feat: Add configurable directory permission for vfolders

src/ai/backend/manager/api/vfolder.py

@@ -23,6 +23,7 @@
     List,
     Mapping,
     MutableMapping,
+    Optional,
     ParamSpec,
     Sequence,
     Tuple,
@@ -430,6 +431,7 @@ async def create(request: web.Request, params: CreateRequestModel) -> web.Respon
     group_type: ProjectType | None = None
     max_vfolder_count: int
     max_quota_scope_size: int
+    container_uid: Optional[int] = None
 
     async with root_ctx.db.begin_session() as sess:
         match group_id_or_name:
@@ -491,9 +493,12 @@ async def create(request: web.Request, params: CreateRequestModel) -> web.Respon
                     cast(int, user_row.resource_policy_row.max_vfolder_count),
                     cast(int, user_row.resource_policy_row.max_quota_scope_size),
                 )
+                container_uid = cast(Optional[int], user_row.container_uid)
             case _:
                 raise GroupNotFound(extra_data=group_id_or_name)
 
+        vfolder_permission_mode = 0o775 if container_uid is not None else None
+
         # Check if group exists when it's given a non-empty value.
         if group_id_or_name and group_uuid is None:
             raise GroupNotFound(extra_data=group_id_or_name)
@@ -615,6 +620,7 @@ async def create(request: web.Request, params: CreateRequestModel) -> web.Respon
                         "volume": root_ctx.storage_manager.split_host(folder_host)[1],
                         "vfid": str(vfid),
                         "options": options,
+                        "mode": vfolder_permission_mode,
                     },
                 ):
                     pass

src/ai/backend/storage/abc.py

@@ -20,6 +20,7 @@
 from ai.backend.common.types import BinarySize, HardwareMetadata, QuotaScopeID
 from ai.backend.logging import BraceStyleAdapter
 
+from .defs import DEFAULT_VFOLDER_PERMISSION_MODE
 from .exception import InvalidSubpathError, VFolderNotFoundError
 from .types import (
     CapacityUsage,
@@ -265,7 +266,8 @@ async def get_hwinfo(self) -> HardwareMetadata:
     async def create_vfolder(
         self,
         vfid: VFolderID,
-        exist_ok=False,
+        exist_ok: bool = False,
+        mode: int = DEFAULT_VFOLDER_PERMISSION_MODE,
     ) -> None:
         raise NotImplementedError
 

src/ai/backend/storage/api/manager.py

@@ -20,6 +20,7 @@
     Callable,
     Iterator,
     NotRequired,
+    Optional,
     TypedDict,
     cast,
 )
@@ -47,6 +48,7 @@
 from ai.backend.storage.watcher import ChownTask, MountTask, UmountTask
 
 from .. import __version__
+from ..defs import DEFAULT_VFOLDER_PERMISSION_MODE
 from ..exception import (
     ExternalError,
     InvalidQuotaConfig,
@@ -340,6 +342,7 @@ async def create_vfolder(request: web.Request) -> web.Response:
     class Params(TypedDict):
         volume: str
         vfid: VFolderID
+        mode: Optional[int]
         options: dict[str, Any] | None  # deprecated
 
     async with cast(
@@ -350,6 +353,7 @@ class Params(TypedDict):
                 {
                     t.Key("volume"): t.String(),
                     t.Key("vfid"): tx.VFolderID(),
+                    t.Key("mode", default=None): t.Null | t.Int,
                     t.Key("options", default=None): t.Null | t.Dict().allow_extra("*"),
                 },
             ),
@@ -358,9 +362,12 @@ class Params(TypedDict):
         await log_manager_api_entry(log, "create_vfolder", params)
         assert params["vfid"].quota_scope_id is not None
         ctx: RootContext = request.app["ctx"]
+        perm_mode = cast(
+            int, params["mode"] if params["mode"] is not None else DEFAULT_VFOLDER_PERMISSION_MODE
+        )
         async with ctx.get_volume(params["volume"]) as volume:
             try:
-                await volume.create_vfolder(params["vfid"])
+                await volume.create_vfolder(params["vfid"], mode=perm_mode)
             except QuotaScopeNotFoundError:
                 assert params["vfid"].quota_scope_id
                 if initial_max_size_for_quota_scope := (params["options"] or {}).get(
@@ -373,7 +380,7 @@ class Params(TypedDict):
                     params["vfid"].quota_scope_id, options=options
                 )
                 try:
-                    await volume.create_vfolder(params["vfid"])
+                    await volume.create_vfolder(params["vfid"], mode=perm_mode)
                 except QuotaScopeNotFoundError:
                     raise ExternalError("Failed to create vfolder due to quota scope not found.")
             return web.Response(status=204)

src/ai/backend/storage/defs.py

@@ -0,0 +1,3 @@
+from typing import Final
+
+DEFAULT_VFOLDER_PERMISSION_MODE: Final[int] = 0o755

src/ai/backend/storage/vfs/__init__.py

@@ -20,6 +20,7 @@
 from ai.backend.logging import BraceStyleAdapter
 
 from ..abc import CAP_VFOLDER, AbstractFSOpModel, AbstractQuotaModel, AbstractVolume
+from ..defs import DEFAULT_VFOLDER_PERMISSION_MODE
 from ..exception import (
     ExecutionError,
     InvalidAPIParameters,
@@ -387,13 +388,18 @@ async def get_hwinfo(self) -> HardwareMetadata:
     async def create_vfolder(
         self,
         vfid: VFolderID,
-        exist_ok=False,
+        exist_ok: bool = False,
+        mode: int = DEFAULT_VFOLDER_PERMISSION_MODE,
     ) -> None:
         qspath = self.quota_model.mangle_qspath(vfid)
         if not qspath.exists():
             raise QuotaScopeNotFoundError
         vfpath = self.mangle_vfpath(vfid)
-        await aiofiles.os.makedirs(vfpath, 0o755, exist_ok=exist_ok)
+        await aiofiles.os.makedirs(vfpath, mode, exist_ok=exist_ok)
+        if mode != DEFAULT_VFOLDER_PERMISSION_MODE:
+            # The mode parameter in os.makedirs() sometimes fails to set directory permissions correctly.
+            # Calling os.chmod() afterward ensures the desired permissions are properly applied.
+            os.chmod(vfpath, mode)
 
     @final
     async def delete_vfolder(self, vfid: VFolderID) -> None: