(feat proxy) [beta] add support for organization role based access controls (#6112)

* track LiteLLM_OrganizationMembership

* add add_internal_user_to_organization

* add org membership to schema

* read organization membership when reading user info in auth checks

* add check for valid organization_id

* add test for test_create_new_user_in_organization

* test test_create_new_user_in_organization

* add new ADMIN role

* add test for org admins creating teams

* add test for test_org_admin_create_user_permissions

* test_org_admin_create_user_team_wrong_org_permissions

* test_org_admin_create_user_team_wrong_org_permissions

* fix organization_role_based_access_check

* fix getting user members

* fix TeamBase

* fix types used for use role

* fix type checks

* sync prisma schema

* docs - organization admins

* fix use organization_endpoints for /organization management

* add types for org member endpoints

* fix role name for org admin

* add type for member add response

* add organization/member_add

* add error handling for adding members to an org

* add nice doc string for organization/member_add

* fix test_create_new_user_in_organization

* linting fix

* use simple route changes

* fix types

* add organization member roles

* add org admin auth checks

* add auth checks for orgs

* test for creating teams as org admin

* simplify org id usage

* fix typo

* test test_org_admin_create_user_team_wrong_org_permissions

* fix type check issue

* code quality fix

* fix schema.prisma
Ishaan Jaff 2024-10-09 15:18:18 +05:30 committed by GitHub
parent d1c739f312
commit a163464197
14 changed files with 1474 additions and 261 deletions


@ -13,10 +13,11 @@ from litellm.proxy._types import (
)
from litellm.proxy.utils import hash_token
from .auth_checks_organization import _user_is_org_admin
from .auth_utils import _has_user_setup_sso
def non_admin_allowed_routes_check(
def non_proxy_admin_allowed_routes_check(
user_obj: Optional[LiteLLM_UserTable],
_user_role: Optional[LitellmUserRoles],
route: str,
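Review bot: The rename at `def non_proxy_admin_allowed_routes_check(` leaves no alias for the old name `non_admin_allowed_routes_check`, so any caller outside this file that still references the old name will break. Confirm every call site is updated in this commit, or keep a one-line alias for the old name until callers have moved over.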
@ -26,7 +27,7 @@ def non_admin_allowed_routes_check(
request_data: dict,
):
"""
Checks if Non-Admin User is allowed to access the route
Checks if Non Proxy Admin User is allowed to access the route
"""
# Check user has defined custom admin routes
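Review bot: The docstring "Checks if Non Proxy Admin User is allowed to access the route" does not say which roles this function now decides for. Since it is the route gate for several roles (internal user, internal view-only user, and with this change org admin), list them in the docstring so a reader can tell which callers are expected to pass through here.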
@ -106,6 +107,11 @@ def non_admin_allowed_routes_check(
and route in LiteLLMRoutes.internal_user_routes.value
):
pass
elif (
_user_is_org_admin(request_data=request_data, user_object=user_obj)
and route in LiteLLMRoutes.org_admin_allowed_routes.value
):
pass
elif (
_user_role == LitellmUserRoles.INTERNAL_USER_VIEW_ONLY.value
and route in LiteLLMRoutes.internal_user_view_only_routes.value
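Review bot: In the new `elif` branch, `_user_is_org_admin(request_data=request_data, user_object=user_obj)` decides org-admin status from `request_data`, which is the caller's own request body, and from `user_obj`, which the signature declares as `Optional[LiteLLM_UserTable]`. Please confirm the helper returns False when `user_obj` is None or the request carries no organization id, and that it matches the requested organization against the user's stored memberships rather than trusting the body alone. Note also that this branch only authorizes the route (`route in LiteLLMRoutes.org_admin_allowed_routes.value`); the handlers behind those routes still need a per-organization check on the objects they touch. The branch sits ahead of the `INTERNAL_USER_VIEW_ONLY` check, so a view-only user with an org admin membership gets the org admin routes; a short comment saying that ordering is intended would help.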