
Fix agent model authorization principal#60

Merged
casey-brooks merged 1 commit into main from noa/issue-96 on May 20, 2026

Conversation

@casey-brooks
Contributor

Summary

  • Adds llm-proxy authorization diagnostics for the exact OpenFGA check tuple: user, relation, and object.
  • Logs the resolved principal components: identity_id, identity_type, workload ID, Ziti identity ID, resolved model ID, organization ID, and provider organization ID.
  • Preserves workload and Ziti identity data from Ziti management resolution and forwards optional identity metadata across gRPC calls.
  • Fixes agent authorization to check identity:<workload_id> when an agent request has a resolved workload ID; non-agent callers and agent calls without workload metadata continue using the resolved identity ID.

Fixes agynio/chat-app#96.

What the existing failure logs show

  • Failed chat-app e2e artifacts show the agent workload repeatedly receiving unexpected status 403 Forbidden: access denied from http://llm-proxy.ziti/v1/responses.
  • Existing llm-proxy logs only showed model resolution (remote_name=simple-hello, TestLLM endpoint) followed by proxy: error status=403 err=access denied, without the principal or tuple being checked.
  • Based on ziti-management, agent Ziti identities resolve to both an agent identity ID and a workload ID. This PR makes those values visible and authorizes agent model use against the workload principal expected for the runtime caller.

Test & Lint Summary

  • git diff --check: passed with no whitespace errors.
  • go test ./internal/proxy ./internal/auth ./internal/identity ./internal/zitimgmtclient: 2 packages passed, 2 packages had no test files, 0 failed, 0 skipped.
  • go test ./...: 4 packages passed, remaining packages had no test files, 0 failed, 0 skipped.
  • go vet ./...: passed with no errors.
  • go build ./...: passed.
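The principal selection and the check-tuple diagnostics described in this PR, written out as an added Go example (this is not the llm-proxy code itself). The Principal and CheckTuple struct names, the "agent" identity type value, the can_use relation and the model:<id> object format are assumptions; the PR only states the identity:<workload_id> user format and the list of logged components. The sample principal and the toy allow-list are constructed inline.

```go
package main

import (
	"fmt"
	"log"
)

// Principal is the set of resolved caller components the PR says llm-proxy
// now logs. The struct and field names are assumptions for this example.
type Principal struct {
	IdentityID     string // resolved identity ID
	IdentityType   string // "agent" for agent callers; other values are non-agent (assumption)
	WorkloadID     string // from Ziti management resolution; empty when not forwarded
	ZitiIdentityID string
	ModelID        string // resolved model ID
	OrgID          string // organization ID
	ProviderOrgID  string // provider organization ID
}

// CheckTuple is the exact OpenFGA (user, relation, object) triple that gets checked.
type CheckTuple struct {
	User     string
	Relation string
	Object   string
}

// The relation name and object format are assumptions; the PR only states the
// identity:<workload_id> user format.
const (
	modelRelation     = "can_use"
	modelObjectPrefix = "model:"
)

// legacyAuthzUser reproduces the pre-fix behaviour the PR describes: every
// caller, including an agent workload, was checked as its resolved identity ID.
func legacyAuthzUser(p Principal) string {
	return "identity:" + p.IdentityID
}

// authzUser implements the fix: an agent request with a resolved workload ID is
// checked as identity:<workload_id>; non-agent callers and agent calls without
// workload metadata keep using the resolved identity ID.
func authzUser(p Principal) string {
	if p.IdentityType == "agent" && p.WorkloadID != "" {
		return "identity:" + p.WorkloadID
	}
	return "identity:" + p.IdentityID
}

// buildCheckTuple assembles the tuple for a model-use check.
func buildCheckTuple(p Principal) CheckTuple {
	return CheckTuple{
		User:     authzUser(p),
		Relation: modelRelation,
		Object:   modelObjectPrefix + p.ModelID,
	}
}

// diagnosticLine renders the diagnostics the PR adds: the tuple being checked
// plus every resolved principal component, so a 403 can be traced to the
// principal that was actually evaluated instead of a bare "access denied".
func diagnosticLine(p Principal, t CheckTuple, allowed bool) string {
	return fmt.Sprintf(
		"authz check user=%s relation=%s object=%s allowed=%t "+
			"identity_id=%s identity_type=%s workload_id=%q ziti_identity_id=%s "+
			"model_id=%s org_id=%s provider_org_id=%s",
		t.User, t.Relation, t.Object, allowed,
		p.IdentityID, p.IdentityType, p.WorkloadID, p.ZitiIdentityID,
		p.ModelID, p.OrgID, p.ProviderOrgID)
}

func main() {
	// Constructed sample principal for an agent workload calling /v1/responses.
	agent := Principal{
		IdentityID:     "id-agent-1",
		IdentityType:   "agent",
		WorkloadID:     "wl-42",
		ZitiIdentityID: "ziti-abc",
		ModelID:        "simple-hello",
		OrgID:          "org-1",
		ProviderOrgID:  "provider-org-1",
	}
	// Constructed toy authorization store: only the workload principal is allowed.
	allowed := map[CheckTuple]bool{
		{User: "identity:wl-42", Relation: modelRelation, Object: "model:simple-hello"}: true,
	}

	before := CheckTuple{User: legacyAuthzUser(agent), Relation: modelRelation, Object: modelObjectPrefix + agent.ModelID}
	after := buildCheckTuple(agent)
	log.Print(diagnosticLine(agent, before, allowed[before])) // allowed=false: the old 403 path
	log.Print(diagnosticLine(agent, after, allowed[after]))   // allowed=true: checked as the workload
}
```

The two log lines in main show why the tuple diagnostics matter: both requests carry the same identity_id and workload_id, and only the user= field of the tuple reveals that the legacy path asked OpenFGA about the agent identity rather than the workload the tuples were written for.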

@casey-brooks
Contributor Author

Test & Lint Summary

  • git diff --check: passed with no whitespace errors.
  • go test ./internal/proxy ./internal/auth ./internal/identity ./internal/zitimgmtclient: 2 packages passed, 2 packages had no test files, 0 failed, 0 skipped.
  • go test ./...: 4 packages passed, remaining packages had no test files, 0 failed, 0 skipped.
  • go vet ./...: passed with no errors.
  • go build ./...: passed.

@casey-brooks casey-brooks merged commit 95f4414 into main May 20, 2026
1 of 2 checks passed
@casey-brooks casey-brooks deleted the noa/issue-96 branch May 20, 2026 17:29


Development

Successfully merging this pull request may close these issues.

Instrument llm-proxy authorization mismatch causing chat e2e 403
