Litellm dev 11 23 2024 (#6881)

* build(ui/create_key_button.tsx): support adding tags for cost tracking/routing when making key * LiteLLM Minor Fixes & Improvements (11/23/2024) (#6870) * feat(pass_through_endpoints/): support logging anthropic/gemini pass through calls to langfuse/s3/etc. * fix(utils.py): allow disabling end user cost tracking with new param Allows proxy admin to disable cost tracking for end user - keeps prometheus metrics small * docs(configs.md): add disable_end_user_cost_tracking reference to docs * feat(key_management_endpoints.py): add support for restricting access to `/key/generate` by team/proxy level role Enables admin to restrict key creation, and assign team admins to handle distributing keys * test(test_key_management.py): add unit testing for personal / team key restriction checks * docs: add docs on restricting key creation * docs(finetuned_models.md): add new guide on calling finetuned models * docs(input.md): cleanup anthropic supported params Closes https://github.com/BerriAI/litellm/issues/6856 * test(test_embedding.py): add test for passing extra headers via embedding * feat(cohere/embed): pass client to async embedding * feat(rerank.py): add `/v1/rerank` if missing for cohere base url Closes https://github.com/BerriAI/litellm/issues/6844 * fix(main.py): pass extra_headers param to openai Fixes https://github.com/BerriAI/litellm/issues/6836 * fix(litellm_logging.py): don't disable global callbacks when dynamic callbacks are set Fixes issue where global callbacks - e.g. prometheus were overriden when langfuse was set dynamically * fix(handler.py): fix linting error * fix: fix typing * build: add conftest to proxy_admin_ui_tests/ * test: fix test * fix: fix linting errors * test: fix test * fix: fix pass through testing * feat(key_management_endpoints.py): allow proxy_admin to enforce params on key creation allows admin to force team keys to have tags * build(ui/): show teams in leftnav + allow team admin to add new members * build(ui/): show created tags in dropdown makes it easier for admin to add tags to keys * test(test_key_management.py): fix test * test: fix test * fix playwright e2e ui test * fix e2e ui testing deps * fix: fix linting errors * fix e2e ui testing * fix e2e ui testing, only run e2e ui testing in playwright --------- Co-authored-by: Ishaan Jaff <ishaanjaffer0324@gmail.com>
2024-11-23 22:37:16 +05:30 · 2024-11-23 22:37:16 +05:30 · 424b8b0231
commit 424b8b0231
parent 6b6353d4e7
9 changed files with 270 additions and 80 deletions
--- a/litellm/proxy/management_endpoints/key_management_endpoints.py
+++ b/litellm/proxy/management_endpoints/key_management_endpoints.py
@ -39,16 +39,20 @@ from litellm.proxy.utils import (
    handle_exception_on_proxy,
 )
 from litellm.secret_managers.main import get_secret
+from litellm.types.utils import PersonalUIKeyGenerationConfig, TeamUIKeyGenerationConfig


 def _is_team_key(data: GenerateKeyRequest):
    return data.team_id is not None


-def _team_key_generation_check(user_api_key_dict: UserAPIKeyAuth):
+def _team_key_generation_team_member_check(
+    user_api_key_dict: UserAPIKeyAuth,
+    team_key_generation: Optional[TeamUIKeyGenerationConfig],
+):
    if (
-        litellm.key_generation_settings is None
-        or litellm.key_generation_settings.get("team_key_generation") is None
+        team_key_generation is None
+        or "allowed_team_member_roles" not in team_key_generation
    ):
        return True

@ -59,12 +63,7 @@ def _team_key_generation_check(user_api_key_dict: UserAPIKeyAuth):
        )

    team_member_role = user_api_key_dict.team_member.role
-    if (
-        team_member_role
-        not in litellm.key_generation_settings["team_key_generation"][  # type: ignore
-            "allowed_team_member_roles"
-        ]
-    ):
+    if team_member_role not in team_key_generation["allowed_team_member_roles"]:
        raise HTTPException(
            status_code=400,
            detail=f"Team member role {team_member_role} not in allowed_team_member_roles={litellm.key_generation_settings['team_key_generation']['allowed_team_member_roles']}",  # type: ignore
@ -72,7 +71,67 @@ def _team_key_generation_check(user_api_key_dict: UserAPIKeyAuth):
    return True


-def _personal_key_generation_check(user_api_key_dict: UserAPIKeyAuth):
+def _key_generation_required_param_check(
+    data: GenerateKeyRequest, required_params: Optional[List[str]]
+):
+    if required_params is None:
+        return True
+
+    data_dict = data.model_dump(exclude_unset=True)
+    for param in required_params:
+        if param not in data_dict:
+            raise HTTPException(
+                status_code=400,
+                detail=f"Required param {param} not in data",
+            )
+    return True
+
+
+def _team_key_generation_check(
+    user_api_key_dict: UserAPIKeyAuth, data: GenerateKeyRequest
+):
+    if (
+        litellm.key_generation_settings is None
+        or litellm.key_generation_settings.get("team_key_generation") is None
+    ):
+        return True
+
+    _team_key_generation = litellm.key_generation_settings["team_key_generation"]  # type: ignore
+
+    _team_key_generation_team_member_check(
+        user_api_key_dict,
+        team_key_generation=_team_key_generation,
+    )
+    _key_generation_required_param_check(
+        data,
+        _team_key_generation.get("required_params"),
+    )
+
+    return True
+
+
+def _personal_key_membership_check(
+    user_api_key_dict: UserAPIKeyAuth,
+    personal_key_generation: Optional[PersonalUIKeyGenerationConfig],
+):
+    if (
+        personal_key_generation is None
+        or "allowed_user_roles" not in personal_key_generation
+    ):
+        return True
+
+    if user_api_key_dict.user_role not in personal_key_generation["allowed_user_roles"]:
+        raise HTTPException(
+            status_code=400,
+            detail=f"Personal key creation has been restricted by admin. Allowed roles={litellm.key_generation_settings['personal_key_generation']['allowed_user_roles']}. Your role={user_api_key_dict.user_role}",  # type: ignore
+        )
+
+    return True
+
+
+def _personal_key_generation_check(
+    user_api_key_dict: UserAPIKeyAuth, data: GenerateKeyRequest
+):

    if (
        litellm.key_generation_settings is None
@ -80,16 +139,18 @@ def _personal_key_generation_check(user_api_key_dict: UserAPIKeyAuth):
    ):
        return True

-    if (
-        user_api_key_dict.user_role
-        not in litellm.key_generation_settings["personal_key_generation"][  # type: ignore
-            "allowed_user_roles"
-        ]
-    ):
-        raise HTTPException(
-            status_code=400,
-            detail=f"Personal key creation has been restricted by admin. Allowed roles={litellm.key_generation_settings['personal_key_generation']['allowed_user_roles']}. Your role={user_api_key_dict.user_role}",  # type: ignore
-        )
+    _personal_key_generation = litellm.key_generation_settings["personal_key_generation"]  # type: ignore
+
+    _personal_key_membership_check(
+        user_api_key_dict,
+        personal_key_generation=_personal_key_generation,
+    )
+
+    _key_generation_required_param_check(
+        data,
+        _personal_key_generation.get("required_params"),
+    )
+
    return True


@ -99,16 +160,23 @@ def key_generation_check(
    """
    Check if admin has restricted key creation to certain roles for teams or individuals
    """
-    if litellm.key_generation_settings is None:
+    if (
+        litellm.key_generation_settings is None
+        or user_api_key_dict.user_role == LitellmUserRoles.PROXY_ADMIN.value
+    ):
        return True

    ## check if key is for team or individual
    is_team_key = _is_team_key(data=data)

    if is_team_key:
-        return _team_key_generation_check(user_api_key_dict)
+        return _team_key_generation_check(
+            user_api_key_dict=user_api_key_dict, data=data
+        )
    else:
-        return _personal_key_generation_check(user_api_key_dict=user_api_key_dict)
+        return _personal_key_generation_check(
+            user_api_key_dict=user_api_key_dict, data=data
+        )


 router = APIRouter()