Some serverside fixes

Author: schustmi

src/zenml/config/pipeline_configurations.py

@@ -20,9 +20,9 @@
 from pydantic import SerializeAsAny, field_validator
 
 from zenml.config.constants import DOCKER_SETTINGS_KEY
+from zenml.config.frozen_base_model import FrozenBaseModel
 from zenml.config.retry_config import StepRetryConfig
 from zenml.config.source import SourceWithValidator
-from zenml.config.strict_base_model import FrozenBaseModel
 from zenml.model.model import Model
 from zenml.utils.tag_utils import Tag
 from zenml.utils.time_utils import utc_now

src/zenml/config/pipeline_run_configuration.py

@@ -19,11 +19,11 @@
 from pydantic import Field, SerializeAsAny
 
 from zenml.config.base_settings import BaseSettings
+from zenml.config.frozen_base_model import FrozenBaseModel
 from zenml.config.retry_config import StepRetryConfig
 from zenml.config.schedule import Schedule
 from zenml.config.source import SourceWithValidator
 from zenml.config.step_configurations import StepConfigurationUpdate
-from zenml.config.strict_base_model import FrozenBaseModel
 from zenml.model.model import Model
 from zenml.models import PipelineBuildBase
 from zenml.utils import pydantic_utils

src/zenml/config/pipeline_spec.py

@@ -16,9 +16,9 @@
 import json
 from typing import Any, Dict, List, Optional
 
+from zenml.config.frozen_base_model import FrozenBaseModel
 from zenml.config.source import Source, SourceWithValidator
 from zenml.config.step_configurations import StepSpec
-from zenml.config.strict_base_model import FrozenBaseModel
 from zenml.utils.json_utils import pydantic_encoder
 
 

src/zenml/config/retry_config.py

@@ -13,7 +13,7 @@
 #  permissions and limitations under the License.
 """Retry configuration for a step."""
 
-from zenml.config.strict_base_model import FrozenBaseModel
+from zenml.config.frozen_base_model import FrozenBaseModel
 
 
 class StepRetryConfig(FrozenBaseModel):

src/zenml/config/step_run_info.py

@@ -16,9 +16,9 @@
 from typing import Any, Callable
 from uuid import UUID
 
+from zenml.config.frozen_base_model import FrozenBaseModel
 from zenml.config.pipeline_configurations import PipelineConfiguration
 from zenml.config.step_configurations import StepConfiguration
-from zenml.config.strict_base_model import FrozenBaseModel
 
 
 class StepRunInfo(FrozenBaseModel):

src/zenml/zen_server/routers/run_templates_endpoints.py

@@ -40,7 +40,10 @@
     verify_permissions_and_update_entity,
 )
 from zenml.zen_server.rbac.models import Action, ResourceType
-from zenml.zen_server.rbac.utils import verify_permission
+from zenml.zen_server.rbac.utils import (
+    batch_verify_permissions_for_models,
+    verify_permission,
+)
 from zenml.zen_server.routers.projects_endpoints import workspace_router
 from zenml.zen_server.utils import (
     handle_exceptions,
@@ -242,6 +245,8 @@ def create_template_run(
         """
         from zenml.zen_server.template_execution.utils import run_template
 
+        rbac_read_checks = []
+
         with track_handler(
             event=AnalyticsEvent.EXECUTED_RUN_TEMPLATE,
         ) as analytics_handler:
@@ -265,6 +270,28 @@ def create_template_run(
                 project_id=template.project.id,
             )
 
+            if config:
+                rbac_read_checks.extend(
+                    [
+                        zen_store().get_secret_by_name_or_id(id)
+                        for id in config.secrets
+                    ]
+                )
+
+                for _, step in config.steps.items():
+                    if step.secrets:
+                        rbac_read_checks.extend(
+                            [
+                                zen_store().get_secret_by_name_or_id(id)
+                                for id in step.secrets
+                            ]
+                        )
+
+            if rbac_read_checks:
+                batch_verify_permissions_for_models(
+                    rbac_read_checks, action=Action.READ
+                )
+
             return run_template(
                 template=template,
                 auth_context=auth_context,

src/zenml/zen_server/template_execution/utils.py

@@ -48,7 +48,6 @@
 from zenml.utils import (
     dict_utils,
     requirements_utils,
-    secret_utils,
     settings_utils,
 )
 from zenml.zen_server.auth import AuthContext, generate_access_token
@@ -379,11 +378,10 @@ def deployment_request_from_template(
         exclude={"name", "parameters"},
     )
     if pipeline_secrets := pipeline_update_dict.get("secrets", []):
-        pipeline_update_dict["secrets"] = (
-            secret_utils.resolve_and_verify_secrets(
-                pipeline_secrets, zen_store=zen_store()
-            )
-        )
+        pipeline_update_dict["secrets"] = [
+            zen_store().get_secret_by_name_or_id(secret)
+            for secret in pipeline_secrets
+        ]
     pipeline_configuration = PipelineConfiguration(
         **pipeline_update_dict,
         name=deployment.pipeline_configuration.name,
@@ -422,11 +420,10 @@ def deployment_request_from_template(
             update_dict.pop("name", None)
 
             if step_secrets := update_dict.get("secrets", []):
-                update_dict["secrets"] = (
-                    secret_utils.resolve_and_verify_secrets(
-                        step_secrets, zen_store=zen_store()
-                    )
-                )
+                update_dict["secrets"] = [
+                    zen_store().get_secret_by_name_or_id(secret)
+                    for secret in step_secrets
+                ]
 
             configured_parameters = set(update.parameters)
             step_config_dict = dict_utils.recursive_update(

src/zenml/zen_stores/sql_zen_store.py

@@ -6228,8 +6228,10 @@ def get_secret(
 
         return secret_model
 
-    def get_secret_by_name(self, secret_name: str) -> SecretResponse:
-        """Get a secret by name.
+    def get_secret_by_name_or_id(
+        self, secret_name_or_id: Union[str, UUID]
+    ) -> SecretResponse:
+        """Get a secret by name or ID.
 
         Args:
             secret_name: The name of the secret to fetch.
@@ -6239,7 +6241,7 @@ def get_secret_by_name(self, secret_name: str) -> SecretResponse:
         """
         with Session(self.engine) as session:
             secret_in_db = self._get_schema_by_name_or_id(
-                secret_name, schema_class=SecretSchema, session=session
+                secret_name_or_id, schema_class=SecretSchema, session=session
             )
             secret_model = secret_in_db.to_model(
                 include_metadata=True, include_resources=True