Bump lightspeed-stack to authorization commit #152
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1,12 @@ | ||
| # vim: set filetype=dockerfile | ||
| # This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250814-7a531cb | ||
| FROM quay.io/lightspeed-core/lightspeed-stack@sha256:90deb575e0c18bdcf9721aa7614826653ad13b717c992f12b89b6e1f0413179c | ||
| # This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250826-913b5a6 | ||
| FROM quay.io/lightspeed-core/lightspeed-stack@sha256:09d6e2222eb058d85bfdc4e1283b18cee086182a711d71e2c983f355af6dc7b7 | ||
|
|
||
| RUN python3 -m ensurepip --default-pip && pip install --upgrade pip | ||
|
|
||
| COPY requirements.txt . | ||
| RUN python3 -m pip install --no-cache-dir -r requirements.txt | ||
|
|
||
|
|
||
| USER root | ||
| RUN microdnf install -y patch | ||
| RUN curl -L https://github.com/meta-llama/llama-stack/commit/49c34dd0d49a960fec23d0be854890f219d917e7.patch | patch -p1 -d $(dirname $(dirname $(python3 -c "import llama_stack; print(llama_stack.__file__)"))) | ||
| RUN curl -L https://github.com/lightspeed-core/lightspeed-stack/commit/c59ea53ccfe1c6e0fb53d3ac880f925d1d3ede68.patch | patch -p1 -d $(dirname $(dirname $(python3 -c "import lightspeed_stack; print(lightspeed_stack.__file__)"))) | ||
|
|
||
| USER 1001 | ||
|
|
||
| EXPOSE 8080 |
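Review bot: Please confirm that the image tagged dev-20250826-913b5a6 already contains both commits that the two `curl -L ... | patch -p1` lines were applying (49c34dd from llama-stack and c59ea53 from lightspeed-stack). The hunk header goes from 18 lines to 12, which matches the `USER root` / `microdnf install -y patch` / `curl | patch` block being dropped, and nothing visible in this hunk shows that those fixes are part of the new digest. Dropping the build-time download of unverified patches applied as root is a good change in itself. It would also help to say in the PR description how the `sha256:` digest in `FROM` was obtained from the tag named in the comment above it, since the two are kept in sync by hand.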
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -165,6 +165,40 @@ objects: | |
| jwt_configuration: | ||
| user_id_claim: ${USER_ID_CLAIM} | ||
| username_claim: ${USERNAME_CLAIM} | ||
| role_rules: | ||
|
Collaborator
Let's move this to a parameter so we can tweak it from app interface
Member
Author
What kind of parameter?
||
| - jsonpath: "$.realm_access.roles[*]" | ||
| operator: "contains" | ||
| value: "redhat:employees" | ||
| roles: ["redhat_employee"] | ||
| authorization: | ||
|
Collaborator
Same
||
| access_rules: | ||
| - role: redhat_employee | ||
| actions: | ||
| - get_models | ||
| # Temporarily we only want redhat employees to be able to use the service, | ||
| # uncomment when we want to allow all authenticated users | ||
| # - role: "*" | ||
| # actions: | ||
| - query | ||
| - streaming_query | ||
| - get_conversation | ||
| - list_conversations | ||
| - delete_conversation | ||
| - feedback | ||
| - get_metrics | ||
| - info | ||
| # "nobody" is a made up role, doesn't do anything but just good for being explicit | ||
| # about what is not allowed by anyone | ||
| - role: nobody | ||
| actions: | ||
| # This exposes the database password - once LSC fixes this issue we | ||
| # can allow this for employees | ||
| - get_config | ||
| # For now we don't want to let even administrators / employees access other users conversations | ||
| - query_other_conversations | ||
| - delete_other_conversations | ||
| - list_other_conversations | ||
| - read_other_conversations | ||
| mcp_servers: | ||
| - name: mcp::assisted | ||
| url: "${MCP_SERVER_URL}" | ||
|
|
||
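Review bot: In `role_rules`, please confirm that `operator: "contains"` applied to `$.realm_access.roles[*]` compares whole list elements and not substrings; if it is a substring match, any realm role whose name merely includes `redhat:employees` would be mapped to `redhat_employee`. Separately, the `- role: nobody` block keeps `get_config` and the `*_other_conversations` actions closed only as long as no role rule ever produces the role `nobody` and actions not granted to a caller's roles are denied by default. A comment stating that assumption, or a test that a `redhat_employee` token is refused `get_config`, would guard the database password the comment mentions. Note also that when the `# - role: "*"` lines are uncommented, `get_models` stays limited to `redhat_employee`; say so in the comment if that is intended.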
🛠️ Refactor suggestion
Top-level 'return' will abort with a confusing bash error; use 'exit 1' instead.
This block runs at the top level (not inside a function). Using 'return' here emits "bash: return: can only `return' from a function or sourced script" and exits due to `set -e`, but the error is noisy and misleading. Replace with `exit 1`.