[Core] handling auth_mode=token in python ray.init() calls #57835
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 13 commits
October 16, 2025 08:35
Signed-off-by: sampan <sampan@anyscale.com>
- Created RayAuthTokenLoader singleton class with thread-safe token caching - Loads tokens from RAY_AUTH_TOKEN env, RAY_AUTH_TOKEN_PATH, or ~/.ray/auth_token - Support for token generation with UUID (cross-platform) - Modified GrpcServer to store and pass auth token to ServerCallImpl - Updated RPC_SERVICE_HANDLER macros to pass auth token - GCS server now loads token using RayAuthTokenLoader - Removed auth_token from RayConfig (now loaded via loader) - Token precedence: env var -> path env var -> default file path Signed-off-by: sampan <sampan@anyscale.com>
- Created Python auth_token_loader module with thread-safe token caching - Loads tokens from same precedence as C++: RAY_AUTH_TOKEN, RAY_AUTH_TOKEN_PATH, ~/.ray/auth_token - Added enable_token_auth parameter to ray.init() with auto-generation support - Added --enable-token-auth flag to ray start CLI (fails if no token found) - Only pass enable_token_auth flag via system_config, not the token - Each side (C++/Python) loads tokens independently using their own loaders - ray.init() auto-generates token if not found, ray start fails with helpful error Signed-off-by: sampan <sampan@anyscale.com>
- Test token loading from RAY_AUTH_TOKEN environment variable - Test token loading from RAY_AUTH_TOKEN_PATH file - Test token loading from default ~/.ray/auth_token path - Test precedence order (env var > path env var > default file) - Test token generation with GetToken(true) - Test token caching behavior - Test thread safety with concurrent GetToken calls - Test whitespace trimming from token files - Test behavior when no token is found Signed-off-by: sampan <sampan@anyscale.com>
- Test token loading from RAY_AUTH_TOKEN environment variable - Test token loading from RAY_AUTH_TOKEN_PATH file - Test token loading from default ~/.ray/auth_token path - Test precedence order (env var > path env var > default file) - Test token generation with generate_if_not_found=True - Test token caching behavior across multiple calls - Test has_auth_token() function - Test thread safety with concurrent loads and generation - Test whitespace handling and empty values - Test file permissions on Unix systems (0600) - Test error handling for permission errors - Test integration with fixtures and cleanup Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
sampan-s-nayak
force-pushed
the
grpc_auth_2
branch
from
c804ed5 to
7bde811
Compare
sampan-s-nayak
changed the title
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Contributor
Author
|
@edoakes addressed comments |
edoakes
reviewed
Oct 27, 2025
| raise | ||
|
|
||
|
|
||
| def _get_default_token_path() -> Path: |
Comment on lines
66
to
67
| is_new_cluster: Set to True if you're starting a new local cluster, or False if you're connecting | ||
| to an existing cluster. |
Collaborator
There was a problem hiding this comment.
This is an abstraction leak and also not quite correct because you might be called ray start --head, which is a new cluster, but it should error. Let's just call it what it is: generate_token_if_not_found
Contributor
Author
There was a problem hiding this comment.
in that case let me name this validate_token_exists(bool generate_if_not_exists=False) then depending on the various cases caller can set either generate_if_not_exists=True or False
Contributor
Author
There was a problem hiding this comment.
chat gpt suggested ensure_token_if_auth_enabled which i feel is even clearer.
Contributor
Author
There was a problem hiding this comment.
main purpose is to verify that token is present (generate a new one in certain cases) and fail early if not present. we also validate that enabling auth mode ray config is through env and not through system config
Comment on lines
+22
to
+31
| env_vars_to_clean = [ | ||
| "RAY_AUTH_TOKEN", | ||
| "RAY_AUTH_TOKEN_PATH", | ||
| "RAY_auth_mode", | ||
| ] | ||
| original_values = {} | ||
| for var in env_vars_to_clean: | ||
| original_values[var] = os.environ.get(var) | ||
| if var in os.environ: | ||
| del os.environ[var] |
Collaborator
There was a problem hiding this comment.
use monkeypatch env vars here instead of rewriting it
Contributor
Author
There was a problem hiding this comment.
this causes issues as the env vars are also used by the ray cluster
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Collaborator
|
test failures |
added 3 commits
October 28, 2025 15:54
Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: sampan <sampan@anyscale.com>
edoakes
approved these changes
Oct 30, 2025
YoussefEssDS
pushed a commit
to YoussefEssDS/ray
that referenced
this pull request
Nov 8, 2025
…ct#57835) ## Description builds atop of ray-project#58047, this pr ensures the following when `auth_mode` is `token`: calling `ray.init() `(without passing an existing cluster address) -> check if token is present, generate and store in default path if not present calling `ray.init(address="xyz")` (connecting to an existing cluster) -> check if token is present, raise exception if one is not present --------- Signed-off-by: sampan <sampan@anyscale.com> Signed-off-by: Sampan S Nayak <sampansnayak2@gmail.com> Co-authored-by: sampan <sampan@anyscale.com> Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com>
landscapepainter
pushed a commit
to landscapepainter/ray
that referenced
this pull request
Nov 17, 2025
…ct#57835) ## Description builds atop of ray-project#58047, this pr ensures the following when `auth_mode` is `token`: calling `ray.init() `(without passing an existing cluster address) -> check if token is present, generate and store in default path if not present calling `ray.init(address="xyz")` (connecting to an existing cluster) -> check if token is present, raise exception if one is not present --------- Signed-off-by: sampan <sampan@anyscale.com> Signed-off-by: Sampan S Nayak <sampansnayak2@gmail.com> Co-authored-by: sampan <sampan@anyscale.com> Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Aydin-ab
pushed a commit
to Aydin-ab/ray-aydin
that referenced
this pull request
Nov 19, 2025
…ct#57835) ## Description builds atop of ray-project#58047, this pr ensures the following when `auth_mode` is `token`: calling `ray.init() `(without passing an existing cluster address) -> check if token is present, generate and store in default path if not present calling `ray.init(address="xyz")` (connecting to an existing cluster) -> check if token is present, raise exception if one is not present --------- Signed-off-by: sampan <sampan@anyscale.com> Signed-off-by: Sampan S Nayak <sampansnayak2@gmail.com> Co-authored-by: sampan <sampan@anyscale.com> Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com> Signed-off-by: Aydin Abiar <aydin@anyscale.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
builds atop of #58047, this pr ensures the following when
auth_modeistoken:calling
ray.init()(without passing an existing cluster address) -> check if token is present, generate and store in default path if not presentcalling
ray.init(address="xyz")(connecting to an existing cluster) -> check if token is present, raise exception if one is not present