[2.7] Redesign Job-level Authorization Example (#4074)

Fixes # .

### Description

Redesign job-level-authorization example to utilize Recipe and ProdEnv.

### Types of changes
<!--- Put an `x` in all the boxes that apply, and remove the not
applicable items -->
- [x] Non-breaking change (fix or new feature that would not break
existing functionality).
- [ ] Breaking change (fix or new feature that would cause existing
functionality to change).
- [ ] New tests added to cover the changes.
- [ ] Quick tests passed locally by running `./runtest.sh`.
- [ ] In-line docstrings updated.
- [ ] Documentation updated.

Author: holgerroth

examples/advanced/job-level-authorization/README.md

@@ -16,7 +16,7 @@ source nvflare-env/bin/activate
 ```
 2. Install NVFlare
 ```
-pip install nvflare
+pip install -r requirements.txt
 ```
 3. The example is part of the NVFlare source code. The source code can be obtained like this,
 ```
@@ -39,6 +39,13 @@ All the startup kits will be generated in this folder,
 /tmp/nvflare/poc/job-level-authorization/prod_00
 ```
 
+**Important**: The `setup.sh` script performs the following operations:
+1. Removes the workspace folder (if it exists) and regenerates the POC environment
+2. Prepares the POC deployment with the specified configuration
+3. **Overwrites site_a's security settings** by copying the custom security handler from `security/site_a/*` to `/tmp/nvflare/poc/job-level-authorization/prod_00/site_a/local`
+
+This custom security configuration installs the `CustomSecurityHandler` that enforces job-level authorization on site_a, blocking jobs named "FL-Demo-Job2" while allowing all other jobs.
+
 Note that the "workspace" folder is removed every time `setup.sh` is run. Please do not save customized files in this folder.
 
 ### Starting NVFlare
@@ -48,33 +55,51 @@ This script will start up the server and 2 clients,
 nvflare poc start
 ```
 
-### Logging with Admin Console
+### Submitting Jobs to ProdEnv
 
-For example, to login as the `[email protected]` user:
+Here, we treat the created POC environment as a production environemnt running in the background.
+You can submit jobs programmatically using the Recipe API with `ProdEnv`. Two example scripts are provided:
 
+**job1.py** - Submits a job named "hello-numpy" (**ALLOWED by site_a**):
 ```
-cd /tmp/nvflare/poc/job-level-authorization/prod_00/[email protected]
-./startup/fl_admin.sh
+python job1.py
 ```
 
-At the prompt, enter the user email `[email protected]`
+**job2.py** - Submits a job named "FL-Demo-Job2" (**BLOCKED by site_a**):
+```
+python job2.py
+```
 
-The setup.sh has copied the jobs folder to the workspace folder.
-So jobs can be submitted like this, type the following command in the admin console:
+Both scripts use `ProdEnv` to connect to the production deployment and submit jobs via the Flare API. The jobs demonstrate how site_a's `CustomSecurityHandler` enforces authorization based on job name:
+- Job 1 with name "hello-numpy" will be accepted by both site_a and site_b
+- Job 2 with name "FL-Demo-Job2" will be rejected by site_a but accepted by site_b
 
+You can customize the startup kit location and username using command-line arguments:
 ```
-submit_job ../../job1
-submit_job ../../job2
+python job1.py --startup_kit_location /path/to/startup_kit --username [email protected]
 ```
 
 ## Participants
 
 ### Site
 * `server1`: NVFlare server
-* `site_a`: Site_a has a CustomSecurityHandler set up which does not allow the job "FL Demo Job1" to run. Any other named jobs will be able to deploy and run on site_a.
+* `site_a`: Site_a has a CustomSecurityHandler set up which does not allow the job "FL-Demo-Job2" to run. Any other named jobs will be able to deploy and run on site_a.
 * `site_b`: Site_b does not have the extra security handling codes. It allows any job to be deployed and run.
 
 ### Jobs
 
 * job1: The job is called `hello-numpy`. site_a will allow this job to run.
-* job2: The job is called `FL Demo Job1`. site_a will block this job to run.
+* job2: The job is called `FL-Demo-Job2`. site_a will block this job to run.
+
+### Output
+
+For job1, you will see successful completion with training on both clients (site_a & site_b).
+
+For job2, you will see an output like this in the POC log messages:
+
+```
+2026-01-30 12:41:51,006 - site_security - ERROR - Authorization failed. Reason: Job 'FL-Demo-Job2' BLOCKED by site_a's CustomSecurityHandler - not authorized to execute: check_resources
+2026-01-30 12:41:51,008 - ServerEngine - ERROR - Client reply error: Job 'FL-Demo-Job2' BLOCKED by site_a's CustomSecurityHandler - not authorized to execute: check_resources
+```
+Only site_b will execute the training run.
+

examples/advanced/job-level-authorization/client.py

@@ -0,0 +1,96 @@
+# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+    client side training scripts
+"""
+
+import argparse
+
+import numpy as np
+
+import nvflare.client as flare
+from nvflare.app_common.np.constants import NPConstants
+from nvflare.client.tracking import SummaryWriter
+
+
+def train(input_numpy_array: np.ndarray) -> np.ndarray:
+    """Mock training of the model by adding 1 to the input numpy array.
+    In a real application, this would be actual model training.
+    """
+    return input_numpy_array + 1
+
+
+def evaluate(input_numpy_array: np.ndarray) -> dict:
+    """Mock evaluation of the model by returning the mean of the input numpy array.
+    In a real application, this would be actual model evaluation.
+    """
+    return {"weight_mean": np.mean(input_numpy_array)}
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--update_type", choices=["full", "diff"], default="full")
+    args = parser.parse_args()
+
+    # Initialize FLARE
+    flare.init()
+    sys_info = flare.system_info()
+    client_name = sys_info["site_name"]
+
+    print(f"Client {client_name} initialized")
+
+    # Initialize summary writer for tracking
+    summary_writer = SummaryWriter()
+
+    while flare.is_running():
+        # Receive model from server
+        input_model = flare.receive()
+        print(f"Client {client_name}, current_round={input_model.current_round}")
+
+        # Get model parameters
+        input_np_arr = input_model.params[NPConstants.NUMPY_KEY]
+        print(f"Received weights: {input_np_arr}")
+
+        new_params = train(input_np_arr)
+
+        # Evaluate the model
+        metrics = evaluate(new_params)
+        print(f"Client {client_name} evaluation metrics: {metrics}")
+
+        # Log metrics to summary writer
+        global_step = input_model.current_round
+        summary_writer.add_scalar(tag="weight_mean", scalar=metrics["weight_mean"], global_step=global_step)
+
+        print(f"Client {client_name} finished training for round {input_model.current_round}")
+        if args.update_type == "diff":
+            params_to_send = new_params - input_np_arr
+            params_type = flare.ParamsType.DIFF
+        else:
+            params_to_send = new_params
+            params_type = flare.ParamsType.FULL
+
+        # Send updated model back to server
+        print(f"Sending weights: {params_to_send}")
+        output_model = flare.FLModel(
+            params={NPConstants.NUMPY_KEY: params_to_send},
+            params_type=params_type,
+            metrics=metrics,
+            current_round=input_model.current_round,
+        )
+
+        flare.send(output_model)
+
+
+if __name__ == "__main__":
+    main()

examples/advanced/job-level-authorization/job1.py

@@ -0,0 +1,66 @@
+# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+This job demonstrates job-level authorization with ProdEnv.
+Job1 has the name "hello-numpy" which is ALLOWED by site_a's CustomSecurityHandler.
+"""
+import argparse
+
+from nvflare.app_common.np.recipes.fedavg import NumpyFedAvgRecipe
+from nvflare.recipe import ProdEnv
+
+
+def define_parser():
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--startup_kit_location",
+        type=str,
+        default="/tmp/nvflare/poc/job-level-authorization/prod_00/[email protected]",
+        help="Path to the admin startup kit directory",
+    )
+    parser.add_argument("--username", type=str, default="[email protected]", help="Username for authentication")
+
+    return parser.parse_args()
+
+
+def main():
+    args = define_parser()
+
+    # Create recipe with job name "hello-numpy" - this is ALLOWED by site_a
+    recipe = NumpyFedAvgRecipe(
+        name="hello-numpy",  # This name is ALLOWED by site_a's security handler
+        min_clients=1,
+        num_rounds=1,
+        initial_model=[[1, 2, 3], [4, 5, 6], [7, 8, 9]],
+        train_script="client.py",
+    )
+
+    print("Submitting job with name: 'hello-numpy' (ALLOWED by site_a)")
+    print(f"Using startup kit at: {args.startup_kit_location}")
+    print(f"Authenticating as: {args.username}")
+
+    # Use ProdEnv to submit to the production environment
+    env = ProdEnv(startup_kit_location=args.startup_kit_location, username=args.username)
+
+    print("Submitting job to production environment...")
+    run = recipe.execute(env)
+    print()
+    print("Result can be found in:", run.get_result())
+    print("Job Status is:", run.get_status())
+    print()
+    print("SUCCESS: Job 'hello-numpy' should be ACCEPTED by site_a's security handler")
+
+
+if __name__ == "__main__":
+    main()

examples/advanced/job-level-authorization/job2.py

@@ -0,0 +1,70 @@
+# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+This job demonstrates job-level authorization with ProdEnv.
+Job2 has the name "FL-Demo-Job2" which is BLOCKED by site_a's CustomSecurityHandler.
+
+This script must be run from the job-level-authorization directory so that
+the client.py script can be found and included in the job package.
+"""
+import argparse
+
+from nvflare.app_common.np.recipes.fedavg import NumpyFedAvgRecipe
+from nvflare.recipe import ProdEnv
+
+
+def define_parser():
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--startup_kit_location",
+        type=str,
+        default="/tmp/nvflare/poc/job-level-authorization/prod_00/[email protected]",
+        help="Path to the admin startup kit directory",
+    )
+    parser.add_argument("--username", type=str, default="[email protected]", help="Username for authentication")
+
+    return parser.parse_args()
+
+
+def main():
+    args = define_parser()
+
+    # Create recipe with job name "FL-Demo-Job2" - this is BLOCKED by site_a
+    recipe = NumpyFedAvgRecipe(
+        name="FL-Demo-Job2",  # This name is BLOCKED by site_a's security handler
+        min_clients=1,
+        num_rounds=1,
+        initial_model=[[1, 2, 3], [4, 5, 6], [7, 8, 9]],
+        train_script="client.py",
+    )
+
+    print("Submitting job with name: 'FL-Demo-Job2' (BLOCKED by site_a)")
+    print(f"Using startup kit at: {args.startup_kit_location}")
+    print(f"Authenticating as: {args.username}")
+
+    # Use ProdEnv to submit to the production environment
+    env = ProdEnv(startup_kit_location=args.startup_kit_location, username=args.username)
+
+    print("Submitting job to production environment...")
+    run = recipe.execute(env)
+    print()
+    print("Job Status is:", run.get_status())
+    print("Result can be found in:", run.get_result())
+    print()
+    print("EXPECTED BEHAVIOR: Job 'FL-Demo-Job2' should be REJECTED by site_a's security handler")
+    print("site_a will block this job, but site_b (without security handler) will accept it")
+
+
+if __name__ == "__main__":
+    main()

examples/advanced/job-level-authorization/jobs/job1/meta.json

@@ -1 +1 @@
-nvflare~=2.5.0rc
+nvflare~=2.7.2rc

examples/advanced/job-level-authorization/jobs/job2/meta.json

@@ -1,4 +1,4 @@
-# Copyright (c) 2023, NVIDIA CORPORATION.  All rights reserved.
+# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -33,8 +33,12 @@ def authorize(self, fl_ctx: FLContext) -> tuple[bool, str]:
         if command in ["check_resources"]:
             security_items = fl_ctx.get_prop(FLContextKey.SECURITY_ITEMS)
             job_meta = security_items.get(FLContextKey.JOB_META)
-            if job_meta.get(JobMetaKey.JOB_NAME) == "FL Demo Job1":
-                return False, f"Not authorized to execute: {command}"
+            job_name = job_meta.get(JobMetaKey.JOB_NAME)
+            if job_name == "FL-Demo-Job2":
+                return (
+                    False,
+                    f"Job '{job_name}' BLOCKED by site_a's CustomSecurityHandler - not authorized to execute: {command}",
+                )
             else:
                 return True, ""
         else:

examples/advanced/job-level-authorization/requirements.txt

@@ -19,6 +19,11 @@
         "path": "nvflare.app_common.resource_consumers.gpu_resource_consumer.GPUResourceConsumer",
         "args": {}
       },
+      {
+        "id": "process_launcher",
+        "path": "nvflare.app_common.job_launcher.client_process_launcher.ClientProcessJobLauncher",
+        "args": {}
+      },
       {
             "id": "security_handler",
             "path": "security_handler.CustomSecurityHandler"

examples/advanced/job-level-authorization/security/site_a/custom/security_handler.py

@@ -7,10 +7,4 @@ nvflare poc prepare -i project.yml -c site_a
 WORKSPACE="/tmp/nvflare/poc/job-level-authorization/prod_00"
 cp -r security/site_a/* $WORKSPACE/site_a/local
 
-for i in {1..2}
-do
-  cp -r ../../hello-world/hello-numpy $WORKSPACE/job$i
-  cp -r jobs/job$i/* $WORKSPACE/job$i
-done
-
 echo Your workspace is "$WORKSPACE"