From a60e85a15877b1c6352b5371e7fb235c93c84dcf Mon Sep 17 00:00:00 2001 From: "yunlu.wen" Date: Fri, 8 May 2026 09:52:00 +0800 Subject: [PATCH] allow skipping runtime credential check --- api/configs/enterprise/__init__.py | 6 ++++++ api/core/entities/provider_configuration.py | 9 +++++---- api/core/helper/credential_utils.py | 9 +++++++++ api/core/model_manager.py | 8 ++++---- api/core/tools/tool_manager.py | 4 ++-- 5 files changed, 26 insertions(+), 10 deletions(-) diff --git a/api/configs/enterprise/__init__.py b/api/configs/enterprise/__init__.py index 8a6a921a4e..1e56d761fe 100644 --- a/api/configs/enterprise/__init__.py +++ b/api/configs/enterprise/__init__.py @@ -23,6 +23,12 @@ class EnterpriseFeatureConfig(BaseSettings): ge=1, description="Maximum timeout in seconds for enterprise requests", default=5 ) + ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK: bool = Field( + default=False, + description="When disabled, credential policy check is disabled at workflow run time." + "You can disable to gain performance by trading off consistency", + ) + class EnterpriseTelemetryConfig(BaseSettings): """ diff --git a/api/core/entities/provider_configuration.py b/api/core/entities/provider_configuration.py index a9f2300ba2..7179629326 100644 --- a/api/core/entities/provider_configuration.py +++ b/api/core/entities/provider_configuration.py @@ -9,6 +9,7 @@ from pydantic import BaseModel, ConfigDict, Field, model_validator from sqlalchemy import func, select from sqlalchemy.orm import Session +from configs import dify_config from constants import HIDDEN_VALUE from core.entities.model_entities import ModelStatus, ModelWithProviderEntity, SimpleModelProviderEntity from core.entities.provider_entities import ( 
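Review bot: The `description` of `ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK` reads backwards and understates what the flag does: the check is skipped when the flag is set to true, and the two adjacent string literals join without a space ("run time.You can"). The later hunks in this patch route both MODEL and TOOL credential checks through the flag, so setting it lets a credential that policy no longer allows keep working at run time, which is an enforcement gap and not only a consistency trade-off. I would reword it along the lines of `description="When true, credential policy checks are skipped at workflow run time for model and tool credentials. Credentials that policy no longer allows stay usable; enable only if that is acceptable."`. Logging a warning at startup when the flag is on would also make the weakened enforcement visible to operators.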
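Review bot: The added `from configs import dify_config` in `provider_configuration.py` is not used by either of the two call-site hunks for this file, which only switch to `runtime_check_credential_policy_compliance`; the flag itself is read inside `credential_utils.py`. Unless code outside the visible hunks uses it, drop the import so linting stays clean and the flag is read in exactly one place.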
@@ -144,9 +145,9 @@ class ProviderConfiguration(BaseModel): current_credential_id = self.custom_configuration.provider.current_credential_id if current_credential_id: - from core.helper.credential_utils import check_credential_policy_compliance + from core.helper.credential_utils import runtime_check_credential_policy_compliance - check_credential_policy_compliance( + runtime_check_credential_policy_compliance( credential_id=current_credential_id, provider=self.provider.provider, credential_type=PluginCredentialType.MODEL, @@ -155,9 +156,9 @@ class ProviderConfiguration(BaseModel): # no current credential id, check all available credentials if self.custom_configuration.provider: for credential_configuration in self.custom_configuration.provider.available_credentials: - from core.helper.credential_utils import check_credential_policy_compliance + from core.helper.credential_utils import runtime_check_credential_policy_compliance - check_credential_policy_compliance( + runtime_check_credential_policy_compliance( credential_id=credential_configuration.credential_id, provider=self.provider.provider, credential_type=PluginCredentialType.MODEL, diff --git a/api/core/helper/credential_utils.py b/api/core/helper/credential_utils.py index 240f498181..c608fb0290 100644 --- a/api/core/helper/credential_utils.py +++ b/api/core/helper/credential_utils.py @@ -2,6 +2,7 @@ Credential utility functions for checking credential existence and policy compliance. """ +from dify.api.configs import dify_config from services.enterprise.plugin_manager_service import PluginCredentialType 
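Review bot: The new import `from dify.api.configs import dify_config` in `credential_utils.py` uses a different module path from the rest of the patch: `provider_configuration.py` adds `from configs import dify_config`, and the neighbouring import in this file is `from services.enterprise.plugin_manager_service import PluginCredentialType`, both rooted at `api/`. If `dify.api` is not an importable package in the deployed layout, this raises at import time, and because every call site in this patch imports from this module, model and tool invocation would fail, not just the policy check. Change it to `from configs import dify_config`.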
@@ -39,6 +40,14 @@ def is_credential_exists(credential_id: str, credential_type: "PluginCredentialT return False +def runtime_check_credential_policy_compliance( + *args, **kwargs +) -> None: + if dify_config.ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK: + return + check_credential_policy_compliance(*args, **kwargs) + + def check_credential_policy_compliance( credential_id: str, provider: str, credential_type: "PluginCredentialType", check_existence: bool = True ) -> None: diff --git a/api/core/model_manager.py b/api/core/model_manager.py index 7eab84b5bb..2eaf24aede 100644 --- a/api/core/model_manager.py +++ b/api/core/model_manager.py @@ -433,10 +433,10 @@ class ModelInstance: # Additional policy compliance check as fallback (in case fetch_next didn't catch it) try: - from core.helper.credential_utils import check_credential_policy_compliance + from core.helper.credential_utils import runtime_check_credential_policy_compliance if lb_config.credential_id: - check_credential_policy_compliance( + runtime_check_credential_policy_compliance( credential_id=lb_config.credential_id, provider=self.provider, credential_type=PluginCredentialType.MODEL, @@ -643,10 +643,10 @@ class LBModelManager: # Check policy compliance for the selected configuration try: - from core.helper.credential_utils import check_credential_policy_compliance + from core.helper.credential_utils import runtime_check_credential_policy_compliance if config.credential_id: - check_credential_policy_compliance( + runtime_check_credential_policy_compliance( credential_id=config.credential_id, provider=self._provider, credential_type=PluginCredentialType.MODEL, diff --git a/api/core/tools/tool_manager.py b/api/core/tools/tool_manager.py index 23a877b7e3..ba8707b649 100644 --- a/api/core/tools/tool_manager.py +++ b/api/core/tools/tool_manager.py 
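Review bot: `runtime_check_credential_policy_compliance` returns silently when the flag is set and takes `*args, **kwargs`, so the skip leaves no trace and the wrapper loses the typed signature of the function it guards. The wrapped function takes `check_existence: bool = True`, so the early return presumably skips the existence check as well as the policy check, and the docstring should say so. I would mirror the signature, document the fail-open behaviour and pass the arguments by name. A debug-level log line for the skip is worth adding if this module has a logger, which the hunk does not show.

```python
def runtime_check_credential_policy_compliance(
    credential_id: str, provider: str, credential_type: "PluginCredentialType", check_existence: bool = True
) -> None:
    """Run the credential policy check unless runtime checks are switched off.

    When ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK is set this returns
    without calling check_credential_policy_compliance, so nothing that
    function verifies is enforced for this credential on the calling path.
    """
    if dify_config.ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK:
        # Fail-open by operator choice; callers proceed with the credential unchecked.
        return
    check_credential_policy_compliance(
        credential_id=credential_id,
        provider=provider,
        credential_type=credential_type,
        check_existence=check_existence,
    )
```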
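Review bot: The comment `# Additional policy compliance check as fallback (in case fetch_next didn't catch it)` in the `ModelInstance` hunk no longer holds when the flag is set, because the `LBModelManager` hunk at line 643 switches its check to the same wrapper and both become no-ops together. I would extend both comments, e.g. `# Fallback policy check; a no-op when ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK is set`, so a reader does not assume defence in depth on the load-balancing path. Both `try:` blocks continue outside their hunks, so how a raised policy error is handled is not visible here.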
@@ -246,9 +246,9 @@ class ToolManager: raise ToolProviderNotFoundError(f"builtin provider {provider_id} not found") # check if the credential is allowed to be used - from core.helper.credential_utils import check_credential_policy_compliance + from core.helper.credential_utils import runtime_check_credential_policy_compliance - check_credential_policy_compliance( + runtime_check_credential_policy_compliance( credential_id=builtin_provider.id, provider=provider_id, credential_type=PluginCredentialType.TOOL,
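Review bot: The comment `# check if the credential is allowed to be used` above the swapped call in `ToolManager` now describes a check that may not run, and the enclosing method starts and ends outside the hunk, so it is not visible whether this path is reached only during workflow execution. If it is also used when a tool is configured or tested, the flag would skip the policy gate there too, which is wider than the "workflow run time" scope given in the flag's description. I would at least update the comment to `# check if the credential is allowed to be used (skipped when ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK is set)` and confirm the callers.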