[PR] fix(auth): require REGULAR/ADMIN role on LiteLLM proxy endpoints [texera]

Sat, 06 Jun 2026 17:00:52 -0700 


Yicong-Huang opened a new pull request, #5421:
URL: https://github.com/apache/texera/pull/5421

   ### What changes were proposed in this PR?
   
   `LiteLLMProxyResource` (`/chat/*`) and `LiteLLMModelsResource` (`/models`) 
in `access-control-service` were `@PermitAll` — they contain no auth check 
beyond a `guiWorkflowWorkspaceCopilotEnabled` feature flag, so any anonymous 
caller could spend the deployment's LiteLLM credits whenever Copilot was on. PR 
#5404 left the annotations in place to preserve pre-eager-filter behavior and 
deferred the hardening decision; this picks it back up.
   
   Both classes now use `@RolesAllowed(Array("REGULAR", "ADMIN"))`. The 
JwtAuthFilter from #5404 runs at `Priorities.AUTHENTICATION`, so missing tokens 
fall to a 401 from the filter and bad-role tokens fall through to a 403 from 
Jersey's role check.
   
   `access-control-service` was the one microservice that hadn't picked up 
`RolesAllowedDynamicFeature` when #5199 added it elsewhere, so this PR also 
registers the feature in `AccessControlService.scala` — otherwise the 
annotations would have been decorative. `AccessControlServiceRunSpec` is 
updated to pin the registration so a future refactor can't quietly drop it and 
send us back to anonymous-LLM-access.
   
   ### Any related issues, documentation, discussions?
   
   Closes #5420. Follow-up hardening for #5404.
   
   ### How was this PR tested?
   
   `sbt AccessControlService/test` (22 cases) and `sbt scalafmtCheckAll` clean. 
Manual verification against a running access-control-service: anonymous `curl 
http://localhost:8081/api/models` returns 401 with `WWW-Authenticate: Bearer 
realm="texera"` instead of the pre-PR 200; a REGULAR-role bearer token gets 
through to LiteLLM as expected.
   
   ### Was this PR authored or co-authored using generative AI tooling?
   
   Generated-by: Claude Code (Opus 4.7)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to