Skip to content

Commit

Permalink
chore: roles management update (#119)
Browse files Browse the repository at this point in the history 
* Update roles-management.md

* Update sidebars.js

* fix user-guide.md

* Update sidebars.js

* Update sidebars.js

* Update architecture.md

* Update README.md
  • Loading branch information
@sr-remsha
sr-remsha committed Jun 7, 2024
1 parent 1a3f5fa commit b81ce87
Show file tree
Hide file tree
Showing 5 changed files with 68 additions and 217 deletions.
6 changes: 6 additions & 0 deletions docs/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,12 @@

* [Contribution Guide](https://github.com/epam/ai-dial/blob/main/CONTRIBUTING.md)

## Architecture

* [Architecture Overview](./architecture.md)
* [Authentication and Authorization of API Keys](./tutorials/roles-management.md)
* [Authentication and Authorization of Users](./Deployment/idp-configuration/auth0.md)

## Quick Start

* [Quick Start Guide](./quick-start.md)
Expand Down
8 changes: 5 additions & 3 deletions docs/architecture.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,11 +61,13 @@ AI DIAL Core is headless and is the **only mandatory component**. It includes al

#### Authentication and Authorization

AI DIAL provides native support for [OpenID Connect](https://openid.net/developers/how-connect-works/) and [OAuth2](https://oauth.net/2/) and offers integration with various Identity Providers (IDP) such as Azure AD, Auth0, Okta and Cognito where you can define user roles and attributes to support your custom permissions model. Additionally, you can leverage Keycloak to work with even wider range of IDPs.
AI DIAL provides native support for [OpenID Connect](https://openid.net/developers/how-connect-works/) and [OAuth2](https://oauth.net/2/) and offers integration with various Identity Providers (IDP) such as Azure AD, Auth0, Okta, Microsoft Entra, Google OAuth2, and AWS Cognito where you can define user roles and attributes to support your custom permissions model. Additionally, you can leverage Keycloak to work with even wider range of IDPs.

There are two methods of CORE API calls authorization supported: JWT token and key. Both options provide granular permission management, allowing you to control access to specific functionalities or resources. Additionally, these authorization methods also enable rate and cost control, giving you the ability to manage the frequently of API calls.
> Refer to [IDP Configuration](./Deployment/idp-configuration/auth0.md) to view deployment tutorials for supported IDP providers.
> Refer to [Roles Management](./tutorials/roles-management.md) to learn how to create roles and add them to AI DIAL.
There are two methods of CORE API calls authorization supported: JWT token and key. Both options provide granular permission management, allowing you to control access to specific functionalities or resources. Additionally, these authorization methods also enable rate and cost control, giving you the ability to manage the frequency of API calls.

> Refer to [API Keys Roles and Limits](./tutorials/roles-management.md) to learn how to authenticate and authorize API keys.
#### Load Balancer

Expand Down
264 changes: 51 additions & 213 deletions docs/tutorials/roles-management.md
View file
Original file line number Diff line number Diff line change
@@ -1,240 +1,78 @@
# Roles Management Guide

AI DIAL enables assignment of roles to Models, Applications, Addons, and Assistants to restrict the number of tokens that can be transmitted in a specific time frame. These roles and their limitations can be created in external systems and then assigned in AI DIAL's configuration.
# Roles Management for API Keys

This tutorial provides a guide on how to create these roles in both KeyCloak and MS Azure, and how to integrate them into AI DIAL's configuration.
> Refer to IDP Configuration to learn how to set and configure supported identity providers.
> Refer to [AI DIAL Configuration](/docs/Deployment/configuration.md#some-of-the-dynamic-parameters) to learn more abour `roles` and other parameters.
## Introduction

## KeyCloak
External systems can communicate with AI DIAL via its APIs using API keys. To authorize and authenticate API keys, you can set and configure roles and limits applicable to Models, Applications, Addons, and Assistants to restrict the number of tokens that can be transmitted in a specific time frame.

In this instruction, you will learn how to create roles in KeyCloak and add them to AI DIAL Models, Applications, Assistants, and Addons.
**To authenticate and authorize an API key:**

In KeyCloak **target realm**:
1. AI DIAL Core config is checked to see if a particular API Key is included.
2. If the first requirement is met, the system checks its roles and limits. In case the limit is exceeded or access to a particular requested AI DIAL resource is not specified, API Key's access is rejected.

1. Create a group(s)
2. Create role(s)
3. Map roles to groups
4. Assign groups to users
## AI DIAL Core Configuration

In AI DIAL config:
In [AI DIAL Core dynamic settings](https://github.com/epam/ai-dial-core?tab=readme-ov-file#dynamic-settings), you can define API keys, their roles and limits.

5. Assign roles to AI DIAL Models, Applications, Assistants, and Addons.
### Define API Keys

AI DIAL Core receives the roles assigned to it through user access tokens (JWTs). These roles can be accessed via the path: `resource_access.<client-id>.roles` where `client-id` is a client registered in KeyCloak `realm`, e.g. `chatbot-ui`.
In the `keys` section in the `aidial.config.json` file, you can add API keys ("proxyKey1" in the example below) and assign them `project` and `role`. Note, that you can assign only roles that are defined in the `roles` section - see [further in text](#define-roles-and-limits).

### Step 1: Create groups
> API Key should be a secure random key of at least 128 bit size.
> Refer to [KeyCloak Documentation](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-managing-groups_server_administration_guide) to learn how to create groups.
> Refer to [AI DIAL Core](https://github.com/epam/ai-dial-core/blob/development/sample/aidial.config.json) to view the full example.
In **Groups**, you can create a hierarchy of groups through admin console, similar to this example:

```
Models
-> AWS.Bedrock
-> Stable.Diffusion
Addons
-> Wolfram
```

### Step 2: Create roles

> Refer to [KeyCloak Documentation](https://www.keycloak.org/docs/latest/server_admin/index.html#con-client-roles_server_administration_guide) to learn how to create roles.
1. In **Clients**, choose the client `chatbot-ui`.
2. In the table **Roles**, create required roles, for example:

- AWS.Bedrock
- Stable.Diffusion
- Wolfram

### Step 3: Map roles to groups

In **Groups**, do the roles mapping for each group:

1. Open the tab **Role Mapping**
2. Press the button **Assign role** and choose a role you want to assign to a group

### Step 4: Assign groups to users

1. In **Groups**, choose a group you want to work with
2. In **Members**, press the button **Add member**
3. Select a member you want to assign to a group

> Refer to [KeyCloak Documentation](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-managing-groups_server_administration_guide) for the detailed info about group assignments.
### Step 5: Assign KeyCloak roles to AI DIAL Core deployments

The last step is to assign KeyCloak roles to AI DIAL core deployments: Applications, Addons, Assistants and Models.

> Refer to [AI DIAL Configuration](/docs/Deployment/configuration.md#some-of-the-dynamic-parameters) to learn more.
```yaml
"addons": {
"search": {
"endpoint": "http://localhost:7010/search",
"displayName": "Search",
"userRoles": ["keycloak-role1"]
}
}

...

"applications": {
"app": {
"endpoint": "http://localhost:7001/openai/deployments/app/chat/completions",
"userRoles": ["keycloak-role2"]
}
}

...

"assistant": {
"endpoint": "http://assistant.dial-development/openai/deployments/assistant/chat/completions",
"assistants": {
"assistant-1": {
"prompt": "Your system prompt.",
"addons": [
"addon-1",
"addon-2"
],
"userRoles": ["keycloak-role1"]
}
}
}

...

"models": {
"chat-gpt-35-turbo": {
"type": "chat",
"endpoint" : "http://localhost:7001/v1/openai/deployments/gpt-35-turbo/chat/completions",
"upstreams": [
{"endpoint": "http://localhost:7001", "key": "modelKey1"},
{"endpoint": "http://localhost:7002", "key": "modelKey2"},
{"endpoint": "http://localhost:7003", "key": "modelKey3"}
],
"userRoles": ["keycloak-role2"]
```json
//Example extract from aidial.config.json
"keys": {
"proxyKey1": {
"project": "Project1",
"role": "default"
},
"proxyKey2": {
"project": "Project2",
"role": "role1"
}
}
```

## Microsoft Azure Active Directory

> Refer to [Azure AD Configuration](./azure-ad-configuration.md) to learn how to enable authentication with Azure AD for AI DIAL.
### Define Roles and Limits

In this instruction, you will learn how to create roles in MS Azure Active Directory and add them to AI DIAL Models, Applications, Assistants, and Addons.
In the `roles` section in the `aidial.config.json` file, you can add roles ("default" and "role1" in the example below), which you can assign to API keys. Each role can have `limits` - a number of tokens (unlimited by default) that can be transmitted in a specific time frame (`minute` or `day`) to AI DIAL Models, Applications, Addons, and Assistants.

Group management process is consisted of three steps:
> Refer to [AI DIAL Core documentation](https://github.com/epam/ai-dial-core?tab=readme-ov-file#dynamic-settings) to view the description of parameters.
1. Create groups in Microsoft Azure Active Directory
2. Include groups into JWT custom `claim`
3. Assign roles to AI DIAL Models, Applications, Assistants, and Addons
> Note, that unless a Model, Application, Addon or Assistants is explicitly specified in the config ("chat-gpt-35-turbo" model is specified in the example below), access to it is prohibited for the API key that requested it.
The roles are provided to AI DIAL Core via user access token(JWT) by MS Azure AD and are available via the path: `groups`.
> Refer to [AI DIAL Core](https://github.com/epam/ai-dial-core/blob/development/sample/aidial.config.json) to view the full example.
### Step 1: Create groups in Microsoft Azure Active Directory

1. In **Groups**, you can create groups that you need
2. Add members for each group

> Refer to [MS Documentation](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups) to view the detailed info about group management.
### Step 2: Include groups into JWT custom claim

1. In Microsoft Entra ID, open the item **App Registrations**
2. Open the application you want to configure groups for
3. Go to the item **Token Configuration**
4. Press the button **Add Groups claim** and customize which groups you want to include and where (access, ID token)
5. When customizing the claim **groups**, you can choose the option **sAMAccountName** instead of **Group ID** to include group names instead of group UUIDs in the token

> Refer to [MS Documentation](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#important-caveats-for-this-functionality) to view the detailed info about configuration of group claims for applications.
> **Note**: by default, the claim **groups** is not included into the access token. You should add an application **scope** to the authorization request to obtain the claim from an access token.
> The **claim** is available in the ID token only.
> Refer to [stackoverflow](https://stackoverflow.com/questions/70542675/azure-ad-access-token-does-not-contain-groups-claim) to read more about this case.
> **Note***. The application **scope** is required to validate signature of the access token.
> Refer to [Microsoft Portal](https://learn.microsoft.com/en-us/answers/questions/318741/graphapi-cannot-validate-access-token-signature) to read more about this case.
How to create a custom **scope**:

1. Go to **Expose an API**
2. Set **Application ID URI** to something meaningful, e.g `api://chatbot-ui`
3. Press the button **Add a scope**
4. Fill the required fields in the form to create a new scope. Make sure **Who can consent?** is set to **Admin and users**.

Add the **scope** to the authorization request in `params`:

```
AzureProvider({
clientId: process.env.AUTH_AZURE_AD_CLIENT_ID,
clientSecret: process.env.AUTH_AZURE_AD_SECRET,
tenantId: process.env.AUTH_AZURE_AD_TENANT_ID,
name: process.env.AUTH_AZURE_AD_NAME ?? DEFAULT_NAME,
authorization: {
params: { scope: 'api://chatbot-ui/Client.Consumer openid profile user.Read email offline_access' },
},
token: tokenConfig,
}),
```

> **Note**: if the custom `scope` is provided, the rest of `scopes` in the authorization request is ignored by Microsoft Azure AD.
> As a result, clients who have requested the access token do not have access to MS Azure Graph API for reading user info such as user picture and job title.
### Step 3: Assign MS Azure AD groups to AI DIAL Core deployments

The last step is to assign Microsoft Azure AD groups to AI DIAL Core deployments: Applications, Addons, Assistants and Models.

> Refer to [AI DIAL Configuration](/docs/Deployment/configuration.md#some-of-the-dynamic-parameters) to learn more.
> **Note**: in the example below, MS Azure groups are mapped to AI DIAL Core user roles one to one.
```yaml
"addons": {
"search": {
"endpoint": "http://localhost:7010/search",
"displayName": "Search",
"userRoles": ["azure-group1"]
}
}

...

"applications": {
"app": {
"endpoint": "http://localhost:7001/openai/deployments/app/chat/completions",
"userRoles": ["azure-group2"]
```Json
//Example extract from aidial.config.json
"keys": {
"proxyKey1": {
"project": "Project1",
"role": "default"
},
"proxyKey2": {
"project": "Project2",
"role": "role1"
}
}

...

"assistant": {
"endpoint": "http://assistant.dial-development/openai/deployments/assistant/chat/completions",
"assistants": {
"assistant-1": {
"prompt": "Your system prompt.",
"addons": [
"addon-1",
"addon-2"
],
"userRoles": ["azure-group1"]
},
"roles": {
"default": { //role name
"limits": {
"chat-gpt-35-turbo": { //model name
"minute": "100000", //overrides the default value
"day": "10000000"
}
}
}

...

"models": {
"chat-gpt-35-turbo": {
"type": "chat",
"endpoint" : "http://localhost:7001/v1/openai/deployments/gpt-35-turbo/chat/completions",
"upstreams": [
{"endpoint": "http://localhost:7001", "key": "modelKey1"},
{"endpoint": "http://localhost:7002", "key": "modelKey2"},
{"endpoint": "http://localhost:7003", "key": "modelKey3"}
],
"userRoles": ["azure-group2"]
}
},
"role1": {
"limits": {
"chat-gpt-35-turbo": {} // the default value applies - unlimited
}
},
}
```
2 changes: 1 addition & 1 deletion docs/user-guide.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -180,7 +180,7 @@ The Playback mode can be used to simulate the current conversation without any e

![](./img/playback2.png)

During the playback, you can manually stop and resume the playback process.
During the playback, you can move back and forward the playback process or stop it.

### Compare

Expand Down
5 changes: 5 additions & 0 deletions sidebars.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,11 @@ const sidebars = {
type: 'doc',
id: 'tutorials/quick-start-with-addon',
label: 'Chat with Addon',
},
{
type: 'doc',
id: 'tutorials/roles-management',
label: 'API Keys Roles and Limits',
}
],
},
Expand Down

0 comments on commit b81ce87

Please sign in to comment.