phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-12-23 11:22:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: enhance AccessDeniedError with detailed context and improve exception handling

Browse source 
• Enhanced AccessDeniedError class to include user, action, and resource context
  - Added constructor parameters for action, resource, and user
  - Generate detailed error messages showing user principal, attributes, and attempted resource
  - Backward compatible with existing usage (falls back to generic message)

• Updated exception handling in server.py
  - Import AccessDeniedError from access_control module
  - Return proper 403 status codes with detailed error messages
  - Separate handling for PermissionError (generic) vs AccessDeniedError (detailed)

• Enhanced error context at raise sites
  - Updated routing_tables/common.py to pass action, resource, and user context
  - Updated agents persistence to include context in access denied errors
  - Provides better debugging information for access control issues

• Added comprehensive unit tests
  - Created tests/unit/server/test_server.py with 13 test cases
  - Covers AccessDeniedError with and without context
  - Tests all exception types (ValidationError, BadRequestError, AuthenticationRequiredError, etc.)
  - Validates proper HTTP status codes and error message formats

Resolves access control error visibility issues where 500 errors were returned
instead of proper 403 responses with actionable error messages.

Signed-off-by: Akram Ben Aissi <<akram.benaissi@gmail.com>>
This commit is contained in:
Akram Ben Aissi 2025-07-03 10:26:48 +02:00
parent aa273944fd
commit 31f85076ad
5 changed files with 217 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

7
llama_stack/distribution/routing_tables/common.py
View file

@ -175,8 +175,9 @@ class CommonRoutingTableImpl(RoutingTable):
return obj
async def unregister_object(self, obj: RoutableObjectWithProvider) -> None:
if not is_action_allowed(self.policy, "delete", obj, get_authenticated_user()):
raise AccessDeniedError()
user = get_authenticated_user()
if not is_action_allowed(self.policy, "delete", obj, user):
raise AccessDeniedError("delete", obj, user)
await self.dist_registry.delete(obj.type, obj.identifier)
await unregister_object_from_provider(obj, self.impls_by_provider_id[obj.provider_id])
@ -193,7 +194,7 @@ class CommonRoutingTableImpl(RoutingTable):
# If object supports access control but no attributes set, use creator's attributes
creator = get_authenticated_user()
if not is_action_allowed(self.policy, "create", obj, creator):
raise AccessDeniedError()
raise AccessDeniedError("create", obj, creator)
if creator:
obj.owner = creator
logger.info(f"Setting owner for {obj.type} '{obj.identifier}' to {obj.owner.principal}")