fix: prevent telemetry from leaking sensitive info

Prevent sensitive information from being logged in telemetry output by assigning SecretStr type to sensitive fields. API keys, password from KV store are now covered. All providers have been converted. Signed-off-by: Sébastien Han <seb@redhat.com>
2025-10-04 20:14:13 +00:00 · 2025-08-08 15:54:45 +02:00 · 2025-08-08 15:54:45 +02:00 · c4cb6aa8d9
commit c4cb6aa8d9
parent 8dc9fd6844
53 changed files with 121 additions and 109 deletions
--- a/llama_stack/providers/utils/inference/litellm_openai_mixin.py
+++ b/llama_stack/providers/utils/inference/litellm_openai_mixin.py
@ -8,6 +8,7 @@ from collections.abc import AsyncGenerator, AsyncIterator
 from typing import Any

 import litellm
+from pydantic import SecretStr

 from llama_stack.apis.common.content_types import (
    InterleavedContent,
@ -68,7 +69,7 @@ class LiteLLMOpenAIMixin(
    def __init__(
        self,
        litellm_provider_name: str,
-        api_key_from_config: str | None,
+        api_key_from_config: SecretStr | None,
        provider_data_api_key_field: str,
        model_entries: list[ProviderModelEntry] | None = None,
        openai_compat_api_base: str | None = None,
@ -247,14 +248,14 @@ class LiteLLMOpenAIMixin(

        return {
            "model": request.model,
-            "api_key": self.get_api_key(),
+            "api_key": self.get_api_key().get_secret_value(),
            "api_base": self.api_base,
            **input_dict,
            "stream": request.stream,
            **get_sampling_options(request.sampling_params),
        }

-    def get_api_key(self) -> str:
+    def get_api_key(self) -> SecretStr:
        provider_data = self.get_request_provider_data()
        key_field = self.provider_data_api_key_field
        if provider_data and getattr(provider_data, key_field, None):
@ -305,7 +306,7 @@ class LiteLLMOpenAIMixin(
        response = litellm.embedding(
            model=self.get_litellm_model_name(model_obj.provider_resource_id),
            input=input_list,
-            api_key=self.get_api_key(),
+            api_key=self.get_api_key().get_secret_value(),
            api_base=self.api_base,
            dimensions=dimensions,
        )
@ -368,7 +369,7 @@ class LiteLLMOpenAIMixin(
            user=user,
            guided_choice=guided_choice,
            prompt_logprobs=prompt_logprobs,
-            api_key=self.get_api_key(),
+            api_key=self.get_api_key().get_secret_value(),
            api_base=self.api_base,
        )
        return await litellm.atext_completion(**params)
@ -424,7 +425,7 @@ class LiteLLMOpenAIMixin(
            top_logprobs=top_logprobs,
            top_p=top_p,
            user=user,
-            api_key=self.get_api_key(),
+            api_key=self.get_api_key().get_secret_value(),
            api_base=self.api_base,
        )
        return await litellm.acompletion(**params)
--- a/llama_stack/providers/utils/inference/openai_mixin.py
+++ b/llama_stack/providers/utils/inference/openai_mixin.py
@ -11,6 +11,7 @@ from collections.abc import AsyncIterator
 from typing import Any

 from openai import NOT_GIVEN, AsyncOpenAI
+from pydantic import SecretStr

 from llama_stack.apis.inference import (
    Model,
@ -70,14 +71,14 @@ class OpenAIMixin(ModelRegistryHelper, ABC):
    allowed_models: list[str] = []

    @abstractmethod
-    def get_api_key(self) -> str:
+    def get_api_key(self) -> SecretStr:
        """
        Get the API key.

        This method must be implemented by child classes to provide the API key
        for authenticating with the OpenAI API or compatible endpoints.

-        :return: The API key as a string
+        :return: The API key as a SecretStr
        """
        pass