Hugging Face's logo

Spaces:
expressapi
/
chroma
Runtime error

App Files Community
chroma / examples /basic_functionality /authz /README.md
badalsahani's picture
badalsahani
feat: chroma initial deploy
287a0bc
preview code
|
raw
history blame contribute delete
4.32 kB
# Authorization
## Configuration
### Resource Actions
```yaml
resource_type_action: # This is here just for reference
 - tenant:create_tenant
 - tenant:get_tenant
 - db:create_database
 - db:get_database
 - db:reset
 - db:list_collections
 - collection:get_collection
 - db:create_collection
 - db:get_or_create_collection
 - collection:delete_collection
 - collection:update_collection
 - collection:add
 - collection:delete
 - collection:get
 - collection:query
 - collection:peek #from API perspective this is the same as collection:get
 - collection:count
 - collection:update
 - collection:upsert
```
### Role Mapping
Following are the role mappings where we define roles and the actions they can perform. The actions spaces is taken from the resource actions defined above.
> **Note**: We also plan to support resource level authorization soon but for now only RBAC is available.
```yaml
roles_mapping:
 admin:
 actions:
 [
 db:list_collections,
 collection:get_collection,
 db:create_collection,
 db:get_or_create_collection,
 collection:delete_collection,
 collection:update_collection,
 collection:add,
 collection:delete,
 collection:get,
 collection:query,
 collection:peek,
 collection:update,
 collection:upsert,
 collection:count,
 ]
 write:
 actions:
 [
 db:list_collections,
 collection:get_collection,
 db:create_collection,
 db:get_or_create_collection,
 collection:delete_collection,
 collection:update_collection,
 collection:add,
 collection:delete,
 collection:get,
 collection:query,
 collection:peek,
 collection:update,
 collection:upsert,
 collection:count,
 ]
 db_read:
 actions:
 [
 db:list_collections,
 collection:get_collection,
 db:create_collection,
 db:get_or_create_collection,
 collection:delete_collection,
 collection:update_collection,
 ]
 collection_read:
 actions:
 [
 db:list_collections,
 collection:get_collection,
 collection:get,
 collection:query,
 collection:peek,
 collection:count,
 ]
 collection_x_read:
 actions:
 [
 collection:get_collection,
 collection:get,
 collection:query,
 collection:peek,
 collection:count,
 ]
 resources: ["<UUID>"] #not yet supported
```
You can update the roll mapping as per your requirements.
### Users
Last piece of the puzzle is the user configuration. Here we define the user id, role and the tokens they can use to authenticate.
> **Note**: In our example we use both AuthN and AuthZ where AuthN verifies whether a token is valid e.g. user has that token and AuthZ verifies whether the user has the right role to perform the action.
```yaml
users:
 - id: user@example.com
 role: admin
 tokens:
 - token: test-token-admin
 secret: my_api_secret # not yet supported
 - id: Anonymous
 role: admin
 tokens:
 - token: my_api_token
 secret: my_api_secret
```
## Starting the Server
```bash
IS_PERSISTENT=1 \
CHROMA_SERVER_AUTHZ_PROVIDER="chromadb.auth.authz.SimpleRBACAuthorizationProvider" \
CHROMA_SERVER_AUTH_CREDENTIALS_FILE=examples/basic_functionality/authz/authz.yaml \
CHROMA_SERVER_AUTH_CREDENTIALS_PROVIDER="user_token_config" \
CHROMA_SERVER_AUTH_PROVIDER="chromadb.auth.token.TokenAuthServerProvider" \
CHROMA_SERVER_AUTHZ_CONFIG_FILE=examples/basic_functionality/authz/authz.yaml \
uvicorn chromadb.app:app --workers 1 --host 0.0.0.0 --port 8000 --proxy-headers --log-config chromadb/log_config.yml --reload --timeout-keep-alive 30
```
## Testing the authorization
```python
import chromadb
from chromadb.config import Settings
client = chromadb.HttpClient("http://localhost:8000/",
 settings=Settings(chroma_client_auth_provider="chromadb.auth.token.TokenAuthClientProvider",
 chroma_client_auth_credentials="test-token-admin"))
client.list_collections()
collection = client.get_or_create_collection("test_collection")
collection.add(documents=["test"],ids=["1"])
collection.get()
```