[Core] Add token auth support in runtime env agent #58308
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: sampan <[email protected]>
- Created RayAuthTokenLoader singleton class with thread-safe token caching - Loads tokens from RAY_AUTH_TOKEN env, RAY_AUTH_TOKEN_PATH, or ~/.ray/auth_token - Support for token generation with UUID (cross-platform) - Modified GrpcServer to store and pass auth token to ServerCallImpl - Updated RPC_SERVICE_HANDLER macros to pass auth token - GCS server now loads token using RayAuthTokenLoader - Removed auth_token from RayConfig (now loaded via loader) - Token precedence: env var -> path env var -> default file path Signed-off-by: sampan <[email protected]>
- Created Python auth_token_loader module with thread-safe token caching - Loads tokens from same precedence as C++: RAY_AUTH_TOKEN, RAY_AUTH_TOKEN_PATH, ~/.ray/auth_token - Added enable_token_auth parameter to ray.init() with auto-generation support - Added --enable-token-auth flag to ray start CLI (fails if no token found) - Only pass enable_token_auth flag via system_config, not the token - Each side (C++/Python) loads tokens independently using their own loaders - ray.init() auto-generates token if not found, ray start fails with helpful error Signed-off-by: sampan <[email protected]>
- Test token loading from RAY_AUTH_TOKEN environment variable - Test token loading from RAY_AUTH_TOKEN_PATH file - Test token loading from default ~/.ray/auth_token path - Test precedence order (env var > path env var > default file) - Test token generation with GetToken(true) - Test token caching behavior - Test thread safety with concurrent GetToken calls - Test whitespace trimming from token files - Test behavior when no token is found Signed-off-by: sampan <[email protected]>
- Test token loading from RAY_AUTH_TOKEN environment variable - Test token loading from RAY_AUTH_TOKEN_PATH file - Test token loading from default ~/.ray/auth_token path - Test precedence order (env var > path env var > default file) - Test token generation with generate_if_not_found=True - Test token caching behavior across multiple calls - Test has_auth_token() function - Test thread safety with concurrent loads and generation - Test whitespace handling and empty values - Test file permissions on Unix systems (0600) - Test error handling for permission errors - Test integration with fixtures and cleanup Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
added 6 commits
October 31, 2025 06:57
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
added 3 commits
November 1, 2025 14:54
…ndling Signed-off-by: sampan <[email protected]>
When an HTTP error occurs that isn't an auth error (401/403), we should immediately re-raise it rather than continuing to retry. This ensures errors like 500 are properly propagated to the caller. Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Signed-off-by: sampan <[email protected]>
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
added 7 commits
November 2, 2025 13:08
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
added 2 commits
November 3, 2025 11:33
Signed-off-by: sampan <[email protected]>
Signed-off-by: sampan <[email protected]>
edoakes
approved these changes
Nov 3, 2025
YoussefEssDS
pushed a commit
to YoussefEssDS/ray
that referenced
this pull request
Nov 8, 2025
Support token based authentication in runtime env (client and server). refactor existing dashboard head code so that the utils and midleware can be reused by runtime env agent as well --------- Signed-off-by: sampan <[email protected]> Signed-off-by: Edward Oakes <[email protected]> Co-authored-by: sampan <[email protected]> Co-authored-by: Edward Oakes <[email protected]>
landscapepainter
pushed a commit
to landscapepainter/ray
that referenced
this pull request
Nov 17, 2025
Support token based authentication in runtime env (client and server). refactor existing dashboard head code so that the utils and midleware can be reused by runtime env agent as well --------- Signed-off-by: sampan <[email protected]> Signed-off-by: Edward Oakes <[email protected]> Co-authored-by: sampan <[email protected]> Co-authored-by: Edward Oakes <[email protected]>
Aydin-ab
pushed a commit
to Aydin-ab/ray-aydin
that referenced
this pull request
Nov 19, 2025
Support token based authentication in runtime env (client and server). refactor existing dashboard head code so that the utils and midleware can be reused by runtime env agent as well --------- Signed-off-by: sampan <[email protected]> Signed-off-by: Edward Oakes <[email protected]> Co-authored-by: sampan <[email protected]> Co-authored-by: Edward Oakes <[email protected]> Signed-off-by: Aydin Abiar <[email protected]>
SheldonTsen
pushed a commit
to SheldonTsen/ray
that referenced
this pull request
Dec 1, 2025
Support token based authentication in runtime env (client and server). refactor existing dashboard head code so that the utils and midleware can be reused by runtime env agent as well --------- Signed-off-by: sampan <[email protected]> Signed-off-by: Edward Oakes <[email protected]> Co-authored-by: sampan <[email protected]> Co-authored-by: Edward Oakes <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Support token based authentication in runtime env (client and server). refactor existing dashboard head code so that the utils and midleware can be reused by runtime env agent as well