLCloudRBAC(RBACInterface):
         assert user.external_user_id
         params = {
             "user_id": str(user.external_user_id),
-            "resource": _convert_to_cloud_resource(resource),
+            "resource": str(resource),
             "action": str(action),
         }
         response = self._connection.get(
@@ -198,7 +133,7 @@ class ZenMLCloudRBAC(RBACInterface):
 
         data = {
             "user_id": str(user.external_user_id),
-            "resource": _convert_to_cloud_resource(resource),
+            "resource": str(resource),
             "actions": [str(action) for action in actions],
         }
         self._connection.post(endpoint=RESOURCE_MEMBERSHIP_ENDPOINT, data=data)
@@ -211,8 +146,6 @@ class ZenMLCloudRBAC(RBACInterface):
                 information.
         """
         params = {
-            "resources": [
-                _convert_to_cloud_resource(resource) for resource in resources
-            ],
+            "resources": [str(resource) for resource in resources],
         }
         self._connection.delete(endpoint=RESOURCES_ENDPOINT, params=params)

zenml/zen_server/routers/artifact_version_endpoints.py

@@ -46,7 +46,7 @@ from zenml.zen_server.rbac.utils import (
 from zenml.zen_server.utils import (
     handle_exceptions,
     make_dependable,
-    set_filter_workspace_scope,
+    set_filter_project_scope,
     zen_store,
 )
 
@@ -81,14 +81,14 @@ def list_artifact_versions(
     Returns:
         The artifact versions according to query filters.
     """
-    # A workspace scoped request must always be scoped to a specific
-    # workspace. This is required for the RBAC check to work.
-    set_filter_workspace_scope(artifact_version_filter_model)
-    assert isinstance(artifact_version_filter_model.workspace, UUID)
+    # A project scoped request must always be scoped to a specific
+    # project. This is required for the RBAC check to work.
+    set_filter_project_scope(artifact_version_filter_model)
+    assert isinstance(artifact_version_filter_model.project, UUID)
 
     allowed_artifact_ids = get_allowed_resource_ids(
         resource_type=ResourceType.ARTIFACT,
-        workspace_id=artifact_version_filter_model.workspace,
+        project_id=artifact_version_filter_model.project,
     )
     artifact_version_filter_model.configure_rbac(
         authenticated_user_id=auth_context.user.id,
@@ -228,24 +228,24 @@ def delete_artifact_version(
 )
 @handle_exceptions
 def prune_artifact_versions(
-    workspace_name_or_id: Union[str, UUID],
+    project_name_or_id: Union[str, UUID],
     only_versions: bool = True,
     _: AuthContext = Security(authorize),
 ) -> None:
     """Prunes unused artifact versions and their artifacts.
 
     Args:
-        workspace_name_or_id: The workspace name or ID to prune artifact
+        project_name_or_id: The project name or ID to prune artifact
             versions for.
         only_versions: Only delete artifact versions, keeping artifacts
     """
-    workspace_id = zen_store().get_workspace(workspace_name_or_id).id
+    project_id = zen_store().get_project(project_name_or_id).id
 
     verify_permissions_and_prune_entities(
         resource_type=ResourceType.ARTIFACT_VERSION,
         prune_method=zen_store().prune_artifact_versions,
         only_versions=only_versions,
-        workspace_id=workspace_id,
+        project_id=project_id,
     )
 
 

zenml/zen_server/routers/auth_endpoints.py

@@ -582,7 +582,7 @@ def api_token(
             f"step run {token.step_run_id}."
         )
 
-    workspace_id: Optional[UUID] = None
+    project_id: Optional[UUID] = None
 
     if schedule_id:
         # The schedule must exist
@@ -593,7 +593,7 @@ def api_token(
                 f"Schedule {schedule_id} does not exist and API tokens cannot "
                 "be generated for non-existent schedules for security reasons."
             )
-        workspace_id = schedule.workspace.id
+        project_id = schedule.project.id
 
         if not schedule.active:
             raise ValueError(
@@ -614,7 +614,7 @@ def api_token(
 
         verify_permission_for_model(model=pipeline_run, action=Action.READ)
 
-        workspace_id = pipeline_run.workspace.id
+        project_id = pipeline_run.project.id
 
         if pipeline_run.status.is_finished:
             raise ValueError(
@@ -633,7 +633,7 @@ def api_token(
                 "be generated for non-existent step runs for security reasons."
             )
 
-        workspace_id = step_run.workspace.id
+        project_id = step_run.project.id
 
         if step_run.status.is_finished:
             raise ValueError(
@@ -642,11 +642,11 @@ def api_token(
                 "for security reasons."
             )
 
-    assert workspace_id is not None
+    assert project_id is not None
     verify_permission(
         resource_type=ResourceType.PIPELINE_RUN,
         action=Action.CREATE,
-        workspace_id=workspace_id,
+        project_id=project_id,
     )
 
     return generate_access_token(