apache · SarahAsad23 · May 19, 2026 · May 19, 2026 · May 20, 2026 · May 20, 2026
diff --git a/...rol-service/src/main/scala/org/apache/texera/service/resource/AccessControlResource.scala b/...rol-service/src/main/scala/org/apache/texera/service/resource/AccessControlResource.scala
@@ -22,7 +22,7 @@ import com.fasterxml.jackson.module.scala.DefaultScalaModule
 import com.typesafe.scalalogging.LazyLogging
 import jakarta.ws.rs.client.{Client, ClientBuilder, Entity}
 import jakarta.ws.rs.core._
-import jakarta.ws.rs.{Consumes, GET, POST, Path, Produces}
+import jakarta.ws.rs.{Consumes, DELETE, GET, POST, Path, Produces}
 import org.apache.texera.auth.JwtParser.parseToken
 import org.apache.texera.auth.SessionUser
 import org.apache.texera.auth.util.{ComputingUnitAccess, HeaderField}
@@ -43,6 +43,10 @@ object AccessControlResource extends LazyLogging {
   private val wsapiWorkflowWebsocket: Regex = """.*/wsapi/workflow-websocket.*""".r
   private val apiExecutionsStats: Regex = """.*/api/executions/[0-9]+/stats/[0-9]+.*""".r
   private val apiExecutionsResultExport: Regex = """.*/api/executions/result/export.*""".r
+  private val pveRoute: Regex = """.*/(?:api/|wsapi/)?pve(?:/.*)?""".r
+  // Path patterns whose cuid lives in the URL path rather than the query string.
+  private val pvePvesCuidPath: Regex = """.*/pve/pves/([0-9]+).*""".r
+  private val pvePackagesCuidPath: Regex = """.*/pve/([0-9]+)/[^/]+/packages/.+""".r
 
   /**
     * Authorize the request based on the path and headers.
@@ -60,7 +64,8 @@ object AccessControlResource extends LazyLogging {
     logger.info(s"Authorizing request for path: $path")
 
     path match {
-      case wsapiWorkflowWebsocket() | apiExecutionsStats() | apiExecutionsResultExport() =>
+      case wsapiWorkflowWebsocket() | apiExecutionsStats() | apiExecutionsResultExport() |
+          pveRoute() =>
         checkComputingUnitAccess(uriInfo, headers, bodyOpt)
       case _ =>
         logger.warn(s"No authorization logic for path: $path. Denying access.")
@@ -95,7 +100,14 @@ object AccessControlResource extends LazyLogging {
       qToken.orElse(hToken).orElse(bToken).getOrElse("")
     }
     logger.info(s"token extracted from request $token")
-    val cuid = queryParams.getOrElse("cuid", "")
+
+    val cuid = queryParams.get("cuid").filter(_.nonEmpty).getOrElse {
+      uriInfo.getPath match {
+        case pvePvesCuidPath(c)     => c
+        case pvePackagesCuidPath(c) => c
+        case _                      => ""
+      }
+    }
     val cuidInt =
       try {
         cuid.toInt
@@ -213,6 +225,15 @@ class AccessControlResource extends LazyLogging {
     logger.info("Request body: " + body)
     AccessControlResource.authorize(uriInfo, headers, Option(body).map(_.trim).filter(_.nonEmpty))
   }
+
+  @DELETE
+  @Path("/{path:.*}")
+  def authorizeDelete(
+      @Context uriInfo: UriInfo,
+      @Context headers: HttpHeaders
+  ): Response = {
+    AccessControlResource.authorize(uriInfo, headers)
+  }
 }
 
 @Path("/chat")

diff --git a/.../src/main/scala/org/apache/texera/web/resource/pythonvirtualenvironment/PveResource.scala b/.../src/main/scala/org/apache/texera/web/resource/pythonvirtualenvironment/PveResource.scala
@@ -36,12 +36,10 @@ class PveResource {
   @GET
   @Path("/system")
   @Produces(Array(MediaType.APPLICATION_JSON))
-  def getSystemPackages: util.Map[String, util.List[String]] = {
+  def getSystemPackages(
+      @QueryParam("isLocal") isLocal: Boolean
+  ): util.Map[String, util.List[String]] = {
     try {
-
-      // TODO: Support Kubernetes environment handling
-      val isLocal = true
-
       val systemPkgs =
         PveManager.getSystemPackages(isLocal).toList.asJava
 

diff --git a/bin/computing-unit-master.dockerfile b/bin/computing-unit-master.dockerfile
@@ -71,11 +71,13 @@ WORKDIR /texera/amber
 
 COPY --from=build /texera/amber/requirements.txt /tmp/requirements.txt
 COPY --from=build /texera/amber/operator-requirements.txt /tmp/operator-requirements.txt
+COPY --from=build /texera/amber/system-requirements-lock.txt /tmp/system-requirements-lock.txt
 
 # Install Python runtime dependencies
 RUN apt-get update && apt-get install -y \
     python3-pip \
     python3-dev \
+    python3-venv \
     libpq-dev \
     && apt-get clean
 

diff --git a/bin/k8s/templates/gateway-routes.yaml b/bin/k8s/templates/gateway-routes.yaml
@@ -118,6 +118,20 @@ spec:
         - group: gateway.envoyproxy.io
           kind: Backend
           name: texera-dynamic-backend
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /pve
+      filters:
+        - type: URLRewrite
+          urlRewrite:
+            path:
+              type: ReplacePrefixMatch
+              replacePrefixMatch: /api/pve
+      backendRefs:
+        - group: gateway.envoyproxy.io
+          kind: Backend
+          name: texera-dynamic-backend
 ---
 # MinIO Route
 {{- if .Values.minio.gateway.enabled }}

diff --git a/frontend/src/app/workspace/component/power-button/computing-unit-selection.component.ts b/frontend/src/app/workspace/component/power-button/computing-unit-selection.component.ts
@@ -802,7 +802,7 @@ export class ComputingUnitSelectionComponent implements OnInit {
           }));
 
           this.workflowPveService
-            .getSystemPackages(isLocal)
+            .getSystemPackages(cuId, isLocal)
             .pipe(untilDestroyed(this))
             .subscribe({
               next: installedResp => {

diff --git a/frontend/src/app/workspace/service/virtual-environment/virtual-environment.service.ts b/frontend/src/app/workspace/service/virtual-environment/virtual-environment.service.ts
@@ -49,8 +49,8 @@ export class WorkflowPveService {
     return params;
   }
 
-  getSystemPackages(isLocal: boolean): Observable<PackageResponse> {
-    const params = this.buildBaseParams();
+  getSystemPackages(cuid: number, isLocal: boolean): Observable<PackageResponse> {
+    const params = this.buildBaseParams().set("cuid", cuid.toString()).set("isLocal", isLocal.toString());
     return this.http.get<PackageResponse>("/pve/system", { params });
   }