Semantic Kernel | 如何透過Kernel Memory對RAG資料的進行權限控管

2024-04-16

前言

在Kernel Memory (KM) 使用 Postgres 當 Vector DB中，
我們將許多文件的內容轉成 Vector 放到 PostgreSQL 之中，進行查詢。
然而在企業應用中，查詢時要依使用者的權限進行過濾，在Kernel Memory中要如何做呢?

實作

依Kernel Memory Security Filters可以在查詢時進行過濾。
1.先將 2 份文件(km1.txt, km2.txt)放到 PostgreSQL

var postgresqlConnstring = "postgresqlConnstring";
var azureAIChatOptions = new AzureOpenAIConfig { Auth= AzureOpenAIConfig.AuthTypes.APIKey,  APIKey = "apikey", Endpoint = "aoai endpoint", Deployment = "deployment name" };
var azureAIEmbeddingOptions = new AzureOpenAIConfig { Auth = AzureOpenAIConfig.AuthTypes.APIKey,  APIKey = "apikey", Endpoint = "aoai endpoint", Deployment = "deployment name" };
var kernelMemoryBuilder = new KernelMemoryBuilder()
    .WithPostgresMemoryDb(postgresqlConnstring)
    .WithAzureOpenAITextGeneration(azureAIChatOptions)
    .WithAzureOpenAITextEmbeddingGeneration(azureAIEmbeddingOptions);

var kernelMemory = kernelMemoryBuilder.Build();
//先存file
var index = "km1";
var docId1 = "1";
await kernelMemory.ImportDocumentAsync(new Document(docId1)
   .AddFile(@"C:\docs\km1.txt") //說明 kernel memory
   .AddTag("id", docId1)
   .AddTag("user", "user1")
   , index: index);

var docId2 = "2";
await kernelMemory.ImportDocumentAsync(new Document(docId2)
   .AddFile(@"C:\docs\km2.txt") //說明 kernel memory
   .AddTag("id", docId2)
   .AddTag("user", "user2")
   , index: index);

2.查詢時，依文件 id 過濾
假設使用者只允許讀取km1.txt，所以在查詢時，可以加上filter or filters(要使用OR條件)，如下，

var question = "Kernel Memory 是什麼?";
var answer = await kernelMemory.AskAsync(question
    , filters: new List<MemoryFilter>
                {
                    MemoryFilters.ByDocument("1")
                    ,
                    // or
                    //MemoryFilters.ByTag("id", "2")
                }
    ,index: index);
Console.WriteLine($"\nQuestion: {question}");
Console.WriteLine($"\nAnswer: {answer.Result}");
Console.WriteLine($" ====== 參考資訊 ======");
foreach (var r in answer.RelevantSources)
{
    Console.WriteLine($"Source:{r.SourceName}");
}

所以結果只會從km1.txt的內容來產生。
上面的做法是依使用者可以存取到的文件來加入filters之中，
就可以做到對 RAG 資料的進行權限控管
結果如下，

Q.但如果將查詢到的資料源，自已過濾後，再產生答案呢?

那就不能使用AskAsync，而要使用SearchAsync將相似的內容找出來後，再進行過濾(假設只取km1.txt)
3.自行過濾文件再產生結果
參考Kernel Memory-SearchClient.cs中的AskAsync來自行過濾，如下，

var noAnswerFound = new MemoryAnswer
{
    Question = question,
    NoResult = true,
    Result = "INFO NOT FOUND",
};
var selfAnswer = noAnswerFound;
var searchResult = await kernelMemory.SearchAsync(question, index: index);
var facts = new StringBuilder();
foreach (var r in searchResult.Results)
{
    if(r.DocumentId== "1")
    {
        foreach (var p in r.Partitions)
        {
            var fact = $"==== [File:{r.SourceName};Relevance:{p.Relevance:P1}]:\n{p.Text}\n";
            facts.Append(fact);
        }
        selfAnswer.RelevantSources.Add(r);
    }
}
//產生答案
var answerWithFacts = """
    Facts:
    {{$facts}}
    ======
    Given only the facts above, provide a comprehensive/detailed answer.
    You don't know where the knowledge comes from, just answer.
    If you don't have sufficient information, reply with 'INFO NOT FOUND'.
    Question: {{$input}}
    Answer:
    """;
var prompt = answerWithFacts.Replace("{{$facts}}", facts.ToString().Trim(), StringComparison.OrdinalIgnoreCase);
question = question.EndsWith('?') ? question : $"{question}?";
prompt = prompt.Replace("{{$input}}", question, StringComparison.OrdinalIgnoreCase);
var textGenerator = kernelMemoryBuilder.GetOrchestrator().GetTextGenerator();
var options = new TextGenerationOptions
{
    Temperature = 0
};
var generateResult = textGenerator.GenerateTextAsync(prompt, options);
var generateText = new StringBuilder();
await foreach (var x in generateResult.ConfigureAwait(false))
{
    generateText.Append(x);
}
Console.WriteLine($"\nQuestion: {question}");
Console.WriteLine($"\nAnswer: {generateText.ToString()}");
Console.WriteLine($" ====== 參考資訊 ======");
foreach (var r in selfAnswer.RelevantSources)
{
    Console.WriteLine($"Source:{r.SourceName}");
}

透過SearchAsync取得結果後，再自行針對來源進行過濾，再將組合好的內容透過TextGenerator來產生結果。
結果如下，

註:請再針對查無資料進行處理。

以上介紹透過 Kernel Memory 提供的 Security Filters 方式，
及自行進行資料權控過濾的方式，透過 Kernel Memory 真的很方便。

參考資源

Kernel Memory (KM) 使用 Postgres 當 Vector DB
Kernel Memory Security Filters
How are people ensuring secure access to RAG data
Kernel Memory-SearchClient.cs

一滴水一個泡，一報還一報: 因果循環，報應必爽，勸人要行好事，尊德性。

jsonContent: meta: false pages: false posts: title: true date: true path: true text: false raw: false content: false slug: false updated: false comments: false link: false permalink: false excerpt: false categories: false tags: true