V3.5 修复SFTPGo reset password

src/mvp/configs/dev.yaml

@@ -41,10 +41,14 @@ data:
   # SFTPGo is optional in dev; when enabled, admin endpoints will call SFTPGo admin API.
   # Admin password is provided by env var `data.sftpgo.admin_password_env`.
   sftpgo:
-    enabled: false
+    enabled: true
     host: ""              # shown to users via GET /api/v2/me
     sftp_port: 2022
-    admin_api_base: ""    # e.g. http://argus-sftpgo:8080
+    # NOTE: the Ray head container image sometimes fails to resolve docker-internal DNS names
+    # (e.g. sftpgo/argus-sftpgo). Use the docker bridge gateway + published port for stability.
+    # - host port 8081 -> sftpgo container 8080
+    # - 172.22.0.1 is the gateway of `mvp_argus-ray-net` in the dev compose
+    admin_api_base: "http://172.22.0.1:8081/api/v2"    # head 容器内访问 SFTPGo admin API
     admin_user: "admin"
     admin_password_env: "SFTPGO_ADMIN_PASSWORD"
 

src/mvp/docker-compose.yaml

@@ -32,6 +32,9 @@ services:
       ARGUS_SHARED_ROOT: "/private"
       ARGUS_CLUSTER_NAME: "argus-ray"
       ARGUS_LOG_DIR: "/private/common/logs"
+      # Make SFTPGo admin password available to API server started via `docker exec`.
+      # Keep it consistent with the sftpgo container default below.
+      SFTPGO_ADMIN_PASSWORD: "${SFTPGO_ADMIN_PASSWORD:-my-dev-sftpgo-admin}"
       HF_HOME: "/private/hf"
       HUGGINGFACE_HUB_CACHE: "/private/hf/hub"
       TRANSFORMERS_CACHE: "/private/hf/transformers"
@@ -54,7 +57,10 @@ services:
       - ../../shared:/private
       - ../../shared/common/sftpgo:/var/lib/sftpgo
     networks:
-      - argus-ray-net
+      argus-ray-net:
+        aliases:
+          - sftpgo
+          - argus-sftpgo
     environment:
       # Create a default admin on first start (used by API server to manage users).
       # Override on host as needed:

src/mvp/py/argus/service/sftpgo.py

@@ -125,8 +125,13 @@ class SFTPGoAdminClient:
         perms = dict(user_payload.get("permissions") or {"/": ["*"]})
         # Ensure /common is visible as a directory and can be traversed.
         perms["/common"] = ["list"]
-        perms["/common/datasets"] = ["list", "download"]
-        perms["/common/hf"] = ["list", "download"]
+        # SFTPGo permissions are path-scoped. In practice, granting on the directory itself may
+        # not always cover nested paths depending on client/API behavior, so include common
+        # wildcard forms to ensure users can read files under these virtual folders.
+        perms["/common/datasets"] = ["list"]
+        perms["/common/datasets/*"] = ["list", "download"]
+        perms["/common/hf"] = ["list"]
+        perms["/common/hf/*"] = ["list", "download"]
         user_payload["permissions"] = perms
 
         desired_vf = [
@@ -157,8 +162,10 @@ class SFTPGoAdminClient:
             "permissions": {
                 "/": ["*"],
                 "/common": ["list"],
-                "/common/datasets": ["list", "download"],
-                "/common/hf": ["list", "download"],
+                "/common/datasets": ["list"],
+                "/common/datasets/*": ["list", "download"],
+                "/common/hf": ["list"],
+                "/common/hf/*": ["list", "download"],
             },
             "virtual_folders": [
                 {"name": "common_datasets", "virtual_path": "/common/datasets"},

src/mvp/scripts/60_start_api.sh

@@ -23,9 +23,8 @@ if [[ -z "${MVP_INTERNAL_TOKEN:-}" ]]; then
 fi
 
 env_args=(-e "MVP_INTERNAL_TOKEN=${MVP_INTERNAL_TOKEN}")
-if [[ -n "${SFTPGO_ADMIN_PASSWORD:-}" ]]; then
-  env_args+=(-e "SFTPGO_ADMIN_PASSWORD=${SFTPGO_ADMIN_PASSWORD}")
-fi
+# If host does not provide it, fall back to the dev default used by docker-compose (kept in sync).
+env_args+=(-e "SFTPGO_ADMIN_PASSWORD=${SFTPGO_ADMIN_PASSWORD:-my-dev-sftpgo-admin}")
 
 docker exec -d "${env_args[@]}" "${HEAD_CONTAINER}" bash -lc "nohup python3 /workspace/mvp/py/server.py --config '${CONFIG_IN_CONTAINER}' >>'${LOG_PATH}' 2>&1 & echo \$! >'${PID_PATH}'"