fix(proxy): restrict vector store index create/delete to proxy admins#29202
Conversation
Prevent non-admin API keys from registering indexes via POST /v1/indexes or deleting Azure AI Search indexes through managed pass-through routes. Co-authored-by: Cursor <[email protected]>
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
Greptile SummaryThis PR restricts AI Search index lifecycle operations (create, delete, replace) to proxy admins. Non-admin keys retain read/write access for document search and upsert but can no longer create LiteLLM index mappings or delete/replace indexes via Azure AI pass-through.
Confidence Score: 5/5Safe to merge — the changes tighten access controls, all three previously flagged issues have been resolved, and the test suite covers the critical admin/non-admin paths. All three issues from the prior review round are addressed: the substring-match prefix collision is fixed with a regex boundary lookahead, operation labels are now correctly distinguished per HTTP method, and the fail-closed behavior for unrecognized endpoints is intentional and acknowledged. The admin guard is applied early in both the direct endpoint and the pass-through path, with no observable bypass. New tests are fully mocked and cover the regression cases. No files require special attention.
|
| Filename | Overview |
|---|---|
| litellm/proxy/vector_store_endpoints/utils.py | Adds admin-only guard for index lifecycle requests; replaces the old substring match with a regex boundary lookahead; converts the unrecognized-endpoint fallthrough from return None to a 403 — intentional per reviewer instructions. |
| litellm/proxy/vector_store_endpoints/endpoints.py | Adds proxy-admin check as the first statement in index_create, correctly blocking non-admins before any DB work. |
| tests/test_litellm/proxy/vector_store_endpoints/test_vector_store_endpoints.py | Updated existing test to match the new 403 behavior for unrecognized endpoints; added full admin/non-admin matrix tests for index create, delete, update, and prefix-collision regression — all mocked, no real network calls. |
Reviews (2): Last reviewed commit: "fix(proxy): tighten vector store index l..." | Re-trigger Greptile
Co-authored-by: Cursor <[email protected]>
|
@greptile review again, with the new commit that resolves all the P2 issues. Note that the backwards incompatible change is expected. |
7ca796b
into
litellm_internal_staging
…BerriAI#29202) * fix(proxy): restrict vector store index create/delete to proxy admins Prevent non-admin API keys from registering indexes via POST /v1/indexes or deleting Azure AI Search indexes through managed pass-through routes. Co-authored-by: Cursor <[email protected]> * fix(proxy): tighten vector store index lifecycle checks Co-authored-by: Cursor <[email protected]> --------- Co-authored-by: Cursor <[email protected]>
LIT-2384
Restricts AI Search index lifecycle operations so only proxy admins can register or delete managed indexes. Non-admin keys retain read/write access for document search and upsert, but can no longer create LiteLLM index mappings or delete indexes via Azure AI pass-through.
Cause
POST /v1/indexes only required a valid API key — any authenticated user could register index mappings in the DB.
DELETE /azure_ai/indexes/{name} bypassed index permission checks because Azure AI endpoint ACLs only covered /docs/search (read) and PUT /docs (write). Index-level DELETE was unrecognized and allowed through for any key with vector store access, including keys with read-only index permissions.
Fix
Require PROXY_ADMIN for POST /v1/indexes.
Detect index lifecycle requests (DELETE/PUT/PATCH on /indexes/{name}, POST on /indexes) in pass-through auth and enforce admin-only access.
Deny unrecognized managed-index operations by default (403) instead of silently allowing pass-through.
Test plan
test_index_create_requires_admin / test_index_create_allowed_for_admin
test_delete_index_requires_admin / test_delete_index_allowed_for_admin
test_endpoint_not_recognized updated to expect 403
Existing vector store permission tests pass
Fix:
