Allow org admin to create teams on UI (#8407)

* fix(client_initialization_utils.py): handle custom llm provider set with valid value not from model name * fix(handle_jwt.py): handle groups not existing in jwt token if user not in group, this won't exist * fix(handle_jwt.py): add new `enforce_team_based_model_access` flag to jwt auth allows proxy admin to enforce user can only call model if team has access * feat(navbar.tsx): expose new dropdown in navbar - allow org admin to create teams within org context * fix(navbar.tsx): remove non-functional cogicon * fix(proxy/utils.py): include user-org memberships in `/user/info` response return orgs user is a member of and the user role within org * feat(organization_endpoints.py): allow internal user to query `/organizations/list` and get all orgs they belong to enables org admin to select org they belong to, to create teams * fix(navbar.tsx): show change in ui when org switcher clicked * feat(page.tsx): update user role based on org they're in allows org admin to create teams in the org context * feat(teams.tsx): working e2e flow for allowing org admin to add new teams * style(navbar.tsx): clarify switching orgs on UI is in BETA * fix(organization_endpoints.py): handle getting but not setting members * test: fix test * fix(client_initialization_utils.py): revert custom llm provider handling fix - causing unintended issues * docs(token_auth.md): cleanup docs
2025-04-27 11:43:54 +00:00 · 2025-02-09 00:07:15 -08:00 · 2025-02-09 00:07:15 -08:00 · c55422a2f8
commit c55422a2f8
parent fb121c82e8
12 changed files with 285 additions and 142 deletions
--- a/litellm/proxy/auth/handle_jwt.py
+++ b/litellm/proxy/auth/handle_jwt.py
@ -154,7 +154,10 @@ class JWTHandler:
        return False

    def get_team_ids_from_jwt(self, token: dict) -> List[str]:
-        if self.litellm_jwtauth.team_ids_jwt_field is not None:
+        if (
+            self.litellm_jwtauth.team_ids_jwt_field is not None
+            and token.get(self.litellm_jwtauth.team_ids_jwt_field) is not None
+        ):
            return token[self.litellm_jwtauth.team_ids_jwt_field]
        return []

@ -699,6 +702,11 @@ class JWTAuthManager:
        """Find first team with access to the requested model"""

        if not team_ids:
+            if jwt_handler.litellm_jwtauth.enforce_team_based_model_access:
+                raise HTTPException(
+                    status_code=403,
+                    detail="No teams found in token. `enforce_team_based_model_access` is set to True. Token must belong to a team.",
+                )
            return None, None

        for team_id in team_ids:
@ -731,7 +739,7 @@ class JWTAuthManager:
        if requested_model:
            raise HTTPException(
                status_code=403,
-                detail=f"No team has access to the requested model: {requested_model}. Checked teams={team_ids}",
+                detail=f"No team has access to the requested model: {requested_model}. Checked teams={team_ids}. Check `/models` to see all available models.",
            )

        return None, None