Updated docs and samples for to separate privilege

aosingh · aosingh · commit 1ae6aa069e76 · 2025-10-23T16:45:34.000-07:00
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -8,7 +8,7 @@ jobs:
       fail-fast: true
       matrix:
         os: [ ubuntu-latest ]
-        python-version: ['3.9', '3.13']
+        python-version: ['3.11', '3.12', '3.13']
 
     steps:
       - name: Check out python-select-ai repository code
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,7 @@ doc/drawio
 test.env
 test_19c.env
 pytest.env
+.venv3.10/
+.venv3.11/
+.venv3.9/
+sample_connect.py
diff --git a/doc/source/user_guide/privileges.rst b/doc/source/user_guide/privileges.rst
@@ -0,0 +1,55 @@
+.. _privileges:
+
+Admin user should grant execute privilege to select ai database users
+on the packages ``DBMS_CLOUD``, ``DBMS_CLOUD_AI``, ``DBMS_CLOUD_AI_AGENT``
+and ``DBMS_CLOUD_PIPELINE``
+
+.. note::
+
+   All sample scripts in this documentation read Oracle database connection
+   details from the environment. Create a dotenv file ``.env``, export the
+   the following environment variables and source it before running the
+   scripts.
+
+   .. code-block:: sh
+
+       export SELECT_AI_ADMIN_USER=<db_admin>
+       export SELECT_AI_ADMIN_PASSWORD=<db_admin_password>
+       export SELECT_AI_USER=<select_ai_db_user>
+       export SELECT_AI_PASSWORD=<select_ai_db_password>
+       export SELECT_AI_DB_CONNECT_STRING=<db_connect_string>
+       export TNS_ADMIN=<path/to/dir_containing_tnsnames.ora>
+
+***************
+Grant privilege
+***************
+
+Connect as admin and run the method
+``select_ai.grant_privileges(users=select_ai_user)`` to grant relevant select ai
+privileges to other users
+
+
+.. literalinclude:: ../../../samples/select_ai_grant_privilege.py
+   :language: python
+   :lines: 15-
+
+output::
+
+    Granted privileges to: <select_ai_db_user>
+
+
+****************
+Revoke privilege
+****************
+
+Similarly, to revoke use the method
+``select_ai.revoke_privileges(users=select_ai_user)``
+
+
+.. literalinclude:: ../../../samples/select_ai_revoke_privilege.py
+   :language: python
+   :lines: 15-
+
+output::
+
+    Granted privileges to: <select_ai_db_user>
diff --git a/doc/source/user_guide/provider.rst b/doc/source/user_guide/provider.rst
@@ -87,32 +87,15 @@ for the supported providers
 Enable AI service provider
 **************************
 
-.. note::
-
-   All sample scripts in this documentation read Oracle database connection
-   details from the environment. Create a dotenv file ``.env``, export the
-   the following environment variables and source it before running the
-   scripts.
-
-   .. code-block:: sh
-
-       export SELECT_AI_ADMIN_USER=<db_admin>
-       export SELECT_AI_ADMIN_PASSWORD=<db_admin_password>
-       export SELECT_AI_USER=<select_ai_db_user>
-       export SELECT_AI_PASSWORD=<select_ai_db_password>
-       export SELECT_AI_DB_CONNECT_STRING=<db_connect_string>
-       export TNS_ADMIN=<path/to/dir_containing_tnsnames.ora>
-
 Sync API
 ++++++++
 
-This method grants execute privilege on the packages
-``DBMS_CLOUD``, ``DBMS_CLOUD_AI`` and ``DBMS_CLOUD_PIPELINE``. It
-also enables the database user to invoke the AI(LLM) endpoint
+This method adds ACL allowing database users to invoke AI provider's
+HTTP endpoint
 
 .. literalinclude:: ../../../samples/enable_ai_provider.py
    :language: python
-   :lines: 15-
+   :lines: 14-
 
 output::
 
@@ -136,6 +119,9 @@ output::
 Disable AI service provider
 ***************************
 
+This method removes ACL blocking database users to invoke AI provider's
+HTTP endpoint
+
 Sync API
 ++++++++
 
diff --git a/samples/async/disable_ai_provider.py b/samples/async/disable_ai_provider.py
@@ -8,7 +8,7 @@
 # -----------------------------------------------------------------------------
 # async/disable_ai_provider.py
 #
-# Async API to disable AI provider for database users
+# Remove ACL to invoke AI provider's HTTP endpoint
 # -----------------------------------------------------------------------------
 
 import asyncio
@@ -24,7 +24,7 @@
 
 async def main():
     await select_ai.async_connect(user=admin_user, password=password, dsn=dsn)
-    await select_ai.async_disable_provider(
+    await select_ai.async_revoke_http_access(
         users=select_ai_user, provider_endpoint="*.openai.azure.com"
     )
     print("Disabled AI provider for user: ", select_ai_user)
diff --git a/samples/async/enable_ai_provider.py b/samples/async/enable_ai_provider.py
@@ -8,7 +8,7 @@
 # -----------------------------------------------------------------------------
 # async/enable_ai_provider.py
 #
-# Async API to enable AI provider for database users
+# Add ACL to invoke AI provider's HTTP endpoint
 # -----------------------------------------------------------------------------
 
 import asyncio
@@ -24,7 +24,7 @@
 
 async def main():
     await select_ai.async_connect(user=admin_user, password=password, dsn=dsn)
-    await select_ai.async_enable_provider(
+    await select_ai.async_grant_http_access(
         users=select_ai_user, provider_endpoint="*.openai.azure.com"
     )
     print("Enabled AI provider for user: ", select_ai_user)
diff --git a/samples/async/select_ai_grant_privilege.py b/samples/async/select_ai_grant_privilege.py
@@ -0,0 +1,34 @@
+# -----------------------------------------------------------------------------
+# Copyright (c) 2025, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+# -----------------------------------------------------------------------------
+
+# -----------------------------------------------------------------------------
+# async/select_ai_grant_privilege.py
+#
+# Grant execute privileges on DBMS_CLOUD, DMBS_CLOUD_AI, DBMS_CLOUD_AI_AGENT
+# and DBMS_CLOUD_PIPELINE PL/SQL packages
+# -----------------------------------------------------------------------------
+
+import asyncio
+import os
+
+import select_ai
+
+admin_user = os.getenv("SELECT_AI_ADMIN_USER")
+password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
+dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
+select_ai_user = os.getenv("SELECT_AI_USER")
+
+
+async def main():
+    await select_ai.async_connect(user=admin_user, password=password, dsn=dsn)
+    await select_ai.async_grant_privileges(
+        users=select_ai_user,
+    )
+    print("Granted privileges to: ", select_ai_user)
+
+
+asyncio.run(main())
diff --git a/samples/async/select_ai_revoke_privilege.py b/samples/async/select_ai_revoke_privilege.py
@@ -0,0 +1,34 @@
+# -----------------------------------------------------------------------------
+# Copyright (c) 2025, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+# -----------------------------------------------------------------------------
+
+# -----------------------------------------------------------------------------
+# async/select_ai_revoke_privilege.py
+#
+# Revoke execute privileges on DBMS_CLOUD, DMBS_CLOUD_AI, DBMS_CLOUD_AI_AGENT
+# and DBMS_CLOUD_PIPELINE PL/SQL packages
+# -----------------------------------------------------------------------------
+
+import asyncio
+import os
+
+import select_ai
+
+admin_user = os.getenv("SELECT_AI_ADMIN_USER")
+password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
+dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
+select_ai_user = os.getenv("SELECT_AI_USER")
+
+
+async def main():
+    await select_ai.async_connect(user=admin_user, password=password, dsn=dsn)
+    await select_ai.async_revoke_privileges(
+        users=select_ai_user,
+    )
+    print("Revoked privileges from: ", select_ai_user)
+
+
+asyncio.run(main())
diff --git a/samples/disable_ai_provider.py b/samples/disable_ai_provider.py
@@ -8,9 +8,9 @@
 # -----------------------------------------------------------------------------
 # disable_ai_provider.py
 #
-# Revokes privileges from the database user and removes ACL to invoke the AI
-# Provider endpoint
+# Removes ACL to invoke the AI Provider's HTTP endpoint
 # -----------------------------------------------------------------------------
+
 import os
 
 import select_ai
@@ -21,7 +21,7 @@
 select_ai_user = os.getenv("SELECT_AI_USER")
 
 select_ai.connect(user=admin_user, password=password, dsn=dsn)
-select_ai.disable_provider(
+select_ai.revoke_http_access(
     users=select_ai_user, provider_endpoint="*.openai.azure.com"
 )
 print("Disabled AI provider for user: ", select_ai_user)
diff --git a/samples/enable_ai_provider.py b/samples/enable_ai_provider.py
@@ -8,8 +8,7 @@
 # -----------------------------------------------------------------------------
 # enable_ai_provider.py
 #
-# Grants privileges to the database user and add ACL to invoke the AI Provider
-# endpoint
+# Adds ACL to invoke the AI Provider's HTTP endpoint
 # -----------------------------------------------------------------------------
 
 import os
@@ -22,7 +21,7 @@
 select_ai_user = os.getenv("SELECT_AI_USER")
 
 select_ai.connect(user=admin_user, password=password, dsn=dsn)
-select_ai.enable_provider(
+select_ai.grant_http_access(
     users=select_ai_user, provider_endpoint="api.OPENAI.com"
 )
 print("Enabled AI provider for user: ", select_ai_user)
diff --git a/samples/select_ai_grant_privilege.py b/samples/select_ai_grant_privilege.py
@@ -0,0 +1,27 @@
+# -----------------------------------------------------------------------------
+# Copyright (c) 2025, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+# -----------------------------------------------------------------------------
+
+# -----------------------------------------------------------------------------
+# select_ai_grant_privilege.py
+#
+# Grant execute privileges on DBMS_CLOUD, DMBS_CLOUD_AI, DBMS_CLOUD_AI_AGENT
+# and DBMS_CLOUD_PIPELINE PL/SQL packages
+# -----------------------------------------------------------------------------
+
+import os
+
+import select_ai
+
+admin_user = os.getenv("SELECT_AI_ADMIN_USER")
+password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
+dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
+select_ai_user = os.getenv("SELECT_AI_USER")
+
+
+select_ai.connect(user=admin_user, password=password, dsn=dsn)
+select_ai.grant_privileges(users=select_ai_user)
+print("Granted privileges to: ", select_ai_user)
diff --git a/samples/select_ai_revoke_privilege.py b/samples/select_ai_revoke_privilege.py
@@ -0,0 +1,27 @@
+# -----------------------------------------------------------------------------
+# Copyright (c) 2025, Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at
+# http://oss.oracle.com/licenses/upl.
+# -----------------------------------------------------------------------------
+
+# -----------------------------------------------------------------------------
+# select_ai_revoke_privilege.py
+#
+# Revoke execute privileges on DBMS_CLOUD, DMBS_CLOUD_AI, DBMS_CLOUD_AI_AGENT
+# and DBMS_CLOUD_PIPELINE PL/SQL packages
+# -----------------------------------------------------------------------------
+
+import os
+
+import select_ai
+
+admin_user = os.getenv("SELECT_AI_ADMIN_USER")
+password = os.getenv("SELECT_AI_ADMIN_PASSWORD")
+dsn = os.getenv("SELECT_AI_DB_CONNECT_STRING")
+select_ai_user = os.getenv("SELECT_AI_USER")
+
+
+select_ai.connect(user=admin_user, password=password, dsn=dsn)
+select_ai.revoke_privileges(users=select_ai_user)
+print("Revoked privileges from: ", select_ai_user)
diff --git a/src/select_ai/__init__.py b/src/select_ai/__init__.py
@@ -34,9 +34,11 @@
     async_grant_http_access,
     async_grant_privileges,
     async_revoke_http_access,
+    async_revoke_privileges,
     grant_http_access,
     grant_privileges,
     revoke_http_access,
+    revoke_privileges,
 )
 from .profile import Profile
 from .provider import (
diff --git a/src/select_ai/base_profile.py b/src/select_ai/base_profile.py
@@ -114,10 +114,10 @@ async def async_create(cls, **kwargs):
         for k, v in kwargs.items():
             if isinstance(v, oracledb.AsyncLOB):
                 v = await v.read()
-                if k in Provider.keys():
-                    provider_attributes[Provider.key_alias(k)] = v
-                else:
-                    profile_attributes[k] = v
+            if k in Provider.keys():
+                provider_attributes[Provider.key_alias(k)] = v
+            else:
+                profile_attributes[k] = v
         provider = Provider.create(**provider_attributes)
         profile_attributes["provider"] = provider
         return ProfileAttributes(**profile_attributes)
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -25,14 +25,14 @@
 #           OpenAI
 #   PYSAI_TEST_OPENAI_API_KEY
 
-
 import os
+import uuid
 
 import pytest
 import select_ai
 
 PYSAI_TEST_USER = "PYSAI_TEST_USER"
-PYSAI_OCI_CREDENTIAL_NAME = "PYSAI_OCI_CREDENTIAL"
+PYSAI_OCI_CREDENTIAL_NAME = f"PYSAI_OCI_CREDENTIAL_{uuid.uuid4().hex.upper()}"
 
 
 def get_env_value(name, default_value=None, required=False):
@@ -110,7 +110,9 @@ def connect(setup_test_user, test_env):
 
 @pytest.fixture(autouse=True, scope="session")
 async def async_connect(setup_test_user, test_env, anyio_backend):
-    await select_ai.async_connect(**test_env.connect_params())
+    await select_ai.async_connect(
+        **test_env.connect_params(), disable_oob=True
+    )
     yield
     await select_ai.async_disconnect()
 
@@ -147,7 +149,8 @@ def oci_credential(connect, test_env):
         "fingerprint": get_env_value("OCI_FINGERPRINT", required=True),
     }
     select_ai.create_credential(credential, replace=True)
-    return credential
+    yield credential
+    select_ai.delete_credential(PYSAI_OCI_CREDENTIAL_NAME)
 
 
 @pytest.fixture(scope="module")
diff --git a/tests/test_1000_basic_sanity.py b/tests/test_1000_basic_sanity.py
@@ -30,7 +30,6 @@ def oci_gen_ai_profile(oci_credential, oci_compartment_id, test_env):
                 oci_compartment_id=oci_compartment_id, oci_apiformat="GENERIC"
             ),
         ),
-        replace=True,
     )
     yield profile
     profile.delete(force=True)
diff --git a/tests/test_1100_basic_sanity_async.py b/tests/test_1100_basic_sanity_async.py
