Update README.md
Browse files
README.md
CHANGED
|
@@ -1,3 +1,63 @@
|
|
| 1 |
-
---
|
| 2 |
-
license: apache-2.0
|
| 3 |
-
---
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
license: apache-2.0
|
| 3 |
+
---
|
| 4 |
+
|
| 5 |
+
# Token vs. Resource Group Access Rights Demo
|
| 6 |
+
|
| 7 |
+
## Purpose
|
| 8 |
+
This README explains how to set up a quick test to demonstrate how fine-grained tokens interact with resource group permissions in Hugging Face.
|
| 9 |
+
|
| 10 |
+
## The Question We're Answering
|
| 11 |
+
If a user has access to a model through a resource group, but their fine-grained token doesn't explicitly mention that model, will an API request to write to the model succeed?
|
| 12 |
+
|
| 13 |
+
## Materials Needed
|
| 14 |
+
- Hugging Face account with Enterprise access
|
| 15 |
+
- Admin rights to create resource groups
|
| 16 |
+
- Permission to create models and tokens
|
| 17 |
+
|
| 18 |
+
## Setup Steps
|
| 19 |
+
|
| 20 |
+
### 1. Create a Test Model
|
| 21 |
+
1. Go to your Hugging Face profile
|
| 22 |
+
2. Click "New Model"
|
| 23 |
+
3. Name it "token-test-model" (or similar)
|
| 24 |
+
|
| 25 |
+
### 2. Create a Resource Group
|
| 26 |
+
1. Go to your organization settings
|
| 27 |
+
2. Navigate to Resource Groups
|
| 28 |
+
3. Create a new resource group named "token-test-group"
|
| 29 |
+
4. Add your test model to this resource group
|
| 30 |
+
5. Add yourself as a user with write permissions to this resource group
|
| 31 |
+
|
| 32 |
+
### 3. Create a Fine-Grained Token
|
| 33 |
+
1. Go to your profile settings (top right icon on the HF page - NOT your organization settings) > select Access Tokens
|
| 34 |
+
2. Click "Create new Token"
|
| 35 |
+
3. Select "Fine-grained" as token type
|
| 36 |
+
4. Give it a name like "limited-test-token"
|
| 37 |
+
5. Important: DO NOT select your test model or check any global repository permissions
|
| 38 |
+
6. This token will have minimal, read access to public repositories (which is the default for any token, as noted in the UI: "The token will always have read access to all public repos contents").
|
| 39 |
+
7. Create the token and save the value on the next screen for testing
|
| 40 |
+
|
| 41 |
+
### 4. Test the Token
|
| 42 |
+
1. Use the API Playground (https://huggingface.co/spaces/enzostvs/hub-api-playground)
|
| 43 |
+
2. Set up a POST request to `/api/repos/create-commit`
|
| 44 |
+
3. Add your fine-grained token in Headers (Authorization: Bearer YOUR_TOKEN)
|
| 45 |
+
4. Use this JSON in Parameters:
|
| 46 |
+
```json
|
| 47 |
+
{
|
| 48 |
+
"repo_id": "YOUR_ORG/token-test-model",
|
| 49 |
+
"repo_type": "model",
|
| 50 |
+
"commit_message": "Testing token permissions",
|
| 51 |
+
"operations": [
|
| 52 |
+
{
|
| 53 |
+
"operation": "create",
|
| 54 |
+
"path": "test.txt",
|
| 55 |
+
"content": "This is a permission test"
|
| 56 |
+
}
|
| 57 |
+
]
|
| 58 |
+
}
|
| 59 |
+
```
|
| 60 |
+
5. Send the request - it should fail with a permission error
|
| 61 |
+
|
| 62 |
+
## Expected Result
|
| 63 |
+
The request will fail despite your user having access to the model through the resource group. This demonstrates that fine-grained tokens require explicit permissions, regardless of resource group access.
|