[core] use AuthenticationValidator in Ray sync server#60779
[core] use AuthenticationValidator in Ray sync server#60779edoakes merged 7 commits intoray-project:masterfrom
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the Ray sync server to use AuthenticationTokenValidator for token validation, which is a good step towards centralizing authentication logic and enabling features like Kubernetes token delegation. The changes correctly plumb the validator through to where it's needed.
However, I've found a critical issue in the implementation. The new validation logic is wrapped in a condition that prevents it from running when Kubernetes authentication is enabled, effectively bypassing security checks. I've left a detailed comment with a suggested fix. Please address this to ensure the authentication works as intended.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
andrewsykim
force-pushed
the
ray-sync-server-auth-fix
branch
from
34a9f20 to
092dca6
Compare
| const std::string_view header(it->second.data(), it->second.length()); | ||
|
|
||
| if (!auth_token_->CompareWithMetadata(header)) { | ||
| if (!auth_token_validator_.ValidateToken(auth_token_, header)) { |
There was a problem hiding this comment.
PR description lacks explanation of problem being fixed
Low Severity
The PR description states "This is a bug fix to Ray sync server to use authentication token validator" but doesn't explain what problem was present. It explains how the fix works (delegating to Kubernetes) but not what issue the code had before. For example, was token validation failing entirely? Was K8s authentication not being checked? The description needs a sentence explaining the actual problem.
To help reviewers, please ensure your PR includes:
- Title: A concise summary of the change
- Description:
- What problem does this solve?
- How does this PR solve it?
- Any relevant context for reviewers such as:
- Why is the problem important to solve?
- Why was this approach chosen over others?
See this list of PRs as examples for PRs that have gone above and beyond:
- [Core] Introduce local port service discovery #59613
- [Core] Improve Large-Scale Resource View Synchronization Through Sync Message Batching #57641
- Remove node observability information from hot path of core components #56474
- [core][rdt] Support out-of-order actors by extracting metadata when creating #59610
- [core] fix open leak for plasma store memory (shm/fallback) by workers #52622
| std::shared_ptr<const ray::rpc::AuthenticationToken> auth_token_; | ||
|
|
||
| // Validator for authentication token | ||
| ray::rpc::AuthenticationTokenValidator &auth_token_validator_; |
There was a problem hiding this comment.
any specific reason to pass and store this instance? why not just call ray::rpc::AuthenticationTokenValidator::instance() wherever required?
There was a problem hiding this comment.
thanks for working on this! I think we can release this as it is, but in a future pr we should consider skipping token loading
Lines 610 to 612 in 4f1ce10
3 participants
Description
This is a bug fix to Ray sync server to use authentication token validator which will delegate token auth to Kubernetes if Ray is configured to do so.
Related issues
Additional information