Mistral 企业级权限控制

v20260311

mistral-enterprise-rbac

指导如何在 Mistral 企业环境中设置基于角色的权限，包括按团队限定的 API Key、代理网关、预算限额、使用审计与密钥轮换，以保障组织级别的安全与可控。

Mistral 权限控制访问管理 API密钥安全运维治理

获取技能

238 次下载

概览

Mistral AI Enterprise RBAC

Overview

Control access to Mistral AI models and API resources at the organization level. Mistral uses API key scoping and La Plateforme workspace management to separate environments.

Prerequisites

Mistral La Plateforme organization account
Organization admin or owner role
At least one active API key with admin scope

Instructions

Step 1: Create Scoped API Keys per Team

set -euo pipefail
# Create a key restricted to small models only (cost-safe for junior devs)
curl -X POST https://api.mistral.ai/v1/api-keys \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
  -d '{
    "name": "dev-team-small-only",
    "allowed_models": ["mistral-small-latest", "codestral-latest"],
    "rate_limit_rpm": 100
  }'

# Create an unrestricted key for the ML team
curl -X POST https://api.mistral.ai/v1/api-keys \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
  -d '{
    "name": "ml-team-full-access",
    "allowed_models": ["mistral-small-latest", "mistral-large-latest", "mistral-embed"],
    "rate_limit_rpm": 500  # HTTP 500 Internal Server Error
  }'

Step 2: Implement a Gateway That Enforces Roles

// mistral-gateway.ts - Proxy that checks roles before forwarding
const ROLE_MODEL_MAP: Record<string, string[]> = {
  analyst:   ['mistral-small-latest'],
  developer: ['mistral-small-latest', 'codestral-latest', 'mistral-embed'],
  senior:    ['mistral-small-latest', 'mistral-large-latest', 'mistral-embed'],
  admin:     ['*'],
};

function canUseModel(role: string, model: string): boolean {
  const allowed = ROLE_MODEL_MAP[role];
  return allowed?.includes('*') || allowed?.includes(model) || false;
}

Step 3: Set Workspace Spending Limits

Navigate to La Plateforme > Organization > Billing and set monthly budget caps. Configure alerts at 50%, 80%, and 95% thresholds. Each API key can also have independent rate limits to prevent a single integration from consuming the entire budget.

Step 4: Audit API Key Usage

set -euo pipefail
# List all API keys and their last-used timestamps
curl https://api.mistral.ai/v1/api-keys \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY" | \
  jq '.data[] | {name, created_at, last_used_at, allowed_models}'

# Revoke a compromised key
curl -X DELETE https://api.mistral.ai/v1/api-keys/key_abc123 \
  -H "Authorization: Bearer $MISTRAL_ADMIN_KEY"

Step 5: Rotate Keys on Schedule

Automate 90-day key rotation. Create the new key, update consuming services, then delete the old key after a 24-hour overlap window.

Error Handling

Issue	Cause	Solution
`401 Unauthorized`	API key revoked or invalid	Generate new key on La Plateforme
`403 model not allowed`	Key restricted from that model	Use a key with broader model scope
`429 rate limit`	Key RPM cap exceeded	Increase rate limit or distribute load across keys
Spending alert triggered	Monthly budget near cap	Review usage by key; restrict heavy consumers

Examples

Basic usage: Apply mistral enterprise rbac to a standard project setup with default configuration options.

Advanced scenario: Customize mistral enterprise rbac for production environments with multiple constraints and team-specific requirements.

Output

Configuration files or code changes applied to the project
Validation report confirming correct implementation
Summary of changes made and their rationale

Resources

Official Mistral documentation
Community best practices and patterns
Related skills in this plugin pack

信息

Category 编程开发

Name mistral-enterprise-rbac

版本 v20260311

大小 4.07KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-03-12