phoenix/litellm-mirror
0
0
Fork 1
mirror of https://github.com/BerriAI/litellm.git synced 2025-04-27 03:34:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix allow PROXY_ADMIN_VIEW_ONLY to create an account

Browse source
This commit is contained in:
Ishaan Jaff 2024-05-31 17:29:17 -07:00
parent 358d4eec88
commit 524cfd458a
2 changed files with 40 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

29
litellm/proxy/proxy_server.py
View file

@ -97,6 +97,7 @@ from litellm.proxy.utils import (
_read_request_body, _read_request_body,
_is_valid_team_configs, _is_valid_team_configs,
_is_user_proxy_admin, _is_user_proxy_admin,
_get_user_role,
_is_projected_spend_over_limit, _is_projected_spend_over_limit,
_get_projected_spend_over_limit, _get_projected_spend_over_limit,
update_spend, update_spend,
@ -1273,6 +1274,8 @@ async def user_api_key_auth(
if _end_user_object is not None: if _end_user_object is not None:
valid_token_dict.update(end_user_params) valid_token_dict.update(end_user_params)
_user_role = _get_user_role(user_id_information=user_id_information)
if not _is_user_proxy_admin(user_id_information): # if non-admin if not _is_user_proxy_admin(user_id_information): # if non-admin
if route in LiteLLMRoutes.openai_routes.value: if route in LiteLLMRoutes.openai_routes.value:
pass pass
@ -1326,6 +1329,32 @@ async def user_api_key_auth(
): ):
pass pass
elif _user_role == LitellmUserRoles.PROXY_ADMIN_VIEW_ONLY:
if route in LiteLLMRoutes.openai_routes.value:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=f"user not allowed to access this OpenAI routes, role= {_user_role}",
)
if route in LiteLLMRoutes.management_routes.value:
# the Admin Viewer is only allowed to call /user/update for their own user_id and can only update
if route == "/user/update":
# Check the Request params are valid for PROXY_ADMIN_VIEW_ONLY
if request_data is not None and isinstance(
request_data, dict
):
_params_updated = request_data.keys()
for param in _params_updated:
if param not in ["user_email", "password"]:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=f"user not allowed to access this route, role= {_user_role}. Trying to access: {route} and updating invalid param: {param}. only user_email and password can be updated",
)
else:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=f"user not allowed to access this route, role= {_user_role}. Trying to access: {route}",
)
else: else:
user_role = "unknown" user_role = "unknown"
user_id = "unknown" user_id = "unknown"

11
litellm/proxy/utils.py
View file

@ -2658,6 +2658,17 @@ def _is_user_proxy_admin(user_id_information: Optional[list]):
return False return False
def _get_user_role(user_id_information: Optional[list]):
if user_id_information is None:
return None
if len(user_id_information) == 0 or user_id_information[0] is None:
return None
_user = user_id_information[0]
return _user.get("user_role")
def encrypt_value(value: str, master_key: str): def encrypt_value(value: str, master_key: str):
import hashlib import hashlib
import nacl.secret import nacl.secret