breaking(BA-5650-H): drop owner_access_key from REST v1 session API

REST v1 session endpoints no longer accept owner_access_key. The
delegation field is replaced with owner_id (user UUID) and is honored
only on the three session-creation endpoints
(create_from_template / create_from_params / create_cluster). Read and
control endpoints always act as the authenticated caller.

- common/dto/manager/session/request.py: drop the owner_access_key
  field from Create/Destroy/Restart/GetContainerLogs/GetStatusHistory
  request DTOs; add owner_id to the three creation DTOs.
- api/rest/session/handler.py: remove all 26 resolve_access_key_scope
  calls, drop the AuthProcessors dependency, and renumber log format
  placeholders that dropped the owner argument.
- api/rest/v2/session/handler.py: drop the redundant user_ctx /
  access_key arguments from shutdown_service / get_logs / update.
- api/adapters/session.py: update adapter call sites accordingly.
- api/rest/tree.py: drop the auth= argument from SessionHandler().

Test updates for the corresponding DTO assertions and component
fixtures are included.

Author: jopemachine

changes/BA-5650-H.breaking.md

@@ -0,0 +1 @@
+**Breaking**: Remove `owner_access_key` query parameter from REST v1 session endpoints. Delegation is now performed via `owner_id` (user UUID) and only on the session creation endpoints (`/session/_/create-from-template`, `/session/_/create`, `/session/_/create-cluster`). Read/control endpoints always act as the authenticated caller. Clients that previously passed `owner_access_key=<AK>` must migrate to `owner_id=<user-uuid>`.

src/ai/backend/common/dto/manager/session/request.py

@@ -135,7 +135,7 @@ class CreateFromTemplateRequest(BaseRequestModel):
         default=None,
         validation_alias=AliasChoices("callback_url", "callbackUrl", "callbackURL"),
     )
-    owner_access_key: str | None = None
+    owner_id: UUID | None = None
 
 
 class CreateFromParamsRequest(BaseRequestModel):
@@ -214,7 +214,7 @@ class CreateFromParamsRequest(BaseRequestModel):
         default=None,
         validation_alias=AliasChoices("callback_url", "callbackUrl", "callbackURL"),
     )
-    owner_access_key: str | None = None
+    owner_id: UUID | None = None
 
 
 class CreateClusterRequest(BaseRequestModel):
@@ -252,7 +252,7 @@ class CreateClusterRequest(BaseRequestModel):
         ge=0,
         validation_alias=AliasChoices("max_wait_seconds", "maxWaitSeconds"),
     )
-    owner_access_key: str | None = None
+    owner_id: UUID | None = None
 
 
 # ---------------------------------------------------------------------------
@@ -352,14 +352,11 @@ class DestroySessionRequest(BaseRequestModel):
 
     forced: bool = False
     recursive: bool = False
-    owner_access_key: str | None = None
 
 
 class RestartSessionRequest(BaseRequestModel):
     """PATCH ``/{session_name}``"""
 
-    owner_access_key: str | None = None
-
 
 class MatchSessionsRequest(BaseRequestModel):
     """GET ``/_/match``"""
@@ -419,10 +416,6 @@ class ListFilesRequest(BaseRequestModel):
 class GetContainerLogsRequest(BaseRequestModel):
     """GET ``/{session_name}/logs``"""
 
-    owner_access_key: str | None = Field(
-        default=None,
-        validation_alias=AliasChoices("owner_access_key", "ownerAccessKey"),
-    )
     kernel_id: UUID | None = Field(
         default=None,
         validation_alias=AliasChoices("kernel_id", "kernelId"),
@@ -441,5 +434,3 @@ class GetTaskLogsRequest(BaseRequestModel):
 
 class GetStatusHistoryRequest(BaseRequestModel):
     """GET ``/{session_name}/status-history``"""
-
-    owner_access_key: str | None = None

src/ai/backend/manager/api/adapters/session.py

@@ -223,8 +223,8 @@ async def enqueue(
 
         When ``input.owner_id`` is set, the session is created on behalf of the
         target user: their main access key, role, and domain are used in place
-        of the caller's. Resolution and authorization of the delegated user
-        are handled by the downstream session service, not by this adapter.
+        of the caller's. The target user must be loadable via the user
+        processor (RBAC enforced).
         """
         batch_spec: SessionBatchSpec | None = None
         if input.batch is not None:
@@ -849,12 +849,10 @@ async def shutdown_service(
         self,
         session_id: UUID,
         input: ShutdownSessionServiceInput,
-        access_key: str,
     ) -> None:
         """Shut down a service in a session."""
         action = ShutdownServiceAction(
             session_name=str(session_id),
-            owner_access_key=AccessKey(access_key),
             service_name=input.service,
         )
         await self._processors.session.shutdown_service.wait_for_complete(action)
@@ -866,13 +864,11 @@ async def shutdown_service(
     async def get_logs(
         self,
         session_id: UUID,
-        access_key: str,
         kernel_id: UUID | None = None,
     ) -> SessionLogsPayload:
         """Get container logs for a session."""
         action = GetContainerLogsAction(
             session_name=str(session_id),
-            owner_access_key=AccessKey(access_key),
             kernel_id=KernelId(kernel_id) if kernel_id else None,
         )
         result = await self._processors.session.get_container_logs.wait_for_complete(action)
@@ -887,14 +883,12 @@ async def update(
         self,
         session_id: UUID,
         input: UpdateSessionInput,
-        access_key: str,
     ) -> UpdateSessionPayload:
         """Update session fields (currently supports rename only)."""
         if input.name is not None:
             action = RenameSessionAction(
                 session_name=str(session_id),
                 new_name=input.name,
-                owner_access_key=AccessKey(access_key),
             )
             result = await self._processors.session.rename_session.wait_for_complete(action)
             return UpdateSessionPayload(session=self._session_data_to_node(result.session_data))
@@ -933,13 +927,13 @@ def _session_data_to_node(data: SessionData) -> SessionNode:
         return SessionNode(
             id=data.id,
             domain_name=data.domain_name,
-            user_id=data.user_uuid,
+            user_id=data.owner_id,
             project_id=data.group_id,
             metadata=SessionMetadataInfoGQLDTO(
                 creation_id=data.creation_id or "",
                 name=data.name or "",
                 session_type=data.session_type.value,
-                access_key=str(data.access_key) if data.access_key else "",
+                access_key=data.owner.main_access_key if data.owner else None,
                 cluster_mode=data.cluster_mode.name,
                 cluster_size=data.cluster_size,
                 priority=data.priority,
@@ -1011,8 +1005,8 @@ def _kernel_info_to_node(info: KernelInfo) -> KernelNode:
                 session_type=info.session.session_type.value,
             ),
             user_info=KernelUserInfoGQLDTO(
-                user_id=info.user_permission.user_uuid,
-                access_key=info.user_permission.access_key,
+                user_id=info.user_permission.owner_id,
+                access_key=info.user_permission.main_access_key,
                 domain_name=info.user_permission.domain_name,
                 group_id=info.user_permission.group_id,
             ),