18004: Fixes a couple of race condition bugs related to caching remote users.
[arvados.git] / services / api / config / arvados_config.rb
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: AGPL-3.0
4
5 #
6 # Load Arvados configuration from /etc/arvados/config.yml, using defaults
7 # from config.default.yml
8 #
9 # Existing application.yml is migrated into the new config structure.
10 # Keys in the legacy application.yml take precedence.
11 #
12 # Use "bundle exec config:dump" to get the complete active configuration
13 #
14 # Use "bundle exec config:migrate" to migrate application.yml and
15 # database.yml to config.yml.  After adding the output of
16 # config:migrate to /etc/arvados/config.yml, you will be able to
17 # delete application.yml and database.yml.
18
19 require "cgi"
20 require 'config_loader'
21 require 'open3'
22
23 begin
24   # If secret_token.rb exists here, we need to load it first.
25   require_relative 'secret_token.rb'
26 rescue LoadError
27   # Normally secret_token.rb is missing and the secret token is
28   # configured by application.yml (i.e., here!) instead.
29 end
30
31 if (File.exist?(File.expand_path '../omniauth.rb', __FILE__) and
32     not defined? WARNED_OMNIAUTH_CONFIG)
33   Rails.logger.warn <<-EOS
34 DEPRECATED CONFIGURATION:
35  Please move your SSO provider config into config/application.yml
36  and delete config/initializers/omniauth.rb.
37 EOS
38   # Real values will be copied from globals by omniauth_init.rb. For
39   # now, assign some strings so the generic *.yml config loader
40   # doesn't overwrite them or complain that they're missing.
41   Rails.configuration.Login["SSO"]["ProviderAppID"] = 'xxx'
42   Rails.configuration.Login["SSO"]["ProviderAppSecret"] = 'xxx'
43   Rails.configuration.Services["SSO"]["ExternalURL"] = '//xxx'
44   WARNED_OMNIAUTH_CONFIG = true
45 end
46
47 # Load the defaults, used by config:migrate and fallback loading
48 # legacy application.yml
49 defaultYAML, stderr, status = Open3.capture3("arvados-server", "config-dump", "-config=-", "-skip-legacy", stdin_data: "Clusters: {xxxxx: {}}")
50 if !status.success?
51   puts stderr
52   raise "error loading config: #{status}"
53 end
54 confs = YAML.load(defaultYAML, deserialize_symbols: false)
55 clusterID, clusterConfig = confs["Clusters"].first
56 $arvados_config_defaults = clusterConfig
57 $arvados_config_defaults["ClusterID"] = clusterID
58
59 if ENV["ARVADOS_CONFIG"] == "none"
60   # Don't load config. This magic value is set by packaging scripts so
61   # they can run "rake assets:precompile" without a real config.
62   $arvados_config_global = $arvados_config_defaults.deep_dup
63 else
64   # Load the global config file
65   Open3.popen2("arvados-server", "config-dump", "-skip-legacy") do |stdin, stdout, status_thread|
66     confs = YAML.load(stdout, deserialize_symbols: false)
67     if confs && !confs.empty?
68       # config-dump merges defaults with user configuration, so every
69       # key should be set.
70       clusterID, clusterConfig = confs["Clusters"].first
71       $arvados_config_global = clusterConfig
72       $arvados_config_global["ClusterID"] = clusterID
73     else
74       # config-dump failed, assume we will be loading from legacy
75       # application.yml, initialize with defaults.
76       $arvados_config_global = $arvados_config_defaults.deep_dup
77     end
78   end
79 end
80
81 # Now make a copy
82 $arvados_config = $arvados_config_global.deep_dup
83
84 def arrayToHash cfg, k, v
85   val = {}
86   v.each do |entry|
87     val[entry.to_s] = {}
88   end
89   ConfigLoader.set_cfg cfg, k, val
90 end
91
92 # Declare all our configuration items.
93 arvcfg = ConfigLoader.new
94 arvcfg.declare_config "ClusterID", NonemptyString, :uuid_prefix
95 arvcfg.declare_config "ManagementToken", String, :ManagementToken
96 arvcfg.declare_config "SystemRootToken", String
97 arvcfg.declare_config "Git.Repositories", String, :git_repositories_dir
98 arvcfg.declare_config "API.DisabledAPIs", Hash, :disable_api_methods, ->(cfg, k, v) { arrayToHash cfg, "API.DisabledAPIs", v }
99 arvcfg.declare_config "API.MaxRequestSize", Integer, :max_request_size
100 arvcfg.declare_config "API.MaxIndexDatabaseRead", Integer, :max_index_database_read
101 arvcfg.declare_config "API.MaxItemsPerResponse", Integer, :max_items_per_response
102 arvcfg.declare_config "API.MaxTokenLifetime", ActiveSupport::Duration
103 arvcfg.declare_config "API.AsyncPermissionsUpdateInterval", ActiveSupport::Duration, :async_permissions_update_interval
104 arvcfg.declare_config "Users.AutoSetupNewUsers", Boolean, :auto_setup_new_users
105 arvcfg.declare_config "Users.AutoSetupNewUsersWithVmUUID", String, :auto_setup_new_users_with_vm_uuid
106 arvcfg.declare_config "Users.AutoSetupNewUsersWithRepository", Boolean, :auto_setup_new_users_with_repository
107 arvcfg.declare_config "Users.AutoSetupUsernameBlacklist", Hash, :auto_setup_name_blacklist, ->(cfg, k, v) { arrayToHash cfg, "Users.AutoSetupUsernameBlacklist", v }
108 arvcfg.declare_config "Users.NewUsersAreActive", Boolean, :new_users_are_active
109 arvcfg.declare_config "Users.AutoAdminUserWithEmail", String, :auto_admin_user
110 arvcfg.declare_config "Users.AutoAdminFirstUser", Boolean, :auto_admin_first_user
111 arvcfg.declare_config "Users.UserProfileNotificationAddress", String, :user_profile_notification_address
112 arvcfg.declare_config "Users.AdminNotifierEmailFrom", String, :admin_notifier_email_from
113 arvcfg.declare_config "Users.EmailSubjectPrefix", String, :email_subject_prefix
114 arvcfg.declare_config "Users.UserNotifierEmailFrom", String, :user_notifier_email_from
115 arvcfg.declare_config "Users.UserNotifierEmailBcc", Hash
116 arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
117 arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
118 arvcfg.declare_config "Login.SSO.ProviderAppSecret", String, :sso_app_secret
119 arvcfg.declare_config "Login.SSO.ProviderAppID", String, :sso_app_id
120 arvcfg.declare_config "Login.LoginCluster", String
121 arvcfg.declare_config "Login.TrustedClients", Hash
122 arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
123 arvcfg.declare_config "Login.TokenLifetime", ActiveSupport::Duration
124 arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
125 arvcfg.declare_config "Services.SSO.ExternalURL", String, :sso_provider_url
126 arvcfg.declare_config "AuditLogs.MaxAge", ActiveSupport::Duration, :max_audit_log_age
127 arvcfg.declare_config "AuditLogs.MaxDeleteBatch", Integer, :max_audit_log_delete_batch
128 arvcfg.declare_config "AuditLogs.UnloggedAttributes", Hash, :unlogged_attributes, ->(cfg, k, v) { arrayToHash cfg, "AuditLogs.UnloggedAttributes", v }
129 arvcfg.declare_config "SystemLogs.MaxRequestLogParamsSize", Integer, :max_request_log_params_size
130 arvcfg.declare_config "Collections.DefaultReplication", Integer, :default_collection_replication
131 arvcfg.declare_config "Collections.DefaultTrashLifetime", ActiveSupport::Duration, :default_trash_lifetime
132 arvcfg.declare_config "Collections.CollectionVersioning", Boolean, :collection_versioning
133 arvcfg.declare_config "Collections.PreserveVersionIfIdle", ActiveSupport::Duration, :preserve_version_if_idle
134 arvcfg.declare_config "Collections.TrashSweepInterval", ActiveSupport::Duration, :trash_sweep_interval
135 arvcfg.declare_config "Collections.BlobSigningKey", String, :blob_signing_key
136 arvcfg.declare_config "Collections.BlobSigningTTL", ActiveSupport::Duration, :blob_signature_ttl
137 arvcfg.declare_config "Collections.BlobSigning", Boolean, :permit_create_collection_with_unsigned_manifest, ->(cfg, k, v) { ConfigLoader.set_cfg cfg, "Collections.BlobSigning", !v }
138 arvcfg.declare_config "Collections.ForwardSlashNameSubstitution", String
139 arvcfg.declare_config "Containers.SupportedDockerImageFormats", Hash, :docker_image_formats, ->(cfg, k, v) { arrayToHash cfg, "Containers.SupportedDockerImageFormats", v }
140 arvcfg.declare_config "Containers.LogReuseDecisions", Boolean, :log_reuse_decisions
141 arvcfg.declare_config "Containers.DefaultKeepCacheRAM", Integer, :container_default_keep_cache_ram
142 arvcfg.declare_config "Containers.MaxDispatchAttempts", Integer, :max_container_dispatch_attempts
143 arvcfg.declare_config "Containers.MaxRetryAttempts", Integer, :container_count_max
144 arvcfg.declare_config "Containers.UsePreemptibleInstances", Boolean, :preemptible_instances
145 arvcfg.declare_config "Containers.MaxComputeVMs", Integer, :max_compute_nodes
146 arvcfg.declare_config "Containers.Logging.LogBytesPerEvent", Integer, :crunch_log_bytes_per_event
147 arvcfg.declare_config "Containers.Logging.LogSecondsBetweenEvents", ActiveSupport::Duration, :crunch_log_seconds_between_events
148 arvcfg.declare_config "Containers.Logging.LogThrottlePeriod", ActiveSupport::Duration, :crunch_log_throttle_period
149 arvcfg.declare_config "Containers.Logging.LogThrottleBytes", Integer, :crunch_log_throttle_bytes
150 arvcfg.declare_config "Containers.Logging.LogThrottleLines", Integer, :crunch_log_throttle_lines
151 arvcfg.declare_config "Containers.Logging.LimitLogBytesPerJob", Integer, :crunch_limit_log_bytes_per_job
152 arvcfg.declare_config "Containers.Logging.LogPartialLineThrottlePeriod", ActiveSupport::Duration, :crunch_log_partial_line_throttle_period
153 arvcfg.declare_config "Containers.Logging.LogUpdatePeriod", ActiveSupport::Duration, :crunch_log_update_period
154 arvcfg.declare_config "Containers.Logging.LogUpdateSize", Integer, :crunch_log_update_size
155 arvcfg.declare_config "Containers.Logging.MaxAge", ActiveSupport::Duration, :clean_container_log_rows_after
156 arvcfg.declare_config "Containers.SLURM.Managed.DNSServerConfDir", Pathname, :dns_server_conf_dir
157 arvcfg.declare_config "Containers.SLURM.Managed.DNSServerConfTemplate", Pathname, :dns_server_conf_template
158 arvcfg.declare_config "Containers.SLURM.Managed.DNSServerReloadCommand", String, :dns_server_reload_command
159 arvcfg.declare_config "Containers.SLURM.Managed.DNSServerUpdateCommand", String, :dns_server_update_command
160 arvcfg.declare_config "Containers.SLURM.Managed.ComputeNodeDomain", String, :compute_node_domain
161 arvcfg.declare_config "Containers.SLURM.Managed.ComputeNodeNameservers", Hash, :compute_node_nameservers, ->(cfg, k, v) { arrayToHash cfg, "Containers.SLURM.Managed.ComputeNodeNameservers", v }
162 arvcfg.declare_config "Containers.SLURM.Managed.AssignNodeHostname", String, :assign_node_hostname
163 arvcfg.declare_config "Containers.JobsAPI.Enable", String, :enable_legacy_jobs_api, ->(cfg, k, v) { ConfigLoader.set_cfg cfg, "Containers.JobsAPI.Enable", v.to_s }
164 arvcfg.declare_config "Containers.JobsAPI.GitInternalDir", String, :git_internal_dir
165 arvcfg.declare_config "Mail.MailchimpAPIKey", String, :mailchimp_api_key
166 arvcfg.declare_config "Mail.MailchimpListID", String, :mailchimp_list_id
167 arvcfg.declare_config "Services.Controller.ExternalURL", URI
168 arvcfg.declare_config "Services.Workbench1.ExternalURL", URI, :workbench_address
169 arvcfg.declare_config "Services.Websocket.ExternalURL", URI, :websocket_address
170 arvcfg.declare_config "Services.WebDAV.ExternalURL", URI, :keep_web_service_url
171 arvcfg.declare_config "Services.GitHTTP.ExternalURL", URI, :git_repo_https_base
172 arvcfg.declare_config "Services.GitSSH.ExternalURL", URI, :git_repo_ssh_base, ->(cfg, k, v) { ConfigLoader.set_cfg cfg, "Services.GitSSH.ExternalURL", "ssh://#{v}" }
173 arvcfg.declare_config "RemoteClusters", Hash, :remote_hosts, ->(cfg, k, v) {
174   h = if cfg["RemoteClusters"] then
175         cfg["RemoteClusters"].deep_dup
176       else
177         {}
178       end
179   v.each do |clusterid, host|
180     if h[clusterid].nil?
181       h[clusterid] = {
182         "Host" => host,
183         "Proxy" => true,
184         "Scheme" => "https",
185         "Insecure" => false,
186         "ActivateUsers" => false
187       }
188     end
189   end
190   ConfigLoader.set_cfg cfg, "RemoteClusters", h
191 }
192 arvcfg.declare_config "RemoteClusters.*.Proxy", Boolean, :remote_hosts_via_dns
193
194 dbcfg = ConfigLoader.new
195
196 dbcfg.declare_config "PostgreSQL.ConnectionPool", Integer, :pool
197 dbcfg.declare_config "PostgreSQL.Connection.host", String, :host
198 dbcfg.declare_config "PostgreSQL.Connection.port", String, :port
199 dbcfg.declare_config "PostgreSQL.Connection.user", String, :username
200 dbcfg.declare_config "PostgreSQL.Connection.password", String, :password
201 dbcfg.declare_config "PostgreSQL.Connection.dbname", String, :database
202 dbcfg.declare_config "PostgreSQL.Connection.template", String, :template
203 dbcfg.declare_config "PostgreSQL.Connection.encoding", String, :encoding
204 dbcfg.declare_config "PostgreSQL.Connection.collation", String, :collation
205
206 application_config = {}
207 %w(application.default application).each do |cfgfile|
208   path = "#{::Rails.root.to_s}/config/#{cfgfile}.yml"
209   confs = ConfigLoader.load(path, erb: true)
210   # Ignore empty YAML file:
211   next if confs == false
212   application_config.deep_merge!(confs['common'] || {})
213   application_config.deep_merge!(confs[::Rails.env.to_s] || {})
214 end
215
216 db_config = {}
217 path = "#{::Rails.root.to_s}/config/database.yml"
218 if !ENV['ARVADOS_CONFIG_NOLEGACY'] && File.exist?(path)
219   db_config = ConfigLoader.load(path, erb: true)
220 end
221
222 $remaining_config = arvcfg.migrate_config(application_config, $arvados_config)
223 dbcfg.migrate_config(db_config[::Rails.env.to_s] || {}, $arvados_config)
224
225 if application_config[:auto_activate_users_from]
226   application_config[:auto_activate_users_from].each do |cluster|
227     if $arvados_config.RemoteClusters[cluster]
228       $arvados_config.RemoteClusters[cluster]["ActivateUsers"] = true
229     end
230   end
231 end
232
233 if application_config[:host] || application_config[:port] || application_config[:scheme]
234   if !application_config[:host] || application_config[:host].empty?
235     raise "Must set 'host' when setting 'port' or 'scheme'"
236   end
237   $arvados_config.Services["Controller"]["ExternalURL"] = URI((application_config[:scheme] || "https")+"://"+application_config[:host]+
238                                                               (if application_config[:port] then ":#{application_config[:port]}" else "" end))
239 end
240
241 # Checks for wrongly typed configuration items, coerces properties
242 # into correct types (such as Duration), and optionally raise error
243 # for essential configuration that can't be empty.
244 arvcfg.coercion_and_check $arvados_config_defaults, check_nonempty: false
245 arvcfg.coercion_and_check $arvados_config_global, check_nonempty: false
246 arvcfg.coercion_and_check $arvados_config, check_nonempty: true
247 dbcfg.coercion_and_check $arvados_config, check_nonempty: true
248
249 # * $arvados_config_defaults is the defaults
250 # * $arvados_config_global is $arvados_config_defaults merged with the contents of /etc/arvados/config.yml
251 # These are used by the rake config: tasks
252 #
253 # * $arvados_config is $arvados_config_global merged with the migrated contents of application.yml
254 # This is what actually gets copied into the Rails configuration object.
255
256 if $arvados_config["Collections"]["DefaultTrashLifetime"] < 86400.seconds then
257   raise "default_trash_lifetime is %d, must be at least 86400" % Rails.configuration.Collections.DefaultTrashLifetime
258 end
259
260 #
261 # Special case for test database where there's no database.yml,
262 # because the Arvados config.yml doesn't have a concept of multiple
263 # rails environments.
264 #
265 if ::Rails.env.to_s == "test" && db_config["test"].nil?
266   $arvados_config["PostgreSQL"]["Connection"]["dbname"] = "arvados_test"
267 end
268 if ::Rails.env.to_s == "test"
269   # Use template0 when creating a new database. Avoids
270   # character-encoding/collation problems.
271   $arvados_config["PostgreSQL"]["Connection"]["template"] = "template0"
272   # Some test cases depend on en_US.UTF-8 collation.
273   $arvados_config["PostgreSQL"]["Connection"]["collation"] = "en_US.UTF-8"
274 end
275
276 if ENV["ARVADOS_CONFIG"] == "none"
277   # We need the postgresql connection URI to be valid, even if we
278   # don't use it.
279   $arvados_config["PostgreSQL"]["Connection"]["host"] = "localhost"
280   $arvados_config["PostgreSQL"]["Connection"]["user"] = "x"
281   $arvados_config["PostgreSQL"]["Connection"]["password"] = "x"
282   $arvados_config["PostgreSQL"]["Connection"]["dbname"] = "x"
283 end
284
285 if $arvados_config["PostgreSQL"]["Connection"]["password"].empty?
286   raise "Database password is empty, PostgreSQL section is: #{$arvados_config["PostgreSQL"]}"
287 end
288
289 dbhost = $arvados_config["PostgreSQL"]["Connection"]["host"]
290 if $arvados_config["PostgreSQL"]["Connection"]["port"] != 0
291   dbhost += ":#{$arvados_config["PostgreSQL"]["Connection"]["port"]}"
292 end
293
294 #
295 # If DATABASE_URL is set, then ActiveRecord won't error out if database.yml doesn't exist.
296 #
297 # For config migration, we've previously populated the PostgreSQL
298 # section of the config from database.yml
299 #
300 database_url = "postgresql://#{CGI.escape $arvados_config["PostgreSQL"]["Connection"]["user"]}:"+
301                       "#{CGI.escape $arvados_config["PostgreSQL"]["Connection"]["password"]}@"+
302                       "#{dbhost}/#{CGI.escape $arvados_config["PostgreSQL"]["Connection"]["dbname"]}?"+
303                       "template=#{$arvados_config["PostgreSQL"]["Connection"]["template"]}&"+
304                       "encoding=#{$arvados_config["PostgreSQL"]["Connection"]["client_encoding"]}&"+
305                       "collation=#{$arvados_config["PostgreSQL"]["Connection"]["collation"]}&"+
306                       "pool=#{$arvados_config["PostgreSQL"]["ConnectionPool"]}"
307
308 ENV["DATABASE_URL"] = database_url
309
310 Server::Application.configure do
311   # Copy into the Rails config object.  This also turns Hash into
312   # OrderedOptions so that application code can use
313   # Rails.configuration.API.Blah instead of
314   # Rails.configuration.API["Blah"]
315   ConfigLoader.copy_into_config $arvados_config, config
316   ConfigLoader.copy_into_config $remaining_config, config
317
318   # We don't rely on cookies for authentication, so instead of
319   # requiring a signing key in config, we assign a new random one at
320   # startup.
321   secrets.secret_key_base = rand(1<<255).to_s(36)
322 end