Merged
2 changes: 2 additions & 0 deletions template-params.dev.env
Expand Up @@ -6,3 +6,5 @@ LIGHTSPEED_FEEDBACK_ENABLED=false
DISABLE_QUERY_SYSTEM_PROMPT=false
ASSISTED_CHAT_DEFAULT_MODEL=gemini/gemini-2.0-flash
LIGHTSSPEED_STACK_POSTGRES_SSL_MODE=disable
AUTHN_ROLE_RULES='[{"jsonpath":"$.realm_access.roles[*]","operator":"contains","value":"redhat:employees","roles":["redhat_employee"]}]'
AUTHZ_ACCESS_RULES='[{"role":"redhat_employee","actions":["get_models","query","streaming_query","get_conversation","list_conversations","delete_conversation","feedback","info","get_metrics"]}]'
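Review bot: the AUTHZ_ACCESS_RULES value on the last added line grants `info` and `get_metrics` only to `redhat_employee`, but the inline rules this replaces in template.yaml granted those two actions to `role: "*"` specifically for the k8s pod probes, which present no JWT; unless probes are exempted from authorization somewhere else, liveness/readiness checks will now be rejected. Suggest appending a second rule, e.g. `{"role":"*","actions":["info","get_metrics"]}`. Note also that AUTHN_ROLE_RULES keeps only the `$.realm_access.roles[*]` rule and drops the `$.org_id` and `$.is_internal` rules the template used to carry; if that narrowing is intended for the dev environment, a comment in this file saying so would save the next reader a diff archaeology.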
Comment on lines +9 to +10
⚠️ Potential issue

Fix the Pydantic validation: inject a YAML list, not a quoted string.

The reported error (authorization.access_rules.1.role=None / .actions missing) is consistent with the list being rendered incorrectly (e.g., as a quoted scalar or creating an extra empty item). Avoid wrapping the flow-style list in single quotes so it renders as a proper YAML list in the ConfigMap.

Apply this diff:

-AUTHN_ROLE_RULES='[{"jsonpath":"$.realm_access.roles[*]","operator":"contains","value":"redhat:employees","roles":["redhat_employee"]}]'
-AUTHZ_ACCESS_RULES='[{"role":"redhat_employee","actions":["get_models","query","streaming_query","get_conversation","list_conversations","delete_conversation","feedback","info","get_metrics"]}]'
+AUTHN_ROLE_RULES=[{"jsonpath":"$.realm_access.roles[*]","operator":"contains","value":"redhat:employees","roles":["redhat_employee"]}]
+AUTHZ_ACCESS_RULES=[{"role":"redhat_employee","actions":["get_models","query","streaming_query","get_conversation","list_conversations","delete_conversation","feedback","info","get_metrics"]}]

Rationale:

  • Unquoted flow-style JSON/YAML will be injected as a list node, not a string.
  • Since the assignment is unquoted, keep values whitespace-free (already the case here) to avoid shell word-splitting when sourced locally.
🤖 Prompt for AI Agents
In template-params.dev.env around lines 9 to 10 the flow-style list values are
wrapped in single quotes, causing Pydantic to receive a string instead of a YAML
list and producing validation errors; remove the surrounding single quotes so
AUTHN_ROLE_RULES and AUTHZ_ACCESS_RULES are unquoted flow-style lists (keep them
whitespace-free) so they are injected as proper YAML list nodes into the
ConfigMap.

52 changes: 8 additions & 44 deletions template.yaml
Expand Up @@ -134,6 +134,12 @@ parameters:
- name: LLAMA_STACK_POSTGRES_SSL_MODE
value: "verify-full"
description: "SSL mode for the PostgreSQL database connection used by llama-stack"
- name: AUTHN_ROLE_RULES
value: '[]'
description: "lightspeed-stack authentication role rules"
- name: AUTHZ_ACCESS_RULES
value: '[]'
description: "lightspeed-stack authorization access rules"

objects:
- apiVersion: v1
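Review bot: both new parameters default to `'[]'`, so a deployment that does not pass AUTHZ_ACCESS_RULES renders `access_rules: []` and, if authorization is deny-by-default (which the old `nobody` comment implies), no role can call any action, including the `info` and `get_metrics` endpoints the pod probes depend on. Consider `required: true` on both parameters, or a safe explicit default for AUTHZ_ACCESS_RULES instead of an empty list. The descriptions could also state the expected format (a single-line flow-style YAML/JSON list), since `${...}` substitution is plain string replacement and a multi-line value would break the indentation of the rendered config.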
Expand Down Expand Up @@ -165,51 +171,9 @@ objects:
jwt_configuration:
user_id_claim: ${USER_ID_CLAIM}
username_claim: ${USERNAME_CLAIM}
role_rules:
- jsonpath: "$.realm_access.roles[*]"
operator: "contains"
value: "redhat:employees"
roles: ["redhat_employee"]
- jsonpath: "$.org_id"
operator: "in"
value: [["6405426"]]
roles: ["redhat_employee"]
- jsonpath: "$.is_internal"
operator: "equals"
value: [true]
roles: ["redhat_employee"]
role_rules: ${AUTHN_ROLE_RULES}
authorization:
access_rules:
- role: redhat_employee
actions:
- get_models
# Temporarily we only want redhat employees to be able to use the service,
# uncomment when we want to allow all authenticated users
# - role: "*"
# actions:
- query
- streaming_query
- get_conversation
- list_conversations
- delete_conversation
- feedback
# "nobody" is a made up role, doesn't do anything but just good for being explicit
# about what is not allowed by anyone
- role: nobody
actions:
# This exposes the database password - once LSC fixes this issue we
# can allow this for employees
- get_config
# For now we don't want to let even administrators / employees access other users conversations
- query_other_conversations
- delete_other_conversations
- list_other_conversations
- read_other_conversations
# For k8s pod probes
- role: "*"
actions:
- info
- get_metrics
access_rules: ${AUTHZ_ACCESS_RULES}
mcp_servers:
- name: mcp::assisted
url: "${MCP_SERVER_URL}"
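Review bot: the removed block was the only place recording why `get_config` and the `*_other_conversations` actions were withheld (get_config exposes the database password; employees and administrators must not read other users' conversations), and that `info`/`get_metrics` were opened to `role: "*"` for the probes. With the policy moved into `${AUTHZ_ACCESS_RULES}` the template no longer documents any of that, and a caller can pass rules that grant `get_config` to everyone without anything in this file flagging it. Suggest carrying those comments over as a comment block next to `access_rules: ${AUTHZ_ACCESS_RULES}` (or into the parameter description), and adding a check in CI or the review checklist that supplied rules never grant `get_config` or the `*_other_conversations` actions to any role.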