Enhancements to Secret Management

Author: maxjeblick

Pipfile

@@ -50,6 +50,7 @@ tiktoken = "==0.4.0"
 hf-transfer = "==0.1.3"
 peft = "==0.5.0"
 azure-storage-file-datalake = ">=12.12.0"
+keyring = "==24.2.0"
 
 [dev-packages]
 black = "==23.7.0"

Pipfile.lock

@@ -54,6 +54,7 @@ Using CLI for fine-tuning LLMs:
 
 ## What's New
 
+- [PR 364](https://github.com/h2oai/h2o-llmstudio/pull/364) User secrets are now handled more securely and flexible. Support for handling secrets using the 'keyring' library was added. User settings are tried to be migrated automatically.
 - [PR 328](https://github.com/h2oai/h2o-llmstudio/pull/328) RLHF is now a separate problem type. Note that starting a new RLHF experiment from an old experiment that used RLHF is no longer supported. To continue from a previous experiment, please start a new experiment and enter the settings from the previous experiment manually. 
 - [PR 308](https://github.com/h2oai/h2o-llmstudio/pull/308) Sequence to sequence models have been added as a new problem type.
 - [PR 152](https://github.com/h2oai/h2o-llmstudio/pull/152) Add RLHF functionality for fine-tuning LLMs.

README.md

@@ -85,6 +85,7 @@ def get_size(x):
     ],
     "user_settings": {
         "theme_dark": True,
+        "credential_saver": ".env File",
         "default_aws_bucket_name": f"{os.getenv('AWS_BUCKET', 'bucket_name')}",
         "default_aws_access_key": os.getenv("AWS_ACCESS_KEY_ID", ""),
         "default_aws_secret_key": os.getenv("AWS_SECRET_ACCESS_KEY", ""),

llm_studio/app_utils/config.py

@@ -42,11 +42,12 @@
     list_current_experiments,
 )
 from llm_studio.app_utils.sections.settings import settings
-from llm_studio.app_utils.utils import (
-    add_model_type,
-    load_user_settings,
-    save_user_settings,
+from llm_studio.app_utils.setting_utils import (
+    load_default_user_settings,
+    load_user_settings_and_secrets,
+    save_user_settings_and_secrets,
 )
+from llm_studio.app_utils.utils import add_model_type
 from llm_studio.app_utils.wave_utils import report_error, wave_utils_handle_error
 
 logger = logging.getLogger(__name__)
@@ -77,13 +78,13 @@ async def handle(q: Q) -> None:
             await settings(q)
         elif q.args["save_settings"]:
             logger.info("Saving user settings")
-            save_user_settings(q)
+            await save_user_settings_and_secrets(q)
             await settings(q)
         elif q.args["load_settings"]:
-            load_user_settings(q)
+            load_user_settings_and_secrets(q)
             await settings(q)
         elif q.args["restore_default_settings"]:
-            load_user_settings(q, force_defaults=True)
+            load_default_user_settings(q)
             await settings(q)
 
         elif q.args["report_error"]:

llm_studio/app_utils/handlers.py

@@ -6,21 +6,20 @@
 from bokeh.resources import Resources as BokehResources
 from h2o_wave import Q
 
+from llm_studio.app_utils.config import default_cfg
+from llm_studio.app_utils.db import Database, Dataset
 from llm_studio.app_utils.sections.common import interface
-from llm_studio.src.utils.config_utils import load_config_py, save_config_yaml
-
-from .config import default_cfg
-from .db import Database, Dataset
-from .utils import (
+from llm_studio.app_utils.setting_utils import load_user_settings_and_secrets
+from llm_studio.app_utils.utils import (
     get_data_dir,
     get_database_dir,
     get_download_dir,
     get_output_dir,
     get_user_db_path,
     get_user_name,
-    load_user_settings,
     prepare_default_dataset,
 )
+from llm_studio.src.utils.config_utils import load_config_py, save_config_yaml
 
 logger = logging.getLogger(__name__)
 
@@ -97,7 +96,7 @@ async def initialize_client(q: Q) -> None:
 
         import_data(q)
 
-        load_user_settings(q)
+        load_user_settings_and_secrets(q)
 
         await interface(q)
 

llm_studio/app_utils/initializers.py

@@ -4,6 +4,7 @@
 from h2o_wave import Q, ui
 
 from llm_studio.app_utils.sections.common import clean_dashboard
+from llm_studio.app_utils.setting_utils import Secrets
 from llm_studio.src.loggers import Loggers
 
 
@@ -24,6 +25,34 @@ async def settings(q: Q) -> None:
                 'Save settings persistently' button below. To reload \
                 the persistently saved settings, use the 'Load settings' button.",
             ),
+            ui.separator("Credential Storage"),
+            ui.inline(
+                items=[
+                    ui.label("Credential Handler", width=label_width),
+                    ui.dropdown(
+                        name="credential_saver",
+                        value=q.client["credential_saver"],
+                        choices=[ui.choice(name, name) for name in Secrets.names()],
+                        trigger=False,
+                        width="300px",
+                    ),
+                ]
+            ),
+            ui.message_bar(
+                type="info",
+                text="""Method used to save credentials (passwords) \
+                for 'Save settings persistently'. \
+                The recommended approach for saving credentials (passwords) is to \
+                use either Keyring or to avoid permanent storage \
+                (requiring re-entry upon app restart). \
+                Keyring will be disabled if it is not set up on the host machine. \
+                Only resort to local .env if your machine's \
+                accessibility is restricted to you.\n\
+                When you select 'Save settings persistently', \
+                credentials will be removed from all non-selected methods. \
+                'Restore Default Settings' will clear credentials from all methods.
+                """,
+            ),
             ui.separator("Appearance"),
             ui.inline(
                 items=[