arize-phoenix 4.36.0__py3-none-any.whl → 5.0.0__py3-none-any.whl

phoenix/db/enums.py

@@ -0,0 +1,20 @@
+from enum import Enum
+from typing import Mapping, Type
+
+from sqlalchemy.orm import InstrumentedAttribute
+
+from phoenix.db import models
+from phoenix.db.models import AuthMethod
+
+__all__ = ["AuthMethod", "UserRole", "COLUMN_ENUMS"]
+
+
+class UserRole(Enum):
+    SYSTEM = "SYSTEM"
+    ADMIN = "ADMIN"
+    MEMBER = "MEMBER"
+
+
+COLUMN_ENUMS: Mapping[InstrumentedAttribute[str], Type[Enum]] = {
+    models.UserRole.name: UserRole,
+}

phoenix/db/facilitator.py

@@ -0,0 +1,112 @@
+from __future__ import annotations
+
+import asyncio
+import secrets
+from functools import partial
+
+from sqlalchemy import (
+    distinct,
+    insert,
+    select,
+)
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from phoenix.auth import (
+    DEFAULT_ADMIN_EMAIL,
+    DEFAULT_ADMIN_PASSWORD,
+    DEFAULT_ADMIN_USERNAME,
+    DEFAULT_SECRET_LENGTH,
+    DEFAULT_SYSTEM_EMAIL,
+    DEFAULT_SYSTEM_USERNAME,
+    compute_password_hash,
+)
+from phoenix.db import models
+from phoenix.db.enums import COLUMN_ENUMS, UserRole
+from phoenix.server.types import DbSessionFactory
+
+
+class Facilitator:
+    """
+    Facilitates the creation of database records necessary for Phoenix to function. This includes
+    ensuring that all enum values are present in their respective tables, ensuring that all user
+    roles are present, and ensuring that the admin user has a password hash. These tasks will be
+    carried out as callbacks at the very beginning of Starlette's lifespan process.
+    """
+
+    def __init__(self, *, db: DbSessionFactory) -> None:
+        self._db = db
+
+    async def __call__(self) -> None:
+        async with self._db() as session:
+            for fn in (
+                _ensure_enums,
+                _ensure_user_roles,
+            ):
+                async with session.begin_nested():
+                    await fn(session)
+
+
+async def _ensure_enums(session: AsyncSession) -> None:
+    """
+    Ensure that all enum values are present in their respective tables. If any values are missing,
+    they will be added. If any values are present in the database but not in the enum, an error will
+    be raised. This function is idempotent: it will not add duplicate values to the database.
+    """
+    for column, enum in COLUMN_ENUMS.items():
+        table = column.class_
+        existing = set([_ async for _ in await session.stream_scalars(select(distinct(column)))])
+        expected = set(e.value for e in enum)
+        if unexpected := existing - expected:
+            raise ValueError(f"Unexpected values in {table.name}.{column.key}: {unexpected}")
+        if not (missing := expected - existing):
+            continue
+        await session.execute(insert(table), [{column.key: v} for v in missing])
+
+
+async def _ensure_user_roles(session: AsyncSession) -> None:
+    """
+    Ensure that the system and admin roles are present in the database. If they are not, they will
+    be added. The system user will have the email "system@localhost" and the admin user will have
+    the email "admin@localhost".
+    """
+    role_ids = {
+        name: id_
+        async for name, id_ in await session.stream(
+            select(models.UserRole.name, models.UserRole.id)
+        )
+    }
+    existing_roles = [
+        name
+        async for name in await session.stream_scalars(
+            select(distinct(models.UserRole.name)).join_from(models.User, models.UserRole)
+        )
+    ]
+    if (system_role := UserRole.SYSTEM.value) not in existing_roles and (
+        system_role_id := role_ids.get(system_role)
+    ) is not None:
+        system_user = models.User(
+            user_role_id=system_role_id,
+            username=DEFAULT_SYSTEM_USERNAME,
+            email=DEFAULT_SYSTEM_EMAIL,
+            reset_password=False,
+            password_salt=secrets.token_bytes(DEFAULT_SECRET_LENGTH),
+            password_hash=secrets.token_bytes(DEFAULT_SECRET_LENGTH),
+        )
+        session.add(system_user)
+    if (admin_role := UserRole.ADMIN.value) not in existing_roles and (
+        admin_role_id := role_ids.get(admin_role)
+    ) is not None:
+        salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
+        compute = partial(compute_password_hash, password=DEFAULT_ADMIN_PASSWORD, salt=salt)
+        loop = asyncio.get_running_loop()
+        hash_ = await loop.run_in_executor(None, compute)
+        admin_user = models.User(
+            user_role_id=admin_role_id,
+            username=DEFAULT_ADMIN_USERNAME,
+            email=DEFAULT_ADMIN_EMAIL,
+            password_salt=salt,
+            password_hash=hash_,
+            reset_password=True,
+        )
+        session.add(admin_user)
+    await session.flush()

phoenix/db/migrations/versions/cd164e83824f_users_and_tokens.py

@@ -0,0 +1,157 @@
+"""users and tokens
+
+Revision ID: cd164e83824f
+Revises: 10460e46d750
+Create Date: 2024-08-01 18:36:52.157604
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "cd164e83824f"
+down_revision: Union[str, None] = "3be8647b87d8"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "user_roles",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column(
+            "name",
+            sa.String,
+            nullable=False,
+            unique=True,
+            index=True,
+        ),
+    )
+    op.create_table(
+        "users",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column(
+            "user_role_id",
+            sa.Integer,
+            sa.ForeignKey("user_roles.id", ondelete="CASCADE"),
+            nullable=False,
+            index=True,
+        ),
+        sa.Column("username", sa.String, nullable=False, unique=True, index=True),
+        sa.Column("email", sa.String, nullable=False, unique=True, index=True),
+        sa.Column("profile_picture_url", sa.String, nullable=True),
+        sa.Column("password_hash", sa.LargeBinary, nullable=True),
+        sa.Column("password_salt", sa.LargeBinary, nullable=True),
+        sa.Column("reset_password", sa.Boolean, nullable=False),
+        sa.Column("oauth2_client_id", sa.String, nullable=True, index=True),
+        sa.Column("oauth2_user_id", sa.String, nullable=True, index=True),
+        sa.Column(
+            "created_at",
+            sa.TIMESTAMP(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column(
+            "updated_at",
+            sa.TIMESTAMP(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+            onupdate=sa.func.now(),
+        ),
+        sa.CheckConstraint(
+            "(password_hash IS NULL) = (password_salt IS NULL)",
+            name="password_hash_and_salt",
+        ),
+        sa.CheckConstraint(
+            "(oauth2_client_id IS NULL) = (oauth2_user_id IS NULL)",
+            name="oauth2_client_id_and_user_id",
+        ),
+        sa.CheckConstraint(
+            "(password_hash IS NULL) != (oauth2_client_id IS NULL)",
+            name="exactly_one_auth_method",
+        ),
+        sa.UniqueConstraint(
+            "oauth2_client_id",
+            "oauth2_user_id",
+        ),
+        sqlite_autoincrement=True,
+    )
+    op.create_table(
+        "password_reset_tokens",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column(
+            "user_id",
+            sa.Integer,
+            sa.ForeignKey("users.id", ondelete="CASCADE"),
+            unique=True,
+            index=True,
+        ),
+        sa.Column(
+            "created_at",
+            sa.TIMESTAMP(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column("expires_at", sa.TIMESTAMP(timezone=True), nullable=False, index=True),
+        sqlite_autoincrement=True,
+    )
+    op.create_table(
+        "refresh_tokens",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column("user_id", sa.Integer, sa.ForeignKey("users.id", ondelete="CASCADE"), index=True),
+        sa.Column(
+            "created_at",
+            sa.TIMESTAMP(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column("expires_at", sa.TIMESTAMP(timezone=True), nullable=False, index=True),
+        sqlite_autoincrement=True,
+    )
+    op.create_table(
+        "access_tokens",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column("user_id", sa.Integer, sa.ForeignKey("users.id", ondelete="CASCADE"), index=True),
+        sa.Column(
+            "created_at",
+            sa.TIMESTAMP(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column("expires_at", sa.TIMESTAMP(timezone=True), nullable=False, index=True),
+        sa.Column(
+            "refresh_token_id",
+            sa.Integer,
+            sa.ForeignKey("refresh_tokens.id", ondelete="CASCADE"),
+            index=True,
+            unique=True,
+        ),
+        sqlite_autoincrement=True,
+    )
+    op.create_table(
+        "api_keys",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column("user_id", sa.Integer, sa.ForeignKey("users.id", ondelete="CASCADE"), index=True),
+        sa.Column("name", sa.String, nullable=False),
+        sa.Column("description", sa.String, nullable=True),
+        sa.Column(
+            "created_at",
+            sa.TIMESTAMP(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column("expires_at", sa.TIMESTAMP(timezone=True), nullable=True, index=True),
+        sqlite_autoincrement=True,
+    )
+
+
+def downgrade() -> None:
+    op.drop_table("api_keys")
+    op.drop_table("access_tokens")
+    op.drop_table("refresh_tokens")
+    op.drop_table("password_reset_tokens")
+    op.drop_table("users")
+    op.drop_table("user_roles")

phoenix/db/models.py

@@ -1,4 +1,5 @@
 from datetime import datetime, timezone
+from enum import Enum
 from typing import Any, Dict, List, Optional, TypedDict
 
 from sqlalchemy import (
@@ -18,6 +19,7 @@ from sqlalchemy import (
     case,
     func,
     insert,
+    not_,
     select,
     text,
 )
@@ -34,10 +36,15 @@ from sqlalchemy.orm import (
 )
 from sqlalchemy.sql import expression
 
-from phoenix.config import ENABLE_AUTH, get_env_database_schema
+from phoenix.config import get_env_database_schema
 from phoenix.datetime_utils import normalize_datetime
 
 
+class AuthMethod(Enum):
+    LOCAL = "LOCAL"
+    OAUTH2 = "OAUTH2"
+
+
 class JSONB(JSON):
     # See https://docs.sqlalchemy.org/en/20/core/custom_types.html
     __visit_name__ = "JSONB"
@@ -620,65 +627,143 @@ class ExperimentRunAnnotation(Base):
     )
 
 
-# todo: unnest the following models when auth is released (https://github.com/Arize-ai/phoenix/issues/4183)
-if ENABLE_AUTH:
+class UserRole(Base):
+    __tablename__ = "user_roles"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    name: Mapped[str] = mapped_column(unique=True, index=True)
+    users: Mapped[List["User"]] = relationship("User", back_populates="role")
 
-    class UserRole(Base):
-        __tablename__ = "user_roles"
-        id: Mapped[int] = mapped_column(primary_key=True)
-        name: Mapped[str] = mapped_column(unique=True)
-        users: Mapped[List["User"]] = relationship("User", back_populates="role")
 
-    class User(Base):
-        __tablename__ = "users"
-        id: Mapped[int] = mapped_column(primary_key=True)
-        user_role_id: Mapped[int] = mapped_column(
-            ForeignKey("user_roles.id"),
-            index=True,
-        )
-        role: Mapped["UserRole"] = relationship("UserRole", back_populates="users")
-        username: Mapped[Optional[str]] = mapped_column(nullable=True, unique=True, index=True)
-        email: Mapped[str] = mapped_column(nullable=False, unique=True, index=True)
-        auth_method: Mapped[str] = mapped_column(
-            CheckConstraint("auth_method IN ('LOCAL')", name="valid_auth_method")
-        )
-        password_hash: Mapped[Optional[str]]
-        reset_password: Mapped[bool]
-        created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
-        updated_at: Mapped[datetime] = mapped_column(
-            UtcTimeStamp, server_default=func.now(), onupdate=func.now()
-        )
-        deleted_at: Mapped[Optional[datetime]] = mapped_column(UtcTimeStamp)
-        api_keys: Mapped[List["APIKey"]] = relationship("APIKey", back_populates="user")
-
-    class APIKey(Base):
-        __tablename__ = "api_keys"
-        id: Mapped[int] = mapped_column(primary_key=True)
-        user_id: Mapped[int] = mapped_column(
-            ForeignKey("users.id"),
-            index=True,
-        )
-        user: Mapped["User"] = relationship("User", back_populates="api_keys")
-        name: Mapped[str]
-        description: Mapped[Optional[str]]
-        created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
-        expires_at: Mapped[Optional[datetime]] = mapped_column(UtcTimeStamp)
-
-    # todo: standardize audit table format (https://github.com/Arize-ai/phoenix/issues/4185)
-    class AuditAPIKey(Base):
-        __tablename__ = "audit_api_keys"
-        id: Mapped[int] = mapped_column(primary_key=True)
-        api_key_id: Mapped[int] = mapped_column(
-            ForeignKey("api_keys.id"),
-            nullable=False,
-            index=True,
-        )
-        user_id: Mapped[int] = mapped_column(
-            ForeignKey("users.id"),
-            nullable=False,
-            index=True,
-        )
-        action: Mapped[str] = mapped_column(
-            CheckConstraint("action IN ('CREATE', 'DELETE')", name="valid_action")
+class User(Base):
+    __tablename__ = "users"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    user_role_id: Mapped[int] = mapped_column(
+        ForeignKey("user_roles.id", ondelete="CASCADE"),
+        index=True,
+    )
+    role: Mapped["UserRole"] = relationship("UserRole", back_populates="users")
+    username: Mapped[str] = mapped_column(nullable=False, unique=True, index=True)
+    email: Mapped[str] = mapped_column(nullable=False, unique=True, index=True)
+    profile_picture_url: Mapped[Optional[str]]
+    password_hash: Mapped[Optional[bytes]]
+    password_salt: Mapped[Optional[bytes]]
+    reset_password: Mapped[bool]
+    oauth2_client_id: Mapped[Optional[str]] = mapped_column(index=True, nullable=True)
+    oauth2_user_id: Mapped[Optional[str]] = mapped_column(index=True, nullable=True)
+    created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
+    updated_at: Mapped[datetime] = mapped_column(
+        UtcTimeStamp, server_default=func.now(), onupdate=func.now()
+    )
+    password_reset_token: Mapped[Optional["PasswordResetToken"]] = relationship(
+        "PasswordResetToken",
+        back_populates="user",
+        uselist=False,
+    )
+    access_tokens: Mapped[List["AccessToken"]] = relationship("AccessToken", back_populates="user")
+    refresh_tokens: Mapped[List["RefreshToken"]] = relationship(
+        "RefreshToken", back_populates="user"
+    )
+    api_keys: Mapped[List["ApiKey"]] = relationship("ApiKey", back_populates="user")
+
+    @hybrid_property
+    def auth_method(self) -> Optional[str]:
+        if self.password_hash is not None:
+            return AuthMethod.LOCAL.value
+        elif self.oauth2_client_id is not None:
+            return AuthMethod.OAUTH2.value
+        return None
+
+    @auth_method.inplace.expression
+    @classmethod
+    def _auth_method_expression(cls) -> ColumnElement[Optional[str]]:
+        return case(
+            (
+                not_(cls.password_hash.is_(None)),
+                AuthMethod.LOCAL.value,
+            ),
+            (
+                not_(cls.oauth2_client_id.is_(None)),
+                AuthMethod.OAUTH2.value,
+            ),
+            else_=None,
         )
-        created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
+
+    __table_args__ = (
+        CheckConstraint(
+            "(password_hash IS NULL) = (password_salt IS NULL)",
+            name="password_hash_and_salt",
+        ),
+        CheckConstraint(
+            "(oauth2_client_id IS NULL) = (oauth2_user_id IS NULL)",
+            name="oauth2_client_id_and_user_id",
+        ),
+        CheckConstraint(
+            "(password_hash IS NULL) != (oauth2_client_id IS NULL)",
+            name="exactly_one_auth_method",
+        ),
+        UniqueConstraint(
+            "oauth2_client_id",
+            "oauth2_user_id",
+        ),
+        dict(sqlite_autoincrement=True),
+    )
+
+
+class PasswordResetToken(Base):
+    __tablename__ = "password_reset_tokens"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    user_id: Mapped[int] = mapped_column(
+        ForeignKey("users.id", ondelete="CASCADE"),
+        unique=True,
+        index=True,
+    )
+    user: Mapped["User"] = relationship("User", back_populates="password_reset_token")
+    created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
+    expires_at: Mapped[Optional[datetime]] = mapped_column(UtcTimeStamp, nullable=False, index=True)
+    __table_args__ = (dict(sqlite_autoincrement=True),)
+
+
+class RefreshToken(Base):
+    __tablename__ = "refresh_tokens"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    user_id: Mapped[int] = mapped_column(
+        ForeignKey("users.id", ondelete="CASCADE"),
+        index=True,
+    )
+    user: Mapped["User"] = relationship("User", back_populates="refresh_tokens")
+    created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
+    expires_at: Mapped[Optional[datetime]] = mapped_column(UtcTimeStamp, nullable=False, index=True)
+    __table_args__ = (dict(sqlite_autoincrement=True),)
+
+
+class AccessToken(Base):
+    __tablename__ = "access_tokens"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    user_id: Mapped[int] = mapped_column(
+        ForeignKey("users.id", ondelete="CASCADE"),
+        index=True,
+    )
+    user: Mapped["User"] = relationship("User", back_populates="access_tokens")
+    created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
+    expires_at: Mapped[Optional[datetime]] = mapped_column(UtcTimeStamp, nullable=False, index=True)
+    refresh_token_id: Mapped[int] = mapped_column(
+        ForeignKey("refresh_tokens.id", ondelete="CASCADE"),
+        index=True,
+        unique=True,
+    )
+    __table_args__ = (dict(sqlite_autoincrement=True),)
+
+
+class ApiKey(Base):
+    __tablename__ = "api_keys"
+    id: Mapped[int] = mapped_column(primary_key=True)
+    user_id: Mapped[int] = mapped_column(
+        ForeignKey("users.id", ondelete="CASCADE"),
+        index=True,
+    )
+    user: Mapped["User"] = relationship("User", back_populates="api_keys")
+    name: Mapped[str]
+    description: Mapped[Optional[str]]
+    created_at: Mapped[datetime] = mapped_column(UtcTimeStamp, server_default=func.now())
+    expires_at: Mapped[Optional[datetime]] = mapped_column(UtcTimeStamp, nullable=True, index=True)
+    __table_args__ = (dict(sqlite_autoincrement=True),)

phoenix/experiments/evaluators/code_evaluators.py

@@ -2,7 +2,13 @@ from __future__ import annotations
 
 import json
 import re
-from typing import Any, List, Optional, Union
+from typing import (
+    Any,
+    List,
+    Optional,
+    Pattern,  # import from re module when we drop support for 3.8
+    Union,
+)
 
 from phoenix.experiments.evaluators.base import CodeEvaluator
 from phoenix.experiments.types import EvaluationResult, TaskOutput
@@ -144,7 +150,7 @@ class MatchesRegex(CodeEvaluator):
     An experiment evaluator that checks if the output of an experiment run matches a regex pattern.
 
     Args:
-        pattern (Union[str, re.Pattern[str]]): The regex pattern to match the output against.
+        pattern (Union[str, Pattern[str]]): The regex pattern to match the output against.
         name (str, optional): An optional name for the evaluator. Defaults to "matches_({pattern})".
 
     Example:
@@ -157,7 +163,7 @@ class MatchesRegex(CodeEvaluator):
             run_experiment(dataset, task, evaluators=[phone_number_evaluator])
     """
 
-    def __init__(self, pattern: Union[str, re.Pattern[str]], name: Optional[str] = None) -> None:
+    def __init__(self, pattern: Union[str, Pattern[str]], name: Optional[str] = None) -> None:
         if isinstance(pattern, str):
             pattern = re.compile(pattern)
         self.pattern = pattern

phoenix/experiments/functions.py

@@ -41,7 +41,7 @@ from opentelemetry.sdk.trace.export import SimpleSpanProcessor
 from opentelemetry.trace import Status, StatusCode, Tracer
 from typing_extensions import TypeAlias
 
-from phoenix.config import get_base_url, get_env_client_headers
+from phoenix.config import get_base_url
 from phoenix.evals.executors import get_executor_on_sync_context
 from phoenix.evals.models.rate_limiters import RateLimiter
 from phoenix.evals.utils import get_tqdm_progress_bar_formatter
@@ -77,13 +77,10 @@ from phoenix.utilities.json import jsonify
 
 
 def _phoenix_clients() -> Tuple[httpx.Client, httpx.AsyncClient]:
-    headers = get_env_client_headers()
     return VersionedClient(
         base_url=get_base_url(),
-        headers=headers,
     ), VersionedAsyncClient(
         base_url=get_base_url(),
-        headers=headers,
     )
 
 

phoenix/server/api/README.md

@@ -0,0 +1,28 @@
+# Permission Matrix for GraphQL API
+
+## Mutations
+
+| Action                       | Admin | Member |
+|:-----------------------------|:-----:|:------:|
+| Create User                  |  Yes  |   No   |
+| Delete User                  |  Yes  |   No   |
+| Change Own Password          |  Yes  |  Yes   |
+| Change Other's Password      |  Yes  |   No   |
+| Change Own Username          |  Yes  |  Yes   |
+| Change Other's Username      |  Yes  |   No   |
+| Change Own Email             |  No   |   No   |
+| Change Other's Email         |  No   |   No   |
+| Create System API Keys       |  Yes  |   No   |
+| Delete System API Keys       |  Yes  |   No   |
+| Create Own User API Keys     |  Yes  |  Yes   |
+| Delete Own User API Keys     |  Yes  |  Yes   |
+| Delete Other's User API Keys |  Yes  |   No   |
+
+## Queries
+
+| Action                               | Admin | Member |
+|:-------------------------------------|:-----:|:------:|
+| List All System API Keys             |  Yes  |   No   |
+| List All User API Keys               |  Yes  |   No   |
+| List All Users                       |  Yes  |   No   |
+| Fetch Other User's Info, e.g. emails |  Yes  |   No   |

phoenix/server/api/auth.py

@@ -0,0 +1,32 @@
+from abc import ABC
+from typing import Any
+
+from strawberry import Info
+from strawberry.permission import BasePermission
+
+from phoenix.server.api.exceptions import Unauthorized
+from phoenix.server.bearer_auth import PhoenixUser
+
+
+class Authorization(BasePermission, ABC):
+    def on_unauthorized(self) -> None:
+        raise Unauthorized(self.message)
+
+
+class IsNotReadOnly(Authorization):
+    message = "Application is read-only"
+
+    def has_permission(self, source: Any, info: Info, **kwargs: Any) -> bool:
+        return not info.context.read_only
+
+
+MSG_ADMIN_ONLY = "Only admin can perform this action"
+
+
+class IsAdmin(Authorization):
+    message = MSG_ADMIN_ONLY
+
+    def has_permission(self, source: Any, info: Info, **kwargs: Any) -> bool:
+        if not info.context.auth_enabled:
+            return False
+        return isinstance((user := info.context.user), PhoenixUser) and user.is_admin