shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add ai_gateway_keys table and related RBAC (#25563)

Browse Source 
Adds table to store keys that AI Gateway standalone replicas will use
to authenticate into Coderd.
Also adds RBAC and audit boilerplate.
This commit is contained in:
Paweł Banaszewski
2026-06-02 09:28:43 +02:00
committed by GitHub
parent 49c2142d2d
commit f22d4e2cbb
26 changed files with 264 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files
coderd/apidoc/docs.go
Generated
+12
View File
@@ -15269,6 +15269,10 @@ const docTemplate = `{
"enum": [ "enum": [
"all", "all",
"application_connect", "application_connect",
"ai_gateway_key:*",
"ai_gateway_key:create",
"ai_gateway_key:delete",
"ai_gateway_key:read",
"ai_model_price:*", "ai_model_price:*",
"ai_model_price:read", "ai_model_price:read",
"ai_model_price:update", "ai_model_price:update",
@@ -15499,6 +15503,10 @@ const docTemplate = `{
"x-enum-varnames": [ "x-enum-varnames": [
"APIKeyScopeAll", "APIKeyScopeAll",
"APIKeyScopeApplicationConnect", "APIKeyScopeApplicationConnect",
"APIKeyScopeAiGatewayKeyAll",
"APIKeyScopeAiGatewayKeyCreate",
"APIKeyScopeAiGatewayKeyDelete",
"APIKeyScopeAiGatewayKeyRead",
"APIKeyScopeAiModelPriceAll", "APIKeyScopeAiModelPriceAll",
"APIKeyScopeAiModelPriceRead", "APIKeyScopeAiModelPriceRead",
"APIKeyScopeAiModelPriceUpdate", "APIKeyScopeAiModelPriceUpdate",
@@ -22329,6 +22337,7 @@ const docTemplate = `{
"type": "string", "type": "string",
"enum": [ "enum": [
"*", "*",
"ai_gateway_key",
"ai_model_price", "ai_model_price",
"ai_provider", "ai_provider",
"ai_seat", "ai_seat",
@@ -22380,6 +22389,7 @@ const docTemplate = `{
], ],
"x-enum-varnames": [ "x-enum-varnames": [
"ResourceWildcard", "ResourceWildcard",
"ResourceAIGatewayKey",
"ResourceAiModelPrice", "ResourceAiModelPrice",
"ResourceAIProvider", "ResourceAIProvider",
"ResourceAiSeat", "ResourceAiSeat",
@@ -22641,6 +22651,7 @@ const docTemplate = `{
"ai_seat", "ai_seat",
"ai_provider", "ai_provider",
"ai_provider_key", "ai_provider_key",
"ai_gateway_key",
"group_ai_budget", "group_ai_budget",
"chat", "chat",
"user_secret", "user_secret",
@@ -22676,6 +22687,7 @@ const docTemplate = `{
"ResourceTypeAISeat", "ResourceTypeAISeat",
"ResourceTypeAIProvider", "ResourceTypeAIProvider",
"ResourceTypeAIProviderKey", "ResourceTypeAIProviderKey",
"ResourceTypeAIGatewayKey",
"ResourceTypeGroupAIBudget", "ResourceTypeGroupAIBudget",
"ResourceTypeChat", "ResourceTypeChat",
"ResourceTypeUserSecret", "ResourceTypeUserSecret",
coderd/apidoc/swagger.json
Generated
+12
View File
@@ -13653,6 +13653,10 @@
"enum": [ "enum": [
"all", "all",
"application_connect", "application_connect",
"ai_gateway_key:*",
"ai_gateway_key:create",
"ai_gateway_key:delete",
"ai_gateway_key:read",
"ai_model_price:*", "ai_model_price:*",
"ai_model_price:read", "ai_model_price:read",
"ai_model_price:update", "ai_model_price:update",
@@ -13883,6 +13887,10 @@
"x-enum-varnames": [ "x-enum-varnames": [
"APIKeyScopeAll", "APIKeyScopeAll",
"APIKeyScopeApplicationConnect", "APIKeyScopeApplicationConnect",
"APIKeyScopeAiGatewayKeyAll",
"APIKeyScopeAiGatewayKeyCreate",
"APIKeyScopeAiGatewayKeyDelete",
"APIKeyScopeAiGatewayKeyRead",
"APIKeyScopeAiModelPriceAll", "APIKeyScopeAiModelPriceAll",
"APIKeyScopeAiModelPriceRead", "APIKeyScopeAiModelPriceRead",
"APIKeyScopeAiModelPriceUpdate", "APIKeyScopeAiModelPriceUpdate",
@@ -20460,6 +20468,7 @@
"type": "string", "type": "string",
"enum": [ "enum": [
"*", "*",
"ai_gateway_key",
"ai_model_price", "ai_model_price",
"ai_provider", "ai_provider",
"ai_seat", "ai_seat",
@@ -20511,6 +20520,7 @@
], ],
"x-enum-varnames": [ "x-enum-varnames": [
"ResourceWildcard", "ResourceWildcard",
"ResourceAIGatewayKey",
"ResourceAiModelPrice", "ResourceAiModelPrice",
"ResourceAIProvider", "ResourceAIProvider",
"ResourceAiSeat", "ResourceAiSeat",
@@ -20762,6 +20772,7 @@
"ai_seat", "ai_seat",
"ai_provider", "ai_provider",
"ai_provider_key", "ai_provider_key",
"ai_gateway_key",
"group_ai_budget", "group_ai_budget",
"chat", "chat",
"user_secret", "user_secret",
@@ -20797,6 +20808,7 @@
"ResourceTypeAISeat", "ResourceTypeAISeat",
"ResourceTypeAIProvider", "ResourceTypeAIProvider",
"ResourceTypeAIProviderKey", "ResourceTypeAIProviderKey",
"ResourceTypeAIGatewayKey",
"ResourceTypeGroupAIBudget", "ResourceTypeGroupAIBudget",
"ResourceTypeChat", "ResourceTypeChat",
"ResourceTypeUserSecret", "ResourceTypeUserSecret",
coderd/audit/diff.go
+1
View File
@@ -36,6 +36,7 @@ type Auditable interface {
database.AiSeatState | database.AiSeatState |
database.AIProvider | database.AIProvider |
database.AIProviderKey | database.AIProviderKey |
database.AIGatewayKey |
database.Chat | database.Chat |
database.AuditableGroupAiBudget | database.AuditableGroupAiBudget |
database.UserSecret | database.UserSecret |
coderd/audit/request.go
+9
View File
@@ -138,6 +138,8 @@ func ResourceTarget[T Auditable](tgt T) string {
return typed.Name return typed.Name
case database.AIProviderKey: case database.AIProviderKey:
return typed.ID.String() return typed.ID.String()
case database.AIGatewayKey:
return typed.Name
case database.AuditableGroupAiBudget: case database.AuditableGroupAiBudget:
return typed.GroupName return typed.GroupName
case database.Chat: case database.Chat:
@@ -222,6 +224,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
return typed.ID return typed.ID
case database.AIProviderKey: case database.AIProviderKey:
return typed.ID return typed.ID
case database.AIGatewayKey:
return typed.ID
case database.AuditableGroupAiBudget: case database.AuditableGroupAiBudget:
return typed.GroupID return typed.GroupID
case database.Chat: case database.Chat:
@@ -291,6 +295,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
return database.ResourceTypeAIProvider return database.ResourceTypeAIProvider
case database.AIProviderKey: case database.AIProviderKey:
return database.ResourceTypeAIProviderKey return database.ResourceTypeAIProviderKey
case database.AIGatewayKey:
return database.ResourceTypeAIGatewayKey
case database.AuditableGroupAiBudget: case database.AuditableGroupAiBudget:
return database.ResourceTypeGroupAiBudget return database.ResourceTypeGroupAiBudget
case database.Chat: case database.Chat:
@@ -366,6 +372,9 @@ func ResourceRequiresOrgID[T Auditable]() bool {
// AI provider keys inherit the deployment scope of their parent // AI provider keys inherit the deployment scope of their parent
// provider. // provider.
return false return false
case database.AIGatewayKey:
// AI Gateway keys are deployment-scoped, not org-scoped.
return false
case database.AuditableGroupAiBudget: case database.AuditableGroupAiBudget:
// Group AI budgets are org-scoped through their parent group. // Group AI budgets are org-scoped through their parent group.
return true return true
coderd/database/check_constraint.go
Generated
+3
View File
@@ -6,6 +6,9 @@ type CheckConstraint string
// CheckConstraint enums. // CheckConstraint enums.
const ( const (
CheckAiGatewayKeysHashedSecretCheck CheckConstraint = "ai_gateway_keys_hashed_secret_check" // ai_gateway_keys
CheckAiGatewayKeysNameCheck CheckConstraint = "ai_gateway_keys_name_check" // ai_gateway_keys
CheckAiGatewayKeysSecretPrefixCheck CheckConstraint = "ai_gateway_keys_secret_prefix_check" // ai_gateway_keys
CheckAiModelPricesCacheReadPriceCheck CheckConstraint = "ai_model_prices_cache_read_price_check" // ai_model_prices CheckAiModelPricesCacheReadPriceCheck CheckConstraint = "ai_model_prices_cache_read_price_check" // ai_model_prices
CheckAiModelPricesCacheWritePriceCheck CheckConstraint = "ai_model_prices_cache_write_price_check" // ai_model_prices CheckAiModelPricesCacheWritePriceCheck CheckConstraint = "ai_model_prices_cache_write_price_check" // ai_model_prices
CheckAiModelPricesInputPriceCheck CheckConstraint = "ai_model_prices_input_price_check" // ai_model_prices CheckAiModelPricesInputPriceCheck CheckConstraint = "ai_model_prices_input_price_check" // ai_model_prices
coderd/database/dump.sql
Generated
+32 -2
View File
@@ -253,7 +253,11 @@ CREATE TYPE api_key_scope AS ENUM (
'boundary_log:*', 'boundary_log:*',
'boundary_log:create', 'boundary_log:create',
'boundary_log:delete', 'boundary_log:delete',
'boundary_log:read' 'boundary_log:read',
'ai_gateway_key:*',
'ai_gateway_key:create',
'ai_gateway_key:delete',
'ai_gateway_key:read'
); );
CREATE TYPE app_sharing_level AS ENUM ( CREATE TYPE app_sharing_level AS ENUM (
@@ -564,7 +568,8 @@ CREATE TYPE resource_type AS ENUM (
'ai_provider', 'ai_provider',
'ai_provider_key', 'ai_provider_key',
'group_ai_budget', 'group_ai_budget',
'user_skill' 'user_skill',
'ai_gateway_key'
); );
CREATE TYPE shareable_workspace_owners AS ENUM ( CREATE TYPE shareable_workspace_owners AS ENUM (
@@ -1287,6 +1292,22 @@ BEGIN
END; END;
$$; $$;
CREATE TABLE ai_gateway_keys (
id uuid NOT NULL,
created_at timestamp with time zone NOT NULL,
name text NOT NULL,
secret_prefix character varying(11) NOT NULL,
hashed_secret bytea NOT NULL,
last_used_at timestamp with time zone,
CONSTRAINT ai_gateway_keys_hashed_secret_check CHECK ((length(hashed_secret) > 0)),
CONSTRAINT ai_gateway_keys_name_check CHECK (((length(name) <= 64) AND (name ~ '^[a-z0-9]+(-[a-z0-9]+)*$'::text))),
CONSTRAINT ai_gateway_keys_secret_prefix_check CHECK ((length((secret_prefix)::text) = 11))
);
COMMENT ON TABLE ai_gateway_keys IS 'Hashed bearer secrets used by AI Gateway standalone replicas to authenticate into coderd.';
COMMENT ON COLUMN ai_gateway_keys.secret_prefix IS 'Public token prefix for display and audit correlation. Auth uses hashed_secret.';
CREATE TABLE ai_model_prices ( CREATE TABLE ai_model_prices (
provider text NOT NULL, provider text NOT NULL,
model text NOT NULL, model text NOT NULL,
@@ -3763,6 +3784,9 @@ ALTER TABLE ONLY workspace_resource_metadata ALTER COLUMN id SET DEFAULT nextval
ALTER TABLE ONLY workspace_agent_stats ALTER TABLE ONLY workspace_agent_stats
ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id); ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id);
ALTER TABLE ONLY ai_gateway_keys
ADD CONSTRAINT ai_gateway_keys_pkey PRIMARY KEY (id);
ALTER TABLE ONLY ai_model_prices ALTER TABLE ONLY ai_model_prices
ADD CONSTRAINT ai_model_prices_pkey PRIMARY KEY (provider, model); ADD CONSTRAINT ai_model_prices_pkey PRIMARY KEY (provider, model);
@@ -4147,6 +4171,12 @@ ALTER TABLE ONLY workspace_resources
ALTER TABLE ONLY workspaces ALTER TABLE ONLY workspaces
ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id); ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id);
CREATE UNIQUE INDEX ai_gateway_keys_hashed_secret_idx ON ai_gateway_keys USING btree (hashed_secret);
CREATE UNIQUE INDEX ai_gateway_keys_name_idx ON ai_gateway_keys USING btree (lower(name));
CREATE UNIQUE INDEX ai_gateway_keys_secret_prefix_idx ON ai_gateway_keys USING btree (secret_prefix);
CREATE UNIQUE INDEX ai_providers_name_unique ON ai_providers USING btree (name) WHERE (deleted = false); CREATE UNIQUE INDEX ai_providers_name_unique ON ai_providers USING btree (name) WHERE (deleted = false);
CREATE INDEX api_keys_last_used_idx ON api_keys USING btree (last_used DESC); CREATE INDEX api_keys_last_used_idx ON api_keys USING btree (last_used DESC);
coderd/database/migrations/000514_ai_gateway_keys.down.sql
+6
View File
@@ -0,0 +1,6 @@
-- Enum additions to resource_type and api_key_scope are intentionally not
-- reverted because Postgres cannot drop enum values safely.
DROP INDEX IF EXISTS ai_gateway_keys_hashed_secret_idx;
DROP INDEX IF EXISTS ai_gateway_keys_secret_prefix_idx;
DROP INDEX IF EXISTS ai_gateway_keys_name_idx;
DROP TABLE IF EXISTS ai_gateway_keys;
coderd/database/migrations/000514_ai_gateway_keys.up.sql
+25
View File
@@ -0,0 +1,25 @@
CREATE TABLE ai_gateway_keys (
id uuid PRIMARY KEY,
created_at timestamptz NOT NULL,
name text NOT NULL,
secret_prefix varchar(11) NOT NULL,
hashed_secret bytea NOT NULL,
last_used_at timestamptz NULL,
CONSTRAINT ai_gateway_keys_name_check CHECK (length(name) <= 64 AND name ~ '^[a-z0-9]+(-[a-z0-9]+)*$'),
CONSTRAINT ai_gateway_keys_secret_prefix_check CHECK (length(secret_prefix) = 11),
CONSTRAINT ai_gateway_keys_hashed_secret_check CHECK (length(hashed_secret) > 0)
);
COMMENT ON TABLE ai_gateway_keys IS 'Hashed bearer secrets used by AI Gateway standalone replicas to authenticate into coderd.';
COMMENT ON COLUMN ai_gateway_keys.secret_prefix IS 'Public token prefix for display and audit correlation. Auth uses hashed_secret.';
CREATE UNIQUE INDEX ai_gateway_keys_name_idx ON ai_gateway_keys USING btree (lower(name));
CREATE UNIQUE INDEX ai_gateway_keys_secret_prefix_idx ON ai_gateway_keys USING btree (secret_prefix);
CREATE UNIQUE INDEX ai_gateway_keys_hashed_secret_idx ON ai_gateway_keys USING btree (hashed_secret);
ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'ai_gateway_key';
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:*';
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:create';
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:delete';
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'ai_gateway_key:read';
coderd/database/migrations/testdata/fixtures/000514_ai_gateway_keys.up.sql
Vendored
+15
View File
@@ -0,0 +1,15 @@
INSERT INTO ai_gateway_keys (
id,
created_at,
name,
secret_prefix,
hashed_secret,
last_used_at
) VALUES (
'8b6f0a82-9a3a-4d2e-8c0c-2c9c9b9b1a01',
'2026-05-21 00:00:00+00',
'example-key',
'cdr_1234567',
'\x00'::bytea,
NULL
);
coderd/database/models.go
Generated
+28 -2
View File
@@ -324,6 +324,10 @@ const (
ApiKeyScopeBoundaryLogCreate APIKeyScope = "boundary_log:create" ApiKeyScopeBoundaryLogCreate APIKeyScope = "boundary_log:create"
ApiKeyScopeBoundaryLogDelete APIKeyScope = "boundary_log:delete" ApiKeyScopeBoundaryLogDelete APIKeyScope = "boundary_log:delete"
ApiKeyScopeBoundaryLogRead APIKeyScope = "boundary_log:read" ApiKeyScopeBoundaryLogRead APIKeyScope = "boundary_log:read"
ApiKeyScopeAiGatewayKey APIKeyScope = "ai_gateway_key:*"
ApiKeyScopeAiGatewayKeyCreate APIKeyScope = "ai_gateway_key:create"
ApiKeyScopeAiGatewayKeyDelete APIKeyScope = "ai_gateway_key:delete"
ApiKeyScopeAiGatewayKeyRead APIKeyScope = "ai_gateway_key:read"
) )
func (e *APIKeyScope) Scan(src interface{}) error { func (e *APIKeyScope) Scan(src interface{}) error {
@@ -588,7 +592,11 @@ func (e APIKeyScope) Valid() bool {
ApiKeyScopeBoundaryLog, ApiKeyScopeBoundaryLog,
ApiKeyScopeBoundaryLogCreate, ApiKeyScopeBoundaryLogCreate,
ApiKeyScopeBoundaryLogDelete, ApiKeyScopeBoundaryLogDelete,
ApiKeyScopeBoundaryLogRead: ApiKeyScopeBoundaryLogRead,
ApiKeyScopeAiGatewayKey,
ApiKeyScopeAiGatewayKeyCreate,
ApiKeyScopeAiGatewayKeyDelete,
ApiKeyScopeAiGatewayKeyRead:
return true return true
} }
return false return false
@@ -822,6 +830,10 @@ func AllAPIKeyScopeValues() []APIKeyScope {
ApiKeyScopeBoundaryLogCreate, ApiKeyScopeBoundaryLogCreate,
ApiKeyScopeBoundaryLogDelete, ApiKeyScopeBoundaryLogDelete,
ApiKeyScopeBoundaryLogRead, ApiKeyScopeBoundaryLogRead,
ApiKeyScopeAiGatewayKey,
ApiKeyScopeAiGatewayKeyCreate,
ApiKeyScopeAiGatewayKeyDelete,
ApiKeyScopeAiGatewayKeyRead,
} }
} }
@@ -3353,6 +3365,7 @@ const (
ResourceTypeAIProviderKey ResourceType = "ai_provider_key" ResourceTypeAIProviderKey ResourceType = "ai_provider_key"
ResourceTypeGroupAiBudget ResourceType = "group_ai_budget" ResourceTypeGroupAiBudget ResourceType = "group_ai_budget"
ResourceTypeUserSkill ResourceType = "user_skill" ResourceTypeUserSkill ResourceType = "user_skill"
ResourceTypeAIGatewayKey ResourceType = "ai_gateway_key"
) )
func (e *ResourceType) Scan(src interface{}) error { func (e *ResourceType) Scan(src interface{}) error {
@@ -3424,7 +3437,8 @@ func (e ResourceType) Valid() bool {
ResourceTypeAIProvider, ResourceTypeAIProvider,
ResourceTypeAIProviderKey, ResourceTypeAIProviderKey,
ResourceTypeGroupAiBudget, ResourceTypeGroupAiBudget,
ResourceTypeUserSkill: ResourceTypeUserSkill,
ResourceTypeAIGatewayKey:
return true return true
} }
return false return false
@@ -3465,6 +3479,7 @@ func AllResourceTypeValues() []ResourceType {
ResourceTypeAIProviderKey, ResourceTypeAIProviderKey,
ResourceTypeGroupAiBudget, ResourceTypeGroupAiBudget,
ResourceTypeUserSkill, ResourceTypeUserSkill,
ResourceTypeAIGatewayKey,
} }
} }
@@ -4435,6 +4450,17 @@ type AIBridgeUserPrompt struct {
CreatedAt time.Time `db:"created_at" json:"created_at"` CreatedAt time.Time `db:"created_at" json:"created_at"`
} }
// Hashed bearer secrets used by AI Gateway standalone replicas to authenticate into coderd.
type AIGatewayKey struct {
ID uuid.UUID `db:"id" json:"id"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
Name string `db:"name" json:"name"`
// Public token prefix for display and audit correlation. Auth uses hashed_secret.
SecretPrefix string `db:"secret_prefix" json:"secret_prefix"`
HashedSecret []byte `db:"hashed_secret" json:"hashed_secret"`
LastUsedAt sql.NullTime `db:"last_used_at" json:"last_used_at"`
}
// Runtime configuration for AI providers. Authoritative source for the provider set served by aibridged. Replaces deployment-time CODER_AIBRIDGE_* environment variables. // Runtime configuration for AI providers. Authoritative source for the provider set served by aibridged. Replaces deployment-time CODER_AIBRIDGE_* environment variables.
type AIProvider struct { type AIProvider struct {
ID uuid.UUID `db:"id" json:"id"` ID uuid.UUID `db:"id" json:"id"`
coderd/database/sqlc.yaml
+2
View File
@@ -261,8 +261,10 @@ sql:
ai_provider: AIProvider ai_provider: AIProvider
ai_provider_key: AIProviderKey ai_provider_key: AIProviderKey
ai_provider_type: AIProviderType ai_provider_type: AIProviderType
ai_gateway_key: AIGatewayKey
resource_type_ai_provider: ResourceTypeAIProvider resource_type_ai_provider: ResourceTypeAIProvider
resource_type_ai_provider_key: ResourceTypeAIProviderKey resource_type_ai_provider_key: ResourceTypeAIProviderKey
resource_type_ai_gateway_key: ResourceTypeAIGatewayKey
mcp_server_config: MCPServerConfig mcp_server_config: MCPServerConfig
mcp_server_configs: MCPServerConfigs mcp_server_configs: MCPServerConfigs
mcp_server_user_token: MCPServerUserToken mcp_server_user_token: MCPServerUserToken
coderd/database/unique_constraint.go
Generated
+4
View File
@@ -7,6 +7,7 @@ type UniqueConstraint string
// UniqueConstraint enums. // UniqueConstraint enums.
const ( const (
UniqueAgentStatsPkey UniqueConstraint = "agent_stats_pkey" // ALTER TABLE ONLY workspace_agent_stats ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id); UniqueAgentStatsPkey UniqueConstraint = "agent_stats_pkey" // ALTER TABLE ONLY workspace_agent_stats ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id);
UniqueAiGatewayKeysPkey UniqueConstraint = "ai_gateway_keys_pkey" // ALTER TABLE ONLY ai_gateway_keys ADD CONSTRAINT ai_gateway_keys_pkey PRIMARY KEY (id);
UniqueAiModelPricesPkey UniqueConstraint = "ai_model_prices_pkey" // ALTER TABLE ONLY ai_model_prices ADD CONSTRAINT ai_model_prices_pkey PRIMARY KEY (provider, model); UniqueAiModelPricesPkey UniqueConstraint = "ai_model_prices_pkey" // ALTER TABLE ONLY ai_model_prices ADD CONSTRAINT ai_model_prices_pkey PRIMARY KEY (provider, model);
UniqueAiProviderKeysPkey UniqueConstraint = "ai_provider_keys_pkey" // ALTER TABLE ONLY ai_provider_keys ADD CONSTRAINT ai_provider_keys_pkey PRIMARY KEY (id); UniqueAiProviderKeysPkey UniqueConstraint = "ai_provider_keys_pkey" // ALTER TABLE ONLY ai_provider_keys ADD CONSTRAINT ai_provider_keys_pkey PRIMARY KEY (id);
UniqueAiProvidersPkey UniqueConstraint = "ai_providers_pkey" // ALTER TABLE ONLY ai_providers ADD CONSTRAINT ai_providers_pkey PRIMARY KEY (id); UniqueAiProvidersPkey UniqueConstraint = "ai_providers_pkey" // ALTER TABLE ONLY ai_providers ADD CONSTRAINT ai_providers_pkey PRIMARY KEY (id);
@@ -135,6 +136,9 @@ const (
UniqueWorkspaceResourceMetadataPkey UniqueConstraint = "workspace_resource_metadata_pkey" // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_pkey PRIMARY KEY (id); UniqueWorkspaceResourceMetadataPkey UniqueConstraint = "workspace_resource_metadata_pkey" // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_pkey PRIMARY KEY (id);
UniqueWorkspaceResourcesPkey UniqueConstraint = "workspace_resources_pkey" // ALTER TABLE ONLY workspace_resources ADD CONSTRAINT workspace_resources_pkey PRIMARY KEY (id); UniqueWorkspaceResourcesPkey UniqueConstraint = "workspace_resources_pkey" // ALTER TABLE ONLY workspace_resources ADD CONSTRAINT workspace_resources_pkey PRIMARY KEY (id);
UniqueWorkspacesPkey UniqueConstraint = "workspaces_pkey" // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id); UniqueWorkspacesPkey UniqueConstraint = "workspaces_pkey" // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id);
UniqueAiGatewayKeysHashedSecretIndex UniqueConstraint = "ai_gateway_keys_hashed_secret_idx" // CREATE UNIQUE INDEX ai_gateway_keys_hashed_secret_idx ON ai_gateway_keys USING btree (hashed_secret);
UniqueAiGatewayKeysNameIndex UniqueConstraint = "ai_gateway_keys_name_idx" // CREATE UNIQUE INDEX ai_gateway_keys_name_idx ON ai_gateway_keys USING btree (lower(name));
UniqueAiGatewayKeysSecretPrefixIndex UniqueConstraint = "ai_gateway_keys_secret_prefix_idx" // CREATE UNIQUE INDEX ai_gateway_keys_secret_prefix_idx ON ai_gateway_keys USING btree (secret_prefix);
UniqueAiProvidersNameUnique UniqueConstraint = "ai_providers_name_unique" // CREATE UNIQUE INDEX ai_providers_name_unique ON ai_providers USING btree (name) WHERE (deleted = false); UniqueAiProvidersNameUnique UniqueConstraint = "ai_providers_name_unique" // CREATE UNIQUE INDEX ai_providers_name_unique ON ai_providers USING btree (name) WHERE (deleted = false);
UniqueIndexAPIKeyName UniqueConstraint = "idx_api_key_name" // CREATE UNIQUE INDEX idx_api_key_name ON api_keys USING btree (user_id, token_name) WHERE (login_type = 'token'::login_type); UniqueIndexAPIKeyName UniqueConstraint = "idx_api_key_name" // CREATE UNIQUE INDEX idx_api_key_name ON api_keys USING btree (user_id, token_name) WHERE (login_type = 'token'::login_type);
UniqueIndexChatDebugRunsIDChat UniqueConstraint = "idx_chat_debug_runs_id_chat" // CREATE UNIQUE INDEX idx_chat_debug_runs_id_chat ON chat_debug_runs USING btree (id, chat_id); UniqueIndexChatDebugRunsIDChat UniqueConstraint = "idx_chat_debug_runs_id_chat" // CREATE UNIQUE INDEX idx_chat_debug_runs_id_chat ON chat_debug_runs USING btree (id, chat_id);
coderd/rbac/object_gen.go
+10
View File
@@ -15,6 +15,15 @@ var (
Type: "*", Type: "*",
} }
// ResourceAIGatewayKey
// Valid Actions
// - "ActionCreate" :: create an AI Gateway key
// - "ActionDelete" :: delete an AI Gateway key
// - "ActionRead" :: read AI Gateway keys
ResourceAIGatewayKey = Object{
Type: "ai_gateway_key",
}
// ResourceAiModelPrice // ResourceAiModelPrice
// Valid Actions // Valid Actions
// - "ActionRead" :: read AI model prices // - "ActionRead" :: read AI model prices
@@ -479,6 +488,7 @@ var (
func AllResources() []Objecter { func AllResources() []Objecter {
return []Objecter{ return []Objecter{
ResourceWildcard, ResourceWildcard,
ResourceAIGatewayKey,
ResourceAiModelPrice, ResourceAiModelPrice,
ResourceAIProvider, ResourceAIProvider,
ResourceAiSeat, ResourceAiSeat,
coderd/rbac/policy/policy.go
+8
View File
@@ -429,6 +429,14 @@ var RBACPermissions = map[string]PermissionDefinition{
ActionDelete: "delete boundary logs", ActionDelete: "delete boundary logs",
}, },
}, },
"ai_gateway_key": {
Name: "AIGatewayKey",
Actions: map[Action]ActionDefinition{
ActionCreate: "create an AI Gateway key",
ActionRead: "read AI Gateway keys",
ActionDelete: "delete an AI Gateway key",
},
},
"boundary_usage": { "boundary_usage": {
Actions: map[Action]ActionDefinition{ Actions: map[Action]ActionDefinition{
ActionRead: "read boundary usage statistics", ActionRead: "read boundary usage statistics",
coderd/rbac/roles_test.go
+18
View File
@@ -1204,6 +1204,24 @@ func TestRolePermissions(t *testing.T) {
}, },
}, },
}, },
{
// Only owners can manage AI Gateway keys. They hold
// a hashed bearer secret used to authenticate Gateway
// replicas to coderd. Keys are deployment-wide.
Name: "AIGatewayKey",
Actions: []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
Resource: rbac.ResourceAIGatewayKey,
AuthorizeMap: map[bool][]hasAuthSubjects{
true: {owner},
false: {
memberMe, agentsAccessUser,
orgAdmin, otherOrgAdmin,
orgAuditor, otherOrgAuditor,
templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin,
userAdmin, orgUserAdmin, otherOrgUserAdmin,
},
},
},
{ {
Name: "BoundaryUsage", Name: "BoundaryUsage",
Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete}, Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
coderd/rbac/scopes_constants_gen.go
+9
View File
@@ -7,6 +7,9 @@ package rbac
// declared in code, not here, to avoid duplication. // declared in code, not here, to avoid duplication.
const ( const (
ScopeAiGatewayKeyCreate ScopeName = "ai_gateway_key:create"
ScopeAiGatewayKeyDelete ScopeName = "ai_gateway_key:delete"
ScopeAiGatewayKeyRead ScopeName = "ai_gateway_key:read"
ScopeAiModelPriceRead ScopeName = "ai_model_price:read" ScopeAiModelPriceRead ScopeName = "ai_model_price:read"
ScopeAiModelPriceUpdate ScopeName = "ai_model_price:update" ScopeAiModelPriceUpdate ScopeName = "ai_model_price:update"
ScopeAiProviderCreate ScopeName = "ai_provider:create" ScopeAiProviderCreate ScopeName = "ai_provider:create"
@@ -187,6 +190,9 @@ func (e ScopeName) Valid() bool {
case ScopeName("coder:all"), case ScopeName("coder:all"),
ScopeName("coder:application_connect"), ScopeName("coder:application_connect"),
ScopeName("no_user_data"), ScopeName("no_user_data"),
ScopeAiGatewayKeyCreate,
ScopeAiGatewayKeyDelete,
ScopeAiGatewayKeyRead,
ScopeAiModelPriceRead, ScopeAiModelPriceRead,
ScopeAiModelPriceUpdate, ScopeAiModelPriceUpdate,
ScopeAiProviderCreate, ScopeAiProviderCreate,
@@ -368,6 +374,9 @@ func AllScopeNameValues() []ScopeName {
ScopeName("coder:all"), ScopeName("coder:all"),
ScopeName("coder:application_connect"), ScopeName("coder:application_connect"),
ScopeName("no_user_data"), ScopeName("no_user_data"),
ScopeAiGatewayKeyCreate,
ScopeAiGatewayKeyDelete,
ScopeAiGatewayKeyRead,
ScopeAiModelPriceRead, ScopeAiModelPriceRead,
ScopeAiModelPriceUpdate, ScopeAiModelPriceUpdate,
ScopeAiProviderCreate, ScopeAiProviderCreate,
codersdk/apikey_scopes_gen.go
+4
View File
@@ -6,6 +6,10 @@ const (
APIKeyScopeAll APIKeyScope = "all" APIKeyScopeAll APIKeyScope = "all"
// Deprecated: use codersdk.APIKeyScopeCoderApplicationConnect instead. // Deprecated: use codersdk.APIKeyScopeCoderApplicationConnect instead.
APIKeyScopeApplicationConnect APIKeyScope = "application_connect" APIKeyScopeApplicationConnect APIKeyScope = "application_connect"
APIKeyScopeAiGatewayKeyAll APIKeyScope = "ai_gateway_key:*"
APIKeyScopeAiGatewayKeyCreate APIKeyScope = "ai_gateway_key:create"
APIKeyScopeAiGatewayKeyDelete APIKeyScope = "ai_gateway_key:delete"
APIKeyScopeAiGatewayKeyRead APIKeyScope = "ai_gateway_key:read"
APIKeyScopeAiModelPriceAll APIKeyScope = "ai_model_price:*" APIKeyScopeAiModelPriceAll APIKeyScope = "ai_model_price:*"
APIKeyScopeAiModelPriceRead APIKeyScope = "ai_model_price:read" APIKeyScopeAiModelPriceRead APIKeyScope = "ai_model_price:read"
APIKeyScopeAiModelPriceUpdate APIKeyScope = "ai_model_price:update" APIKeyScopeAiModelPriceUpdate APIKeyScope = "ai_model_price:update"
codersdk/audit.go
+3
View File
@@ -48,6 +48,7 @@ const (
ResourceTypeAISeat ResourceType = "ai_seat" ResourceTypeAISeat ResourceType = "ai_seat"
ResourceTypeAIProvider ResourceType = "ai_provider" ResourceTypeAIProvider ResourceType = "ai_provider"
ResourceTypeAIProviderKey ResourceType = "ai_provider_key" ResourceTypeAIProviderKey ResourceType = "ai_provider_key"
ResourceTypeAIGatewayKey ResourceType = "ai_gateway_key"
ResourceTypeGroupAIBudget ResourceType = "group_ai_budget" ResourceTypeGroupAIBudget ResourceType = "group_ai_budget"
ResourceTypeChat ResourceType = "chat" ResourceTypeChat ResourceType = "chat"
ResourceTypeUserSecret ResourceType = "user_secret" ResourceTypeUserSecret ResourceType = "user_secret"
@@ -116,6 +117,8 @@ func (r ResourceType) FriendlyString() string {
return "ai provider" return "ai provider"
case ResourceTypeAIProviderKey: case ResourceTypeAIProviderKey:
return "ai provider key" return "ai provider key"
case ResourceTypeAIGatewayKey:
return "ai gateway key"
case ResourceTypeGroupAIBudget: case ResourceTypeGroupAIBudget:
return "group ai budget" return "group ai budget"
case ResourceTypeChat: case ResourceTypeChat:
codersdk/rbacresources_gen.go
+2
View File
@@ -5,6 +5,7 @@ type RBACResource string
const ( const (
ResourceWildcard RBACResource = "*" ResourceWildcard RBACResource = "*"
ResourceAIGatewayKey RBACResource = "ai_gateway_key"
ResourceAiModelPrice RBACResource = "ai_model_price" ResourceAiModelPrice RBACResource = "ai_model_price"
ResourceAIProvider RBACResource = "ai_provider" ResourceAIProvider RBACResource = "ai_provider"
ResourceAiSeat RBACResource = "ai_seat" ResourceAiSeat RBACResource = "ai_seat"
@@ -82,6 +83,7 @@ const (
// said resource type. // said resource type.
var RBACResourceActions = map[RBACResource][]RBACAction{ var RBACResourceActions = map[RBACResource][]RBACAction{
ResourceWildcard: {}, ResourceWildcard: {},
ResourceAIGatewayKey: {ActionCreate, ActionDelete, ActionRead},
ResourceAiModelPrice: {ActionRead, ActionUpdate}, ResourceAiModelPrice: {ActionRead, ActionUpdate},
ResourceAIProvider: {ActionCreate, ActionDelete, ActionRead, ActionUpdate}, ResourceAIProvider: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
ResourceAiSeat: {ActionCreate, ActionRead}, ResourceAiSeat: {ActionCreate, ActionRead},
docs/admin/security/audit-logs.md
+1
View File
@@ -15,6 +15,7 @@ We track the following resources:
| <b>Resource<b> | | | | <b>Resource<b> | | |
|-----------------------------------------------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------------------------------------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| AIGatewayKey<br><i>create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>created_at</td><td>false</td></tr><tr><td>hashed_secret</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_used_at</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>secret_prefix</td><td>true</td></tr></tbody></table> |
| AIProvider<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>base_url</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>enabled</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>settings</td><td>true</td></tr><tr><td>settings_key_id</td><td>false</td></tr><tr><td>type</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> | | AIProvider<br><i>create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>base_url</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>enabled</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>settings</td><td>true</td></tr><tr><td>settings_key_id</td><td>false</td></tr><tr><td>type</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> |
| AIProviderKey<br><i>create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>api_key</td><td>true</td></tr><tr><td>api_key_key_id</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>id</td><td>true</td></tr><tr><td>provider_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> | | AIProviderKey<br><i>create, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>api_key</td><td>true</td></tr><tr><td>api_key_key_id</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>id</td><td>true</td></tr><tr><td>provider_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table> |
| APIKey<br><i>login, logout, register, create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>allow_list</td><td>false</td></tr><tr><td>created_at</td><td>true</td></tr><tr><td>expires_at</td><td>true</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>true</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scopes</td><td>false</td></tr><tr><td>token_name</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table> | | APIKey<br><i>login, logout, register, create, write, delete</i> | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>allow_list</td><td>false</td></tr><tr><td>created_at</td><td>true</td></tr><tr><td>expires_at</td><td>true</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>true</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scopes</td><td>false</td></tr><tr><td>token_name</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table> |
docs/reference/api/members.md
Generated
+20 -20
View File
@@ -193,10 +193,10 @@ Status Code **200**
#### Enumerated Values #### Enumerated Values
| Property | Value(s) | | Property | Value(s) |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | | `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` |
| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | | `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` |
To perform this operation, you must be authenticated. [Learn more](authentication.md). To perform this operation, you must be authenticated. [Learn more](authentication.md).
@@ -326,10 +326,10 @@ Status Code **200**
#### Enumerated Values #### Enumerated Values
| Property | Value(s) | | Property | Value(s) |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | | `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` |
| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | | `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` |
To perform this operation, you must be authenticated. [Learn more](authentication.md). To perform this operation, you must be authenticated. [Learn more](authentication.md).
@@ -459,10 +459,10 @@ Status Code **200**
#### Enumerated Values #### Enumerated Values
| Property | Value(s) | | Property | Value(s) |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | | `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` |
| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | | `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` |
To perform this operation, you must be authenticated. [Learn more](authentication.md). To perform this operation, you must be authenticated. [Learn more](authentication.md).
@@ -554,10 +554,10 @@ Status Code **200**
#### Enumerated Values #### Enumerated Values
| Property | Value(s) | | Property | Value(s) |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | | `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` |
| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | | `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` |
To perform this operation, you must be authenticated. [Learn more](authentication.md). To perform this operation, you must be authenticated. [Learn more](authentication.md).
@@ -960,9 +960,9 @@ Status Code **200**
#### Enumerated Values #### Enumerated Values
| Property | Value(s) | | Property | Value(s) |
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` | | `action` | `application_connect`, `assign`, `create`, `create_agent`, `delete`, `delete_agent`, `read`, `read_personal`, `share`, `ssh`, `start`, `stop`, `unassign`, `update`, `update_agent`, `update_personal`, `use`, `view_insights` |
| `resource_type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | | `resource_type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` |
To perform this operation, you must be authenticated. [Learn more](authentication.md). To perform this operation, you must be authenticated. [Learn more](authentication.md).
docs/reference/api/schemas.md
Generated
+9 -9
View File
File diff suppressed because one or more lines are too long
docs/reference/api/users.md
Generated
+5 -5
View File
@@ -865,11 +865,11 @@ Status Code **200**
#### Enumerated Values #### Enumerated Values
| Property | Value(s) | | Property | Value(s) |
|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `type` | `*`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` | | `type` | `*`, `ai_gateway_key`, `ai_model_price`, `ai_provider`, `ai_seat`, `aibridge_interception`, `api_key`, `assign_org_role`, `assign_role`, `audit_log`, `boundary_log`, `boundary_usage`, `chat`, `connection_log`, `crypto_key`, `debug_info`, `deployment_config`, `deployment_stats`, `file`, `group`, `group_member`, `idpsync_settings`, `inbox_notification`, `license`, `notification_message`, `notification_preference`, `notification_template`, `oauth2_app`, `oauth2_app_code_token`, `oauth2_app_secret`, `organization`, `organization_member`, `prebuilt_workspace`, `provisioner_daemon`, `provisioner_jobs`, `replicas`, `system`, `tailnet_coordinator`, `task`, `template`, `usage_event`, `user`, `user_secret`, `user_skill`, `webpush_subscription`, `workspace`, `workspace_agent_devcontainers`, `workspace_agent_resource_monitor`, `workspace_dormant`, `workspace_proxy` |
| `login_type` | `github`, `oidc`, `password`, `token` | | `login_type` | `github`, `oidc`, `password`, `token` |
| `scope` | `all`, `application_connect` | | `scope` | `all`, `application_connect` |
To perform this operation, you must be authenticated. [Learn more](authentication.md). To perform this operation, you must be authenticated. [Learn more](authentication.md).
enterprise/audit/table.go
+9
View File
@@ -31,6 +31,7 @@ var AuditActionMap = map[string][]codersdk.AuditAction{
"AiSeatState": {codersdk.AuditActionCreate}, "AiSeatState": {codersdk.AuditActionCreate},
"AIProvider": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete}, "AIProvider": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"AIProviderKey": {codersdk.AuditActionCreate, codersdk.AuditActionDelete}, "AIProviderKey": {codersdk.AuditActionCreate, codersdk.AuditActionDelete},
"AIGatewayKey": {codersdk.AuditActionCreate, codersdk.AuditActionDelete},
"AuditableGroupAiBudget": {codersdk.AuditActionWrite, codersdk.AuditActionDelete}, "AuditableGroupAiBudget": {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
"Chat": {codersdk.AuditActionCreate, codersdk.AuditActionWrite}, // chats get 'archived' by users, not deleted. "Chat": {codersdk.AuditActionCreate, codersdk.AuditActionWrite}, // chats get 'archived' by users, not deleted.
"UserSecret": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete}, "UserSecret": {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
@@ -400,6 +401,14 @@ var auditableResourcesTypes = map[any]map[string]Action{
"created_at": ActionIgnore, // Implicit; not useful in a diff. "created_at": ActionIgnore, // Implicit; not useful in a diff.
"updated_at": ActionIgnore, // Changes; not useful in a diff. "updated_at": ActionIgnore, // Changes; not useful in a diff.
}, },
&database.AIGatewayKey{}: {
"id": ActionTrack,
"name": ActionTrack,
"secret_prefix": ActionTrack,
"hashed_secret": ActionSecret, // Bearer token hash, never expose.
"created_at": ActionIgnore, // Implicit; not useful in a diff.
"last_used_at": ActionIgnore, // Bumped on every use.
},
&database.TaskTable{}: { &database.TaskTable{}: {
"id": ActionTrack, "id": ActionTrack,
"organization_id": ActionIgnore, // Never changes. "organization_id": ActionIgnore, // Never changes.
site/src/api/rbacresourcesGenerated.ts
+5
View File
@@ -8,6 +8,11 @@ import type { RBACAction, RBACResource } from "./typesGenerated";
export const RBACResourceActions: Partial< export const RBACResourceActions: Partial<
Record<RBACResource, Partial<Record<RBACAction, string>>> Record<RBACResource, Partial<Record<RBACAction, string>>>
> = { > = {
ai_gateway_key: {
create: "create an AI Gateway key",
delete: "delete an AI Gateway key",
read: "read AI Gateway keys",
},
ai_model_price: { ai_model_price: {
read: "read AI model prices", read: "read AI model prices",
update: "update AI model prices", update: "update AI model prices",
site/src/api/typesGenerated.ts
Generated
+12
View File
@@ -518,6 +518,10 @@ export interface APIKey {
// From codersdk/apikey.go // From codersdk/apikey.go
export type APIKeyScope = export type APIKeyScope =
| "ai_gateway_key:*"
| "ai_gateway_key:create"
| "ai_gateway_key:delete"
| "ai_gateway_key:read"
| "ai_model_price:*" | "ai_model_price:*"
| "ai_model_price:read" | "ai_model_price:read"
| "ai_model_price:update" | "ai_model_price:update"
@@ -748,6 +752,10 @@ export type APIKeyScope =
| "workspace:update_agent"; | "workspace:update_agent";
export const APIKeyScopes: APIKeyScope[] = [ export const APIKeyScopes: APIKeyScope[] = [
"ai_gateway_key:*",
"ai_gateway_key:create",
"ai_gateway_key:delete",
"ai_gateway_key:read",
"ai_model_price:*", "ai_model_price:*",
"ai_model_price:read", "ai_model_price:read",
"ai_model_price:update", "ai_model_price:update",
@@ -6873,6 +6881,7 @@ export const RBACActions: RBACAction[] = [
// From codersdk/rbacresources_gen.go // From codersdk/rbacresources_gen.go
export type RBACResource = export type RBACResource =
| "ai_gateway_key"
| "ai_provider" | "ai_provider"
| "ai_model_price" | "ai_model_price"
| "ai_seat" | "ai_seat"
@@ -6924,6 +6933,7 @@ export type RBACResource =
| "workspace_proxy"; | "workspace_proxy";
export const RBACResources: RBACResource[] = [ export const RBACResources: RBACResource[] = [
"ai_gateway_key",
"ai_provider", "ai_provider",
"ai_model_price", "ai_model_price",
"ai_seat", "ai_seat",
@@ -7080,6 +7090,7 @@ export interface ResolveAutostartResponse {
// From codersdk/audit.go // From codersdk/audit.go
export type ResourceType = export type ResourceType =
| "ai_gateway_key"
| "ai_provider" | "ai_provider"
| "ai_provider_key" | "ai_provider_key"
| "ai_seat" | "ai_seat"
@@ -7115,6 +7126,7 @@ export type ResourceType =
| "workspace_proxy"; | "workspace_proxy";
export const ResourceTypes: ResourceType[] = [ export const ResourceTypes: ResourceType[] = [
"ai_gateway_key",
"ai_provider", "ai_provider",
"ai_provider_key", "ai_provider_key",
"ai_seat", "ai_seat",