Skip to content

fix(proxy): restrict vector store index create/delete to proxy admins#29202

Merged
mateo-berri merged 2 commits into
litellm_internal_stagingfrom
litellm_ai_search_index
May 30, 2026
Merged

fix(proxy): restrict vector store index create/delete to proxy admins#29202
mateo-berri merged 2 commits into
litellm_internal_stagingfrom
litellm_ai_search_index

Conversation

@shivamrawat1

@shivamrawat1 shivamrawat1 commented May 28, 2026

Copy link
Copy Markdown
Collaborator

LIT-2384

Restricts AI Search index lifecycle operations so only proxy admins can register or delete managed indexes. Non-admin keys retain read/write access for document search and upsert, but can no longer create LiteLLM index mappings or delete indexes via Azure AI pass-through.

Cause
POST /v1/indexes only required a valid API key — any authenticated user could register index mappings in the DB.
DELETE /azure_ai/indexes/{name} bypassed index permission checks because Azure AI endpoint ACLs only covered /docs/search (read) and PUT /docs (write). Index-level DELETE was unrecognized and allowed through for any key with vector store access, including keys with read-only index permissions.
Fix
Require PROXY_ADMIN for POST /v1/indexes.
Detect index lifecycle requests (DELETE/PUT/PATCH on /indexes/{name}, POST on /indexes) in pass-through auth and enforce admin-only access.
Deny unrecognized managed-index operations by default (403) instead of silently allowing pass-through.
Test plan

test_index_create_requires_admin / test_index_create_allowed_for_admin

test_delete_index_requires_admin / test_delete_index_allowed_for_admin

test_endpoint_not_recognized updated to expect 403

Existing vector store permission tests pass

Fix:
Screenshot 2026-05-30 at 3 07 22 PM

Prevent non-admin API keys from registering indexes via POST /v1/indexes or deleting Azure AI Search indexes through managed pass-through routes.

Co-authored-by: Cursor <[email protected]>
@codecov

codecov Bot commented May 28, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 90.90909% with 3 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
litellm/proxy/vector_store_endpoints/utils.py 90.62% 3 Missing ⚠️

📢 Thoughts on this report? Let us know!

@greptile-apps

greptile-apps Bot commented May 28, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR restricts AI Search index lifecycle operations (create, delete, replace) to proxy admins. Non-admin keys retain read/write access for document search and upsert but can no longer create LiteLLM index mappings or delete/replace indexes via Azure AI pass-through.

  • Adds assert_proxy_admin_for_vector_store_index_management guard at the top of the index_create endpoint so any authenticated non-admin is rejected with a 403 before hitting the database.
  • Adds _is_vector_store_index_lifecycle_request (using a regex boundary check to avoid prefix-collision false positives) and wires it into is_allowed_to_call_vector_store_endpoint, enforcing admin-only access for DELETE/PUT/PATCH on an index path and POST to the indexes collection. Unrecognized endpoints now fail closed with 403 rather than silently passing through.
  • Adds comprehensive mock tests covering the admin/non-admin matrix for both the direct index_create endpoint and the pass-through path, plus a regression test for the prefix-collision edge case.

Confidence Score: 5/5

Safe to merge — the changes tighten access controls, all three previously flagged issues have been resolved, and the test suite covers the critical admin/non-admin paths.

All three issues from the prior review round are addressed: the substring-match prefix collision is fixed with a regex boundary lookahead, operation labels are now correctly distinguished per HTTP method, and the fail-closed behavior for unrecognized endpoints is intentional and acknowledged. The admin guard is applied early in both the direct endpoint and the pass-through path, with no observable bypass. New tests are fully mocked and cover the regression cases.

No files require special attention.

Important Files Changed

Filename Overview
litellm/proxy/vector_store_endpoints/utils.py Adds admin-only guard for index lifecycle requests; replaces the old substring match with a regex boundary lookahead; converts the unrecognized-endpoint fallthrough from return None to a 403 — intentional per reviewer instructions.
litellm/proxy/vector_store_endpoints/endpoints.py Adds proxy-admin check as the first statement in index_create, correctly blocking non-admins before any DB work.
tests/test_litellm/proxy/vector_store_endpoints/test_vector_store_endpoints.py Updated existing test to match the new 403 behavior for unrecognized endpoints; added full admin/non-admin matrix tests for index create, delete, update, and prefix-collision regression — all mocked, no real network calls.

Reviews (2): Last reviewed commit: "fix(proxy): tighten vector store index l..." | Re-trigger Greptile

Comment thread litellm/proxy/vector_store_endpoints/utils.py
Comment thread litellm/proxy/vector_store_endpoints/utils.py
Comment thread litellm/proxy/vector_store_endpoints/utils.py Outdated
@shivamrawat1

Copy link
Copy Markdown
Collaborator Author

@greptile review again, with the new commit that resolves all the P2 issues. Note that the backwards incompatible change is expected.

@mateo-berri mateo-berri enabled auto-merge (squash) May 30, 2026 22:09

@mateo-berri mateo-berri left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; thanks!

@mateo-berri mateo-berri merged commit 7ca796b into litellm_internal_staging May 30, 2026
111 of 118 checks passed
@mateo-berri mateo-berri deleted the litellm_ai_search_index branch May 30, 2026 22:10
fzowl pushed a commit to fzowl/litellm that referenced this pull request Jun 24, 2026
…BerriAI#29202)

* fix(proxy): restrict vector store index create/delete to proxy admins

Prevent non-admin API keys from registering indexes via POST /v1/indexes or deleting Azure AI Search indexes through managed pass-through routes.

Co-authored-by: Cursor <[email protected]>

* fix(proxy): tighten vector store index lifecycle checks

Co-authored-by: Cursor <[email protected]>

---------

Co-authored-by: Cursor <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants