From e9eade7cba1c6433992d622e1cf6da58728c95ec Mon Sep 17 00:00:00 2001 From: Spike Lu Date: Mon, 22 Apr 2024 21:25:25 -0700 Subject: [PATCH] add new access control using user id cookbook --- README.md | 3 + cookbook/access_control_using_user_id.md | 100 +++++++++++++++++++++++ 2 files changed, 103 insertions(+) create mode 100644 cookbook/access_control_using_user_id.md diff --git a/README.md b/README.md index 2279cc2..be7ca18 100644 --- a/README.md +++ b/README.md @@ -1517,6 +1517,9 @@ This endpoint is retrieving users. > |---------------| > | `[]User` | +``` +User +``` > | Field | type | example | description | > |---------------|-----------------------------------|-|-| > | id | `string` | `550e8400-e29b-41d4-a716-446655440000` | Id of the user object. | diff --git a/cookbook/access_control_using_user_id.md b/cookbook/access_control_using_user_id.md new file mode 100644 index 0000000..e7288dd --- /dev/null +++ b/cookbook/access_control_using_user_id.md @@ -0,0 +1,100 @@ +# Access Control Based On User ID + +## Use cases +* You have an internal AI powered application and would like to set model access based on people's email. +* You have an AI powered SaaS application and would like to enforce usage limits on for users on different tiers. + +## Getting Started +This guide shows you how to do user level access control. Let's say you want to offer different spend limits, rate limits and model access for different users. + +### Step 1 - Create a provider +```bash +curl -X PUT http://localhost:8001/api/provider-settings \ + -H "Content-Type: application/json" \ + -d '{ + "provider":"openai", + "setting": { + "apikey": "YOUR_OPENAI_API_KEY" + } + }' +``` +Copy the `id` from the response. + +### Step 2 - Create a Bricks API key +Use `id` from the previous step as `settingId` to create a key. + +```bash +curl -X PUT http://localhost:8001/api/key-management/keys \ + -H "Content-Type: application/json" \ + -d '{ + "name": "My Secret Key", + "key": "my-secret-key", + "tags": ["team-one"], + "settingIds": ["ID_FROM_STEP_ONE"] + }' +``` + +### Step 3 - Create a User +Use `tags` from the previous step and an `userId` that you defined to create a user. + +```bash +curl -X POST http://localhost:8001/api/users \ + -H "Content-Type: application/json" \ + -d '{ + "name": "Spike Lu", + "costLimitInUsd": 1, + "costLimitInUsdOverTime": 0.002, + "costLimitInUsdUnit": "m", + "rateLimitOverTime": 5, + "rateLimitUnit": "m", + "allowedPaths": [ + { + "path": "/api/providers/openai/v1/chat/completions", + "method": "POST" + } + ], + "allowedModels": ["gpt-4"], + "userId": "my-user-id", + "tags": ["team-one"] + }' +``` + +You just created a user referenced by the user id `my-user-id`. This user has a total spend limit of $1, a per minunte spend limit of $0.002, a rate limit of 5 req/m and can only access OpenAI's chat completion endpoint using `gpt-4`. + +### Congratulations you are done!!! +Then, just redirect your requests to us and use OpenAI as you would normally with the same `userId` from step 3. For example: +```bash +curl -X POST http://localhost:8002/api/providers/openai/v1/chat/completions \ + -H "Authorization: Bearer my-secret-key" \ + -H "Content-Type: application/json" \ + -d '{ + "model": "gpt-3.5-turbo", + "messages": [ + { + "role": "system", + "content": "hi" + } + ], + "user": "my-user-id" + }' +``` + +This request would result in a `401`, since this user only has access to `gpt-4`. + +```bash +curl -X POST http://localhost:8002/api/providers/openai/v1/chat/completions \ + -H "Authorization: Bearer my-secret-key" \ + -H "Content-Type: application/json" \ + -d '{ + "model": "gpt-4", + "messages": [ + { + "role": "system", + "content": "hi" + } + ], + "user": "my-user-id" + }' +``` + +This request would pass since this user is allowed to access `gpt-4`. \ No newline at end of file