huggingface_hub
huggingface_hub copied to clipboard
Update permissions for a token automatically
Is your feature request related to a problem? Please describe. Currently, using an authentication token only gives me access to organizations and repositories that were created before I generated the token. If I'm granted access to a new organization or a new repo is created in an org that I should have access to, I need a new token.
Describe the solution you'd like My write (or read) token gives me access to all the repositories my profile currently has access to
Describe alternatives you've considered The current setup is probably more secure, but the need for generating a new token is not documented any place that I could find
Additional context Add any other context or screenshots about the feature request here.
Mmmm I'm quite sure that your expected solution is actually what is currently implemented cc @SBrandeis. We check at repo access time what orgs you're part of, not at token creation time - so creating a new personal access token after joining an org doesn't change anything (or at least shouldn't).
Can you provide a detailed example of a flow where this happened to you?
OK! I've had to re-generate tokens to get access to new repos but might have misunderstood what was going on. The flow was:
- generate a write token
- get added to a new organization (https://huggingface.co/bigscience-catalogue-lm-data)
- try to create a new repo with the python api and
use_auth_token
, fails - generate a new token
- try to create a new repo with the python api and
use_auth_token
, succeeds
Teven also recently got access to more repos after re-generating a token https://huggingface.slack.com/archives/C0307KE5UNT/p1645653096572119?thread_ts=1645652029.630029&cid=C0307KE5UNT
I can't say for sure that there wasn't another issue, in both cases we were debugging other stuff at the same time
I'll check again next time that happens, should I close this issue in the meantime?
Do you know the exact error you got?
@LysandreJik @muellerzr Is there any caching on the huggingface_hub
side for auth/access info? (like what orgs a token gives access to for example). That's kind of the only thing I see that could explain this behavior.
No, we don't do any caching on the client side. We save the token and use it for auth.
There's a single place where we first retrieve the valid organizations to validate that the user is allowed to create a repo there, which is here: https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/repository.py#L535-L554
But this is not cached anywhere, so it shouldn't be any issue.
I'm getting back to this issue. @yjernite is this solved for you ? (or at least more clear ?); If yes, you can close the issue.