9.4 KiB
Integration Settings Architecture Analysis
Current Setup (As of Dec 10, 2025)
1. How It Works Now
System Architecture:
┌─────────────────────────────────────────────────────────────┐
│ INTEGRATION SETTINGS (System-Wide API Keys) │
│ Stored in: IntegrationSettings model │
│ Account: AWS Admin (slug: aws-admin) │
└─────────────────────────────────────────────────────────────┘
│
│ Fallback mechanism
↓
┌─────────────────────────────────────────┐
│ │
↓ ↓
┌──────────────────┐ ┌──────────────────┐
│ SUPER USER │ │ NORMAL USER │
│ dev@igny8.com │ │ paid2@paid.com │
│ │ │ │
│ Role: developer │ │ Role: owner │
│ Superuser: True │ │ Superuser: False│
│ Account: │ │ Account: │
│ AWS Admin │ │ Paid 2 │
└──────────────────┘ └──────────────────┘
│ │
│ Can access & modify │ Cannot access
│ Integration Settings │ Integration Settings
│ │
↓ ↓
┌──────────────────┐ ┌──────────────────┐
│ FRONTEND: │ │ FRONTEND: │
│ Settings → │ │ (No access to │
│ Integration │ │ settings page) │
│ Page │ │ │
└──────────────────┘ └──────────────────┘
│
│ Uses AI functions
↓
┌──────────────────────┐
│ BACKEND: │
│ get_model_config() │
│ Falls back to │
│ aws-admin settings │
└──────────────────────┘
2. Current Database State
AWS Admin Account Integration Settings:
- OpenAI: Active, has API key, model: gpt-4o-mini
- Runware: Active, has API key
- Image Generation: Active, no API key (uses OpenAI/Runware settings)
Normal User Accounts:
- Have NO integration settings in database
- Use aws-admin settings via fallback
3. Permission Architecture
IntegrationSettingsViewSet:
permission_classes = [
IsAuthenticatedAndActive, # Must be logged in and active
HasTenantAccess, # Must have account
IsSystemAccountOrDeveloper # Must be superuser/developer/system user
]
Who Can Access:
- ✅ dev@igny8.com (superuser=True, role=developer)
- ❌ paid2@paid.com (superuser=False, role=owner)
Exception - task_progress endpoint:
@action(..., permission_classes=[IsAuthenticatedAndActive])
def task_progress(self, request, task_id=None):
- ✅ All authenticated users can check task progress
4. How Normal Users Use System API Keys
Flow:
- Normal user calls AI function (auto_cluster, generate_ideas, etc.)
- Backend calls
get_model_config(function_name, account) - Function checks user's account for IntegrationSettings
- User account has no settings → Fallback triggered
- Checks system accounts in order:
aws-admin→default-account→default - Uses aws-admin account's OpenAI settings
- AI function executes with system API key
Code Reference: backend/igny8_core/ai/settings.py lines 54-72
5. Your Questions Answered
Q: What is super user relation for integration config which are globally used?
A: Super user (dev@igny8.com) belongs to AWS Admin account. Integration settings are stored per-account in the database:
- AWS Admin account has the integration settings
- Super user can access/modify these via Integration Settings page in frontend
- These settings are "globally used" because ALL normal users fall back to them
Q: Do we have to use only backend Django admin to make changes?
A: No! You have TWO options:
-
Frontend Integration Settings Page (Recommended)
- Login as dev@igny8.com
- Go to Settings → Integration
- Modify OpenAI/Runware settings
- Changes saved to IntegrationSettings model for aws-admin account
-
Django Admin (Alternative)
- Access: http://api.igny8.com/admin/
- Navigate to System → Integration Settings
- Find aws-admin account settings
- Modify directly
Q: Can normal users access integration settings?
A: Currently: NO (by design)
The permission class IsSystemAccountOrDeveloper blocks normal users from:
- Viewing integration settings page
- Modifying API keys
- Testing connections
Normal users transparently use system API keys via fallback.
6. Current Issues You Mentioned
Issue 1: "Super user is now unable to change settings"
Status: This should work! Let me verify:
- dev@igny8.com has is_superuser=True ✓
- dev@igny8.com has role=developer ✓
- Permission class allows superuser/developer ✓
Possible causes if not working:
- Frontend routing issue (Integration page not accessible)
- Permission check failing due to HasTenantAccess
- Frontend not sending proper Authorization header
Issue 2: "There are some wrong configs in aws-admin integration services"
Current Config:
OpenAI:
- model: "gpt-4o-mini"
- active: true
- has API key: true
Runware:
- active: true
- has API key: true
Image Generation:
- active: true
- has API key: false ← WRONG! Should use OpenAI or Runware key
Fix needed: Image generation settings should reference OpenAI or Runware, not have its own API key field.
7. Recommendations
Option A: Keep Current Architecture (Recommended)
- Super user controls all API keys via AWS Admin account
- Normal users transparently use system keys
- Simple, centralized control
- Action needed:
- Verify super user can access Integration Settings page
- Fix image_generation config (remove apiKey field, ensure provider is set)
- Test that normal users can use AI functions
Option B: Allow Per-Account API Keys
- Each account can configure their own API keys
- Fallback to system if not configured
- More complex, but gives users control
- Action needed:
- Remove IsSystemAccountOrDeveloper from viewset
- Add UI to show "using system defaults" vs "custom keys"
- Update get_model_config to prefer user keys over system
Option C: Hybrid Approach
- Normal users can VIEW system settings (read-only)
- Only super users can MODIFY
- Allows transparency without risk
- Action needed:
- Create separate permission for view vs modify
- Update frontend to show read-only view for normal users
8. Verification Commands
Check if super user can access Integration Settings:
# Login as dev@igny8.com in frontend
# Navigate to Settings → Integration
# Should see OpenAI/Runware/Image Generation tabs
Check integration settings in database:
docker compose exec -T igny8_backend python manage.py shell <<'EOF'
from igny8_core.modules.system.models import IntegrationSettings
from igny8_core.auth.models import Account
aws = Account.objects.get(slug='aws-admin')
for s in IntegrationSettings.objects.filter(account=aws):
print(f"{s.integration_type}: active={s.is_active}, has_key={bool(s.config.get('apiKey'))}")
EOF
Test normal user AI function access:
# Login as paid2@paid.com
# Try auto_cluster on keywords
# Should work using aws-admin OpenAI key
9. Next Steps
Based on your needs, tell me:
-
Can dev@igny8.com access the Integration Settings page in the frontend?
- If NO: We need to debug permission/routing issue
- If YES: Proceed to fix wrong configs
-
What wrong configs need to be fixed in aws-admin integration?
- Specific model versions?
- API key rotation?
- Image generation settings?
-
Do you want to keep current architecture (super user only) or allow normal users to configure their own keys?
I'm ready to help fix specific issues once you clarify the current state and desired behavior.