Skip to main content

Multi-user RAG server with team access control — built on zettabrain-rag

Project description

ZettaBrain Teams

Multi-user RAG server with team access control — the enterprise layer built on zettabrain-rag.

Fully self-hosted, no cloud dependencies, runs entirely on your own infrastructure.


Features

Access Control

  • JWT-based login with system-wide admin and user roles
  • Teams with per-member manager / member / viewer roles
  • Admins can create, deactivate, and delete users
  • Forced password change on first login

Multi-Tenant RAG

  • Per-team isolated document collections (separate ChromaDB store per team)
  • Per-team BM25 keyword index — IDF computed exclusively from each team's corpus, eliminating cross-team document leakage
  • Hybrid retrieval: semantic MMR + BM25 keyword search + FlashRank re-ranking
  • In-UI document ingestion — set a docs folder per team and click Ingest Docs
  • Incremental ingestion with MD5 hash tracking (re-ingests only changed files)

Active Directory / LDAP

  • Connect to any Active Directory or LDAP server from the admin panel
  • Test connection, run user searches, and preview results before importing
  • Import AD users directly into teams with a chosen role
  • Configurable base DN, bind credentials, and user filter

ZettaBrain Verified — Answer Provenance

  • Every chat answer produces a cryptographically signed provenance bundle
  • Bundle covers: SHA-256 of the query, SHA-256 of each retrieved chunk, SHA-256 of the answer, model identifier, and team ID
  • Signed with an Ed25519 key generated at first server start and stored at /opt/zettabrain-teams/data/server_signing.key
  • Admin UI shows a 🛡 Verify button on every audit log entry — one click confirms the answer bundle has not been altered
  • Public key exposed at GET /api/admin/keys/public for out-of-band verification

Audit Log

  • Every query recorded with: user, team, query text, response preview, confidence score, duration, model, chunk count
  • Full date-range filtering (last 24h / 3d / 7d / 30d / all time / custom)
  • Provenance signature included in CSV export
  • Admin-only access

Admin Portal

  • Dedicated /admin URL with sidebar navigation
  • Dashboard with live stats: users, teams, total queries, average confidence
  • System config panel — change LLM/embed models, Ollama host from the UI
  • Pull new Ollama models directly from the admin panel
  • One-page web UI for both chat portal and admin console

Quick install (Linux server, run as root)

# 1. Install pipx if needed
python3 -m pip install pipx && python3 -m pipx ensurepath

# 2. Install zettabrain-teams
pipx install git+https://github.com/zettabrain/zettabrain-teams

# 3. Run the one-command setup (installs Ollama, pulls models, creates systemd service)
sudo zettabrain-teams-setup

That's it. The setup script:

  • Installs Ollama if not present
  • Interactively selects LLM and embedding models (defaults: llama3.1:8b + nomic-embed-text)
  • Creates /opt/zettabrain-teams/{data,chromadb,certs}
  • Registers and starts a zettabrain-teams systemd service

Then open http://<your-server-ip>:7861 in a browser.
Default credentials: admin / P@ssword! (you will be prompted to change on first login).


Setup options

sudo zettabrain-teams-setup \
  --port  7861 \
  --llm   llama3.1:8b \
  --embed nomic-embed-text \
  --no-systemd        # skip systemd, start manually instead

Starting / stopping

# Managed by systemd after setup
sudo systemctl start   zettabrain-teams
sudo systemctl stop    zettabrain-teams
sudo systemctl restart zettabrain-teams
sudo journalctl -u zettabrain-teams -f   # live logs

# Or start manually (dev / testing)
zettabrain-teams --port 7861

Firewall

Open port 7861 on your firewall or cloud security group so users can reach the UI.

AWS example:

aws ec2 authorize-security-group-ingress \
  --group-id sg-xxxxxxxx \
  --protocol tcp --port 7861 --cidr 0.0.0.0/0

UFW example:

sudo ufw allow 7861/tcp

Admin workflow

  1. Log in at http://<ip>:7861 with admin + your password
  2. Admin → Users & LDAP — create user accounts or import from Active Directory
  3. Admin → Teams & Storage — create a team, expand it, add users with roles, set the docs folder path
  4. Click Ingest Docs in the team card to index documents from the configured folder
  5. Admin → Audit Log — review all queries, filter by date, verify answer provenance, export CSV
  6. Users log in at http://<ip>:7861, select their team from the sidebar, and start chatting

Active Directory setup

In Admin → Users & LDAP, fill in:

Field Example
LDAP URL ldap://dc.company.local:389
Base DN DC=company,DC=local
Bind DN CN=svc-account,OU=Service Accounts,DC=company,DC=local
Bind Password your service account password
User Filter (&(objectClass=user)(sAMAccountName=*))

Use Test Connection to verify, then Search Users to preview, then Import Selected to add users to a team.


ZettaBrain Verified — verification workflow

Every chat answer is stored with a provenance signature. To verify:

In the UI:

  1. Go to Admin → Audit Log
  2. Click 🛡 Verify on any log entry with a signature
  3. A green ✓ Valid or red ✗ Invalid result appears inline

Via API (out-of-band):

# Get server public key
curl -H "Authorization: Bearer $TOKEN" \
  http://localhost:7861/api/admin/keys/public

# Verify a specific log entry
curl -H "Authorization: Bearer $TOKEN" \
  http://localhost:7861/api/admin/audit/42/verify

The private key never leaves /opt/zettabrain-teams/data/server_signing.key. Back this file up — losing it means existing signatures can no longer be verified.


Configuration

/opt/zettabrain-teams/teams.env is written on first setup:

Variable Default Description
ZBT_PORT 7861 Server port
ZETTABRAIN_LLM_MODEL llama3.1:8b Ollama LLM model
ZETTABRAIN_EMBED_MODEL nomic-embed-text Ollama embed model
OLLAMA_HOST http://localhost:11434 Remote Ollama if not local
ZBT_JWT_SECRET auto-generated JWT signing secret
ZBT_TOKEN_EXPIRE 480 Token expiry in minutes
ZBT_TLS_CERT Path to TLS cert (enables HTTPS)
ZBT_TLS_KEY Path to TLS private key

All variables can also be overridden via shell environment. The admin System Config panel in the UI can update model and Ollama settings without editing the file.


Requirements

  • Linux (Ubuntu 20.04+ recommended)
  • Python 3.9+
  • 8 GB RAM minimum (16 GB recommended for llama3.1:8b)
  • ~10 GB disk for models

GPU is optional — Ollama runs in CPU-only mode if no GPU is detected.


Architecture

zettabrain-teams (port 7861)
├── FastAPI + SQLModel (SQLite)        — users, teams, audit log, system config
├── JWT auth + bcrypt                  — login / token / role enforcement
├── Active Directory / LDAP connector  — AD import + auth
├── ChromaDB (per team)                — /opt/zettabrain-teams/chromadb/<slug>/
├── BM25 index (per team)              — <slug>/bm25_index.pkl (team-scoped IDF)
├── Ed25519 signing key                — /opt/zettabrain-teams/data/server_signing.key
└── zettabrain-rag                     — hybrid_retrieve(), RAG prompt, embeddings
        └── Ollama (port 11434)        — LLM + embeddings (fully local)

Upgrading

pipx upgrade zettabrain-teams
# or reinstall from GitHub for latest commit:
pipx reinstall zettabrain-teams
sudo systemctl restart zettabrain-teams

Database migrations run automatically on startup — existing data is preserved.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

zettabrain_teams-0.2.1.tar.gz (56.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

zettabrain_teams-0.2.1-py3-none-any.whl (60.3 kB view details)

Uploaded Python 3

File details

Details for the file zettabrain_teams-0.2.1.tar.gz.

File metadata

  • Download URL: zettabrain_teams-0.2.1.tar.gz
  • Upload date:
  • Size: 56.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for zettabrain_teams-0.2.1.tar.gz
Algorithm Hash digest
SHA256 c2f18c53ad42b8814980cd9732a3b981b2539ebf8ebe1f0ea118cbb415f8e498
MD5 0df2a700a3ef750f5f9a06927d550e3e
BLAKE2b-256 7e77b9ab82000a1db4fb13f64cd07ee1ba92339029677e747a07700dd8b89d12

See more details on using hashes here.

File details

Details for the file zettabrain_teams-0.2.1-py3-none-any.whl.

File metadata

File hashes

Hashes for zettabrain_teams-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 6c5904fe19e851dbb8649da57376999e60c1a1f7509dddcf1f933db0dda08fd9
MD5 36251fe5c84af6e9b72b6c248dd9051f
BLAKE2b-256 f9ee8cf2a2257dbbc5777d32e9d67a5713db8f10389c4c815ecb251142dd4118

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page