[fix-sso] Allow internal user viewer to view usage routes (#5825)

* use /user/list endpoint on admin ui * sso insert user with role when user does not exist * add sso sign in test * linting fix * rename self serve doc * add doc for self serve flow * test - sso sign in default values * add test for /user/list endpoint * allow internal user viewer to view usage tab
2024-09-21 16:58:52 -07:00 · 2024-09-21 16:58:52 -07:00 · 1333ab5ac7
commit 1333ab5ac7
parent 39e872c7eb
2 changed files with 11 additions and 6 deletions
--- a/litellm/proxy/_types.py
+++ b/litellm/proxy/_types.py
@ -284,11 +284,6 @@ class LiteLLMRoutes(enum.Enum):
    master_key_only_routes = ["/global/spend/reset", "/key/list"]

    sso_only_routes = [
-        "/key/generate",
-        "/key/update",
-        "/key/delete",
-        "/global/spend/logs",
-        "/global/predict/spend/logs",
        "/sso/get/ui_settings",
    ]

@ -336,6 +331,7 @@ class LiteLLMRoutes(enum.Enum):
        "/global/spend/models",
        "/global/predict/spend/logs",
        "/global/spend/report",
+        "/global/spend/provider",
    ]

    public_routes = [
@ -367,6 +363,10 @@ class LiteLLMRoutes(enum.Enum):
        + sso_only_routes
    )

+    internal_user_view_only_routes = (
+        spend_tracking_routes + global_spend_tracking_routes + sso_only_routes
+    )
+
    self_managed_routes = [
        "/team/member_add",
        "/team/member_delete",
--- a/litellm/proxy/auth/route_checks.py
+++ b/litellm/proxy/auth/route_checks.py
@ -55,7 +55,7 @@ def non_admin_allowed_routes_check(
            verbose_proxy_logger.debug(
                f"user_id: {user_id} & valid_token.user_id: {valid_token.user_id}"
            )
-            if user_id != valid_token.user_id:
+            if user_id and user_id != valid_token.user_id:
                raise HTTPException(
                    status_code=status.HTTP_403_FORBIDDEN,
                    detail="key not allowed to access this user's info. user_id={}, key's user_id={}".format(
@ -106,6 +106,11 @@ def non_admin_allowed_routes_check(
        and route in LiteLLMRoutes.internal_user_routes.value
    ):
        pass
+    elif (
+        _user_role == LitellmUserRoles.INTERNAL_USER_VIEW_ONLY.value
+        and route in LiteLLMRoutes.internal_user_view_only_routes.value
+    ):
+        pass
    elif (
        route in LiteLLMRoutes.self_managed_routes.value
    ):  # routes that manage their own allowed/disallowed logic