Skip to content

[Core] Token auth support in Dashboard head #58209

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
edoakes merged 88 commits into from
Oct 30, 2025
Merged

[Core] Token auth support in Dashboard head #58209

edoakes merged 88 commits into from
Oct 30, 2025

Conversation

@sampan-s-nayak
Copy link
Contributor

@sampan-s-nayak sampan-s-nayak commented Oct 27, 2025
edited
Loading

Description

extend token auth support to dashboard head (all API's)

sampan and others added 30 commits October 16, 2025 08:35
[Core] Authentication for ray core rpc calls - part 1
021df65 
Signed-off-by: sampan <sampan@anyscale.com>
[Core] Token auth improvements - C++ RayAuthTokenLoader singleton
c96d1f4 
- Created RayAuthTokenLoader singleton class with thread-safe token caching
- Loads tokens from RAY_AUTH_TOKEN env, RAY_AUTH_TOKEN_PATH, or ~/.ray/auth_token
- Support for token generation with UUID (cross-platform)
- Modified GrpcServer to store and pass auth token to ServerCallImpl
- Updated RPC_SERVICE_HANDLER macros to pass auth token
- GCS server now loads token using RayAuthTokenLoader
- Removed auth_token from RayConfig (now loaded via loader)
- Token precedence: env var -> path env var -> default file path

Signed-off-by: sampan <sampan@anyscale.com>
[Core] Token auth improvements - Python token loader and CLI
91f783e 
- Created Python auth_token_loader module with thread-safe token caching
- Loads tokens from same precedence as C++: RAY_AUTH_TOKEN, RAY_AUTH_TOKEN_PATH, ~/.ray/auth_token
- Added enable_token_auth parameter to ray.init() with auto-generation support
- Added --enable-token-auth flag to ray start CLI (fails if no token found)
- Only pass enable_token_auth flag via system_config, not the token
- Each side (C++/Python) loads tokens independently using their own loaders
- ray.init() auto-generates token if not found, ray start fails with helpful error

Signed-off-by: sampan <sampan@anyscale.com>
[Core][Tests] Add unit tests for RayAuthTokenLoader
54d4eac 
- Test token loading from RAY_AUTH_TOKEN environment variable
- Test token loading from RAY_AUTH_TOKEN_PATH file
- Test token loading from default ~/.ray/auth_token path
- Test precedence order (env var > path env var > default file)
- Test token generation with GetToken(true)
- Test token caching behavior
- Test thread safety with concurrent GetToken calls
- Test whitespace trimming from token files
- Test behavior when no token is found

Signed-off-by: sampan <sampan@anyscale.com>
[Core][Tests] Add unit tests for Python auth_token_loader
092f29e 
- Test token loading from RAY_AUTH_TOKEN environment variable
- Test token loading from RAY_AUTH_TOKEN_PATH file
- Test token loading from default ~/.ray/auth_token path
- Test precedence order (env var > path env var > default file)
- Test token generation with generate_if_not_found=True
- Test token caching behavior across multiple calls
- Test has_auth_token() function
- Test thread safety with concurrent loads and generation
- Test whitespace handling and empty values
- Test file permissions on Unix systems (0600)
- Test error handling for permission errors
- Test integration with fixtures and cleanup

Signed-off-by: sampan <sampan@anyscale.com>
fix lint errors
fcd1d10 
Signed-off-by: sampan <sampan@anyscale.com>
missed change
411f6f4 
Signed-off-by: sampan <sampan@anyscale.com>
more lint issues
40fcdb5 
Signed-off-by: sampan <sampan@anyscale.com>
fix library
223dbf5 
Signed-off-by: sampan <sampan@anyscale.com>
more lint
cc89a63 
Signed-off-by: sampan <sampan@anyscale.com>
move python side changes to new pr
c079298 
Signed-off-by: sampan <sampan@anyscale.com>
remove unused import
34aa7a3 
Signed-off-by: sampan <sampan@anyscale.com>
Merge remote-tracking branch 'upstream/grpc_auth_1' into grpc_auth_2
7bde811 
Signed-off-by: sampan <sampan@anyscale.com>
remove generate token method from c++ code
733efca 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
16fd74e 
Signed-off-by: sampan <sampan@anyscale.com>
refactor code files
7094efd 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
f56d5ee 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
356a38e 
Signed-off-by: sampan <sampan@anyscale.com>
add missing imports
899973e 
Signed-off-by: sampan <sampan@anyscale.com>
refactor token loader and tests
47f2e5a 
Signed-off-by: sampan <sampan@anyscale.com>
refactor token loader + fix build
d6a87e2 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
e579741 
Signed-off-by: sampan <sampan@anyscale.com>
@sampan-s-nayak
Merge branch 'grpc_auth_1' into grpc_auth_2
99b7c22
fix issues + update tests
8678815 
Signed-off-by: sampan <sampan@anyscale.com>
missed change
4274544 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
4a5dda9 
Signed-off-by: sampan <sampan@anyscale.com>
address comments - version 1
b20e1ef 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
d1fe7b9 
Signed-off-by: sampan <sampan@anyscale.com>
missing imports
09359d6 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
886c109 
Signed-off-by: sampan <sampan@anyscale.com>
@edoakes
Copy link
Collaborator

edoakes commented Oct 28, 2025

lots of test failures

fix typo
e39247d 
Signed-off-by: sampan <sampan@anyscale.com>
@sampan-s-nayak
Copy link
Contributor Author

sampan-s-nayak commented Oct 28, 2025

lots of test failures

ah I think I missed .py in bazel file.

cursor[bot]

This comment was marked as outdated.

Sign in to view

sampan and others added 4 commits October 28, 2025 15:54
attempt to fix tests
bf4866a 
Signed-off-by: sampan <sampan@anyscale.com>
attempt to fix test in CI
61646af 
Signed-off-by: sampan <sampan@anyscale.com>
fix lint
5b3cc5b 
Signed-off-by: sampan <sampan@anyscale.com>
@sampan-s-nayak
Merge branch 'grpc_auth_2' into token_auth_4
3f40f21
Base automatically changed from grpc_auth_2 to master October 30, 2025 13:54
@edoakes
Merge branch 'master' into token_auth_4
cbf49ba 
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
@edoakes
Merge branch 'master' of https://github.com/ray-project/ray into toke…
9687632 
…n_auth_4
@edoakes
Fix
0e100db 
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
@edoakes
Fix
342727d 
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
edoakes
edoakes reviewed Oct 30, 2025
View reviewed changes
python/ray/dashboard/tests/test_dashboard_auth.py
from ray._raylet import Config


@pytest.fixture
Copy link
Collaborator

@edoakes edoakes Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sampan-s-nayak I pushed a commit to clean up the fixtures a bit here, FYI

Copy link
Collaborator

@edoakes edoakes Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also moved it into the dashboard/tests/ dir

Copy link
Contributor Author

@sampan-s-nayak sampan-s-nayak Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh I had another pr where I refactored all these fixtures and moved them to conf test

edoakes
edoakes reviewed Oct 30, 2025
View reviewed changes
python/ray/includes/rpc_token_authentication.pxi
return GetAuthenticationMode()


def validate_authentication_token(provided_token: str) -> bool:
Copy link
Collaborator

@edoakes edoakes Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like this could be implemented fully in the C++ layer?

@edoakes edoakes enabled auto-merge (squash) October 30, 2025 14:20
@edoakes
Fix
61497e3 
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
@edoakes
Fix
3e3f4c5 
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
@github-actions github-actions bot disabled auto-merge October 30, 2025 15:42
@edoakes edoakes enabled auto-merge (squash) October 30, 2025 15:43
@edoakes
Fix
07ce777 
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
@github-actions github-actions bot disabled auto-merge October 30, 2025 16:30
@edoakes edoakes merged commit fef5fa6 into master Oct 30, 2025
6 checks passed
@edoakes edoakes deleted the token_auth_4 branch October 30, 2025 21:25
YoussefEssDS pushed a commit to YoussefEssDS/ray that referenced this pull request Nov 8, 2025
@sampan-s-nayak @edoakes @YoussefEssDS
[Core] Token auth support in Dashboard head (ray-project#58209)
2969713 
Extend token auth support to dashboard head (all API's)

---------

Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: Sampan S Nayak <sampansnayak2@gmail.com>
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Co-authored-by: sampan <sampan@anyscale.com>
Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com>
landscapepainter pushed a commit to landscapepainter/ray that referenced this pull request Nov 17, 2025
@sampan-s-nayak @edoakes @landscapepainter
[Core] Token auth support in Dashboard head (ray-project#58209)
d2ce19f 
Extend token auth support to dashboard head (all API's)

---------

Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: Sampan S Nayak <sampansnayak2@gmail.com>
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Co-authored-by: sampan <sampan@anyscale.com>
Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Aydin-ab pushed a commit to Aydin-ab/ray-aydin that referenced this pull request Nov 19, 2025
@sampan-s-nayak @edoakes
[Core] Token auth support in Dashboard head (ray-project#58209)
3411346 
Extend token auth support to dashboard head (all API's)

---------

Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: Sampan S Nayak <sampansnayak2@gmail.com>
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Co-authored-by: sampan <sampan@anyscale.com>
Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Signed-off-by: Aydin Abiar <aydin@anyscale.com>
Future-Outlier pushed a commit to Future-Outlier/ray that referenced this pull request Dec 7, 2025
@sampan-s-nayak @edoakes @Future-Outlier
[Core] Token auth support in Dashboard head (ray-project#58209)
1f6d69b 
Extend token auth support to dashboard head (all API's)

---------

Signed-off-by: sampan <sampan@anyscale.com>
Signed-off-by: Sampan S Nayak <sampansnayak2@gmail.com>
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Co-authored-by: sampan <sampan@anyscale.com>
Co-authored-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Signed-off-by: Future-Outlier <eric901201@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edoakes edoakes edoakes approved these changes

@cursor cursor[bot] cursor[bot] left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

core Issues that should be addressed in Ray Core go add ONLY when ready to merge, run all tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sampan-s-nayak @edoakes