MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (eg
- # Google) used to perform upstream authentication.
- ProviderAppID: ""
- ProviderAppSecret: ""
-
- # (Experimental) Authenticate with Google, bypassing the
- # SSO-provider gateway service. Use the Google Cloud console to
- # enable the People API (APIs and Services > Enable APIs and
- # services > Google People API > Enable), generate a Client ID
- # and secret (APIs and Services > Credentials > Create
- # credentials > OAuth client ID > Web application) and add your
- # controller's /login URL (e.g.,
- # "https://zzzzz.example.com/login") as an authorized redirect
- # URL.
- #
- # Incompatible with ForceLegacyAPI14. ProviderAppID must be
- # blank.
- GoogleClientID: ""
- GoogleClientSecret: ""
-
- # Allow users to log in to existing accounts using any verified
- # email address listed by their Google account. If true, the
- # Google People API must be enabled in order for Google login to
- # work. If false, only the primary email address will be used.
- GoogleAlternateEmailAddresses: true
-
- # (Experimental) Use PAM to authenticate logins, using the
- # specified PAM service name.
- #
- # Cannot be used in combination with OAuth2 (ProviderAppID) or
- # Google (GoogleClientID). Cannot be used on a cluster acting as
- # a LoginCluster.
- PAM: false
- PAMService: arvados
-
- # Domain name (e.g., "example.com") to use to construct the
- # user's email address if PAM authentication returns a username
- # with no "@". If empty, use the PAM username as the user's
- # email address, whether or not it contains "@".
- #
- # Note that the email address is used as the primary key for
- # user records when logging in. Therefore, if you change
- # PAMDefaultEmailDomain after the initial installation, you
- # should also update existing user records to reflect the new
- # domain. Otherwise, next time those users log in, they will be
- # given new accounts instead of accessing their existing
- # accounts.
- PAMDefaultEmailDomain: ""
+ # One of the following mechanisms (SSO, Google, PAM, LDAP, or
+ # LoginCluster) should be enabled; see
+ # https://doc.arvados.org/install/setup-login.html
+
+ Google:
+ # Authenticate with Google.
+ Enable: false
+
+ # Use the Google Cloud console to enable the People API (APIs
+ # and Services > Enable APIs and services > Google People API
+ # > Enable), generate a Client ID and secret (APIs and
+ # Services > Credentials > Create credentials > OAuth client
+ # ID > Web application) and add your controller's /login URL
+ # (e.g., "https://zzzzz.example.com/login") as an authorized
+ # redirect URL.
+ #
+ # Incompatible with ForceLegacyAPI14. ProviderAppID must be
+ # blank.
+ ClientID: ""
+ ClientSecret: ""
+
+ # Allow users to log in to existing accounts using any verified
+ # email address listed by their Google account. If true, the
+ # Google People API must be enabled in order for Google login to
+ # work. If false, only the primary email address will be used.
+ AlternateEmailAddresses: true
+
+ PAM:
+ # (Experimental) Use PAM to authenticate users.
+ Enable: false
+
+ # PAM service name. PAM will apply the policy in the
+ # corresponding config file (e.g., /etc/pam.d/arvados) or, if
+ # there is none, the default "other" config.
+ Service: arvados
+
+ # Domain name (e.g., "example.com") to use to construct the
+ # user's email address if PAM authentication returns a
+ # username with no "@". If empty, use the PAM username as the
+ # user's email address, whether or not it contains "@".
+ #
+ # Note that the email address is used as the primary key for
+ # user records when logging in. Therefore, if you change
+ # PAMDefaultEmailDomain after the initial installation, you
+ # should also update existing user records to reflect the new
+ # domain. Otherwise, next time those users log in, they will
+ # be given new accounts instead of accessing their existing
+ # accounts.
+ DefaultEmailDomain: ""
LDAP:
# Use an LDAP service to authenticate users.
# originally supplied by the user will be used.
UsernameAttribute: uid
+ SSO:
+ # Authenticate with a separate SSO server.
+ Enable: false
+
+ # ProviderAppID and ProviderAppSecret are generated during SSO
+ # setup; see
+ # https://doc.arvados.org/install/install-sso.html#update-config
+ ProviderAppID: ""
+ ProviderAppSecret: ""
+
# The cluster ID to delegate the user database. When set,
# logins on this cluster will be redirected to the login cluster
# (login cluster must appear in RemoteClusters with Proxy: true)