aws-genai-llm-chatbot
feat(user_roles): Add User Roles/Permissions
This PR is for work on Issue #99 - Please see issue for detailed documentation of changes to user interface
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Hi,
When do you think this PR will be validated?
Thanks
@hghandri - This feature is pending #269 successfully being merged. The code is introducing both front-end and API permission checks. The team wanted to prioritize the move to AppSync first before introducing this change, so this issue is built on top of the code for #269. We've been working through the bugs detected in #269 and testing to confirm all is good to go. I'm hoping once that is completed, this PR can be wrapped up pretty quickly. As soon as it's done, this will shift to "Ready for Review"
Thanks for the reply. This PR brings big changes, I'm waiting patiently :)
@flamingquaks #269 has been merged
I'm currently working through merge conflict resolution and related patches. I aim to have this ready within the next few days
Waiting for this PR to merge..
Waiting for this PR to merge..
We are working through some bugs that came up with the latest updates. Once those are resolved, the PR will move forward. Hoping to have them wrapped quickly!
🚨 Update: After the latest merge from main, which merged in the v4 AppSync upgrade, we've determined that there are some introduced challenges with auth verification due to the way Amplify v5 handles Auth with AppSync. We believe that v6 of amplify will help resolve and simplify auth.
Therefore, this PR is now on hold until #303 is able to be worked on (Currently being moved up in the priority)
Once that is complete, updates will be made on this issue to align and we can move forward.
This feature is now READY FOR REVIEW!
Overview of major functionality changes:
- Cognito Users should now be added to one of the four user groups: `chatbot_admin`, `chatbot_workspaces_manager`, `chatbot_workspaces_user`, or `chatbot_user`. If a user isn't added, they will receive an error and provide instructions for the admin. Documentation has been updated for deployment and a new doc in `docs/documentation/user-permissions.md` has been added that breaks down the different permissions. If more than one of the four groups is added to the user, the group with the most permissions will be used.
- After the initial user is added, users can be added, updated, removed by `chatbot_admin` users within the Chatbot solution.
- In both the front-end UI and the back-end rest functions, there is now a notion of user permissions. In the front-end, leverage the `UserContext` within the react component to get the current role. In the back-end, there are now method decorators. Almost all rest-api endpoint functions have the method decorators to adjust/check permissions, especially the RAG management capabilities.
- The API has new endpoints for User Administration. The front-end has an Administration section added which can have future admin features added.
It's recommended that an upgraded deployment and a fresh deployment are attempted. A full-sweep of functionality tests is recommended, including adjusting user permissions (you will need to logout/login to app after user group update)
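The group-precedence rule and the back-end method decorators described in the comment above, as an added example that is not code from this PR or the project. The four group names are from the comment; their ordering, the `require_role` decorator, the `delete_workspace` handler and its required role are hypothetical, and `claims` is assumed to be an already-verified token payload carrying a `cognito:groups` list.

```python
import functools

# Group names come from the PR description; the ordering from least to
# most privileged is an assumption of this example.
ROLE_ORDER = [
    "chatbot_user",
    "chatbot_workspaces_user",
    "chatbot_workspaces_manager",
    "chatbot_admin",
]
RANK = {name: i for i, name in enumerate(ROLE_ORDER)}


class PermissionDenied(Exception):
    """Raised when the caller has no recognised group or too low a role."""


def effective_role(groups):
    """Return the most privileged recognised group, or None if there is none."""
    known = [g for g in groups or [] if g in RANK]
    return max(known, key=RANK.__getitem__) if known else None


def require_role(minimum):
    """Hypothetical decorator: allow the call only at or above `minimum`."""
    if minimum not in RANK:
        raise ValueError(f"unknown role: {minimum}")

    def decorator(func):
        @functools.wraps(func)
        def wrapper(claims, *args, **kwargs):
            # `claims` stands for verified token claims (assumption); a user
            # in none of the four groups is rejected rather than defaulted.
            role = effective_role(claims.get("cognito:groups"))
            if role is None:
                raise PermissionDenied("user is not in any chatbot group; ask an admin")
            if RANK[role] < RANK[minimum]:
                raise PermissionDenied(f"{role} may not call {func.__name__}")
            return func(claims, *args, role=role, **kwargs)
        return wrapper
    return decorator


@require_role("chatbot_workspaces_manager")  # required role is illustrative
def delete_workspace(claims, workspace_id, role=None):
    return f"{workspace_id} deleted by {role}"
```

Unrecognised group names are ignored when picking the effective role, so membership in unrelated Cognito groups neither grants nor blocks access.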
Neat PR
I tested these changes and they worked as expected, good work
I've shifted this back to Draft to allow time to refactor this work to use Amazon Verified Permissions. This will allow future access controls and permissions to be added more consistently.
@flamingquaks have you considered the cost implication of shifting the draft to AVP as the only option? What's not working well with the current draft? Just some things to keep in mind
Thanks @Amrib24 for raising this concern, but the cost of verified permissions is negligible compared to the running costs of an LLM based solution. Moreover, Verified Permissions provides out of the box, managed capabilities that you would need to account engineering and maintenance cost for in case you choose another solution.
@flamingquaks, are you still planning on refactoring this PR to use Amazon Verified Permissions (AVP)? Please let us know if there are any blockers or challenges the team could help you with! Excited about this feature. :)
@ystoneman, Apologies for the delay, it took me a bit more time to upskill on AVP than I had planned. I'm aiming to pick up steam on this by end of week and provide an update on timeline.