Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Issue with Token Authentication Using AsyncHttpClient #3057

Open
swy641205 opened this issue Nov 2, 2024 · 1 comment
Open

[Bug]: Issue with Token Authentication Using AsyncHttpClient #3057

swy641205 opened this issue Nov 2, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@swy641205
Copy link

swy641205 commented Nov 2, 2024

What happened?

Hello, I'm following the official documentation to set up token authentication for my Chroma server. Authentication works correctly with HttpClient, but fails when using AsyncHttpClient. Does anyone know what's the issue?

Succeeded with Synchronous Mode

CHROMA_ADMIN_TOKEN='admin-token'

client = chromadb.HttpClient(
    host=CHROMA_HOST,
    port=CHROMA_PORT,
    settings=Settings(
        chroma_client_auth_provider="chromadb.auth.token_authn.TokenAuthClientProvider",
        chroma_client_auth_credentials=CHROMA_ADMIN_TOKEN,
    ),
    ssl=False,
)

print(client.heartbeat())

Failed with Asynchronous Mode

CHROMA_ADMIN_TOKEN='admin-token'

client = await chromadb.AsyncHttpClient(
    host=CHROMA_HOST,
    port=CHROMA_PORT,
    settings=Settings(
        chroma_client_auth_provider="chromadb.auth.token_authn.TokenAuthClientProvider",
        chroma_client_auth_credentials=CHROMA_ADMIN_TOKEN,
    ),
)
print(await client.heartbeat())
---------------------------------------------------------------------------
ChromaAuthError                           Traceback (most recent call last)
Cell In[52], line 1
----> 1 client = chromadb.HttpClient(
      2     host=CHROMA_HOST,
      3     port=CHROMA_PORT,
      4     settings=Settings(
      5         chroma_client_auth_provider="chromadb.auth.token_authn.TokenAuthClientProvider",
      6         chroma_client_auth_credentials='CHROMA_ADMIN_TOKEN',
      7         # chroma_client_auth_credentials=CHROMA_ADMIN_TOKEN,
      8     ),
      9     ssl=False,
     10 )
     12 print(client.heartbeat())

File ~/Library/Caches/pypoetry/virtualenvs/chroma-example-OeFIc-7i-py3.11/lib/python3.11/site-packages/chromadb/__init__.py:204, in HttpClient(host, port, ssl, headers, settings, tenant, database)
    201 settings.chroma_server_ssl_enabled = ssl
    202 settings.chroma_server_headers = headers
--> 204 return ClientCreator(tenant=tenant, database=database, settings=settings)

File ~/Library/Caches/pypoetry/virtualenvs/chroma-example-OeFIc-7i-py3.11/lib/python3.11/site-packages/chromadb/api/client.py:65, in Client.__init__(self, tenant, database, settings)
     62 # Get the root system component we want to interact with
     63 self._server = self._system.instance(ServerAPI)
---> 65 user_identity = self.get_user_identity()
     67 maybe_tenant, maybe_database = maybe_set_tenant_and_database(
...
---> 96     raise chroma_error
     98 try:
     99     resp.raise_for_status()

ChromaAuthError: Forbidden

My Chroma server config:
ref: https://docs.trychroma.com/deployment/docker#static-api-token-authentication

authz.yaml

roles_mapping:
  admin:
    actions:
      [
        "system:reset",
        "tenant:create_tenant",
        "tenant:get_tenant",
        "db:create_database",
        "db:get_database",
        "db:list_collections",
        "collection:get_collection",
        "db:create_collection",
        "db:get_or_create_collection",
        "collection:delete_collection",
        "collection:update_collection",
        "collection:add",
        "collection:delete",
        "collection:get",
        "collection:query",
        "collection:peek",
        "collection:update",
        "collection:upsert",
        "collection:count",
      ]
# `users` config is used by both TokenAuthenticationServerPro vider and SimpleRBACAuthorizationServerProvider.
# - TokenAuthenticationProvider only needs the id and tokens.
# - SimpleRBACAuthorizationProvider only needs the id and the role.
users:
  - id: user@example.com
    role: admin
    tokens:
      - admin-token

docker container env:

CHROMA_SERVER_AUTHN_CREDENTIALS_FILE=/chroma/authz/authz.yaml
CHROMA_SERVER_AUTHZ_CONFIG_FILE=/chroma/authz/authz.yaml
CHROMA_SERVER_AUTHN_PROVIDER="chromadb.auth.token_authn.TokenAuthenticationServerProvider"
CHROMA_SERVER_AUTHZ_PROVIDER="chromadb.auth.simple_rbac_authz.SimpleRBACAuthorizationProvider"

Versions

docker image: ghcr.io/chroma-core/chroma:0.5.17
chromadb-client: 0.5.17
Python: 3.11.6

@swy641205 swy641205 added the bug Something isn't working label Nov 2, 2024
@tazarov
Copy link
Contributor

tazarov commented Nov 2, 2024

hey @swy641205, this is a duplicate of #2488, It should be fixed with #2489

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants