Bump lightspeed-stack to authorization commit

omertuc · omertuc · commit b33e3eb5ef83 · 2025-08-26T13:59:23.000+02:00
Bump lightspeed-stack submodule to include the authorization changes from lightspeed-core/lightspeed-stack#356 Use the new authorization features to restrict access to the assisted-chat service to, for now, Red Hat employees only. In the future we can open this up to all authenticated users.
diff --git a/Containerfile.assisted-chat b/Containerfile.assisted-chat
@@ -1,6 +1,6 @@
 # vim: set filetype=dockerfile
-# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250814-7a531cb
-FROM quay.io/lightspeed-core/lightspeed-stack@sha256:90deb575e0c18bdcf9721aa7614826653ad13b717c992f12b89b6e1f0413179c
+# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250826-969904b
+FROM quay.io/lightspeed-core/lightspeed-stack@sha256:5582703f6220f0668ea465c66e81f2a5a425437e1a12b4419c8a61e930a11aad
 
 RUN python3 -m ensurepip --default-pip && pip install --upgrade pip
 
diff --git a/lightspeed-stack b/lightspeed-stack
@@ -1 +1 @@
-Subproject commit 053d49fb6e19c63cd51e77816f7c7cb5907d0f93
+Subproject commit 969904b4aef1dbe4379b279effe065237233a687
diff --git a/scripts/query.sh b/scripts/query.sh
@@ -218,6 +218,12 @@ if [[ -n "$CONVERSATION_ID" ]]; then
 else
     # Only select model for new conversations
     echo "Selecting model for new conversation..."
+
+    if ! get_ocm_token; then
+        echo "Failed to get OCM token for query"
+        return 1
+    fi
+
     MODELS=$(get_available_models)
     model_selection=$(select_model "$MODELS")
     MODEL_NAME=$(echo "$model_selection" | cut -d'|' -f1)
diff --git a/template.yaml b/template.yaml
@@ -165,6 +165,40 @@ objects:
           jwt_configuration:
             user_id_claim: ${USER_ID_CLAIM}
             username_claim: ${USERNAME_CLAIM}
+            role_rules:
+              - jsonpath: "$.realm_access.roles[*]"
+                operator: "contains"
+                value: "redhat:employees"
+                roles: ["redhat_employee"]
+      authorization:
+        access_rules:
+          - role: redhat_employee
+            actions:
+            - get_models
+          # Temporarily we only want redhat employees to be able to use the service,
+          # uncomment when we want to allow all authenticated users
+          # - role: "*"
+          #   actions:
+            - query
+            - streaming_query
+            - get_conversation
+            - list_conversations
+            - delete_conversation
+            - feedback
+            - get_metrics
+            - info
+          # "nobody" is a made up role, doesn't do anything but just good for being explicit
+          # about what is not allowed by anyone
+          - role: nobody
+            actions:
+            # This exposes the database password - once LSC fixes this issue we
+            # can allow this for employees
+            - get_config
+            # For now we don't want to let even administrators / employees access other users conversations
+            - query_other_conversations
+            - delete_other_conversations
+            - list_other_conversations
+            - read_other_conversations
       mcp_servers:
         - name: mcp::assisted
           url: "${MCP_SERVER_URL}"
