From e248a72253c04942a0e4e0c4dc9779132990a700 Mon Sep 17 00:00:00 2001 From: Omer Tuchfeld Date: Tue, 26 Aug 2025 13:51:37 +0200 Subject: [PATCH] Bump lightspeed-stack to authorization commit Bump lightspeed-stack submodule to include the authorization changes from https://github.com/lightspeed-core/lightspeed-stack/pull/356 Use the new authorization features to restrict access to the assisted-chat service to, for now, Red Hat employees only. In the future we can open this up to all authenticated users. Also bumped to a version that no longer requires the patching of llama-stack / lightspeed-stack to support postgres SSL, so removed the patching steps from the Containerfile. --- Containerfile.assisted-chat | 10 ++-------- lightspeed-stack | 2 +- scripts/query.sh | 6 ++++++ template.yaml | 34 ++++++++++++++++++++++++++++++++++ 4 files changed, 43 insertions(+), 9 deletions(-) diff --git a/Containerfile.assisted-chat b/Containerfile.assisted-chat index 8799953e..4e1ae60a 100644 --- a/Containerfile.assisted-chat +++ b/Containerfile.assisted-chat @@ -1,18 +1,12 @@ # vim: set filetype=dockerfile -# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250814-7a531cb -FROM quay.io/lightspeed-core/lightspeed-stack@sha256:90deb575e0c18bdcf9721aa7614826653ad13b717c992f12b89b6e1f0413179c +# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250826-913b5a6 +FROM quay.io/lightspeed-core/lightspeed-stack@sha256:09d6e2222eb058d85bfdc4e1283b18cee086182a711d71e2c983f355af6dc7b7 RUN python3 -m ensurepip --default-pip && pip install --upgrade pip COPY requirements.txt . RUN python3 -m pip install --no-cache-dir -r requirements.txt - -USER root -RUN microdnf install -y patch -RUN curl -L https://github.com/meta-llama/llama-stack/commit/49c34dd0d49a960fec23d0be854890f219d917e7.patch | patch -p1 -d $(dirname $(dirname $(python3 -c "import llama_stack; print(llama_stack.__file__)"))) -RUN curl -L https://github.com/lightspeed-core/lightspeed-stack/commit/c59ea53ccfe1c6e0fb53d3ac880f925d1d3ede68.patch | patch -p1 -d $(dirname $(dirname $(python3 -c "import lightspeed_stack; print(lightspeed_stack.__file__)"))) - USER 1001 EXPOSE 8080 diff --git a/lightspeed-stack b/lightspeed-stack index 053d49fb..913b5a6b 160000 --- a/lightspeed-stack +++ b/lightspeed-stack @@ -1 +1 @@ -Subproject commit 053d49fb6e19c63cd51e77816f7c7cb5907d0f93 +Subproject commit 913b5a6b2887b4b9d47d7621cc3affd69d26e4e8 diff --git a/scripts/query.sh b/scripts/query.sh index 77b7f871..bb5b0cb9 100755 --- a/scripts/query.sh +++ b/scripts/query.sh @@ -218,6 +218,12 @@ if [[ -n "$CONVERSATION_ID" ]]; then else # Only select model for new conversations echo "Selecting model for new conversation..." + + if ! get_ocm_token; then + echo "Failed to get OCM token for query" + return 1 + fi + MODELS=$(get_available_models) model_selection=$(select_model "$MODELS") MODEL_NAME=$(echo "$model_selection" | cut -d'|' -f1) diff --git a/template.yaml b/template.yaml index bd6f618c..aab410ae 100644 --- a/template.yaml +++ b/template.yaml @@ -165,6 +165,40 @@ objects: jwt_configuration: user_id_claim: ${USER_ID_CLAIM} username_claim: ${USERNAME_CLAIM} + role_rules: + - jsonpath: "$.realm_access.roles[*]" + operator: "contains" + value: "redhat:employees" + roles: ["redhat_employee"] + authorization: + access_rules: + - role: redhat_employee + actions: + - get_models + # Temporarily we only want redhat employees to be able to use the service, + # uncomment when we want to allow all authenticated users + # - role: "*" + # actions: + - query + - streaming_query + - get_conversation + - list_conversations + - delete_conversation + - feedback + - get_metrics + - info + # "nobody" is a made up role, doesn't do anything but just good for being explicit + # about what is not allowed by anyone + - role: nobody + actions: + # This exposes the database password - once LSC fixes this issue we + # can allow this for employees + - get_config + # For now we don't want to let even administrators / employees access other users conversations + - query_other_conversations + - delete_other_conversations + - list_other_conversations + - read_other_conversations mcp_servers: - name: mcp::assisted url: "${MCP_SERVER_URL}"