draft feat: roles for api keys #2321
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ranted more finely grained access to specific parts of localai Signed-off-by: Dave Lee <[email protected]>
Signed-off-by: Dave Lee <[email protected]>
✅ Deploy Preview for localai canceled.
|
|
I really think this adds a complexity layer that should be out of LocalAI - ideally there are reverse proxy that can work with this. What is the use-case at hand here? I'm also ok to merge it - but it should at least use another argument to not break current |
mudler
requested changes
May 14, 2024
|
I agree with Mudler. I don't like the idea of breaking existing API_KEYS for this. |
… to do about env var Signed-off-by: Dave Lee <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Roles
This was prepared as a quick option in case we want a demo.
Currently working on an improved version using casbin for permanent version - will replace this PR when finished.
initial version of a role system for api keys, allowing users to be granted more finely grained access to specific parts of localai
Some notes:
adds a new configuration file that is shipped by default named
roles.json- exists to give sane combinations of endpoints easy names, though technically this can be skipped.changes how api_keys are interpreted. Now it's a map of api key ==> slice of endpoints
whenever api_keys.json is evaluated (including at the initial program load) we shake out the endpoint slice - reducing roles to raw endpoints and deduplicating
the old format for
api_keys.jsonstill works... and is interpreted as if all keys areui usera fake api key of
"_"represents the set of endpoints that should be authorized for unauthenticated users. Currently this also expands the access of all authenticated users - so"_"serves as the single default set of allowed to all endpoints. Let me know if anyone can think of a reason to have the complication of two distinct listsI'd appreciate help testing every possible use case... as well as ideas for ways to improve
roles.jsonsuch as different groupings or things I've missedDocs will need to be updated to match this, but I want to do that in a separate PR for organizational reasons.