Simple OAuth2 System (experimental)#
Xinference builds an In-memory OAuth2 authentication and authorization system using the account-password mode.
Note
If you don’t have authentication and authorization requirements, you can use Xinference as before, without any changes.
Permissions#
Currently, Xinference system internally defines some interface permissions:
models:list
: Permission to list models and get models’ information.models:read
: Permission to use models.models:register
: Permission to register custom models.models:unregister
: Permission to unregister custom models.models:start
: Permission to launch models.models:stop
: Permission to stop running models.admin
: Administrators have permissions for all interfaces.
Startup#
All authentication and authorization information needs to be specified and loaded into memory when Xinference is started. Xinference requires a JSON-formatted file with the following specific fields:
{
"auth_config": {
"algorithm": "HS256",
"secret_key": "09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7",
"token_expire_in_minutes": 30
},
"user_config": [
{
"username": "user1",
"password": "secret1",
"permissions": [
"admin"
],
"api_keys": [
"sk-72tkvudyGLPMi",
"sk-ZOTLIY4gt9w11"
]
},
{
"username": "user2",
"password": "secret2",
"permissions": [
"models:list",
"models:read"
],
"api_keys": [
"sk-35tkasdyGLYMy",
"sk-ALTbgl6ut981w"
]
}
]
}
auth_config
: This field is used to configure security-related information.algorithm
: The algorithm used for token generation and parsing.HS
series algorithms are recommended. For example,HS256
,HS384
orHS512
.secret_key
: The secret_key used for token generation and parsing. Use this command to generate the secret_key adapted to theHS
algorithms:openssl rand -hex 32
.token_expire_in_minutes
: Reserved field indicating the expiration time of the token. The current open-source version of Xinference does not check the expiration time of tokens.
user_config
: This field is used to configure user and permission information. Each user information is composed of these fields:username
: string field for username.password
: string field for password.permissions
: A list containing strings representing the permissions that this user has. The permissions are described as above.api_keys
: A list containing strings representing the api-keys of this user. With these api-keys, user can access the xinference interfaces without the need to signin. The api-key here is formatted similar to theOPENAI_API_KEY
, always starting withsk-
, followed by 13 alphanumeric characters.
Once you have configured such a JSON file, use the --auth-config
option to enable Xinference with the authentication and authorization system. For example, for local startup:
xinference-local -H 0.0.0.0 --auth-config /path/to/your_json_config_file
For distributed startup, just specify this option when starting the supervisor:
xinference-supervisor -H <supervisor_ip> --auth-config /path/to/your_json_config_file
Usage#
For Xinference with the authentication and authorization system enabled, all usage remains the same, except for the addition of a login step at the beginning or using the api-key.
Signin#
Signin for command line users:
xinference login -e <endpoint> --username <username> --password <password>
For python SDK users:
from xinference.client import Client
client = Client('<endpoint>')
client.login('<name>', '<pass>')
For web UI users, when opening the web UI, you will first be directed to the login page. After logging in, you can use the web UI normally.
Api-Key#
For command line users, just add --api-key
or -ak
option in the command you want to use.
xinference launch <other options> --api-key <your_api_key>
For python SDK users, pass the api_key
parameter when initializing the client, just like the OPENAI
Python client.
from xinference.client import Client
client = Client('<endpoint>', api_key='<your_api_key>')
Xinference is also compatible with the OPENAI
Python SDK as well.
from openai import OpenAI
client = OpenAI(base_url="<xinference endpoint>" + "/v1", api_key="<your_api_key>")
client.models.list()
Http Status Code#
Add the following two HTTP status codes:
401 Unauthorized
: login information or token verifies failed.403 Forbidden
: No enough permissions when accessing interfaces.
For the command line, SDK, or web UI users, there will be clear information prompts when encountering authorization and permissions issues.
Note#
This feature is still in an experimental stage. Feel free to provide feedback on usage issues or improvement suggestions through GitHub issues or our Slack.