Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.
		@@ -2,10 +2,11 @@
**What changed**
- Introduced new `orch:quota` scope and `Orch.Admin` role for Orchestrator quota and burst adjustments.
- Introduced new `orch:quota` scope and expanded `Orch.Admin` role for Orchestrator quota, burst, and historical backfill adjustments.
- Client credential requests for `orch:quota` now require `quota_reason` (≤256 chars) and accept optional `quota_ticket` (≤128 chars). Authority records both values under `quota.reason` / `quota.ticket` audit properties.
- Tokens embedding `orch:quota` expose the reason/ticket claims so downstream services and audit tooling can trace quota increases or emergency backfills.
- Console, CLI, and configuration samples include the new role plus environment variables (`STELLAOPS_ORCH_QUOTA_REASON`, `STELLAOPS_ORCH_QUOTA_TICKET`) for automation.
- Added dedicated `orch:backfill` scope. Tokens must include `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars); Authority persists them as `backfill.reason` / `backfill.ticket` claims and audit properties alongside operator metadata.
- Tokens embedding `orch:quota` or `orch:backfill` expose the corresponding reason/ticket claims so downstream services and audit tooling can trace quota increases or emergency backfills.
- Console, CLI, and configuration samples include the updated role plus environment variables (`STELLAOPS_ORCH_QUOTA_REASON`, `STELLAOPS_ORCH_QUOTA_TICKET`, `STELLAOPS_ORCH_BACKFILL_REASON`, `STELLAOPS_ORCH_BACKFILL_TICKET`) for automation.
**Why**
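Review bot: the new `orch:backfill` bullet says "Tokens must include `backfill_reason` (≤256 chars) and `backfill_ticket` (≤128 chars)", which makes the ticket mandatory, while the unchanged `orch:quota` bullet above it only accepts an optional `quota_ticket`. Call that difference out explicitly, and state the requirement on the client credential request rather than on the token, as the quota bullet does, so automation owners know which call has to carry the values. The first bullet also says the `Orch.Admin` role was "expanded" for historical backfill adjustments without saying whether the role now carries `orch:backfill`; spell that out, since it decides whether identities that already hold `Orch.Admin` gain backfill rights when this configuration is rolled out.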
@@ -14,5 +15,5 @@ Quotas and replay backfills materially affect tenant isolation and platform capa
**Actions**
1. Update Authority configuration/offline bundles to seed `Orch.Admin` role for the handful of ops identities that manage quotas.
2. Adjust automation to pass `quota_reason`/`quota_ticket` when exchanging tokens for `orch:quota`.
3. Monitor `authority.client_credentials.grant` records for the new `quota.*` audit properties when reviewing change windows.
2. Adjust automation to pass `quota_reason`/`quota_ticket` when exchanging tokens for `orch:quota` and `backfill_reason`/`backfill_ticket` for `orch:backfill`.
3. Monitor `authority.client_credentials.grant` records for the new `quota.*` and `backfill.*` audit properties when reviewing change windows.
 
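Review bot: step 1 is left as unchanged context and still describes `Orch.Admin` holders as "the handful of ops identities that manage quotas", while steps 2 and 3 now also cover `orch:backfill`. Update step 1 to mention backfills and add an instruction to review who already holds the role before the updated configuration or offline bundle is seeded. Step 3 would also be more useful if it said what a reviewer should expect to see in the `backfill.*` audit properties of an `authority.client_credentials.grant` record during a change window.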
18  docs/updates/2025-11-02-pack-scope-profiles.md  Normal file
							@@ -0,0 +1,18 @@
# 2025-11-02 · Pack scope catalogue & CLI profiles
**What changed**
- Authority configuration samples (`etc/authority.yaml.sample`) now seed Pack roles (`pack-viewer`, `pack-operator`, `pack-publisher`, `pack-approver`, `pack-admin`) with deterministic scope bundles.
- Added `AddPacksResourcePolicies` helper in `StellaOps.Auth.ServerIntegration` so Packs Registry/Task Runner services can register consistent authorization policies; accompanying unit tests validate the policy catalogue.
- Documented Task Pack CLI profiles (`docs/modules/cli/guides/packs-profiles.md`) and added quick-reference guidance in the CLI manual for setting `StellaOps:Authority:Scope` via profiles or environment variables.
- Updated Authority scope docs and samples to reflect the new roles, keeping offline/air-gap defaults aligned.
**Why**
Task Pack rollout requires explicit RBAC and short-lived tokens per workflow (publish, run, approve). Providing ready-to-use roles, policies, and CLI profiles removes guesswork for operators and ensures tokens carry the correct scopes by default.
**Actions**
1. Refresh Authority configuration in each environment from the updated sample (or add the roles manually) so Pack clients can request tokens.
2. Roll out the CLI profiles or equivalent configuration in automation (`STELLA_PROFILE=packs-operator`, etc.) before enabling pack workflows.
3. Update Task Runner/Packs Registry services to call `AddPacksResourcePolicies()` when wiring authorization.
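Review bot: in Actions step 2 the example is `STELLA_PROFILE=packs-operator`, but the roles seeded under What changed are named `pack-operator`, `pack-viewer` and so on, in the singular. If profile names deliberately differ from role names, say so here and list the profile names; otherwise align them, because operators will copy these strings into automation. The Why paragraph also promises "short-lived tokens per workflow", yet none of the listed changes sets or documents a token lifetime, so either point to where that is configured or drop the claim.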