fe9b8ec02a
* feat: Implement multi-tenant architecture with tenant and knowledge base models - Added data models for tenants, knowledge bases, and related configurations. - Introduced role and permission management for users in the multi-tenant system. - Created a service layer for managing tenants and knowledge bases, including CRUD operations. - Developed a tenant-aware instance manager for LightRAG with caching and isolation features. - Added a migration script to transition existing workspace-based deployments to the new multi-tenant architecture. * chore: ignore lightrag/api/webui/assets/ directory * chore: stop tracking lightrag/api/webui/assets (ignore in .gitignore) * feat: Initialize LightRAG Multi-Tenant Stack with PostgreSQL - Added README.md for project overview, setup instructions, and architecture details. - Created docker-compose.yml to define services: PostgreSQL, Redis, LightRAG API, and Web UI. - Introduced env.example for environment variable configuration. - Implemented init-postgres.sql for PostgreSQL schema initialization with multi-tenant support. - Added reproduce_issue.py for testing default tenant access via API. * feat: Enhance TenantSelector and update related components for improved multi-tenant support * feat: Enhance testing capabilities and update documentation - Updated Makefile to include new test commands for various modes (compatibility, isolation, multi-tenant, security, coverage, and dry-run). - Modified API health check endpoint in Makefile to reflect new port configuration. - Updated QUICK_START.md and README.md to reflect changes in service URLs and ports. - Added environment variables for testing modes in env.example. - Introduced run_all_tests.sh script to automate testing across different modes. - Created conftest.py for pytest configuration, including database fixtures and mock services. - Implemented database helper functions for streamlined database operations in tests. - Added test collection hooks to skip tests based on the current MULTITENANT_MODE. * feat: Implement multi-tenant support with demo mode enabled by default - Added multi-tenant configuration to the environment and Docker setup. - Created pre-configured demo tenants (acme-corp and techstart) for testing. - Updated API endpoints to support tenant-specific data access. - Enhanced Makefile commands for better service management and database operations. - Introduced user-tenant membership system with role-based access control. - Added comprehensive documentation for multi-tenant setup and usage. - Fixed issues with document visibility in multi-tenant environments. - Implemented necessary database migrations for user memberships and legacy support. * feat(audit): Add final audit report for multi-tenant implementation - Documented overall assessment, architecture overview, test results, security findings, and recommendations. - Included detailed findings on critical security issues and architectural concerns. fix(security): Implement security fixes based on audit findings - Removed global RAG fallback and enforced strict tenant context. - Configured super-admin access and required user authentication for tenant access. - Cleared localStorage on logout and improved error handling in WebUI. chore(logs): Create task logs for audit and security fixes implementation - Documented actions, decisions, and next steps for both audit and security fixes. - Summarized test results and remaining recommendations. chore(scripts): Enhance development stack management scripts - Added scripts for cleaning, starting, and stopping the development stack. - Improved output messages and ensured graceful shutdown of services. feat(starter): Initialize PostgreSQL with AGE extension support - Created initialization scripts for PostgreSQL extensions including uuid-ossp, vector, and AGE. - Ensured successful installation and verification of extensions. * feat: Implement auto-select for first tenant and KB on initial load in WebUI - Removed WEBUI_INITIAL_STATE_FIX.md as the issue is resolved. - Added useTenantInitialization hook to automatically select the first available tenant and KB on app load. - Integrated the new hook into the Root component of the WebUI. - Updated RetrievalTesting component to ensure a KB is selected before allowing user interaction. - Created end-to-end tests for multi-tenant isolation and real service interactions. - Added scripts for starting, stopping, and cleaning the development stack. - Enhanced API and tenant routes to support tenant-specific pipeline status initialization. - Updated constants for backend URL to reflect the correct port. - Improved error handling and logging in various components. * feat: Add multi-tenant support with enhanced E2E testing scripts and client functionality * update client * Add integration and unit tests for multi-tenant API, models, security, and storage - Implement integration tests for tenant and knowledge base management endpoints in `test_tenant_api_routes.py`. - Create unit tests for tenant isolation, model validation, and role permissions in `test_tenant_models.py`. - Add security tests to enforce role-based permissions and context validation in `test_tenant_security.py`. - Develop tests for tenant-aware storage operations and context isolation in `test_tenant_storage_phase3.py`. * feat(e2e): Implement OpenAI model support and database reset functionality * Add comprehensive test suite for gpt-5-nano compatibility - Introduced tests for parameter normalization, embeddings, and entity extraction. - Implemented direct API testing for gpt-5-nano. - Validated .env configuration loading and OpenAI API connectivity. - Analyzed reasoning token overhead with various token limits. - Documented test procedures and expected outcomes in README files. - Ensured all tests pass for production readiness. * kg(postgres_impl): ensure AGE extension is loaded in session and configure graph initialization * dev: add hybrid dev helper scripts, Makefile, docker-compose.dev-db and local development docs * feat(dev): add dev helper scripts and local development documentation for hybrid setup * feat(multi-tenant): add detailed specifications and logs for multi-tenant improvements, including UX, backend handling, and ingestion pipeline * feat(migration): add generated tenant/kb columns, indexes, triggers; drop unused tables; update schema and docs * test(backward-compat): adapt tests to new StorageNameSpace/TenantService APIs (use concrete dummy storages) * chore: multi-tenant and UX updates — docs, webui, storage, tenant service adjustments * tests: stabilize integration tests + skip external services; fix multi-tenant API behavior and idempotency - gpt5_nano_compatibility: add pytest-asyncio markers, skip when OPENAI key missing, prevent module-level asyncio.run collection, add conftest - Ollama tests: add server availability check and skip markers; avoid pytest collection warnings by renaming helper classes - Graph storage tests: rename interactive test functions to avoid pytest collection - Document & Tenant routes: support external_ids for idempotency; ensure HTTPExceptions are re-raised - LightRAG core: support external_ids in apipeline_enqueue_documents and idempotent logic - Tests updated to match API changes (tenant routes & document routes) - Add logs and scripts for inspection and audit
5.4 KiB
5.4 KiB
Security Fixes Implementation Report
Date: November 29, 2025
Status: ✅ COMPLETED
Summary
All identified security vulnerabilities from the multi-tenant audit have been implemented and tested. The fixes maintain backward compatibility through configurable flags.
Implemented Fixes
SEC-001: Remove Global RAG Fallback ✅
Files Modified:
lightrag/api/config.py- AddedMULTI_TENANT_STRICT_MODEflaglightrag/api/dependencies.py- Updatedget_tenant_context_optional()to enforce strict modelightrag/api/routers/document_routes.py- Updatedget_tenant_rag()to block fallback in strict modelightrag/api/routers/query_routes.py- Updatedget_tenant_rag()to block fallback in strict mode
Configuration:
# Enable strict multi-tenant mode (default: true)
export LIGHTRAG_MULTI_TENANT_STRICT=true
Behavior:
- When
LIGHTRAG_MULTI_TENANT_STRICT=true: Requests without tenant context are rejected with HTTP 400 - When
LIGHTRAG_MULTI_TENANT_STRICT=false: Falls back to global RAG (backward compatible)
SEC-002: Remove Admin User Bypass ✅
Files Modified:
lightrag/api/config.py- AddedSUPER_ADMIN_USERSconfigurationlightrag/services/tenant_service.py- Replaced hardcoded "admin" bypass with configurable super-admin list
Configuration:
# Configure super-admin users (comma-separated list)
export LIGHTRAG_SUPER_ADMIN_USERS="admin@company.com,superuser"
Behavior:
- Only users explicitly listed in
LIGHTRAG_SUPER_ADMIN_USERSget super-admin access - Empty by default (no super-admins)
- Case-insensitive matching
SEC-003: Make user_id Required ✅
Files Modified:
lightrag/api/config.py- AddedREQUIRE_USER_AUTHflaglightrag/tenant_rag_manager.py- Updated to enforce user_id when flag is enabled
Configuration:
# Require user authentication for tenant access (default: true)
export LIGHTRAG_REQUIRE_USER_AUTH=true
Behavior:
- When
LIGHTRAG_REQUIRE_USER_AUTH=true: Requests without user_id are rejected with PermissionError - When
LIGHTRAG_REQUIRE_USER_AUTH=false: Allows anonymous access (backward compatible)
WUI-001: Clear localStorage on Logout ✅
Files Modified:
lightrag_webui/src/stores/state.ts- Added tenant context clearing inlogout()function
Changes:
logout: () => {
localStorage.removeItem('LIGHTRAG-API-TOKEN');
// NEW: Clear tenant context on logout
localStorage.removeItem('SELECTED_TENANT');
localStorage.removeItem('SELECTED_KB');
// ...
}
WUI-002: Better Error Handling ✅
Files Modified:
lightrag_webui/src/api/tenant.ts- Removed fake fallback data on API errors
Changes:
fetchTenantsPaginated()now throws errors instead of returning fake default tenantfetchTenants()now throws errors instead of returning fake default tenant- UI components can now properly display error states
WUI-003: Validate Tenant Context ✅
Files Modified:
lightrag_webui/src/api/client.ts- Added tenant context validation in Axios interceptor
Changes:
// Endpoints that require tenant context
const TENANT_REQUIRED_ENDPOINTS = [
'/documents',
'/query',
'/graph',
'/knowledge-bases',
]
// Block requests without tenant context for required endpoints
if (requiresTenantContext(config.url) && (!hasTenantContext || !hasKBContext)) {
throw new axios.Cancel('Please select a tenant and knowledge base...');
}
Configuration Summary
| Variable | Default | Description |
|---|---|---|
LIGHTRAG_MULTI_TENANT_STRICT |
true |
Enforce tenant context on all data endpoints |
LIGHTRAG_REQUIRE_USER_AUTH |
true |
Require user authentication for tenant access |
LIGHTRAG_SUPER_ADMIN_USERS |
"" |
Comma-separated list of super-admin usernames |
Test Results
| Test Suite | Tests | Result |
|---|---|---|
| test_multitenant_e2e.py | 32 | ✅ PASSED |
| test_tenant_security.py | 11 | ✅ PASSED |
| test_multi_tenant_backends.py | 37 | ✅ PASSED |
| test_tenant_storage_phase3.py | 22 | ✅ PASSED |
| TOTAL | 102 | ✅ ALL PASSED |
WebUI Build: ✅ PASSED
Migration Guide
For Existing Single-Tenant Deployments
If you want to maintain the old behavior (no tenant enforcement):
export LIGHTRAG_MULTI_TENANT_STRICT=false
export LIGHTRAG_REQUIRE_USER_AUTH=false
For New Multi-Tenant Deployments
The defaults are secure out of the box:
# These are the defaults, no need to set
export LIGHTRAG_MULTI_TENANT_STRICT=true
export LIGHTRAG_REQUIRE_USER_AUTH=true
# Optionally configure super-admins
export LIGHTRAG_SUPER_ADMIN_USERS="admin@example.com"
Security Verification Checklist
| Check | Status |
|---|---|
| Global RAG fallback blocked in strict mode | ✅ |
| Admin bypass removed | ✅ |
| User authentication enforced | ✅ |
| Tenant context cleared on logout | ✅ |
| API errors propagated to UI | ✅ |
| Client-side tenant validation | ✅ |
| All tests pass | ✅ |
| WebUI builds successfully | ✅ |
Remaining Recommendations
- Enable PostgreSQL RLS - Add database-level row security as defense-in-depth
- Add Audit Logging - Log cross-tenant access attempts for security monitoring
- Rate Limiting - Implement per-tenant rate limiting to prevent abuse
- Use httpOnly Cookies - Consider moving tokens from localStorage to httpOnly cookies