X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/07dbd859d0b05d79680570c00c43a722102d7ea3..62c33a15f68895d6a388f68d2827e9fd5705c5df:/lib/config/generated_config.go diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go index f40093a96c..df08dd00e2 100644 --- a/lib/config/generated_config.go +++ b/lib/config/generated_config.go @@ -190,12 +190,21 @@ Clusters: MaxItemsPerResponse: 1000 # Maximum number of concurrent requests to accept in a single - # service process, or 0 for no limit. Currently supported only - # by keepstore. + # service process, or 0 for no limit. MaxConcurrentRequests: 0 - # Maximum number of 64MiB memory buffers per keepstore server - # process, or 0 for no limit. + # Maximum number of 64MiB memory buffers per Keepstore server process, or + # 0 for no limit. When this limit is reached, up to + # (MaxConcurrentRequests - MaxKeepBlobBuffers) HTTP requests requiring + # buffers (like GET and PUT) will wait for buffer space to be released. + # Any HTTP requests beyond MaxConcurrentRequests will receive an + # immediate 503 response. + # + # MaxKeepBlobBuffers should be set such that (MaxKeepBlobBuffers * 64MiB + # * 1.1) fits comfortably in memory. On a host dedicated to running + # Keepstore, divide total memory by 88MiB to suggest a suitable value. + # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440 + # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79 MaxKeepBlobBuffers: 128 # API methods to disable. Disabled methods are not listed in the @@ -521,31 +530,123 @@ Clusters: MaxUUIDEntries: 1000 Login: - # These settings are provided by your OAuth2 provider (eg - # Google) used to perform upstream authentication. - ProviderAppID: "" - ProviderAppSecret: "" - - # (Experimental) Authenticate with Google, bypassing the - # SSO-provider gateway service. Use the Google Cloud console to - # enable the People API (APIs and Services > Enable APIs and - # services > Google People API > Enable), generate a Client ID - # and secret (APIs and Services > Credentials > Create - # credentials > OAuth client ID > Web application) and add your - # controller's /login URL (e.g., - # "https://zzzzz.example.com/login") as an authorized redirect - # URL. - # - # Incompatible with ForceLegacyAPI14. ProviderAppID must be - # blank. - GoogleClientID: "" - GoogleClientSecret: "" + # One of the following mechanisms (SSO, Google, PAM, LDAP, or + # LoginCluster) should be enabled; see + # https://doc.arvados.org/install/setup-login.html + + Google: + # Authenticate with Google. + Enable: false + + # Use the Google Cloud console to enable the People API (APIs + # and Services > Enable APIs and services > Google People API + # > Enable), generate a Client ID and secret (APIs and + # Services > Credentials > Create credentials > OAuth client + # ID > Web application) and add your controller's /login URL + # (e.g., "https://zzzzz.example.com/login") as an authorized + # redirect URL. + # + # Incompatible with ForceLegacyAPI14. ProviderAppID must be + # blank. + ClientID: "" + ClientSecret: "" + + # Allow users to log in to existing accounts using any verified + # email address listed by their Google account. If true, the + # Google People API must be enabled in order for Google login to + # work. If false, only the primary email address will be used. + AlternateEmailAddresses: true + + PAM: + # (Experimental) Use PAM to authenticate users. + Enable: false + + # PAM service name. PAM will apply the policy in the + # corresponding config file (e.g., /etc/pam.d/arvados) or, if + # there is none, the default "other" config. + Service: arvados + + # Domain name (e.g., "example.com") to use to construct the + # user's email address if PAM authentication returns a + # username with no "@". If empty, use the PAM username as the + # user's email address, whether or not it contains "@". + # + # Note that the email address is used as the primary key for + # user records when logging in. Therefore, if you change + # PAMDefaultEmailDomain after the initial installation, you + # should also update existing user records to reflect the new + # domain. Otherwise, next time those users log in, they will + # be given new accounts instead of accessing their existing + # accounts. + DefaultEmailDomain: "" + + LDAP: + # Use an LDAP service to authenticate users. + Enable: false + + # Server URL, like "ldap://ldapserver.example.com:389" or + # "ldaps://ldapserver.example.com:636". + URL: "ldap://ldap:389" + + # Use StartTLS upon connecting to the server. + StartTLS: true + + # Skip TLS certificate name verification. + InsecureTLS: false - # Allow users to log in to existing accounts using any verified - # email address listed by their Google account. If true, the - # Google People API must be enabled in order for Google login to - # work. If false, only the primary email address will be used. - GoogleAlternateEmailAddresses: true + # Strip the @domain part if a user supplies an email-style + # username with this domain. If "*", strip any user-provided + # domain. If "", never strip the domain part. Example: + # "example.com" + StripDomain: "" + + # If, after applying StripDomain, the username contains no "@" + # character, append this domain to form an email-style + # username. Example: "example.com" + AppendDomain: "" + + # The LDAP attribute to filter on when looking up a username + # (after applying StripDomain and AppendDomain). + SearchAttribute: uid + + # Bind with this username (DN or UPN) and password when + # looking up the user record. + # + # Example user: "cn=admin,dc=example,dc=com" + SearchBindUser: "" + SearchBindPassword: "" + + # Directory base for username lookup. Example: + # "ou=Users,dc=example,dc=com" + SearchBase: "" + + # Additional filters for username lookup. Special characters + # in assertion values must be escaped (see RFC4515). Example: + # "(objectClass=person)" + SearchFilters: "" + + # LDAP attribute to use as the user's email address. + # + # Important: This must not be an attribute whose value can be + # edited in the directory by the users themselves. Otherwise, + # users can take over other users' Arvados accounts trivially + # (email address is the primary key for Arvados accounts.) + EmailAttribute: mail + + # LDAP attribute to use as the preferred Arvados username. If + # no value is found (or this config is empty) the username + # originally supplied by the user will be used. + UsernameAttribute: uid + + SSO: + # Authenticate with a separate SSO server. + Enable: false + + # ProviderAppID and ProviderAppSecret are generated during SSO + # setup; see + # https://doc.arvados.org/install/install-sso.html#update-config + ProviderAppID: "" + ProviderAppSecret: "" # The cluster ID to delegate the user database. When set, # logins on this cluster will be redirected to the login cluster @@ -1202,4 +1303,9 @@ Clusters: # implementation. Note that it also disables some new federation # features and will be removed in a future release. ForceLegacyAPI14: false + +# (Experimental) Restart services automatically when config file +# changes are detected. Only supported by ` + "`" + `arvados-server boot` + "`" + ` in +# dev/test mode. +AutoReloadConfig: false `)