@Cozy228
Last active May 20, 2025 06:45
Process Flow Breakdown

  1. Human Account & Initial Setup:

    • A Human Account is the starting point.
    • This account needs to create an Application and its corresponding Client ID & Client Secret. This is done via the APIGateway.
      • Onboarding Guide for App/Client ID creation: Refer to xxx
    • The permissions and roles associated with this Human Account (including those needed for consuming APIs and potentially for managing knowledge bases) are managed and approved in Sailpoint.
  2. Client Applications (Backstage Chatbot / Document Upload Pipeline):

    • Both Backstage Chatbot and the Document Upload Pipeline act as client applications.
    • Their operational flow for accessing RAGaaS is identical.
  3. Authentication & API Access Flow (for Backstage Chatbot & Document Upload Pipeline):

    • Token Request: The client application (either Backstage Chatbot or Document Upload Pipeline) uses its Client ID and Client Secret to request an authentication token from the RAI Gateway.
    • Token Issuance: The RAI Gateway validates the credentials. If successful, it generates and returns an authentication token to the client application.
    • API Request: The client application uses the obtained token to make API requests to RAGaaS (e.g., to query knowledge bases).
  4. RAGaaS - API Consumption & RBAC:

    • Request Reception: RAGaaS receives the API request and the token from the client application.
    • Internal RBAC (Role-Based Access Control) Check:
      • RAGaaS resolves the Client ID carried by the token to its creator (the Human Account) and performs the check against that account, not against the client application itself.
      • It verifies that the Human Account holds the roles/permissions required for the requested action (e.g., reading a specific knowledge base). These roles are expected to originate from, and be managed in, Sailpoint.
      • How RAGaaS obtains those roles (e.g., data synchronization from Sailpoint, an internal cache lookup) is an internal detail of RAGaaS.
      • Risk Note: This RBAC check is currently constrained by Apigee; the planned switch to Kong is expected to improve it.
    • Decision based on RBAC check:
      • If the Human Account has the required role(s):
        • RAGaaS accesses the relevant knowledge base.
        • Returns the API response to the client application.
      • If the Human Account does not have the required role(s):
        • Returns an error or access denied response to the client application.
  5. RAGaaS - Knowledge Base (KB) Creation (Separate Process):

    • The creation and management of knowledge bases within RAGaaS is a distinct process.
      • Guidance for RAGaaS Knowledge Base creation: Refer to xxxx
    • This typically requires the Human Account to have specific roles. Examples of such roles might include:
      • RAGaaS_Content_Admin
      • RAGaaS_KB_Creator
      • (Actual role names may vary)
    • These roles are defined and shared by the RAGaaS team. For a Human Account to perform KB creation tasks, these roles would need to be assigned to them and managed via Sailpoint.
  6. Client Application - Response Handling:

    • The client application (Backstage Chatbot or Document Upload Pipeline) receives and processes the API response from RAGaaS.
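Steps 3 and 4 above as one runnable, offline simulation. This is an added example, not code from the gist or from the RAGaaS, RAI Gateway or APIGateway teams: the client IDs, secrets, role names (`RAGaaS_KB_Reader:<kb>`), the HMAC-signed token format and the shared signing key are all assumptions made here so that the token request, the signature/expiry check and the creator-based RBAC decision can be exercised end to end.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# --- Constructed data standing in for the APIGateway app registry and Sailpoint.
# Everything here (client IDs, secrets, role names, token format, signing key)
# is an assumption made for this example, not the real systems' data.

def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

# APIGateway side: Client ID -> hashed Client Secret and the Human Account that created it.
APP_REGISTRY = {
    "backstage-chatbot":   {"secret_hash": sha256_hex("chatbot-secret"),  "creator": "alice"},
    "doc-upload-pipeline": {"secret_hash": sha256_hex("pipeline-secret"), "creator": "bob"},
}

# Roles as RAGaaS would receive them from Sailpoint (role source of truth).
# Role names are hypothetical; the gist notes that actual names may vary.
SAILPOINT_ROLES = {
    "alice": {"RAGaaS_KB_Reader:hr-policies"},
    "bob":   {"RAGaaS_KB_Creator", "RAGaaS_KB_Reader:hr-policies", "RAGaaS_KB_Reader:finance"},
}

GATEWAY_SIGNING_KEY = b"demo-signing-key-do-not-use"  # shared by RAI Gateway (issuer) and RAGaaS (verifier)
TOKEN_TTL_SECONDS = 900

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_body(body: str) -> str:
    return b64url_encode(hmac.new(GATEWAY_SIGNING_KEY, body.encode(), hashlib.sha256).digest())

# --- Step 3: the RAI Gateway validates Client ID/Secret and issues a short-lived token.
def gateway_issue_token(client_id: str, client_secret: str, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    app = APP_REGISTRY.get(client_id)
    # compare_digest keeps the comparison constant-time; an unknown client and a
    # wrong secret raise the same error so the response does not reveal which it was.
    if app is None or not hmac.compare_digest(app["secret_hash"], sha256_hex(client_secret)):
        raise PermissionError("invalid_client")
    payload = {"sub": client_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{sign_body(body)}"

# --- Step 4: RAGaaS verifies the token, then checks the *creator's* roles, not the client's.
def ragaas_verify_token(token: str, now: Optional[int] = None) -> str:
    """Return the Client ID carried by a valid token, or raise PermissionError."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sign_body(body).encode(), sig.encode()):
        raise PermissionError("bad_signature")  # tampered body or forged token
    payload = json.loads(b64url_decode(body))
    if payload["exp"] <= now:
        raise PermissionError("token_expired")
    return payload["sub"]

def ragaas_query(token: str, kb_name: str, now: Optional[int] = None) -> dict:
    """Step 4 decision: KB response on success, PermissionError on the access-denied branch."""
    client_id = ragaas_verify_token(token, now)
    app = APP_REGISTRY.get(client_id)
    if app is None:
        raise PermissionError("unknown_client")
    creator = app["creator"]  # the Human Account behind the Client ID
    required = f"RAGaaS_KB_Reader:{kb_name}"
    if required not in SAILPOINT_ROLES.get(creator, set()):
        raise PermissionError(f"access_denied: {creator} lacks {required}")
    return {"kb": kb_name, "client_id": client_id, "authorized_via": creator}

if __name__ == "__main__":
    tok = gateway_issue_token("backstage-chatbot", "chatbot-secret")
    print(ragaas_query(tok, "hr-policies"))  # alice holds the reader role: allowed
    try:
        ragaas_query(tok, "finance")  # alice does not: access denied
    except PermissionError as err:
        print(err)
```

Two things the simulation makes visible that the prose only implies: the token is rejected for a bad signature or a past `exp` before any role is consulted, and the authorization decision is entirely a property of the creator, so two Client IDs created by the same Human Account receive identical access to every knowledge base, and a change to that account's Sailpoint roles changes what every client it created can read.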
```mermaid
sequenceDiagram
    participant HumanAccount
    participant Backstage
    participant RAIGateway as RAI Gateway
    participant RAGaaS
    participant Sailpoint as Sailpoint (Role Source of Truth)

    Note over HumanAccount: Human Account generates Client ID & Secret. <br/> Creator's roles/permissions (e.g., for P1, P2) <br/> are managed and approved in Sailpoint.
    Backstage->>RAIGateway: Request auth token (Client ID, Client Secret)
    RAIGateway-->>Backstage: Auth Token
    Backstage->>RAGaaS: API Request (with Auth Token)
    RAGaaS->>RAGaaS: Internal RBAC Check (on Client ID's Creator - the Human Account)
    Note right of RAGaaS: RAGaaS verifies that the Human Account has the required roles. <br/> These roles are based on information <br/> originating from/managed in Sailpoint. <br/> How RAGaaS obtains/checks this role <br/> information is internal. <br/> --- <br/> Risk: Current Apigee limitation; <br/> Kong may improve this RBAC check.
    alt Human Account Has Required Role
        RAGaaS-->>Backstage: API Response (from Knowledge Base)
    else Human Account Does Not Have Required Role
        RAGaaS-->>Backstage: Error / Access Denied Response
    end
```