diff --git a/litellm/proxy/_types.py b/litellm/proxy/_types.py index 086971366..a32bf3e94 100644 --- a/litellm/proxy/_types.py +++ b/litellm/proxy/_types.py @@ -477,6 +477,7 @@ class UserAPIKeyAuth( """ api_key: Optional[str] = None + user_role: Optional[Literal["proxy_admin", "app_owner", "app_user"]] = None @root_validator(pre=True) def check_api_key(cls, values): diff --git a/litellm/proxy/proxy_server.py b/litellm/proxy/proxy_server.py index 8b544fb76..ad414285f 100644 --- a/litellm/proxy/proxy_server.py +++ b/litellm/proxy/proxy_server.py @@ -332,8 +332,7 @@ async def user_api_key_auth( # note: never string compare api keys, this is vulenerable to a time attack. Use secrets.compare_digest instead is_master_key_valid = secrets.compare_digest(api_key, master_key) if is_master_key_valid: - return UserAPIKeyAuth(api_key=master_key) - + return UserAPIKeyAuth(api_key=master_key, user_role="proxy_admin") if isinstance( api_key, str ): # if generated token, make sure it starts with sk-. @@ -794,7 +793,9 @@ async def user_api_key_auth( pass else: if _is_user_proxy_admin(user_id_information): - pass + return UserAPIKeyAuth( + api_key=api_key, user_role="proxy_admin", **valid_token_dict + ) else: raise Exception( f"This key is made for LiteLLM UI, Tried to access route: {route}. Not allowed" @@ -4524,50 +4525,54 @@ async def new_team( data.team_id = str(uuid.uuid4()) if ( - data.tpm_limit is not None - and user_api_key_dict.tpm_limit is not None - and data.tpm_limit > user_api_key_dict.tpm_limit - ): - raise HTTPException( - status_code=400, - detail={ - "error": f"tpm limit higher than user max. User tpm limit={user_api_key_dict.tpm_limit}" - }, - ) + user_api_key_dict.user_role is None + or user_api_key_dict.user_role != "proxy_admin" + ): # don't restrict proxy admin + if ( + data.tpm_limit is not None + and user_api_key_dict.tpm_limit is not None + and data.tpm_limit > user_api_key_dict.tpm_limit + ): + raise HTTPException( + status_code=400, + detail={ + "error": f"tpm limit higher than user max. User tpm limit={user_api_key_dict.tpm_limit}" + }, + ) - if ( - data.rpm_limit is not None - and user_api_key_dict.rpm_limit is not None - and data.rpm_limit > user_api_key_dict.rpm_limit - ): - raise HTTPException( - status_code=400, - detail={ - "error": f"rpm limit higher than user max. User rpm limit={user_api_key_dict.rpm_limit}" - }, - ) + if ( + data.rpm_limit is not None + and user_api_key_dict.rpm_limit is not None + and data.rpm_limit > user_api_key_dict.rpm_limit + ): + raise HTTPException( + status_code=400, + detail={ + "error": f"rpm limit higher than user max. User rpm limit={user_api_key_dict.rpm_limit}" + }, + ) - if ( - data.max_budget is not None - and user_api_key_dict.max_budget is not None - and data.max_budget > user_api_key_dict.max_budget - ): - raise HTTPException( - status_code=400, - detail={ - "error": f"max budget higher than user max. User max budget={user_api_key_dict.max_budget}" - }, - ) + if ( + data.max_budget is not None + and user_api_key_dict.max_budget is not None + and data.max_budget > user_api_key_dict.max_budget + ): + raise HTTPException( + status_code=400, + detail={ + "error": f"max budget higher than user max. User max budget={user_api_key_dict.max_budget}" + }, + ) - if data.models is not None: - for m in data.models: - if m not in user_api_key_dict.models: - raise HTTPException( - status_code=400, - detail={ - "error": f"Model not in allowed user models. User allowed models={user_api_key_dict.models}" - }, - ) + if data.models is not None: + for m in data.models: + if m not in user_api_key_dict.models: + raise HTTPException( + status_code=400, + detail={ + "error": f"Model not in allowed user models. User allowed models={user_api_key_dict.models}" + }, + ) if user_api_key_dict.user_id is not None: creating_user_in_list = False