feat: add infra-admin plane gated by OPENRAG_ENABLE_INFRA_ENDPOINTS #1594

Closed
edwinjosechittilappilly wants to merge 3 commits into main from feat-infra

@edwinjosechittilappilly
Collaborator

  Add a higher-privilege /api/infra/* router that bypasses the DB-resident
  RBAC at /api/admin/*: a configurable JWT claim grants access in SaaS /
  on_prem mode, HTTP Basic in OSS. Lets an operator bootstrap a fresh
  install before any user rows exist.

  The plane owns OpenSearch security setup + post-bootstrap user
  provisioning + (via the same idempotent endpoint) DLS config updates.
  A new migration_status row "opensearch_security_v1" tracks setup state;
  the status endpoint also probes OpenSearch for drift.

  Master flag OPENRAG_ENABLE_INFRA_ENDPOINTS (default false) gates the
  entire surface:
    - When false, the router is NOT mounted and today's startup behaviour
      is preserved exactly (auto-OpenSearch-setup + first-user-admin).
    - When true, OPENRAG_AUTO_OPENSEARCH_SETUP and OPENRAG_AUTO_FIRST_ADMIN
      become operator-controlled. The infra endpoint registers admins
      explicitly when first-user-admin is disabled.

  Default OSS installs see zero behaviour change.

  Endpoints (all gated by require_infra_admin()):
    GET    /api/infra/opensearch/status     - docling-style status report
    POST   /api/infra/opensearch/setup      - idempotent setup + DLS update
    GET    /api/infra/users                 - list users
    GET    /api/infra/users/{id}            - read user
    POST   /api/infra/users                 - create user with optional roles
    PATCH  /api/infra/users/{id}            - update is_active / display / roles
    PUT    /api/infra/users/{id}/roles      - replace full role set atomically
    DELETE /api/infra/users/{id}            - delete user (last-admin guarded)

  Audit rows use actor_user_id=None with {actor, source} in audit_metadata
  because the infra principal is not (yet) a row in the users table.

  New env vars:
    OPENRAG_ENABLE_INFRA_ENDPOINTS    master kill-switch (default: false)
    OPENRAG_AUTO_OPENSEARCH_SETUP     skip startup auto-setup (default: true)
    OPENRAG_AUTO_FIRST_ADMIN          skip first-user-admin (default: true)
    OPENRAG_INFRA_ADMIN_CLAIM         JWT claim name (default: roles)
    OPENRAG_INFRA_ADMIN_CLAIM_VALUES  comma-separated accepted values
                                      (default: Manager)
    OPENRAG_INFRA_ADMIN_USER          OSS basic-auth username (falls back to
                                      OPENSEARCH_USERNAME)
    OPENRAG_INFRA_ADMIN_PASSWORD      OSS basic-auth password (falls back to
                                      OPENSEARCH_PASSWORD)
    OPENRAG_INFRA_ALLOW_INSECURE      permit basic-auth over plain HTTP
                                      (default: false; localhost is exempt;
                                      honours X-Forwarded-Proto)
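
An added example, not code from this PR: one way to express the transport rule described for OPENRAG_INFRA_ALLOW_INSECURE (Basic auth refused over plain HTTP, localhost exempt, X-Forwarded-Proto honoured). The function names and the `trusted_proxies` allow-list are assumptions introduced here; the header is believed only when the immediate peer is a listed proxy, which is assumed to overwrite it.

```python
import ipaddress


def is_loopback(host):
    """True for 'localhost' or any loopback IP literal (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def basic_auth_transport_ok(scheme, peer, headers, allow_insecure=False,
                            trusted_proxies=frozenset()):
    """Decide whether Basic credentials may be accepted on this request.

    scheme          - scheme of the socket the app itself accepted
    peer            - address of the immediate TCP peer
    headers         - request headers keyed by lower-cased name
    trusted_proxies - hypothetical allow-list, not a setting from the PR
    """
    if allow_insecure or scheme == "https":
        return True
    forwarded = headers.get("x-forwarded-proto")
    if forwarded is not None:
        # A forwarding header means the request was proxied, so the loopback
        # exemption must not apply: behind a same-host proxy every peer is
        # loopback. Any client can send this header, so trust it only when
        # the peer is a known proxy.
        return forwarded.strip().lower() == "https" and peer in trusted_proxies
    # Direct, unproxied request: only the localhost exemption remains.
    return is_loopback(peer)
```
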
Refactor infra auth dependency to use FastAPI HTTPBasic for OSS and a unified JWT path for SaaS/on_prem. Basic auth now uses HTTPBasic (auto_error=False) and enforces HTTPS, removing manual base64 parsing; _verify_basic accepts HTTPBasicCredentials. JWT handling was refactored into _decode_jwt which tries native OpenRAG tokens (Authorization or auth_token cookie) then falls back to decoding an IBM session cookie (without signature verification) when present. Added claim/role checking, improved error semantics, and small typing/cleanup changes. Tests updated to cover IBM session cookie fallback, non-matching roles, and missing claim-values behavior.
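
An added example, not the PR's `_decode_jwt` or `require_infra_admin()`: a claim gate that checks OPENRAG_INFRA_ADMIN_CLAIM against OPENRAG_INFRA_ADMIN_CLAIM_VALUES only after the token's signature and expiry verify. HS256 with a shared key, the function names, and denying when the accepted-values list is empty are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def sign_hs256(claims, key):
    """Build a constructed HS256 token (demo input only)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"


def verified_claims(token, key, now=None):
    """Return the claims dict only if alg, MAC and exp all check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):  # constant-time compare
            return None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: fail closed
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        return None
    return claims


def is_infra_admin(claims, claim_name="roles", accepted=("Manager",)):
    """Claim gate; defaults mirror the env-var defaults listed in the PR."""
    if not claims or not accepted:  # nothing verified, or empty allow-list (assumed deny)
        return False
    value = claims.get(claim_name)
    if isinstance(value, str):
        held = {value}
    elif isinstance(value, list):
        held = {v for v in value if isinstance(v, str)}
    else:
        held = set()
    return bool(held & set(accepted))
```

Claims read from a token or cookie whose signature was not checked have not passed `verified_claims`, so a gate like `is_infra_admin` gives no assurance about who set them.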
@coderabbitai
Contributor

coderabbitai Bot commented May 13, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions Bot added backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) tests labels May 13, 2026
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels May 13, 2026
@edwinjosechittilappilly
Collaborator Author

Will be closed soon.
Operator to handle the Cloud Security config updation for OpenSearch.

Only take in the code to disable OpenSearch updation of security config during onboarding.
