From 8efca4786657d06136b4a158d4074451843aecee Mon Sep 17 00:00:00 2001 From: Ishaan Jaff Date: Tue, 2 Jul 2024 17:05:53 -0700 Subject: [PATCH 1/4] check if key does not want secret detection to run --- enterprise/enterprise_hooks/secret_detection.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/enterprise/enterprise_hooks/secret_detection.py b/enterprise/enterprise_hooks/secret_detection.py index d2bd22a5d4..befacc07b8 100644 --- a/enterprise/enterprise_hooks/secret_detection.py +++ b/enterprise/enterprise_hooks/secret_detection.py @@ -464,6 +464,14 @@ class _ENTERPRISE_SecretDetection(CustomLogger): return detected_secrets + async def should_run_check(self, user_api_key_dict: UserAPIKeyAuth) -> bool: + if user_api_key_dict.permissions is not None: + if "secret_detection" in user_api_key_dict.permissions: + if user_api_key_dict.permissions["secret_detection"] is False: + return False + + return True + #### CALL HOOKS - proxy only #### async def async_pre_call_hook( self, @@ -475,6 +483,9 @@ class _ENTERPRISE_SecretDetection(CustomLogger): from detect_secrets import SecretsCollection from detect_secrets.settings import default_settings + if await self.should_run_check(user_api_key_dict) is False: + return + if "messages" in data and isinstance(data["messages"], list): for message in data["messages"]: if "content" in message and isinstance(message["content"], str): From 04922e24b83bb5465825d531cae0072b699092ff Mon Sep 17 00:00:00 2001 From: Ishaan Jaff Date: Tue, 2 Jul 2024 17:50:09 -0700 Subject: [PATCH 2/4] doc - control guradrail per api key --- docs/my-website/docs/proxy/enterprise.md | 48 ++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/docs/my-website/docs/proxy/enterprise.md b/docs/my-website/docs/proxy/enterprise.md index 5dabba5ed3..95f222a800 100644 --- a/docs/my-website/docs/proxy/enterprise.md +++ b/docs/my-website/docs/proxy/enterprise.md @@ -599,6 +599,54 @@ https://api.groq.com/openai/v1/ \ } ``` +### Secret Detection On/Off per API Key + +❓ Use this when you need to switch guardrails on/off per API Key + +**Step 1** Create Key with `hide_secrets` Off + +👉 Set `"permissions": {"secret_detection": false}` + +This means the `hide_secrets` guardrail is off for all requests from this API Key + +```shell +curl --location 'http://0.0.0.0:4000/key/generate' \ + --header 'Authorization: Bearer sk-1234' \ + --header 'Content-Type: application/json' \ + --data '{ + "permissions": {"hide_secrets": false} +}' +``` + +```shell +# {"permissions":{"hide_secrets":false},"key":"sk-jNm1Zar7XfNdZXp49Z1kSQ"} +``` + +**Step 2** Test it with new key + +```shell +curl --location 'http://0.0.0.0:4000/chat/completions' \ + --header 'Authorization: Bearer sk-jNm1Zar7XfNdZXp49Z1kSQ' \ + --header 'Content-Type: application/json' \ + --data '{ + "model": "llama3", + "messages": [ + { + "role": "user", + "content": "does my openai key look well formatted OpenAI_API_KEY=sk-1234777" + } + ] +}' +``` + +Expect to see `sk-1234777` in your server logs on your callback. + +:::info +The `hide_secrets` guardrail check did not run on this request because api key=sk-jNm1Zar7XfNdZXp49Z1kSQ has `"permissions": {"hide_secrets": false}` +::: + + + ### Content Moderation with LLM Guard Set the LLM Guard API Base in your environment From 2fc36f122acb40e5753c52b159e4d5f5bf0dd1f5 Mon Sep 17 00:00:00 2001 From: Ishaan Jaff Date: Tue, 2 Jul 2024 17:50:23 -0700 Subject: [PATCH 3/4] correct guardrail name --- enterprise/enterprise_hooks/secret_detection.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/enterprise/enterprise_hooks/secret_detection.py b/enterprise/enterprise_hooks/secret_detection.py index befacc07b8..2289858bd5 100644 --- a/enterprise/enterprise_hooks/secret_detection.py +++ b/enterprise/enterprise_hooks/secret_detection.py @@ -32,6 +32,7 @@ from litellm._logging import verbose_proxy_logger litellm.set_verbose = True +GUARDRAIL_NAME = "hide_secrets" _custom_plugins_path = "file://" + os.path.join( os.path.dirname(os.path.abspath(__file__)), "secrets_plugins" @@ -466,8 +467,8 @@ class _ENTERPRISE_SecretDetection(CustomLogger): async def should_run_check(self, user_api_key_dict: UserAPIKeyAuth) -> bool: if user_api_key_dict.permissions is not None: - if "secret_detection" in user_api_key_dict.permissions: - if user_api_key_dict.permissions["secret_detection"] is False: + if GUARDRAIL_NAME in user_api_key_dict.permissions: + if user_api_key_dict.permissions[GUARDRAIL_NAME] is False: return False return True From 3f056972b2d4dd7b582c9af83ae5435b8feb25c7 Mon Sep 17 00:00:00 2001 From: Ishaan Jaff Date: Tue, 2 Jul 2024 18:01:21 -0700 Subject: [PATCH 4/4] doc controlling guardrail per api key --- docs/my-website/docs/proxy/enterprise.md | 25 +++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/docs/my-website/docs/proxy/enterprise.md b/docs/my-website/docs/proxy/enterprise.md index 95f222a800..401f090eee 100644 --- a/docs/my-website/docs/proxy/enterprise.md +++ b/docs/my-website/docs/proxy/enterprise.md @@ -605,10 +605,13 @@ https://api.groq.com/openai/v1/ \ **Step 1** Create Key with `hide_secrets` Off -👉 Set `"permissions": {"secret_detection": false}` +👉 Set `"permissions": {"secret_detection": false}` with either `/key/generate` or `/key/update` This means the `hide_secrets` guardrail is off for all requests from this API Key + + + ```shell curl --location 'http://0.0.0.0:4000/key/generate' \ --header 'Authorization: Bearer sk-1234' \ @@ -622,6 +625,26 @@ curl --location 'http://0.0.0.0:4000/key/generate' \ # {"permissions":{"hide_secrets":false},"key":"sk-jNm1Zar7XfNdZXp49Z1kSQ"} ``` + + + +```shell +curl --location 'http://0.0.0.0:4000/key/update' \ + --header 'Authorization: Bearer sk-1234' \ + --header 'Content-Type: application/json' \ + --data '{ + "key": "sk-jNm1Zar7XfNdZXp49Z1kSQ", + "permissions": {"hide_secrets": false} +}' +``` + +```shell +# {"permissions":{"hide_secrets":false},"key":"sk-jNm1Zar7XfNdZXp49Z1kSQ"} +``` + + + + **Step 2** Test it with new key ```shell