feat: add agent authorization in agent callback #303
fix: merge branch 'main' into feat/authz_agent
| f"Checking permission for principal {principal_id} on resource {resource_id} for operation {operation}..." | ||
| ) | ||
|
|
||
| request = volcenginesdkid.CheckPermissionRequest( |
The request fields here aren't quite right.
class CheckPermissionRequest(
namespace_name: Any | None = None,
operation: Any | None = None,
original_callers: Any | None = None,
principal: Any | None = None,
references: Any | None = None,
resource: Any | None = None,
_configuration: Any | None = None
)
| agent_name = callback_context.agent_name | ||
| user_id = callback_context._invocation_context.user_id | ||
|
|
||
| namespace = "default" |
| workload_id = role_id if role_id else agent_name | ||
|
|
||
| allowed = identity_client.check_permission( | ||
| principal_id=user_id, |
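Review bot: `workload_id = role_id if role_id else agent_name` falls back to the agent's own name whenever `role_id` is empty, so the permission check still runs, but against an identifier that did not come from the token. Consider denying (or raising) when `role_id` is empty instead of substituting `agent_name`. Separately, `callback_context._invocation_context.user_id` reaches into a private attribute; use a public accessor if the context exposes one.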
Here principal, operation and resource are all structs containing Type and Id; it may be better to define a data class first and pass it directly. operation can be fixed as type: action, id: invoke.
| callback_context: CallbackContext, | ||
| ) -> Optional[types.Content]: | ||
| """Check if the agent is authorized to run using VeIdentity.""" | ||
| workload_token = await get_workload_token( |
Currently, when workload_name is empty, this takes agent_name and calls identity_client's get_workload_access_token. The workload_name parameter in the get_workload_access_token method signature needs to be changed to optional first, and then token_manager should not pass agent_name.
| # Parse role_id from workload_token | ||
| # Format: trn:id:${Region}:${Account}:workloadpool/default/workload/${RoleId} | ||
| role_id = None | ||
| if workload_token: |
workload_token is returned in JWT format; refer to https://github.com/volcengine/veadk-python/pull/304/files#diff-3a2ff321505acec9407a08fd5d439d7be6925f1874f8683ba15986068108aa4eR63 to parse it and get sub.
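A sketch of the parsing this comment asks for, as an added example that is not code from the PR or from veadk: it reads `sub` from the JWT payload and extracts `RoleId` from the TRN layout quoted in the diff comment, returning `None` on anything malformed. Assumptions: `sub` carries that TRN, the token was just issued to the agent by the identity service (the payload is decoded, not signature-verified), and all function names and sample values are hypothetical.

```python
import base64
import json
import re
from typing import Optional

# TRN layout from the diff comment:
# trn:id:${Region}:${Account}:workloadpool/default/workload/${RoleId}
_TRN_RE = re.compile(
    r"trn:id:[^:]*:[^:]*:workloadpool/[^/]+/workload/(?P<role_id>[^/]+)"
)


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def role_id_from_workload_token(token: Optional[str]) -> Optional[str]:
    """Return RoleId from the `sub` TRN, or None if it cannot be derived."""
    if not token:
        return None
    try:
        sub = jwt_claims(token).get("sub")
    except ValueError:  # also covers base64 and JSON decoding errors
        return None
    match = _TRN_RE.fullmatch(sub) if isinstance(sub, str) else None
    return match.group("role_id") if match else None


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned token for the example (constructed, not a real one)."""
    return ".".join(
        [_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), "sig"]
    )


# Constructed sample: region, account and role id are made up.
SAMPLE = make_sample_token(
    {"sub": "trn:id:cn-beijing:2100000000:workloadpool/default/workload/role-demo"}
)
```

A caller that gets `None` back has no workload identity to authorize against and should deny the invocation.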
| KeyError: If required environment variables are not set. | ||
| """ | ||
| self.region = region | ||
| self._identity_config = identity_config or VeIdentityConfig() |
Here it is probably enough to use the global configuration in settings directly, similar to https://github.com/volcengine/veadk-python/blob/main/veadk/integrations/ve_identity/auth_config.py#L30; there is not much need to keep it on the instance. The uses of self._identity_config below can also use settings.veidentity directly.
| logger.info( | ||
| f"No session token found, attempting AssumeRole with role: {self._identity_config.role_trn}" | ||
| ) | ||
| sts_credentials = self._assume_role(ak, sk) |
I think this sts_credentials will need a cache later; requesting assume role on every call to the identity API is a bit expensive.
| namespace = "default" | ||
| user_id = user_id | ||
| action = "invoke" | ||
| workload_id = agent_name |
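Review bot: `user_id = user_id` is a self-assignment with no effect and can be removed. `namespace = "default"` and `action = "invoke"` are hardcoded next to it; if they are meant to be fixed for this check, module-level constants would make that explicit and keep them in one place.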
it might be role id rather than agent name
commit 831329d
Author: Qingfu Wu <wuqingfu.528@bytedance.com>
Date: Thu Nov 13 16:26:19 2025 +0800

    docs: add instructions for using the sandbox tool (volcengine#308)

commit 56087ef
Author: Qingfu Wu <wuqingfu.528@bytedance.com>
Date: Thu Nov 13 16:12:33 2025 +0800

    feat: add agent authorization in agent callback (volcengine#303)

    * feat: add agent authorization in agent callback
    * fix callback addition
    * fix: change workload id and using assumeRole
    * fix: fix docstrings
    * fix: fix comment issues and add getting role_trn from VEFAAS_IAM_CRIDENTIAL_PATH

commit e96cf0b
Author: Gou Tan <88194563+floritange@users.noreply.github.com>
Date: Thu Nov 13 10:58:15 2025 +0800

    fix(cli_args): format cli deploy update clean args (volcengine#307)

commit f4c9dc7
Author: hanzhi <53893931+zakahan@users.noreply.github.com>
Date: Wed Nov 12 21:06:15 2025 +0800

    fix: redis backend and knowledge log (volcengine#306)

    * fix: redis backend
    * fix: log of kb

commit a3bd513
Author: haojin2019 <jinhao.2019@bytedance.com>
Date: Tue Nov 11 23:00:33 2025 +0800

    fix(a2a): fix the error about missing ShortTermMemory for agent_executor of VeA2AServer. (volcengine#301)

    * optimize(tools): Support batch size for video_generate tool
    * fix(a2a): Fix the bug for missing ShortTermMemory for agent_executor of VeA2AServer
    * fix code format error

commit 768ba33
Author: Eric <cu.eric.lee@gmail.com>
Date: Tue Nov 11 21:03:11 2025 +0800

    support to run C++ code via python implicitly (volcengine#305)

commit f2f5279
Author: yaozheng-fang <fangyaozheng@bytedance.com>
Date: Tue Nov 11 11:31:16 2025 +0800

    release 0.2.22 (volcengine#299)

commit cdad50b
Author: Gou Tan <88194563+floritange@users.noreply.github.com>
Date: Tue Nov 11 08:54:30 2025 +0800

    fix(cli_update): fix ak-sk of cli update (volcengine#298)

    * fix(cli_update): fix ak-sk of cli update
    * fix(cli_update): fix ak-sk of cli update (cloudapp)

commit d48235e
Merge: 1d20a2d 7404d2f
Author: haojin2019 <jinhao.2019@bytedance.com>
Date: Mon Nov 10 19:12:50 2025 +0800

    Merge pull request volcengine#285 from jinhao2019/feat/Support_customer_http_client

    Feat: Support custom http client for RemoteVeAgent

commit 1d20a2d
Author: diseng <dengqinglin@bytedance.com>
Date: Mon Nov 10 15:28:44 2025 +0800

    fix: change the default save path of evalset and trace file (volcengine#289)

commit 973925b
Author: M1a0 <liyuhan.loveyana@bytedance.com>
Date: Mon Nov 10 15:27:51 2025 +0800

    feat: add run_processor support for Agent Runner (volcengine#296)

    1. **Runner run_processor support**
       - Add `run_processor` parameter to Runner.__init__() and Runner.run()
       - Support multiple sources with priority: run() arg > __init__ arg > agent.run_processor > NoOpRunProcessor

    2. **Fix IdentityClient region initialization**
       - Change default region from hardcoded "cn-beijing" to None in WorkloadTokenManager
       - Auto-detect region using _get_default_region() when not specified
       - Import _get_default_region from auth_config module

    Changes:
    - veadk/runner.py: Add run_processor support with priority chain
    - veadk/integrations/ve_identity/token_manager.py: Fix region initialization
    - veadk/integrations/ve_identity/auth_mixins.py: Minor formatting fix

commit fe6474a
Author: wangyue <wangyuelucky@126.com>
Date: Mon Nov 10 15:20:14 2025 +0800

    feat(tools): support volcano text-to-speech tool

    * support volcano TTS tools
    * update pyaudio dependency
    * code lint
    * code lint
    * fix(tts): improve functionality and reliability of text-to-speech conversion
    * fix(tts): improve return structured dict with 'saved_audio_path'
    * fix(tts): enhance error message and clarify docstring
    * fix(tts): enhance error message and clarify docstring
    * auth(veauth): support query tts app_key from openapi
    * auth(veauth): support query tts app_key from openapi
    * auth(veauth): implement speech token retrieval with credential fallback
    * update config.yaml.full
    * fix: move pyaudio from py core dependency to extension
    * fix: move pyaudio from py core dependency to extension

    ---------

    Co-authored-by: wangyue.demon <wangyue.demon@bytedance.com>

commit 7404d2f
Author: jinhao.2019 <jinhao.2019@bytedance.com>
Date: Thu Nov 6 09:28:52 2025 +0800

    Optimize the code format

commit 2029ee7
Author: jinhao.2019 <jinhao.2019@bytedance.com>
Date: Thu Nov 6 00:27:07 2025 +0800

    Support custom http client for RemoteVeAgent
No description provided.