feat: allow access attributes for resources to be configured

This allows a set of rules to be defined for determining the access attributes to apply to a particular resource. It also checks that the attributes determined for a new resource to be registered are matched by attributes associated with the request context. Signed-off-by: Gordon Sim <gsim@redhat.com>
2025-12-28 04:41:58 +00:00 · 2025-05-06 18:54:58 +01:00 · 2025-05-06 18:54:58 +01:00 · 490e77bffa
commit 490e77bffa
parent 0cc0731189
10 changed files with 402 additions and 19 deletions
--- a/llama_stack/distribution/routers/init.py
+++ b/llama_stack/distribution/routers/init.py
@ -7,6 +7,7 @@
 from typing import Any

 from llama_stack.distribution.datatypes import RoutedProtocol
+from llama_stack.distribution.resource_attributes import ResourceAccessAttributes
 from llama_stack.distribution.store import DistributionRegistry
 from llama_stack.providers.datatypes import Api, RoutingTable

@ -26,6 +27,7 @@ async def get_routing_table_impl(
    impls_by_provider_id: dict[str, RoutedProtocol],
    _deps,
    dist_registry: DistributionRegistry,
+    resource_attributes: ResourceAccessAttributes,
 ) -> Any:
    api_to_tables = {
        "vector_dbs": VectorDBsRoutingTable,
@ -40,7 +42,7 @@ async def get_routing_table_impl(
    if api.value not in api_to_tables:
        raise ValueError(f"API {api.value} not found in router map")

-    impl = api_to_tables[api.value](impls_by_provider_id, dist_registry)
+    impl = api_to_tables[api.value](impls_by_provider_id, dist_registry, resource_attributes)
    await impl.initialize()
    return impl

--- a/llama_stack/distribution/routers/routing_tables.py
+++ b/llama_stack/distribution/routers/routing_tables.py
@ -58,6 +58,7 @@ from llama_stack.distribution.datatypes import (
    VectorDBWithACL,
 )
 from llama_stack.distribution.request_headers import get_auth_attributes
+from llama_stack.distribution.resource_attributes import ResourceAccessAttributes
 from llama_stack.distribution.store import DistributionRegistry
 from llama_stack.providers.datatypes import Api, RoutingTable

@ -114,9 +115,11 @@ class CommonRoutingTableImpl(RoutingTable):
        self,
        impls_by_provider_id: dict[str, RoutedProtocol],
        dist_registry: DistributionRegistry,
+        resource_attributes: ResourceAccessAttributes,
    ) -> None:
        self.impls_by_provider_id = impls_by_provider_id
        self.dist_registry = dist_registry
+        self.resource_attributes = resource_attributes

    async def initialize(self) -> None:
        async def add_objects(objs: list[RoutableObjectWithProvider], provider_id: str, cls) -> None:
@ -219,8 +222,12 @@ class CommonRoutingTableImpl(RoutingTable):

        p = self.impls_by_provider_id[obj.provider_id]

-        # If object supports access control but no attributes set, use creator's attributes
-        if not obj.access_attributes:
+        if self.resource_attributes.apply(obj, get_auth_attributes()):
+            logger.info(
+                f"Setting access attributes for {obj.type} '{obj.identifier}' based on resource attribute rules"
+            )
+        else:
+            # If object supports access control but no attributes set, use creator's attributes
            creator_attributes = get_auth_attributes()
            if creator_attributes:
                obj.access_attributes = AccessAttributes(**creator_attributes)