feat: enhance AccessDeniedError with detailed context and improve exception handling

• Enhanced AccessDeniedError class to include user, action, and resource context - Added constructor parameters for action, resource, and user - Generate detailed error messages showing user principal, attributes, and attempted resource - Backward compatible with existing usage (falls back to generic message) • Updated exception handling in server.py - Import AccessDeniedError from access_control module - Return proper 403 status codes with detailed error messages - Separate handling for PermissionError (generic) vs AccessDeniedError (detailed) • Enhanced error context at raise sites - Updated routing_tables/common.py to pass action, resource, and user context - Updated agents persistence to include context in access denied errors - Provides better debugging information for access control issues • Added comprehensive unit tests - Created tests/unit/server/test_server.py with 13 test cases - Covers AccessDeniedError with and without context - Tests all exception types (ValidationError, BadRequestError, AuthenticationRequiredError, etc.) - Validates proper HTTP status codes and error message formats Resolves access control error visibility issues where 500 errors were returned instead of proper 403 responses with actionable error messages. Signed-off-by: Akram Ben Aissi <<akram.benaissi@gmail.com>>
2025-12-23 11:32:28 +00:00 · 2025-07-03 10:26:48 +02:00 · 2025-07-03 10:26:48 +02:00 · 31f85076ad
commit 31f85076ad
parent aa273944fd
5 changed files with 217 additions and 7 deletions
--- a/llama_stack/distribution/access_control/access_control.py
+++ b/llama_stack/distribution/access_control/access_control.py
@ -106,4 +106,21 @@ def is_action_allowed(


 class AccessDeniedError(RuntimeError):
-    pass
+    def __init__(self, action: str | None = None, resource: ProtectedResource | None = None, user: User | None = None):
+        self.action = action
+        self.resource = resource
+        self.user = user
+
+        # Build detailed error message
+        if action and resource and user:
+            resource_info = f"{resource.type}::{resource.identifier}"
+            user_info = f"'{user.principal}'"
+            if user.attributes:
+                attrs = ", ".join([f"{k}={v}" for k, v in user.attributes.items()])
+                user_info += f" (attributes: {attrs})"
+
+            message = f"User {user_info} cannot perform action '{action}' on resource '{resource_info}'"
+        else:
+            message = "Insufficient permissions"
+
+        super().__init__(message)