2b292d4924
* Remove outdated documentation files: Quick Start Guide, Apache AGE Analysis, and Scratchpad. * Add multi-tenant testing strategy and ADR index documentation - Introduced ADR 008 detailing the multi-tenant testing strategy for the ./starter environment, covering compatibility and multi-tenant modes, testing scenarios, and implementation details. - Created a comprehensive ADR index (README.md) summarizing all architecture decision records related to the multi-tenant implementation, including purpose, key sections, and reading paths for different roles. * feat(docs): Add comprehensive multi-tenancy guide and README for LightRAG Enterprise - Introduced `0008-multi-tenancy.md` detailing multi-tenancy architecture, key concepts, roles, permissions, configuration, and API endpoints. - Created `README.md` as the main documentation index, outlining features, quick start, system overview, and deployment options. - Documented the LightRAG architecture, storage backends, LLM integrations, and query modes. - Established a task log (`2025-01-21-lightrag-documentation-log.md`) summarizing documentation creation actions, decisions, and insights.
5.4 KiB
5.4 KiB
Security Fixes Implementation Report
Date: November 29, 2025
Status: ✅ COMPLETED
Summary
All identified security vulnerabilities from the multi-tenant audit have been implemented and tested. The fixes maintain backward compatibility through configurable flags.
Implemented Fixes
SEC-001: Remove Global RAG Fallback ✅
Files Modified:
lightrag/api/config.py- AddedMULTI_TENANT_STRICT_MODEflaglightrag/api/dependencies.py- Updatedget_tenant_context_optional()to enforce strict modelightrag/api/routers/document_routes.py- Updatedget_tenant_rag()to block fallback in strict modelightrag/api/routers/query_routes.py- Updatedget_tenant_rag()to block fallback in strict mode
Configuration:
# Enable strict multi-tenant mode (default: true)
export LIGHTRAG_MULTI_TENANT_STRICT=true
Behavior:
- When
LIGHTRAG_MULTI_TENANT_STRICT=true: Requests without tenant context are rejected with HTTP 400 - When
LIGHTRAG_MULTI_TENANT_STRICT=false: Falls back to global RAG (backward compatible)
SEC-002: Remove Admin User Bypass ✅
Files Modified:
lightrag/api/config.py- AddedSUPER_ADMIN_USERSconfigurationlightrag/services/tenant_service.py- Replaced hardcoded "admin" bypass with configurable super-admin list
Configuration:
# Configure super-admin users (comma-separated list)
export LIGHTRAG_SUPER_ADMIN_USERS="admin@company.com,superuser"
Behavior:
- Only users explicitly listed in
LIGHTRAG_SUPER_ADMIN_USERSget super-admin access - Empty by default (no super-admins)
- Case-insensitive matching
SEC-003: Make user_id Required ✅
Files Modified:
lightrag/api/config.py- AddedREQUIRE_USER_AUTHflaglightrag/tenant_rag_manager.py- Updated to enforce user_id when flag is enabled
Configuration:
# Require user authentication for tenant access (default: true)
export LIGHTRAG_REQUIRE_USER_AUTH=true
Behavior:
- When
LIGHTRAG_REQUIRE_USER_AUTH=true: Requests without user_id are rejected with PermissionError - When
LIGHTRAG_REQUIRE_USER_AUTH=false: Allows anonymous access (backward compatible)
WUI-001: Clear localStorage on Logout ✅
Files Modified:
lightrag_webui/src/stores/state.ts- Added tenant context clearing inlogout()function
Changes:
logout: () => {
localStorage.removeItem('LIGHTRAG-API-TOKEN');
// NEW: Clear tenant context on logout
localStorage.removeItem('SELECTED_TENANT');
localStorage.removeItem('SELECTED_KB');
// ...
}
WUI-002: Better Error Handling ✅
Files Modified:
lightrag_webui/src/api/tenant.ts- Removed fake fallback data on API errors
Changes:
fetchTenantsPaginated()now throws errors instead of returning fake default tenantfetchTenants()now throws errors instead of returning fake default tenant- UI components can now properly display error states
WUI-003: Validate Tenant Context ✅
Files Modified:
lightrag_webui/src/api/client.ts- Added tenant context validation in Axios interceptor
Changes:
// Endpoints that require tenant context
const TENANT_REQUIRED_ENDPOINTS = [
'/documents',
'/query',
'/graph',
'/knowledge-bases',
]
// Block requests without tenant context for required endpoints
if (requiresTenantContext(config.url) && (!hasTenantContext || !hasKBContext)) {
throw new axios.Cancel('Please select a tenant and knowledge base...');
}
Configuration Summary
| Variable | Default | Description |
|---|---|---|
LIGHTRAG_MULTI_TENANT_STRICT |
true |
Enforce tenant context on all data endpoints |
LIGHTRAG_REQUIRE_USER_AUTH |
true |
Require user authentication for tenant access |
LIGHTRAG_SUPER_ADMIN_USERS |
"" |
Comma-separated list of super-admin usernames |
Test Results
| Test Suite | Tests | Result |
|---|---|---|
| test_multitenant_e2e.py | 32 | ✅ PASSED |
| test_tenant_security.py | 11 | ✅ PASSED |
| test_multi_tenant_backends.py | 37 | ✅ PASSED |
| test_tenant_storage_phase3.py | 22 | ✅ PASSED |
| TOTAL | 102 | ✅ ALL PASSED |
WebUI Build: ✅ PASSED
Migration Guide
For Existing Single-Tenant Deployments
If you want to maintain the old behavior (no tenant enforcement):
export LIGHTRAG_MULTI_TENANT_STRICT=false
export LIGHTRAG_REQUIRE_USER_AUTH=false
For New Multi-Tenant Deployments
The defaults are secure out of the box:
# These are the defaults, no need to set
export LIGHTRAG_MULTI_TENANT_STRICT=true
export LIGHTRAG_REQUIRE_USER_AUTH=true
# Optionally configure super-admins
export LIGHTRAG_SUPER_ADMIN_USERS="admin@example.com"
Security Verification Checklist
| Check | Status |
|---|---|
| Global RAG fallback blocked in strict mode | ✅ |
| Admin bypass removed | ✅ |
| User authentication enforced | ✅ |
| Tenant context cleared on logout | ✅ |
| API errors propagated to UI | ✅ |
| Client-side tenant validation | ✅ |
| All tests pass | ✅ |
| WebUI builds successfully | ✅ |
Remaining Recommendations
- Enable PostgreSQL RLS - Add database-level row security as defense-in-depth
- Add Audit Logging - Log cross-tenant access attempts for security monitoring
- Rate Limiting - Implement per-tenant rate limiting to prevent abuse
- Use httpOnly Cookies - Consider moving tokens from localStorage to httpOnly cookies