Merged
10 changes: 2 additions & 8 deletions Containerfile.assisted-chat
@@ -1,18 +1,12 @@
# vim: set filetype=dockerfile
# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250814-7a531cb
FROM quay.io/lightspeed-core/lightspeed-stack@sha256:90deb575e0c18bdcf9721aa7614826653ad13b717c992f12b89b6e1f0413179c
# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250826-913b5a6
FROM quay.io/lightspeed-core/lightspeed-stack@sha256:09d6e2222eb058d85bfdc4e1283b18cee086182a711d71e2c983f355af6dc7b7

RUN python3 -m ensurepip --default-pip && pip install --upgrade pip

COPY requirements.txt .
RUN python3 -m pip install --no-cache-dir -r requirements.txt


USER root
RUN microdnf install -y patch
RUN curl -L https://github.com/meta-llama/llama-stack/commit/49c34dd0d49a960fec23d0be854890f219d917e7.patch | patch -p1 -d $(dirname $(dirname $(python3 -c "import llama_stack; print(llama_stack.__file__)")))
RUN curl -L https://github.com/lightspeed-core/lightspeed-stack/commit/c59ea53ccfe1c6e0fb53d3ac880f925d1d3ede68.patch | patch -p1 -d $(dirname $(dirname $(python3 -c "import lightspeed_stack; print(lightspeed_stack.__file__)")))

USER 1001

EXPOSE 8080
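
Review bot: The `RUN python3 -m ensurepip --default-pip && pip install --upgrade pip` line leaves pip unpinned, so each build pulls whatever pip release is current even though the base image is pinned by digest; pin the pip version (or drop the upgrade) to keep builds reproducible. The comment above `FROM` is the only link between the digest and the `dev-20250826-913b5a6` tag and nothing checks it, so please confirm the digest against the registry when bumping. If the two `curl -L ... | patch -p1` steps after `USER root` are among the eight deleted lines, that is a welcome cleanup, since they applied unverified network content as root at build time.
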
2 changes: 1 addition & 1 deletion lightspeed-stack
Submodule lightspeed-stack updated 46 files
+2 −1 .github/workflows/e2e_tests.yaml
+25 −0 README.md
+134 −11 docs/openapi.json
+66 −6 docs/openapi.md
+69 −9 docs/output.md
+3 −2 pyproject.toml
+1 −0 run.yaml
+48 −31 scripts/gen_doc.py
+23 −0 src/README.md
+1 −1 src/__init__.py
+3 −2 src/app/endpoints/authorized.py
+19 −4 src/app/endpoints/config.py
+27 −8 src/app/endpoints/conversations.py
+6 −3 src/app/endpoints/feedback.py
+23 −4 src/app/endpoints/health.py
+20 −3 src/app/endpoints/info.py
+19 −2 src/app/endpoints/metrics.py
+21 −3 src/app/endpoints/models.py
+12 −4 src/app/endpoints/query.py
+20 −3 src/app/endpoints/root.py
+7 −1 src/app/endpoints/streaming_query.py
+2 −1 src/auth/jwk_token.py
+1 −0 src/authorization/__init__.py
+115 −0 src/authorization/middleware.py
+186 −0 src/authorization/resolvers.py
+1 −1 src/client.py
+13 −0 src/configuration.py
+1 −1 src/constants.py
+1 −1 src/lightspeed_stack.py
+118 −3 src/models/config.py
+16 −6 src/utils/endpoints.py
+22 −7 tests/unit/app/endpoints/test_config.py
+132 −37 tests/unit/app/endpoints/test_conversations.py
+11 −4 tests/unit/app/endpoints/test_feedback.py
+20 −7 tests/unit/app/endpoints/test_health.py
+14 −2 tests/unit/app/endpoints/test_info.py
+7 −1 tests/unit/app/endpoints/test_metrics.py
+30 −6 tests/unit/app/endpoints/test_models.py
+54 −18 tests/unit/app/endpoints/test_query.py
+8 −2 tests/unit/app/endpoints/test_root.py
+11 −2 tests/unit/auth/test_jwk_token.py
+1 −0 tests/unit/authorization/__init__.py
+101 −0 tests/unit/authorization/test_resolvers.py
+2 −0 tests/unit/models/test_config.py
+27 −0 tests/unit/utils/auth_helpers.py
+31 −8 uv.lock
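
Review bot: The submodule bump brings in 46 files, including the new `src/authorization/middleware.py` and `src/authorization/resolvers.py`, but nothing visible here ties the new submodule commit to the image pinned in `Containerfile.assisted-chat` (`dev-20250826-913b5a6`). State the submodule commit in the PR description and confirm it matches the commit that image tag was built from, so the checked-out source and the running image carry the same authorization code.
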
6 changes: 6 additions & 0 deletions scripts/query.sh
@@ -218,6 +218,12 @@ if [[ -n "$CONVERSATION_ID" ]]; then
else
# Only select model for new conversations
echo "Selecting model for new conversation..."

if ! get_ocm_token; then
echo "Failed to get OCM token for query"
return 1
fi

Comment on lines +221 to +226
🛠️ Refactor suggestion

Top-level 'return' will abort with a confusing bash error; use 'exit 1' instead.

This block runs at the top level (not inside a function). Using 'return' here emits "bash: return: can only `return' from a function or sourced script" and exits due to set -e, but the error is noisy and misleading. Replace with `exit 1`.

-    if ! get_ocm_token; then
-        echo "Failed to get OCM token for query"
-        return 1
-    fi
+    if ! get_ocm_token; then
+        echo "Failed to get OCM token for model listing"
+        exit 1
+    fi
🤖 Prompt for AI Agents
In scripts/query.sh around lines 221 to 226, the script uses "return 1" at
top-level which causes a confusing "can only `return' from a function or sourced
script" error; replace the top-level "return 1" with "exit 1" so the script
terminates cleanly when get_ocm_token fails, ensuring consistent exit behavior
under set -e.

MODELS=$(get_available_models)
model_selection=$(select_model "$MODELS")
MODEL_NAME=$(echo "$model_selection" | cut -d'|' -f1)
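
Review bot: In the new `if ! get_ocm_token` block, the failure message is written to stdout; send it to stderr (`echo "..." >&2`) so it is not mixed into output that callers capture or pipe. The `return 1` on the next line also deserves the change suggested in the inline comment: the hunk header context is an unindented `if [[ -n "$CONVERSATION_ID" ]]`, which points to top-level code where `return` is invalid, so `exit 1` is the right call. The `MODELS=$(get_available_models)` line that follows does not check for an empty result before it is passed to `select_model`.
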
34 changes: 34 additions & 0 deletions template.yaml
@@ -165,6 +165,40 @@ objects:
jwt_configuration:
user_id_claim: ${USER_ID_CLAIM}
username_claim: ${USERNAME_CLAIM}
role_rules:
Collaborator

Let's move this to a parameter so we can tweak it from app interface

Member Author

What kind of parameter?

- jsonpath: "$.realm_access.roles[*]"
operator: "contains"
value: "redhat:employees"
roles: ["redhat_employee"]
authorization:
Collaborator

Same

access_rules:
- role: redhat_employee
actions:
- get_models
# Temporarily we only want redhat employees to be able to use the service,
# uncomment when we want to allow all authenticated users
# - role: "*"
# actions:
- query
- streaming_query
- get_conversation
- list_conversations
- delete_conversation
- feedback
- get_metrics
- info
# "nobody" is a made up role, doesn't do anything but just good for being explicit
# about what is not allowed by anyone
- role: nobody
actions:
# This exposes the database password - once LSC fixes this issue we
# can allow this for employees
- get_config
# For now we don't want to let even administrators / employees access other users conversations
- query_other_conversations
- delete_other_conversations
- list_other_conversations
- read_other_conversations
mcp_servers:
- name: mcp::assisted
url: "${MCP_SERVER_URL}"
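
Review bot: The `nobody` block at the end of `access_rules` lists `get_config`, which the comment says exposes the database password, under a role that is unassigned only by convention; any future `role_rules` entry that yields `nobody` would grant it along with the four `*_other_conversations` actions. If unlisted actions are denied by default, record these in a comment instead of an access rule, or add a check that no role rule can produce `nobody`. In `role_rules`, please also confirm that `operator: "contains"` tests exact membership in `$.realm_access.roles[*]` rather than a substring match on `redhat:employees`. The commented-out `- role: "*"` lines sit in the middle of the `redhat_employee` action list, so a short note on which actions stay employee-only after uncommenting would help.
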