Merge branch 'patch-1' of https://github.com/mr-c/arvados into mr-c-patch-1

[arvados.git] / lib / config / config.default.yml

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index a0afedca26fc4d89f1b92d857996ff6178e49b50..907acdc87847f9c052aee71c5e1d1fbe8c4f78aa 100644 (file)
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -440,6 +440,13 @@ Clusters:
       # or omitted, pages are processed serially.
       BalanceCollectionBuffers: 1000
 
+      # Maximum time for a rebalancing run. This ensures keep-balance
+      # eventually gives up and retries if, for example, a network
+      # error causes a hung connection that is never closed by the
+      # OS. It should be long enough that it doesn't interrupt a
+      # long-running balancing operation.
+      BalanceTimeout: 6h
+
       # Default lifetime for ephemeral collections: 2 weeks. This must not
       # be less than BlobSigningTTL.
       DefaultTrashLifetime: 336h
@@ -555,13 +562,36 @@ Clusters:
         # Authenticate with an OpenID Connect provider.
         Enable: false
 
-        # Issuer URL, e.g., "https://accounts.google.com"
+        # Issuer URL, e.g., "https://login.example.com".
+        #
+        # This must be exactly equal to the URL returned by the issuer
+        # itself in its config response ("isser" key). If the
+        # configured value is "https://example" and the provider
+        # returns "https://example:443" or "https://example/" then
+        # login will fail, even though those URLs are equivalent
+        # (RFC3986).
         Issuer: ""
 
         # Your client ID and client secret (supplied by the provider).
         ClientID: ""
         ClientSecret: ""
 
+        # OpenID claim field containing the user's email
+        # address. Normally "email"; see
+        # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+        EmailClaim: "email"
+
+        # OpenID claim field containing the email verification
+        # flag. Normally "email_verified".  To accept every returned
+        # email address without checking a "verified" field at all,
+        # use the empty string "".
+        EmailVerifiedClaim: "email_verified"
+
+        # OpenID claim field containing the user's preferred
+        # username. If empty, use the mailbox part of the user's email
+        # address.
+        UsernameClaim: ""
+
       PAM:
         # (Experimental) Use PAM to authenticate users.
         Enable: false
@@ -625,9 +655,15 @@ Clusters:
         # "ou=Users,dc=example,dc=com"
         SearchBase: ""
 
-        # Additional filters for username lookup. Special characters
-        # in assertion values must be escaped (see RFC4515). Example:
-        # "(objectClass=person)"
+        # Additional filters to apply when looking up users' LDAP
+        # entries. This can be used to restrict access to a subset of
+        # LDAP users, or to disambiguate users from other directory
+        # entries that have the SearchAttribute present.
+        #
+        # Special characters in assertion values must be escaped (see
+        # RFC4515).
+        #
+        # Example: "(objectClass=person)"
         SearchFilters: ""
 
         # LDAP attribute to use as the user's email address.