Skip to content

[3.13] AI Gateway: Document metadata filtering + ACL support for AI RAG injector pluginΒ #3351

New issue
New issue
Closed
Feature
Closed
[3.13] AI Gateway: Document metadata filtering + ACL support for AI RAG injector plugin#3351
Feature
Assignees
tomek-labuk
Labels
priority: highproduct:ai-gatewayrelease-docsDocs for release
Milestone
Gateway 3.13
@tomek-labuk

Description

@tomek-labuk
tomek-labuk
opened on Nov 4, 2025

Jobs to be done

Explain how users can apply ACLs and metadata filters when ingesting and querying RAG content, so they can securely restrict access and refine search results.

Definition of done

  1. Update RAG injector plugin docs to reflect new capabilities:
  • Collection-based ACL behavior tied to Kong consumer groups
  • Metadata fields on ingestion (collection, tags, date, source)
  • Query-time metadata filters + filter_mode and stop_on_filter_error
  • Supported filter grammar options (Bedrock-like and Mongo-like)
  1. Provide working examples to the plugin examples section:
  • Ingest chunk with metadata
  • Lookup request using metadata filters + ACL context
  1. Create a short how-to showing:
  • How to set collection ACL config in plugin
  • How to structure metadata on ingest
  • How to issue filtered queries
  1. General updates:
  • Call out limits (max filter size, max clauses)
  • Add notes on behavior if filters fail / legacy mode

Sample comfiguration (TBD):

plugins:
  - name: ai-rag-injector
    config:
      inject_template: |
        Only use the following information surrounded by <RAG></RAG> to and your existing knowledge to provide the best possible answer to the user.
        <RAG><CONTEXT></RAG>
        User's question: <PROMPT>

      embeddings:
        auth:
          header_name: Authorization
          header_value: Bearer ${{ env "DECK_OPENAI_API_KEY" }}
        model:
          provider: openai
          name: text-embedding-3-large

      vectordb:
        strategy: redis
        redis:
          host: ${{ env "DECK_REDIS_HOST" }}
          port: 6379
        distance_metric: cosine
        dimensions: 76

      # --- NEW ACL + metadata filtering config ---
      global_acl_config:
        required_auth: true
        allowed_groups:
          - finance
          - admin
        legacy_behavior: deny

      collection_overrides:
        finance-reports:
          require_auth: true
          allowed_groups:
            - finance
            - admin

        public-knowledge:
          require_auth: false
          allowed_groups: []

Information

Due date

TBD with feature release

Size

L β€” new how-to + updates to reference sections

Metadata

Metadata

Assignees

Labels

priority: highproduct:ai-gatewayrelease-docsDocs for release

Type

Feature

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions