Merge pull request #1584 from cnoe-io/prebuild/collapse-rbac-kb-prs

feat(rbac): add fine-grained Knowledge Base access controls

Author: sriaradhyula

.dockerignore

@@ -159,3 +159,7 @@ docs/_build/
 .env
 .env.local
 .env.*.local
+ui/.env
+ui/.env.local
+ui/.env.*.local
+!ui/.env.example

Makefile

@@ -15,7 +15,7 @@ APP_NAME ?= ai-platform-engineering
 # or unset to restore unlimited parallelism. Used by every target below that
 # invokes `docker compose ... up --build`.
 COMPOSE_PARALLEL_LIMIT ?= 4
-DOCKER_COMPOSE_BUILD_ENV := COMPOSE_PARALLEL_LIMIT=$(COMPOSE_PARALLEL_LIMIT) BUILDKIT_MAX_PARALLELISM=$(COMPOSE_PARALLEL_LIMIT)
+DOCKER_COMPOSE_BUILD_ENV := DOCKER_BUILDKIT=1 COMPOSE_PARALLEL_LIMIT=$(COMPOSE_PARALLEL_LIMIT) BUILDKIT_MAX_PARALLELISM=$(COMPOSE_PARALLEL_LIMIT)
 
 ## -------------------------------------------------
 .PHONY: \

ai_platform_engineering/knowledge_bases/rag/README.md

@@ -20,7 +20,7 @@
 ## Quick Start
 
 ```bash
-# Start all services (development mode with trusted network access)
+# Start all services
 docker compose --profile apps up
 ```
 
@@ -31,35 +31,29 @@ docker compose --profile apps up
 
 ### Authentication
 
-**Development (Trusted Network - Default):**
-Services trust localhost connections without authentication.
-
-**Production (OIDC/OAuth2):**
-Configure environment variables for JWT-based authentication:
+Configure environment variables for JWT authentication and OpenFGA authorization:
 
 ```bash
 # UI authentication (OIDC)
 OIDC_ISSUER=https://your-keycloak.com/realms/production
 OIDC_CLIENT_ID=rag-ui
 OIDC_CLIENT_SECRET=xxx
-OIDC_GROUP_CLAIM=groups  # Optional: auto-detects if empty; supports comma-separated (e.g., "groups,members,roles")
 
 # Ingestor authentication (OAuth2 client credentials)
 INGESTOR_OIDC_ISSUER=https://your-keycloak.com/realms/production
 INGESTOR_OIDC_CLIENT_ID=rag-ingestor
 INGESTOR_OIDC_CLIENT_SECRET=xxx
 
-# Disable trusted network in production
-ALLOW_TRUSTED_NETWORK=false
-
-# Role-based access control (map groups to roles)
-RBAC_ADMIN_GROUPS=rag-admins,platform-admins
-RBAC_INGESTONLY_GROUPS=rag-ingestors
-RBAC_READONLY_GROUPS=rag-readers
+# Human KB authorization
+OPENFGA_HTTP=http://openfga:8080
 ```
 
 **Supported OIDC Providers:** Keycloak, Azure AD, Okta, AWS Cognito
 
+RAG treats human JWTs as identity-only. KB, data-source, and tool authorization
+comes from OpenFGA relationships rather than AD/OIDC groups or Keycloak realm
+roles.
+
 If you have Claude code, VS code, Cursor etc. you can connect upto the MCP server running at http://localhost:9446/mcp
 
 **Documentation:**

ai_platform_engineering/knowledge_bases/rag/common/src/common/ingestor.py

@@ -21,9 +21,7 @@ class Client:
   """
   Client bindings for RAG server REST API - handles ingestor lifecycle and data ingestion
 
-  Supports two authentication modes:
-  1. OAuth2 Client Credentials (production) - via INGESTOR_OIDC_* env vars
-  2. Trusted Network (development) - no authentication required
+  Uses OAuth2 Client Credentials via INGESTOR_OIDC_* env vars.
   """
 
   def __init__(self, ingestor_name: str, ingestor_type: str, ingestor_description: str = "", ingestor_metadata: Optional[Dict[str, Any]] = {}):
@@ -83,7 +81,7 @@ def __init__(self, ingestor_name: str, ingestor_type: str, ingestor_description:
       logger.info(f"  - INGESTOR_OIDC_DISCOVERY_URL: {'SET' if has_discovery_url else 'NOT SET'}")
       logger.info(f"  - INGESTOR_OIDC_CLIENT_ID: {'SET' if has_client_id else 'NOT SET'}")
       logger.info(f"  - INGESTOR_OIDC_CLIENT_SECRET: {'SET' if has_client_secret else 'NOT SET'}")
-      logger.info("  - Authentication mode: TRUSTED NETWORK (will send unauthenticated requests)")
+      logger.info("  - Authentication mode: NOT CONFIGURED (requests will fail before send)")
 
     # Note: Health check will be done during initialize() with aiohttp
 
@@ -212,20 +210,22 @@ async def _fetch_discovery(self, discovery_url: str) -> str:
         logger.info(f"Ingestor '{self.ingestor_name}': ✓ Discovered token endpoint: {self._token_endpoint}")
         return self._token_endpoint
 
-  async def _get_access_token(self) -> Optional[str]:
+  async def _get_access_token(self) -> str:
     """
     Get valid OAuth2 access token using client credentials flow.
 
     Token is cached and automatically refreshed before expiry.
-    Returns None if OAuth2 is not configured (trusted network mode).
 
     Returns:
-        Access token string or None
+        Access token string
     """
     # Check if OAuth2 is configured (need either issuer or discovery URL, plus client credentials)
     if not (self.oidc_issuer or self.oidc_discovery_url) or not self.oidc_client_id or not self.oidc_client_secret:
-      # Trusted network mode - no token needed
-      return None
+      raise RuntimeError(
+        "Ingestor OAuth2 client credentials are required: configure "
+        "INGESTOR_OIDC_ISSUER or INGESTOR_OIDC_DISCOVERY_URL, "
+        "INGESTOR_OIDC_CLIENT_ID, and INGESTOR_OIDC_CLIENT_SECRET"
+      )
 
     # Check if cached token is still valid (with 60s buffer)
     if self._access_token and self._token_expiry:
@@ -275,8 +275,7 @@ async def _get_auth_headers(self) -> Dict[str, str]:
     """
     Get authentication headers for RAG server requests.
 
-    Returns headers with Authorization Bearer token if OAuth2 is configured,
-    otherwise returns basic headers for trusted network mode.
+    Returns headers with an Authorization Bearer token.
 
     Also includes X-Ingestor-Type and X-Ingestor-Name headers for identification.
 
@@ -289,13 +288,9 @@ async def _get_auth_headers(self) -> Dict[str, str]:
     headers["X-Ingestor-Type"] = self.ingestor_type
     headers["X-Ingestor-Name"] = self.ingestor_name
 
-    # Get access token (None if trusted network mode)
     token = await self._get_access_token()
-    if token:
-      headers["Authorization"] = f"Bearer {token}"
-      logger.debug(f"Ingestor '{self.ingestor_name}': Sending AUTHENTICATED request (OAuth2 Bearer token)")
-    else:
-      logger.debug(f"Ingestor '{self.ingestor_name}': Sending UNAUTHENTICATED request (trusted network mode)")
+    headers["Authorization"] = f"Bearer {token}"
+    logger.debug(f"Ingestor '{self.ingestor_name}': Sending AUTHENTICATED request (OAuth2 Bearer token)")
 
     return headers
 

ai_platform_engineering/knowledge_bases/rag/common/src/common/models/rbac.py

@@ -1,65 +1,36 @@
-"""
-Shared RBAC models for the RAG system.
-
-Includes legacy role-based models (Role, UserContext) and 098 Enterprise RBAC
-models (TeamKbOwnership, TeamRagToolConfig) for team-scoped RAG tool management.
-"""
+"""Shared RBAC models for the RAG system."""
 from datetime import datetime
 from typing import List, Optional
 from pydantic import BaseModel, Field
 
 
-class KeycloakRole:
-    """Realm role name constants used in Keycloak JWT ``roles`` claim (098 Enterprise RBAC)."""
-
-    ADMIN = "admin"
-    KB_ADMIN = "kb_admin"
-    TEAM_MEMBER = "team_member"
-    CHAT_USER = "chat_user"
-    DENIED = "denied"
-    # Spec 104 — platform-wide admin (assigned to BOOTSTRAP_ADMIN_EMAILS users
-    # by init-idp.sh). Treated as a synonym for ADMIN by the RAG mapper so a
-    # single Keycloak role grants both AgentGateway admin and RAG admin.
-    ADMIN_USER = "admin_user"
-
-
-class KbPermission(BaseModel):
-    """Per-knowledge-base permission parsed from realm roles such as ``kb_reader:my-kb``."""
-
-    kb_id: str
-    scope: str
-
-    class Config:
-        frozen = True
-
-
 class Role:
   """
   Role definitions with hierarchical permissions.
 
   Hierarchy (higher level inherits lower level permissions):
-  0. ANONYMOUS - No access (unauthenticated users)
   1. READONLY - Read-only access (GET, query, explore)
   2. INGESTONLY - Read + ingest data (POST ingest, manage jobs)
   3. ADMIN - Full access including deletions and bulk operations
   """
 
-  ANONYMOUS = "anonymous"
   READONLY = "readonly"
   INGESTONLY = "ingestonly"
   ADMIN = "admin"
 
 
 class UserContext(BaseModel):
-  """User authentication and authorization context"""
+  """Authenticated identity context.
+
+  Human resource authorization is resolved through OpenFGA using ``subject``.
+  Static IdP groups, AD groups, and Keycloak realm roles are intentionally not
+  carried in this model.
+  """
 
   subject: Optional[str] = None
   email: str
-  groups: List[str]
   role: str
   is_authenticated: bool
-  kb_permissions: List[KbPermission] = Field(default_factory=list)
-  realm_roles: List[str] = Field(default_factory=list)
 
   class Config:
     frozen = True  # Immutable for security
@@ -71,35 +42,25 @@ class UserInfoResponse(BaseModel):
   email: str
   role: str
   is_authenticated: bool
-  groups: List[str]
   permissions: List[str]  # List of permissions: ["read", "ingest", "delete"]
-  in_trusted_network: bool
-
-
-# ============================================================================
-# 098 Enterprise RBAC — Team-scoped RAG models (data-model.md)
-# ============================================================================
 
 
 class TeamKbOwnership(BaseModel):
     """
-    Team/KB ownership assignment stored in MongoDB (FR-009, FR-015).
+    Team/KB ownership metadata stored in MongoDB.
 
-    Defines which knowledge bases and datasources a team is permitted to access.
-    The ``keycloak_role`` field links this assignment to the Keycloak realm role
-    that gates access (e.g. ``team_member(team-a)``).
+    Runtime RAG authorization decisions are made through OpenFGA relationships.
     """
     team_id: str
     tenant_id: str
     kb_ids: List[str] = Field(default_factory=list)
     allowed_datasource_ids: List[str] = Field(default_factory=list)
-    keycloak_role: str
     updated_at: datetime = Field(default_factory=datetime.utcnow)
 
 
 class TeamRagToolConfig(BaseModel):
     """
-    Team-scoped RAG tool configuration stored in MongoDB (FR-009).
+    Team-scoped RAG tool configuration stored in MongoDB.
 
     Validation rules:
     - ``datasource_ids`` must be a subset of the owning team's