User Management: Document-Level Access via Keycloak Helm Chart

[robodev-r2d2]

Summary

Implement user management in the rag-template project so that different users have access to different documents within the vectordatabase. Employ the Keycloak Helm chart to enable authentication and authorization features.

Motivation

Currently, all users may have equal access to the vectordatabase content. For compliance, security, and product feature requirements, we need document-level access control so that only authorized users can view or query specific documents.

Proposed Solution

• Integrate Keycloak using its Helm chart for Kubernetes-based deployment.
• Configure Keycloak realms, clients, and roles/groups to reflect user types and document access levels.
• Update the application logic to check user roles/groups and filter document access accordingly when querying the vectordatabase.
• Ensure vectordatabase queries are permission-aware, returning only documents the user is authorized to access.
• Provide admin functionality to assign documents to users/groups.

Implementation Steps

1. Add Keycloak Helm chart to the deployment process.
2. Define user roles/groups for document access control in Keycloak.
3. Update backend to authenticate users via Keycloak and enforce access restrictions when serving queries.
4. Create utilities for admins to manage user-document assignments.
5. Document the setup and usage in the repo's README.

Acceptance Criteria

• Keycloak is deployed via Helm and integrated with the app.
• Users can only access documents they are authorized for.
• Admins can assign/revoke document access to/from users.
• Documentation for setup and usage is available.

---

If you need code snippets, sample Keycloak Helm chart values, or integration examples, please specify.

[robodev-r2d2]

@codex according to you codex-instructions.md, please implement and provide a PR for this issue.

[robodev-r2d2]

test

[robodev-r2d2]

@codex according to you codex-instructions.md, please implement and provide a PR for this issue.

[robodev-r2d2]

test

[robodev-r2d2]

test

[robodev-r2d2]

test

[chatgpt-codex-connector]

Summary

• Added Keycloak security settings, authenticator, principal resolver, and accompanying access-control service plus unit tests to centralize document-level authorization metadata updates. libs/rag-core-api/src/rag_core_api/impl/security/keycloak_authenticator.pyL1-L115 libs/rag-core-api/src/rag_core_api/impl/access/document_access_service.pyL1-L98 libs/rag-core-api/tests/access/test_document_access_service.pyL1-L52
• Propagated authorization context through the chat pipeline and API by enriching retriever metadata, extending the abstract vector database API, and exposing a /documents/{document_id}/access administration endpoint. libs/rag-core-api/src/rag_core_api/impl/api_endpoints/default_chat.pyL5-L59 libs/rag-core-api/src/rag_core_api/apis/rag_api.pyL69-L223 libs/rag-core-api/src/rag_core_api/vector_databases/vector_database.pyL1-L135
• Updated Helm dependencies, backend config maps, and documentation to deploy Keycloak and surface the new KEYCLOAK_* and ACCESS_CONTROL_* environment settings for configuration. infrastructure/rag/Chart.yamlL11-L36 infrastructure/rag/values.yamlL6-L36 infrastructure/rag/values.yamlL241-L258 infrastructure/rag/templates/_backend_helpers.tplL72-L107 infrastructure/rag/templates/backend/configmap.yamlL128-L169 README.mdL122-L130

Testing

• ✅ poetry run black src tests
• ✅ poetry run isort src tests
• ⚠️ poetry run flake8 src tests (command unavailable in the offline environment)
• ❌ poetry run pytest (fails because required packages such as pydantic, langchain_community, and pytest_asyncio could not be installed without PyPI access)

View task →

[robodev-r2d2]

test

[chatgpt-codex-connector]

Summary

• Integrated Keycloak-based authentication with reusable FastAPI dependencies, token introspection, and session-level metadata filters so chat execution only retrieves documents authorized for the current user. libs/rag-core-api/src/rag_core_api/security/dependencies.pyL1-L52 libs/rag-core-api/src/rag_core_api/security/keycloak.pyL1-L115 libs/rag-core-api/src/rag_core_api/impl/api_endpoints/default_chat.pyL1-L58 libs/rag-core-api/src/rag_core_api/apis/rag_api.pyL13-L207
• Added document-access services across backend and admin layers, enabling Qdrant payload updates, admin-side access assignment endpoints, and default access-group tagging during uploads. libs/rag-core-api/src/rag_core_api/impl/api_endpoints/default_document_access_manager.pyL1-L27 libs/rag-core-api/src/rag_core_api/impl/vector_databases/qdrant_database.pyL69-L210 libs/admin-api-lib/src/admin_api_lib/impl/admin_api.pyL10-L180 libs/admin-api-lib/src/admin_api_lib/apis/admin_api.pyL31-L218
• Extended Helm configuration with a bundled Keycloak realm, access-control environment defaults, and documented the new authentication model for operators. infrastructure/rag/values.yamlL21-L235 infrastructure/rag/templates/keycloak-realm-config.yamlL1-L39 README.mdL21-L30

Testing

• ❌ pytest (fails: missing optional dependencies such as langchain_community and pytest_asyncio in the execution environment)

View task →

[robodev-r2d2]

test