add a separate class AuthenticationTokenValidator for validating tokens

Signed-off-by: Andrew Sy Kim <andrewsy@google.com>

Author: andrewsykim

python/ray/includes/rpc_token_authentication.pxd

@@ -27,6 +27,11 @@ cdef extern from "ray/rpc/authentication/authentication_token_loader.h" namespac
         @staticmethod
         CAuthenticationTokenLoader& instance()
         c_bool HasToken()
-        c_bool ValidateToken(const CAuthenticationToken& token)
         void ResetCache()
         optional[CAuthenticationToken] GetToken()
+
+cdef extern from "ray/rpc/authentication/authentication_token_validator.h" namespace "ray::rpc" nogil:
+    cdef cppclass CAuthenticationTokenValidator "ray::rpc::AuthenticationTokenValidator":
+        @staticmethod
+        CAuthenticationTokenValidator& instance()
+        c_bool ValidateToken(const optional[CAuthenticationToken]& expected_token, const CAuthenticationToken& provided_token)

python/ray/includes/rpc_token_authentication.pxi

@@ -3,6 +3,7 @@ from ray.includes.rpc_token_authentication cimport (
     GetAuthenticationMode,
     CAuthenticationToken,
     CAuthenticationTokenLoader,
+    CAuthenticationTokenValidator,
 )
 from ray._private.authentication.authentication_constants import AUTHORIZATION_HEADER_NAME
 import logging
@@ -38,13 +39,18 @@ def validate_authentication_token(provided_token: str) -> bool:
     Returns:
         bool: True if token is valid, False otherwise
     """
+    cdef optional[CAuthenticationToken] expected_opt = CAuthenticationTokenLoader.instance().GetToken()
+
+    if not expected_opt.has_value():
+        return False
+
     # Parse provided token from Bearer format
     cdef CAuthenticationToken provided = CAuthenticationToken.FromMetadata(provided_token.encode())
 
     if provided.empty():
         return False
 
-    return CAuthenticationTokenLoader.instance().ValidateToken(provided)
+    return CAuthenticationTokenValidator.instance().ValidateToken(expected_opt, provided)
 
 
 class AuthenticationTokenLoader:

src/ray/rpc/BUILD.bazel

@@ -110,6 +110,7 @@ ray_cc_library(
         "//src/ray/rpc/authentication:authentication_mode",
         "//src/ray/rpc/authentication:authentication_token",
         "//src/ray/rpc/authentication:authentication_token_loader",
+        "//src/ray/rpc/authentication:authentication_token_validator",
         "//src/ray/stats:stats_metric",
         "@com_github_grpc_grpc//:grpc++",
     ],

src/ray/rpc/authentication/BUILD.bazel

@@ -43,7 +43,18 @@ ray_cc_library(
     deps = [
         ":authentication_mode",
         ":authentication_token",
-        ":k8s_util",
         "//src/ray/util:logging",
     ],
 )
+
+ray_cc_library(
+    name = "authentication_token_validator",
+    srcs = ["authentication_token_validator.cc"],
+    hdrs = ["authentication_token_validator.h"],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":authentication_mode",
+        ":authentication_token",
+        ":k8s_util",
+    ],
+)

src/ray/rpc/authentication/authentication_token.h

@@ -174,5 +174,12 @@ class AuthenticationToken {
   }
 };
 
+// Hash function for AuthenticationToken
+struct AuthenticationTokenHash {
+  std::size_t operator()(const AuthenticationToken &token) const {
+    return std::hash<std::string>()(token.ToValue());
+  }
+};
+
 }  // namespace rpc
 }  // namespace ray

src/ray/rpc/authentication/authentication_token_loader.cc

@@ -21,7 +21,6 @@
 #include <string>
 #include <utility>
 
-#include "ray/rpc/authentication/k8s_util.h"
 #include "ray/util/logging.h"
 
 #ifdef _WIN32
@@ -38,61 +37,11 @@
 namespace ray {
 namespace rpc {
 
-namespace {
-const std::chrono::minutes kCacheTTL(5);
-}  // namespace
-
 AuthenticationTokenLoader &AuthenticationTokenLoader::instance() {
   static AuthenticationTokenLoader instance;
   return instance;
 }
 
-bool AuthenticationTokenLoader::ValidateToken(const AuthenticationToken &provided_token) {
-  if (GetAuthenticationMode() == AuthenticationMode::TOKEN) {
-    auto expected_token = GetToken();
-    if (!expected_token.has_value()) {
-      return false;
-    }
-    return expected_token->Equals(provided_token);
-  } else if (GetAuthenticationMode() == AuthenticationMode::K8S) {
-    std::call_once(k8s::k8s_client_config_flag, k8s::InitK8sClientConfig);
-    if (!k8s::k8s_client_initialized) {
-      return false;
-    }
-
-    // Check cache first.
-    {
-      std::lock_guard<std::mutex> lock(k8s_token_cache_mutex_);
-      auto it = k8s_token_cache_.find(provided_token);
-      if (it != k8s_token_cache_.end()) {
-        if (std::chrono::steady_clock::now() < it->second.expiration) {
-          return it->second.allowed;
-        } else {
-          k8s_token_cache_.erase(it);
-        }
-      }
-    }
-
-    bool is_allowed = false;
-    is_allowed = k8s::ValidateToken(provided_token);
-
-    // Only cache validated tokens for now. We don't want to invalidate a token
-    // due to unrelated errors from Kubernetes API server. This has the downside of
-    // causing more load if an unauthenticated client continues to make calls.
-    // TODO(andrewsykim): cache invalid tokens once k8s::ValidateToken can distinguish
-    // between invalid token errors and server errors.
-    if (is_allowed) {
-      std::lock_guard<std::mutex> lock(k8s_token_cache_mutex_);
-      k8s_token_cache_[provided_token] = {is_allowed,
-                                          std::chrono::steady_clock::now() + kCacheTTL};
-    }
-
-    return is_allowed;
-  }
-
-  return true;
-}
-
 std::optional<AuthenticationToken> AuthenticationTokenLoader::GetToken() {
   std::lock_guard<std::mutex> lock(token_mutex_);
 

src/ray/rpc/authentication/authentication_token_loader.h

@@ -18,22 +18,13 @@
 #include <mutex>
 #include <optional>
 #include <string>
-#include <unordered_map>
 
 #include "ray/rpc/authentication/authentication_mode.h"
 #include "ray/rpc/authentication/authentication_token.h"
-#include "ray/rpc/authentication/k8s_util.h"
 
 namespace ray {
 namespace rpc {
 
-// Hash function for AuthenticationToken
-struct AuthenticationTokenHash {
-  std::size_t operator()(const AuthenticationToken &token) const {
-    return std::hash<std::string>()(token.ToValue());
-  }
-};
-
 /// Singleton class for loading and caching authentication tokens.
 /// Supports loading tokens from multiple sources with precedence:
 /// 1. RAY_AUTH_TOKEN environment variable
@@ -55,14 +46,6 @@ class AuthenticationTokenLoader {
   /// \return true if a token exists, false otherwise.
   bool HasToken();
 
-  /// Validate the provided authentication token.
-  /// For TOKEN mode, it compares with the loaded token.
-  /// For K8S mode, it uses Kubernetes TokenReview and SubjectAccessReview APIs.
-  /// The results for K8S mode are cached.
-  /// \param provided_token The token to validate.
-  /// \return true if the token is valid, false otherwise.
-  bool ValidateToken(const AuthenticationToken &provided_token);
-
   void ResetCache() {
     std::lock_guard<std::mutex> lock(token_mutex_);
     cached_token_.reset();
@@ -89,15 +72,6 @@ class AuthenticationTokenLoader {
 
   std::mutex token_mutex_;
   std::optional<AuthenticationToken> cached_token_;
-
-  // Cache for K8s tokens.
-  struct K8sCacheEntry {
-    bool allowed;
-    std::chrono::steady_clock::time_point expiration;
-  };
-  std::mutex k8s_token_cache_mutex_;
-  std::unordered_map<AuthenticationToken, K8sCacheEntry, AuthenticationTokenHash>
-      k8s_token_cache_;
 };
 
 }  // namespace rpc

src/ray/rpc/authentication/authentication_token_validator.cc

@@ -0,0 +1,85 @@
+// Copyright 2025 The Ray Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions
+// and limitations under the License.
+
+#include "ray/rpc/authentication/authentication_token_validator.h"
+
+#include "ray/rpc/authentication/authentication_mode.h"
+#include "ray/rpc/authentication/k8s_util.h"
+#include "ray/util/logging.h"
+
+namespace ray {
+namespace rpc {
+
+const std::chrono::minutes kCacheTTL(5);
+
+AuthenticationTokenValidator &AuthenticationTokenValidator::instance() {
+  static AuthenticationTokenValidator instance;
+  return instance;
+}
+
+bool AuthenticationTokenValidator::ValidateToken(
+    const std::optional<AuthenticationToken> &expected_token,
+    const AuthenticationToken &provided_token) {
+  if (GetAuthenticationMode() == AuthenticationMode::TOKEN) {
+    if (!expected_token.has_value() || expected_token->empty()) {
+      return true;  // No auth required on server side
+    }
+
+    return expected_token->Equals(provided_token);
+  } else if (GetAuthenticationMode() == AuthenticationMode::K8S) {
+    std::call_once(k8s::k8s_client_config_flag, k8s::InitK8sClientConfig);
+    if (!k8s::k8s_client_initialized) {
+      RAY_LOG(WARNING) << "Kubernetes client not initialized, K8s authentication failed.";
+      return false;
+    }
+
+    // Check cache first.
+    {
+      std::lock_guard<std::mutex> lock(k8s_token_cache_mutex_);
+      auto it = k8s_token_cache_.find(provided_token);
+      if (it != k8s_token_cache_.end()) {
+        if (std::chrono::steady_clock::now() < it->second.expiration) {
+          RAY_LOG(DEBUG) << "K8s token found in cache and is valid.";
+          return it->second.allowed;
+        } else {
+          RAY_LOG(DEBUG) << "K8s token in cache expired, removing from cache.";
+          k8s_token_cache_.erase(it);
+        }
+      }
+    }
+
+    bool is_allowed = false;
+    is_allowed = k8s::ValidateToken(provided_token);
+
+    // Only cache validated tokens for now. We don't want to invalidate a token
+    // due to unrelated errors from Kubernetes API server. This has the downside of
+    // causing more load if an unauthenticated client continues to make calls.
+    // TODO(andrewsykim): cache invalid tokens once k8s::ValidateToken can distinguish
+    // between invalid token errors and server errors.
+    if (is_allowed) {
+      std::lock_guard<std::mutex> lock(k8s_token_cache_mutex_);
+      k8s_token_cache_[provided_token] = {is_allowed,
+                                          std::chrono::steady_clock::now() + kCacheTTL};
+      RAY_LOG(DEBUG) << "K8s token validated and saved to cached.";
+    }
+
+    return is_allowed;
+  }
+
+  RAY_LOG(DEBUG) << "Authentication mode is disabled, token considered valid.";
+  return true;
+}
+
+}  // namespace rpc
+}  // namespace ray

src/ray/rpc/authentication/authentication_token_validator.h

@@ -0,0 +1,50 @@
+// Copyright 2025 The Ray Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions
+// and limitations under the License.
+
+#pragma once
+
+#include <optional>
+#include <unordered_map>
+
+#include "ray/rpc/authentication/authentication_token.h"
+#include "ray/rpc/authentication/k8s_util.h"
+
+namespace ray {
+namespace rpc {
+
+class AuthenticationTokenValidator {
+ public:
+  static AuthenticationTokenValidator &instance();
+  /// Validate the provided authentication token against the expected token.
+  /// When auth_mode=token, this is a simple equality check.
+  /// When auth_mode=k8s, provided_token is validated against Kubernetes API.
+  /// \param expected_token The expected token (optional).
+  /// \param provided_token The token to validate.
+  /// \return true if the tokens are equal, false otherwise.
+  bool ValidateToken(const std::optional<AuthenticationToken> &expected_token,
+                     const AuthenticationToken &provided_token);
+
+ private:
+  // Cache for K8s tokens.
+  struct K8sCacheEntry {
+    bool allowed;
+    std::chrono::steady_clock::time_point expiration;
+  };
+  std::mutex k8s_token_cache_mutex_;
+  std::unordered_map<AuthenticationToken, K8sCacheEntry, AuthenticationTokenHash>
+      k8s_token_cache_;
+};
+
+}  // namespace rpc
+}  // namespace ray

src/ray/rpc/grpc_server.h

@@ -107,9 +107,7 @@ class GrpcServer {
     if (auth_token.has_value()) {
       auth_token_ = std::move(auth_token.value());
     } else {
-      if (GetAuthenticationMode() == AuthenticationMode::TOKEN) {
-        auth_token_ = AuthenticationTokenLoader::instance().GetToken();
-      }
+      auth_token_ = AuthenticationTokenLoader::instance().GetToken();
     }
     Init();
   }