gmakstutis/LightRAG
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
LightRAG/docs/archives/action_plan/01-audit-report.md
Raphael MANSUY 2b292d4924
docs: Enterprise Edition & Multi-tenancy attribution (#5) 
* Remove outdated documentation files: Quick Start Guide, Apache AGE Analysis, and Scratchpad.

* Add multi-tenant testing strategy and ADR index documentation

- Introduced ADR 008 detailing the multi-tenant testing strategy for the ./starter environment, covering compatibility and multi-tenant modes, testing scenarios, and implementation details.
- Created a comprehensive ADR index (README.md) summarizing all architecture decision records related to the multi-tenant implementation, including purpose, key sections, and reading paths for different roles.

* feat(docs): Add comprehensive multi-tenancy guide and README for LightRAG Enterprise

- Introduced `0008-multi-tenancy.md` detailing multi-tenancy architecture, key concepts, roles, permissions, configuration, and API endpoints.
- Created `README.md` as the main documentation index, outlining features, quick start, system overview, and deployment options.
- Documented the LightRAG architecture, storage backends, LLM integrations, and query modes.
- Established a task log (`2025-01-21-lightrag-documentation-log.md`) summarizing documentation creation actions, decisions, and insights.
2025-12-04 18:09:15 +08:00

82 lines
4.7 KiB
Markdown
Raw Blame History

# Multi-Tenancy Audit Report
**Date:** November 21, 2025
**Project:** LightRAG
**Auditor:** GitHub Copilot
## Executive Summary
The current multi-tenancy implementation in LightRAG relies on **application-level isolation**. While it provides helper classes (`TenantSQLBuilder`, `MongoTenantHelper`, etc.) to filter data by `tenant_id` and `kb_id`, it lacks **enforcement at the database or framework level**. This design is susceptible to data leaks if developers fail to use the helpers correctly.
The "battle-tested" approach requires **Row-Level Security (RLS)** for PostgreSQL, **strict repository wrappers** for NoSQL stores, and **middleware-enforced tenant identification** (subdomains + JWT).
## Gap Analysis
| Feature | Current Implementation | Battle-Tested Standard | Gap Severity |
| :--- | :--- | :--- | :--- |
| **Tenant Identification** | Headers (`X-Tenant-ID`) or JWT metadata. No subdomain support. | Subdomains (`tenant.app.com`) + JWT `tenant_id` claim. | **High** |
| **PostgreSQL Isolation** | `WHERE` clause filtering via `TenantSQLBuilder`. | **Row-Level Security (RLS)** + Tenant UUID PK. | **Critical** |
| **MongoDB Isolation** | Manual field filtering via `MongoTenantHelper`. | **Tenant-scoped Repository** or ODM Middleware (Beanie). | **High** |
| **Neo4j/Memgraph Isolation** | Cypher query modification via helper. | **Tenant Session Wrapper** or Label Prefixing. | **High** |
| **Vector DB Isolation** | Metadata filtering via helper. | **Tenant-scoped Repository** or Collection Separation. | **High** |
| **Redis Isolation** | Key prefixing via `RedisTenantNamespace` (manual usage). | **Key Prefixing** enforced by wrapper/dependency. | **Medium** |
| **Framework Enforcement** | Optional dependencies in routers. | **Global Middleware** + Dependency Injection. | **High** |
## Detailed Findings
### 1. Tenant Identification
* **Current**: `lightrag/api/dependencies.py` extracts `tenant_id` from headers or JWT.
* **Risk**: Clients can potentially spoof `X-Tenant-ID` if not strictly validated against the JWT. Subdomains are not used, making it harder to isolate tenants at the DNS/networking level (e.g., for CORS or cookies).
### 2. PostgreSQL
* **Current**: `lightrag/kg/postgres_tenant_support.py` modifies SQL strings.
* **Risk**: "Trusting the application code". A raw SQL query without the builder will leak data. RLS is the only way to prevent this at the database engine level.
### 3. MongoDB
* **Current**: `lightrag/kg/mongo_tenant_support.py` provides helper methods.
* **Risk**: Developers must remember to call `add_tenant_fields` and `get_tenant_filter`.
### 4. Neo4j
* **Current**: `lightrag/kg/graph_tenant_support.py` injects `WHERE` clauses.
* **Risk**: Complex Cypher queries might be difficult to parse and modify correctly. A session wrapper that enforces parameters is safer.
### 5. Redis
* **Current**: `lightrag/kg/redis_tenant_support.py` provides `RedisTenantNamespace`.
* **Risk**: Manual usage of the namespace wrapper is required.
### 6. Vector Databases (Qdrant, Milvus, FAISS, Nano)
* **Current**: `lightrag/kg/vector_tenant_support.py` provides helper methods for metadata filtering and ID prefixing.
* **Risk**: Similar to other NoSQL stores, developers must manually apply filters and metadata.
* **Qdrant**: Relies on `must` conditions in filters.
* **Milvus**: Relies on `expr` strings.
* **FAISS**: Relies on index naming or metadata filtering (which can be slow if not optimized).
* **Nano**: Relies on metadata filtering.
### 7. Other Graph Databases (Memgraph, NetworkX)
* **Current**: `lightrag/kg/graph_tenant_support.py` covers these.
* **Risk**:
* **Memgraph**: Similar to Neo4j, relies on Cypher query modification.
* **NetworkX**: In-memory graph. Isolation relies on creating subgraphs or filtering edges manually. If the graph is persisted, it needs careful handling.
## Recommendations
1. **Implement Subdomain Middleware**: Add middleware to resolve `tenant_id` from subdomains and validate it against Redis/DB.
2. **Enable PostgreSQL RLS**:
* Add `tenant_id` to `current_setting`.
* Enable RLS on all tables.
* Create policies to enforce isolation.
3. **Refactor MongoDB Access**: Create a `MongoTenantRepo` class that wraps the collection and automatically applies filters.
4. **Refactor Neo4j/Memgraph Access**: Create a `GraphTenantSession` class that wraps the driver session.
5. **Refactor Vector DB Access**: Create a `VectorTenantRepo` class (or specific implementations) that wraps the client and enforces metadata/filtering.
6. **Global Dependency**: Ensure `get_tenant_context` is used globally or at the router level for all tenant-specific endpoints.
## Action Plan
See `docs/action_plan/02-implementation-plan.md` for the detailed steps.
Reference in a new issue View git blame Copy permalink