Implement RBAC (Role-Based Access Control) UI with authentication and user management

[Copilot]

This PR implements a comprehensive Role-Based Access Control (RBAC) system for the RAG Document Assistant, transforming it from an open application into a secure, multi-user platform with authentication and fine-grained permission controls.

🔐 Features Implemented

Authentication System

• Secure Login/Logout: bcrypt password hashing with salt
• Session Management: Streamlit session state-based authentication
• Default Admin: Auto-created admin user (username: admin, password: admin123)
• File-Based Storage: YAML-based user database with encrypted passwords

Role-Based Access Control

• Admin Role: Full system access including user management
  • All tabs: Document Q&A, Document Ingestion, System Status, User Management
  • Complete system configuration and monitoring
• User Role: Standard user access for document operations
  • 3 tabs: Document Q&A, Document Ingestion, System Status
  • No user management capabilities
• Viewer Role: Read-only access for document viewing
  • 1 tab: Document Q&A only
  • Minimal system information

Permission System

• Granular Permissions: 7 distinct permissions (view, search, upload, delete, manage users, etc.)
• Dynamic UI: Tabs and features appear/disappear based on user permissions
• Permission Decorators: Clean implementation with @require_permission decorators

User Management Interface

• Admin Dashboard: Create, delete, and manage user accounts
• Role Assignment: Easy role selection and management
• User Profile: Display current user info with logout functionality

🖼️ Screenshots

Login Interface:

Role Comparison:

• Admin: 4 tabs (includes User Management)
• User: 3 tabs (standard access)
• Viewer: 1 tab (read-only)

🏗️ Implementation Details

New Files

• src/auth.py - Complete RBAC implementation with user management
• RBAC_GUIDE.md - Comprehensive documentation and security guide
• users.yaml - Auto-generated user database

Modified Files

• src/streamlit_app.py - Enhanced with authentication wrapper and role-based UI
• requirements.txt - Added authentication dependencies

Dependencies Added

• streamlit-authenticator>=0.3.2
• bcrypt>=4.0.0
• PyYAML>=6.0

🧪 Testing

• ✅ Authentication flows for all user roles
• ✅ Permission-based access control validation
• ✅ UI dynamic rendering based on roles
• ✅ User management operations (create/delete)
• ✅ Existing functionality preservation
• ✅ Core validation tests still pass

🔒 Security Features

• Password Security: bcrypt hashing with salt
• Session Security: Secure session management
• Permission Enforcement: Both UI and backend validation
• Default Credentials: Secure initial setup process

📖 Usage

1. First Time Setup: Login with default admin credentials (admin/admin123)
2. User Management: Admins can create users via the User Management tab
3. Role-Based Access: Users see different interfaces based on their assigned role
4. Security: Change default admin password immediately after deployment

🚀 Benefits

• Multi-User Support: Secure access for multiple users
• Granular Control: Fine-tuned permissions for different user types
• Enhanced Security: Authentication prevents unauthorized access
• Scalable Architecture: Easy to extend with additional roles/permissions
• Backward Compatibility: All existing functionality preserved

This implementation provides enterprise-ready user management while maintaining the simplicity and functionality of the original RAG assistant.

Fixes #4.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.