# Authorization

## Configuration

### Resource Actions

```yaml
resource_type_action: # This is here just for reference
  - tenant:create_tenant
  - tenant:get_tenant
  - db:create_database
  - db:get_database
  - db:reset
  - db:list_collections
  - collection:get_collection
  - db:create_collection
  - db:get_or_create_collection
  - collection:delete_collection
  - collection:update_collection
  - collection:add
  - collection:delete
  - collection:get
  - collection:query
  - collection:peek #from API perspective this is the same as collection:get
  - collection:count
  - collection:update
  - collection:upsert
```

### Role Mapping

The following role mappings define the roles and the actions each role may perform. The action space is taken from the resource actions listed above; an action that is not listed there grants nothing.

> **Note**: We also plan to support resource level authorization soon but for now only RBAC is available.

```yaml
roles_mapping:
  admin:
    actions:
      [
        db:list_collections,
        collection:get_collection,
        db:create_collection,
        db:get_or_create_collection,
        collection:delete_collection,
        collection:update_collection,
        collection:add,
        collection:delete,
        collection:get,
        collection:query,
        collection:peek,
        collection:update,
        collection:upsert,
        collection:count,
      ]
  write:
    actions:
      [
        db:list_collections,
        collection:get_collection,
        db:create_collection,
        db:get_or_create_collection,
        collection:delete_collection,
        collection:update_collection,
        collection:add,
        collection:delete,
        collection:get,
        collection:query,
        collection:peek,
        collection:update,
        collection:upsert,
        collection:count,
      ]
  db_read:
    actions:
      [
        db:list_collections,
        collection:get_collection,
        db:create_collection,
        db:get_or_create_collection,
        collection:delete_collection,
        collection:update_collection,
      ]
  collection_read:
    actions:
      [
        db:list_collections,
        collection:get_collection,
        collection:get,
        collection:query,
        collection:peek,
        collection:count,
      ]
  collection_x_read:
    actions:
      [
        collection:get_collection,
        collection:get,
        collection:query,
        collection:peek,
        collection:count,
      ]
    resources: ["<UUID>"] #not yet supported
```

You can adjust the role mapping to your requirements. Note that, as written above, `admin` and `write` grant exactly the same action set, and `db_read` can create and delete collections; trim the `write` and `db_read` roles to what those names promise before using this file outside a demo.

### Users

The last piece of the puzzle is the user configuration. Here we define each user's id, role, and the tokens the user can authenticate with.

> **Note**: This example uses both AuthN and AuthZ. AuthN verifies that a presented token is valid, i.e. that some configured user owns it; AuthZ then verifies that this user's role includes the action being attempted.

```yaml
users:
  - id: [email protected]
    role: admin
    tokens:
      - token: test-token-admin
        secret: my_api_secret # not yet supported
  - id: Anonymous
    role: admin
    tokens:
      - token: my_api_token
        secret: my_api_secret
```

The token values above (`test-token-admin`, `my_api_token`) are placeholders for the example; for a real deployment generate long random tokens, give each user its own, and do not bind the `admin` role to a catch-all identity such as `Anonymous`. The `secret` field is shown for completeness only and is not yet used.
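As an added example (this is not Chroma's own code and not the `SimpleRBACAuthorizationProvider` implementation), here is an offline model of the two-step decision the role mapping and user sections describe: a token is first resolved to a user (AuthN), then the user's role is checked for the requested action (AuthZ). It also lints the configuration for mistakes that are easy to miss in a long YAML file: two roles with identical action sets (as `admin` and `write` have above), a user whose role is not defined, a token shared by two users, actions that are not in the resource action list, and short placeholder tokens. The `collection_read` user, its token, the e-mail addresses and the 32-character minimum token length are this example's own assumptions.

```python
"""Offline model of token AuthN followed by role-based AuthZ, plus a config lint.
Added example; the decision logic is this file's own, not the server's code."""

import secrets
from typing import Dict, List, Optional, Tuple

# Resource actions as listed on the page (the full action space).
RESOURCE_ACTIONS = {
    "tenant:create_tenant", "tenant:get_tenant", "db:create_database",
    "db:get_database", "db:reset", "db:list_collections", "collection:get_collection",
    "db:create_collection", "db:get_or_create_collection", "collection:delete_collection",
    "collection:update_collection", "collection:add", "collection:delete",
    "collection:get", "collection:query", "collection:peek", "collection:count",
    "collection:update", "collection:upsert",
}

# Action sets copied from the page's roles_mapping.
FULL_ACTIONS = [
    "db:list_collections", "collection:get_collection", "db:create_collection",
    "db:get_or_create_collection", "collection:delete_collection",
    "collection:update_collection", "collection:add", "collection:delete",
    "collection:get", "collection:query", "collection:peek", "collection:update",
    "collection:upsert", "collection:count",
]
READ_ACTIONS = [
    "db:list_collections", "collection:get_collection", "collection:get",
    "collection:query", "collection:peek", "collection:count",
]

# The YAML above transcribed to Python (in practice: yaml.safe_load(open(path))).
# The reader user, its token and the e-mail addresses are constructed for this example.
CONFIG: Dict = {
    "roles_mapping": {
        "admin": {"actions": list(FULL_ACTIONS)},
        "write": {"actions": list(FULL_ACTIONS)},  # identical to admin, as on the page
        "collection_read": {"actions": list(READ_ACTIONS)},
    },
    "users": [
        {"id": "admin@example.com", "role": "admin",
         "tokens": [{"token": "test-token-admin"}]},
        {"id": "reader@example.com", "role": "collection_read",
         "tokens": [{"token": "test-token-reader"}]},
    ],
}


def authenticate(config: Dict, token: str) -> Optional[Dict]:
    """AuthN: return the user record owning `token`, or None if no user has it."""
    for user in config["users"]:
        for entry in user.get("tokens", []):
            # Constant-time comparison so a wrong token leaks nothing via timing.
            if secrets.compare_digest(entry["token"], token):
                return user
    return None


def authorize(config: Dict, user: Dict, action: str) -> bool:
    """AuthZ: allowed only if the user's role exists and lists `action`."""
    role = config["roles_mapping"].get(user["role"])
    return role is not None and action in role.get("actions", [])


def check(config: Dict, token: str, action: str) -> Tuple[bool, str]:
    """Full request decision: AuthN first, then AuthZ. Deny by default."""
    user = authenticate(config, token)
    if user is None:
        return False, "authn: unknown token"
    if not authorize(config, user, action):
        return False, f"authz: role '{user['role']}' may not {action}"
    return True, f"ok: {user['id']} ({user['role']}) may {action}"


def lint_config(config: Dict, known_actions=RESOURCE_ACTIONS, min_token_len: int = 32) -> List[str]:
    """Flag configuration mistakes that silently widen, break or blur access."""
    findings: List[str] = []
    roles = config["roles_mapping"]
    seen_sets: Dict[frozenset, str] = {}
    for name, role in roles.items():
        for action in role.get("actions", []):
            if action not in known_actions:
                findings.append(f"role {name}: unknown action {action!r}")
        key = frozenset(role.get("actions", []))
        if key in seen_sets:
            findings.append(f"roles {seen_sets[key]} and {name} grant identical actions")
        else:
            seen_sets[key] = name
    token_owner: Dict[str, str] = {}
    for user in config["users"]:
        if user["role"] not in roles:
            findings.append(f"user {user['id']}: undefined role {user['role']!r}")
        for entry in user.get("tokens", []):
            tok = entry["token"]
            if tok in token_owner:
                findings.append(f"token shared by {token_owner[tok]} and {user['id']}")
            token_owner[tok] = user["id"]
            if len(tok) < min_token_len:  # assumed policy threshold
                findings.append(f"user {user['id']}: token shorter than {min_token_len} chars")
    return findings


if __name__ == "__main__":
    for tok, act in [("test-token-admin", "collection:add"),
                     ("test-token-reader", "collection:add"),
                     ("no-such-token", "collection:get")]:
        print(check(CONFIG, tok, act))
    for finding in lint_config(CONFIG):
        print("lint:", finding)
```

Run the lint against the page's example and it reports the `admin`/`write` duplication and the short demo tokens; a typo such as `collection:querry` in a role would be reported as an unknown action instead of quietly granting nothing.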

## Starting the Server

```bash
IS_PERSISTENT=1 \
CHROMA_SERVER_AUTHZ_PROVIDER="chromadb.auth.authz.SimpleRBACAuthorizationProvider" \
CHROMA_SERVER_AUTH_CREDENTIALS_FILE=examples/basic_functionality/authz/authz.yaml \
CHROMA_SERVER_AUTH_CREDENTIALS_PROVIDER="user_token_config" \
CHROMA_SERVER_AUTH_PROVIDER="chromadb.auth.token.TokenAuthServerProvider" \
CHROMA_SERVER_AUTHZ_CONFIG_FILE=examples/basic_functionality/authz/authz.yaml \
uvicorn chromadb.app:app --workers 1 --host 0.0.0.0 --port 8000 --proxy-headers --log-config chromadb/log_config.yml --reload --timeout-keep-alive 30
```

Both `CHROMA_SERVER_AUTH_CREDENTIALS_FILE` and `CHROMA_SERVER_AUTHZ_CONFIG_FILE` point at the same `authz.yaml` because the users (with their tokens) and the role mapping live in one file. `--reload` and `--host 0.0.0.0` are development conveniences: the first restarts on code changes, the second listens on every interface. Tokens travel as plain HTTP headers with this command, so in any real deployment terminate TLS in front of the server (`--proxy-headers` already tells uvicorn to trust a reverse proxy's forwarded headers).

## Testing the authorization

```python
import chromadb
from chromadb.config import Settings

# The client attaches the token to every request; the server resolves it to a
# user (AuthN) and then checks that user's role against the action (AuthZ).
client = chromadb.HttpClient("http://localhost:8000/",
                             settings=Settings(chroma_client_auth_provider="chromadb.auth.token.TokenAuthClientProvider",
                                               chroma_client_auth_credentials="test-token-admin"))

client.list_collections()                                        # db:list_collections
collection = client.get_or_create_collection("test_collection")  # db:get_or_create_collection

collection.add(documents=["test"], ids=["1"])                    # collection:add
collection.get()                                                 # collection:get
```

All four calls succeed because `test-token-admin` belongs to a user with the `admin` role. To see a denial, add a user with the `collection_read` role to `authz.yaml`, run the script with that user's token, and the `add` call is rejected by the server while `list_collections`, `get_or_create_collection` and `get` still work only as far as that role allows (`db:get_or_create_collection` is not in `collection_read`, so use `get_collection` on an existing collection instead).