Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Assigning users to teams when teams passed via /user/new isn't working #8285

Open
dimm0 opened this issue Feb 5, 2025 · 1 comment
Open

[Bug]: Assigning users to teams when teams passed via /user/new isn't working #8285

dimm0 opened this issue Feb 5, 2025 · 1 comment
Assignees
@krrishdholakia
Labels
bug Something isn't working mlops user request

Comments

@dimm0
Copy link

dimm0 commented Feb 5, 2025
edited
Loading

What happened?

I'm working on the SSO plugin allowing me to add users to teams when using SSO.

Calling litellm.proxy.management_endpoints.internal_user_endpoints.new_user with list of teams gets user created in LiteLLM_UserTable (with proper team membership) , but does not update the membership in LiteLLM_TeamTable. (Both with and without providing the user_api_key_dict for admin user).

Additionally calling team_member_add after user_create resolves it (although it's already called from new_user). In that case I need to create user with no teams, and then add user to a team in a separate call.

Also removing a user who belongs to a team in 2 above tables from litellm through the web interface does not update the LiteLLM_TeamTable.

I get several messages below saying the user permissions are wrong, telling me the endpoint is invoked as the signing in user and not the admin when creating the new user.

        _user_info = await get_user_info(user_id=userIDPInfo.id)
        if _user_info is None:
            # User does not exist, create a new user
            new_user_data = NewUserRequest(
                user_id=userIDPInfo.id,
                user_email=userIDPInfo.email,
                max_budget=0,
                budget_duration="1d",
                user_role=LitellmUserRoles.INTERNAL_USER,
                # teams=['team_id'] # This is supposed to put user in the right team, but does not update the LiteLLM_TeamTable table
            )
            resp = await new_user(new_user_data, user_api_key_dict) # user_api_key_dict is for the admin, but I still get error messages saying the call is made by the user

            # I should do this intsead to put the user to team relation in both tables:
            try:
                await team_member_add(
                    data=TeamMemberAddRequest(
                        team_id=teams[0],
                        member=Member(
                            user_id=userIDPInfo.id,
                            role="user",
                            user_email=userIDPInfo.email,
                        ),
                    ),
                    http_request=Request(
                        scope={"type": "http", "path": "/user/new"},
                    ),
                    user_api_key_dict=user_api_key_dict,
                )
            except Exception as e:
                raise Exception("Failed assigning user to team") from e

Relevant log output

{"message": "litellm.proxy.proxy_server.user_api_key_auth(): Exception occured - Only proxy admin can be used to generate, delete, update info for new keys/users/teams. Route=/guardrails/list. Your role=internal_user. Your user_id=http://cilogon.org/serverA/users/15761\nRequester IP Address:10.244.42.174", "level": "ERROR", "timestamp": "2025-02-05T16:36:11.155101", "stacktrace": "Traceback (most recent call last):\n  File \"/usr/lib/python3.13/site-packages/litellm/proxy/auth/user_api_key_auth.py\", line 1067, in _user_api_key_auth_builder\n    _is_route_allowed = _is_allowed_route(\n        route=route,\n    ...<5 lines>...\n        valid_token=valid_token,\n    )\n  File \"/usr/lib/python3.13/site-packages/litellm/proxy/auth/user_api_key_auth.py\", line 164, in _is_allowed_route\n    return _is_api_route_allowed(\n        route=route,\n    ...<4 lines>...\n        user_obj=user_obj,\n    )\n  File \"/usr/lib/python3.13/site-packages/litellm/proxy/auth/user_api_key_auth.py\", line 136, in _is_api_route_allowed\n    RouteChecks.non_proxy_admin_allowed_routes_check(\n    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^\n        user_obj=user_obj,\n        ^^^^^^^^^^^^^^^^^^\n    ...<5 lines>...\n        valid_token=valid_token,\n        ^^^^^^^^^^^^^^^^^^^^^^^^\n    )\n    ^\n  File \"/usr/lib/python3.13/site-packages/litellm/proxy/auth/route_checks.py\", line 131, in non_proxy_admin_allowed_routes_check\n    raise Exception(\n        f\"Only proxy admin can be used to generate, delete, update info for new keys/users/teams. Route={route}. Your role={user_role}. Your user_id={user_id}\"\n    )\nException: Only proxy admin can be used to generate, delete, update info for new keys/users/teams. Route=/guardrails/list. Your role=internal_user. Your user_id=http://cilogon.org/serverA/users/15761"}

Are you a ML Ops Team?

Yes

What LiteLLM version are you on ?

v1.60.2

Twitter / LinkedIn details

No response
@dimm0 dimm0 added the bug Something isn't working label Feb 5, 2025
@krrishdholakia krrishdholakia self-assigned this Feb 5, 2025
@krrishdholakia
Copy link
Contributor

Hi @dimm0

Calling litellm.proxy.management_endpoints.internal_user_endpoints.new_user with list of teams gets user created in LiteLLM_UserTable

can you share a curl for this

@krrishdholakia krrishdholakia changed the title [Bug]: Assigning users to teams is not working properly [Bug]: Assigning users to teams when teams passed via /user/new isn't working Feb 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@krrishdholakia krrishdholakia

Labels
bug Something isn't working mlops user request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dimm0 @krrishdholakia