Release 0.5.1 — Fine-Grained Knowledge Base RBAC
Released: 2026-05-27
Chart: oci://ghcr.io/cnoe-io/charts/ai-platform-engineering:0.5.1
Previous release: 0.5.0
Highlights
0.5.1 makes OpenFGA the source of truth for human access to the RAG knowledge base surfaces — Search, Data Sources, Graph, and MCP Tools — and lets admins share individual knowledge bases with teams through relationship-based grants. Under the hood, team membership is consolidated into a single canonical store so every reader and writer agrees on who belongs to a team, eliminating the drift that caused authorized users to fall back to the Default CAIPE Supervisor instead of their configured agent. The release also adds a searchable team picker across admin panels, a friendlier first-run experience that seeds a working Hello-World agent, and an intentionally noisy emergency flag to bypass UI RBAC while repairing an OpenFGA/Keycloak stack.
What's New
Fine-Grained Knowledge Base Access Control
- OpenFGA-backed KB access — Search, Data Sources, Graph, and MCP Tools now resolve human access through OpenFGA instead of legacy role/group/trusted-network checks, making one consistent decision across the UI, BFF, and RAG server (#1584)
- Share knowledge bases with teams — admins can grant teams access to individual knowledge bases through an OpenFGA reconciler with backfill for already-shared KBs (#1584)
- New `data_source` and `mcp_tool` resource types — added as first-class OpenFGA types with BFF list filtering, so users only see the data sources and tools they can actually use (#1584)
- Per-tab Knowledge sidebar gates — each Knowledge tab is gated on the relevant OpenFGA relation with empty states instead of access-denied dead ends; the Graph tab unlocks when any KB is readable (#1584)
- Explicit org-admin super-grant — org admins keep access to KB, Search, Data Sources, Graph, and MCP Tools, including the grant needed to create a datasource before its ownership tuples exist (#1584)
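To make the relationship-based grants above concrete, here is an added illustration (not the project's code and not its actual OpenFGA model) of how such checks resolve: team membership expands a `team#member` userset, a KB shared with a team grants `reader` and `ingestor` to its members, data sources and MCP tools inherit from their parent KB, and org admins hold a super-grant over every KB surface. The tuples, type names and relation names are constructed assumptions for this example.

```python
# Constructed sample tuples modelled on the 0.5.1 release notes; the type and
# relation names are assumptions for this illustration, not the project's model.
TUPLES = [
    ("user:alice", "member", "team:platform"),
    ("user:bob", "member", "team:data"),
    ("user:carol", "admin", "org:caipe"),
    # an admin shared this KB with a team: members get reader and ingestor
    ("team:platform#member", "reader", "knowledge_base:runbooks"),
    ("team:platform#member", "ingestor", "knowledge_base:runbooks"),
    # data sources and MCP tools hang off the knowledge base they belong to
    ("knowledge_base:runbooks", "parent", "data_source:confluence"),
    ("knowledge_base:runbooks", "parent", "mcp_tool:kb-search"),
]
KB_SURFACES = ("knowledge_base", "data_source", "mcp_tool")

def check(user, relation, obj, tuples=TUPLES):
    """Resolve one relationship: direct tuple, team#member userset expansion,
    inheritance from the parent KB, then the org-admin super-grant."""
    obj_type = obj.split(":", 1)[0]
    for subject, rel, target in tuples:
        if target != obj:
            continue
        if rel == "parent" and obj_type in ("data_source", "mcp_tool"):
            # data sources and MCP tools inherit the relation from their KB
            if check(user, relation, subject, tuples):
                return True
        if rel != relation:
            continue
        if subject == user:
            return True
        if "#" in subject:  # userset such as team:platform#member
            team, team_rel = subject.split("#", 1)
            if check(user, team_rel, team, tuples):
                return True
    # explicit org-admin super-grant over every KB surface, which also covers
    # creating a data source before any ownership tuple for it exists
    if obj_type in KB_SURFACES:
        return any(s == user and r == "admin" and t.startswith("org:")
                   for s, r, t in tuples)
    return False

def list_objects(user, relation, obj_type, tuples=TUPLES):
    """BFF-style list filtering: return only the objects the user can use."""
    objs = sorted({t for _, _, t in tuples if t.startswith(obj_type + ":")})
    return [o for o in objs if check(user, relation, o, tuples)]

def graph_tab_unlocked(user, tuples=TUPLES):
    """The Graph tab unlocks as soon as any knowledge base is readable."""
    return bool(list_objects(user, "reader", "knowledge_base", tuples))
```

Bob, who belongs to a team the KB was never shared with, sees no data sources or tools and no Graph tab, while Carol reaches everything through the org-admin grant alone.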
Canonical Team Membership & Onboarding
- Single source of truth for membership — the duplicate `teams.members[]` array is retired in favor of the canonical `team_membership_sources` collection; every auth gate, API consumer, and admin view now reads from it, and `GET /api/admin/teams` returns a canonical `member_count` (#1583)
- Searchable team picker — new `TeamPicker` and `TeamMultiPicker` components replace native `<select>` dropdowns across admin panels for team selection and "Share with Teams" (#1583)
- Persisted onboarding defaults — admins can choose default teams and agents with an explicit Save flow and clear pending-changes affordance, and agent "Share with Teams" is persisted in OpenFGA with a one-shot backfill (#1583)
- Working first-run experience — fresh installs seed a default Hello-World agent and an auto-create-teams sync rule, with opt-in login-time team auto-creation via `IDENTITY_SYNC_LOGIN_AUTO_CREATE_TEAMS` (#1583)
Operational Safety
- `CAIPE_UNSAFE_RBAC_BYPASS` escape hatch — an intentionally noisy dev/emergency flag that makes UI RBAC checks allow all requests without consulting OpenFGA/Keycloak, for recovering a 0.5.x install while the RBAC stack is being repaired; defaults to `false` and emits a one-time server warning when enabled (#1581)
Bug Fixes
- rbac: complete the RAG OpenFGA access model so the RAG server enforces the same team/KB relationships as the UI and BFF (#1584)
- rbac: read knowledge-base tuples with a valid paginated OpenFGA query, and grant `ingestor` on shared knowledge bases so team members can re-ingest (#1584)
- rbac/ui: let read-only viewers load the configured default platform agent — fixes "Generic user sees Default CAIPE Supervisor instead of the configured Hello World agent," caused by the BFF mapping every `/api/admin/*` GET to an admin-only gate before the route's own `system_config#read` check ran (#1583)
- dynamic-agents: surface LLM configuration errors over SSE instead of a generic "something went wrong," so Slack/Webex/UI show the actionable message (#1583)
- slack-bot: relay specific dynamic-agent errors (LLM config, RBAC denial) and stop silently retrying behind a generic toast (#1583)
- rbac: chunk OpenFGA writes and make identity-group-sync apply transactionally, so large-realm syncs no longer fail on write limits or leave half-applied state (#1583)
Security
- Authorization for knowledge-base surfaces is now centralized on OpenFGA, reducing the chance that the UI, BFF, and RAG server make different access decisions for the same user.
- The new `CAIPE_UNSAFE_RBAC_BYPASS` flag is a deliberate escape hatch: it defaults to `false`, logs a loud one-time warning when enabled, and is documented as unsafe for staging or production.
Breaking Changes
No breaking changes. Drop-in upgrade from 0.5.0.
Known Issues
None known at this time.
Upgrade
helm upgrade ai-platform-engineering \
oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
--version 0.5.1 \
-f your-values.yaml
Upgrade Guide: 0.5.0 → 0.5.1
Overview
Drop-in upgrade — no values.yaml edits are required. 0.5.1 adds a small set of new optional RBAC environment variables on caipe-ui and rag-server, all with working defaults. The only behavior worth noting is that the RAG server now ships with team-scoped RBAC enabled by default (RBAC_TEAM_SCOPE_ENABLED: "true"); if your OpenFGA model is already initialized (as expected on 0.5.x), this aligns RAG access with the UI with no action needed.
Helm Values Changes
No keys were renamed, removed, or changed type between 0.5.0 and 0.5.1. The diff only adds new optional fields.
New Optional Fields
caipe-ui config — adds the emergency RBAC bypass flag:
| Key | Default | Description |
|---|---|---|
| CAIPE_UNSAFE_RBAC_BYPASS | "false" | When true, UI RBAC checks allow all requests without consulting OpenFGA. Dev/emergency only — never enable in staging or production. |
rag-stack.rag-server.env — a new env block wires the RAG server to OpenFGA:
| Key | Default | Description |
|---|---|---|
| RBAC_TEAM_SCOPE_ENABLED | "true" | Enforce team-scoped RBAC on RAG server requests via OpenFGA. |
| OPENFGA_HTTP | "http://ai-platform-engineering-openfga:8080" | OpenFGA endpoint the RAG server queries for KB/team relationships. |
| OPENFGA_STORE_NAME | "caipe-openfga" | OpenFGA store name. |
| CAIPE_UNSAFE_RBAC_BYPASS | "false" | Same emergency escape hatch as the UI, applied to RAG server RBAC. |
If you override rag-server.env in your own values, merge these keys in rather than replacing the block. Operators on an air-gapped or renamed OpenFGA service should point OPENFGA_HTTP at their endpoint.
Deprecated / Removed Keys
None.
Data Migrations
No MongoDB schema or data migrations are required to upgrade. The canonical team-membership refactor reads from the team_membership_sources collection; a migration script (make target) is available to clear the legacy teams.members[] array, but it is optional cleanup and not required for the upgrade.
Upgrade Runbook
1. Update chart version
helm upgrade ai-platform-engineering \
oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
--version 0.5.1 \
-f your-values.yaml
2. (Optional) Point the RAG server at a non-default OpenFGA
If your OpenFGA service is not the in-release default, set the new env keys under rag-stack.rag-server.env in your values.yaml:
rag-stack:
  rag-server:
    env:
      RBAC_TEAM_SCOPE_ENABLED: "true"
      OPENFGA_HTTP: "http://your-openfga:8080"
      OPENFGA_STORE_NAME: "caipe-openfga"
3. Verify
kubectl get pods -n <namespace>
Then confirm a team member can open the Knowledge tabs they have access to, and that the configured default agent loads for non-admin users instead of falling back to the Default CAIPE Supervisor.
Full Values Diff
Raw diff (0.5.0 → 0.5.1)
--- values-0.5.0.yaml
+++ values-0.5.1.yaml
@@ -836,6 +836,9 @@
OPENFGA_HTTP: ""
OPENFGA_STORE_NAME: "caipe-openfga"
OPENFGA_RECONCILE_ENABLED: "false"
+ # Unsafe dev/emergency escape hatch: when true, UI RBAC checks allow all
+ # requests without consulting OpenFGA. Do not enable in staging or prod.
+ CAIPE_UNSAFE_RBAC_BYPASS: "false"
# Keycloak Admin API integration for resource/scope synchronization.
KEYCLOAK_URL: ""
KEYCLOAK_REALM: "caipe"
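Review bot: the comment above the new `CAIPE_UNSAFE_RBAC_BYPASS: "false"` key states the risk but not how an operator would notice the flag is on; consider adding that the server emits a one-time warning when it is enabled (as the release notes describe), so the comment points at the detection signal, and consider restricting the accepted values to the literal strings "true"/"false" in the values schema so a stray value cannot land in an unexpected branch.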
@@ -1412,6 +1415,11 @@
# tag defaults to .Chart.AppVersion when not specified
tag: ""
pullPolicy: "IfNotPresent"
+ env:
+ RBAC_TEAM_SCOPE_ENABLED: "true"
+ OPENFGA_HTTP: "http://ai-platform-engineering-openfga:8080"
+ OPENFGA_STORE_NAME: "caipe-openfga"
+ CAIPE_UNSAFE_RBAC_BYPASS: "false"
agent-rag:
enabled: true
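Review bot: the new rag-server `env` block hardcodes `OPENFGA_HTTP: "http://ai-platform-engineering-openfga:8080"` while the caipe-ui block in the previous hunk leaves `OPENFGA_HTTP: ""`; a release installed under a different name, or a renamed OpenFGA service, gets a dead endpoint at the same time that `RBAC_TEAM_SCOPE_ENABLED: "true"` turns enforcement on by default. Consider deriving the host from the release name in the template or, failing that, a comment above the block stating the value must be overridden when the release is not named `ai-platform-engineering`, plus a note on whether the RAG server fails open or closed when OpenFGA is unreachable.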
