
Update permissions for a token automatically

Open yjernite opened this issue 2 years ago • 5 comments

Is your feature request related to a problem? Please describe.
Currently, using an authentication token only gives me access to organizations and repositories that were created before I generated the token. If I'm granted access to a new organization or a new repo is created in an org that I should have access to, I need a new token.

Describe the solution you'd like
My write (or read) token gives me access to all the repositories my profile currently has access to.

Describe alternatives you've considered
The current setup is probably more secure, but the need for generating a new token is not documented any place that I could find.


yjernite, Feb 23 '22 21:02

Mmmm I'm quite sure that your expected solution is actually what is currently implemented cc @SBrandeis. We check at repo access time what orgs you're part of, not at token creation time - so creating a new personal access token after joining an org doesn't change anything (or at least shouldn't).

Can you provide a detailed example of a flow where this happened to you?

Pierrci, Feb 24 '22 01:02

OK! I've had to re-generate tokens to get access to new repos but might have misunderstood what was going on. The flow was:

  • generate a write token
  • get added to a new organization (https://huggingface.co/bigscience-catalogue-lm-data)
  • try to create a new repo with the Python API and use_auth_token, fails
  • generate a new token
  • try to create a new repo with the Python API and use_auth_token, succeeds

Teven also recently got access to more repos after re-generating a token: https://huggingface.slack.com/archives/C0307KE5UNT/p1645653096572119?thread_ts=1645652029.630029&cid=C0307KE5UNT

I can't say for sure that there wasn't another issue; in both cases we were debugging other stuff at the same time.

I'll check again next time that happens. Should I close this issue in the meantime?

yjernite, Feb 24 '22 19:02

Do you know the exact error you got?

@LysandreJik @muellerzr Is there any caching on the huggingface_hub side for auth/access info? (like what orgs a token gives access to for example). That's kind of the only thing I see that could explain this behavior.

Pierrci, Feb 24 '22 21:02

No, we don't do any caching on the client side. We save the token and use it for auth.

There's a single place where we first retrieve the valid organizations to validate that the user is allowed to create a repo there, which is here: https://github.com/huggingface/huggingface_hub/blob/main/src/huggingface_hub/repository.py#L535-L554

But this is not cached anywhere, so it shouldn't be any issue.

LysandreJik, Mar 01 '22 19:03

I'm getting back to this issue. @yjernite is this solved for you (or at least more clear)? If yes, you can close the issue.

Wauplin, Sep 30 '22 07:09