X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/224f4793b7c147cb3ef9a261e3a60cddb557e1f1..42bf31f017a009585eaac2fe44a83b2596b3e5c8:/lib/config/generated_config.go diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go index 7ed332151b..8ef787771e 100644 --- a/lib/config/generated_config.go +++ b/lib/config/generated_config.go @@ -18,6 +18,8 @@ var DefaultYAML = []byte(`# Copyright (C) The Arvados Authors. All rights reserv Clusters: xxxxx: + # Token used internally by Arvados components to authenticate to + # one another. Use a string of at least 50 random alphanumerics. SystemRootToken: "" # Token to be included in all healthcheck requests. Disabled by default. @@ -201,7 +203,7 @@ Clusters: # * 1.1) fits comfortably in memory. On a host dedicated to running # Keepstore, divide total memory by 88MiB to suggest a suitable value. # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440 - # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79 + # kB, compute 7125440 / (88 * 1024)=79 and set MaxKeepBlobBuffers: 79 MaxKeepBlobBuffers: 128 # API methods to disable. Disabled methods are not listed in the @@ -218,11 +220,6 @@ Clusters: # serving a single incoming multi-cluster (federated) request. MaxRequestAmplification: 4 - # RailsSessionSecretToken is a string of alphanumeric characters - # used by Rails to sign session tokens. IMPORTANT: This is a - # site secret. It should be at least 50 characters. - RailsSessionSecretToken: "" - # Maximum wall clock time to spend handling an incoming request. RequestTimeout: 5m @@ -264,9 +261,6 @@ Clusters: # The e-mail address of the user you would like to become marked as an admin # user on their first login. - # In the default configuration, authentication happens through the Arvados SSO - # server, which uses OAuth2 against Google's servers, so in that case this - # should be an address associated with a Google account. AutoAdminUserWithEmail: "" # If AutoAdminFirstUser is set to true, the first user to log in when no @@ -282,9 +276,10 @@ Clusters: NewUserNotificationRecipients: {} NewInactiveUserNotificationRecipients: {} - # Set AnonymousUserToken to enable anonymous user access. You can get - # the token by running "bundle exec ./script/get_anonymous_user_token.rb" - # in the directory where your API server is running. + # Set AnonymousUserToken to enable anonymous user access. Populate this + # field with a long random string. Then run "bundle exec + # ./script/get_anonymous_user_token.rb" in the directory where your API + # server is running to record the token in the database. AnonymousUserToken: "" # If a new user has an alternate email address (local@domain) @@ -293,6 +288,20 @@ Clusters: # address is used. PreferDomainForUsername: "" + UserSetupMailText: | + <% if not @user.full_name.empty? -%> + <%= @user.full_name %>, + <% else -%> + Hi there, + <% end -%> + + Your Arvados account has been set up. You can log in at + + <%= Rails.configuration.Services.Workbench1.ExternalURL %> + + Thanks, + Your Arvados administrator. + AuditLogs: # Time to keep audit logs, in seconds. (An audit log is a row added # to the "logs" table in the PostgreSQL database each time an @@ -564,6 +573,17 @@ Clusters: # work. If false, only the primary email address will be used. AlternateEmailAddresses: true + # Send additional parameters with authentication requests. See + # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters + # for a list of supported parameters. + AuthenticationRequestParameters: + # Show the "choose which Google account" page, even if the + # client is currently logged in to exactly one Google + # account. + prompt: select_account + + SAMPLE: "" + OpenIDConnect: # Authenticate with an OpenID Connect provider. Enable: false @@ -598,6 +618,14 @@ Clusters: # address. UsernameClaim: "" + # Send additional parameters with authentication requests, + # like {display: page, prompt: consent}. See + # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest + # and refer to your provider's documentation for supported + # parameters. + AuthenticationRequestParameters: + SAMPLE: "" + PAM: # (Experimental) Use PAM to authenticate users. Enable: false @@ -719,6 +747,17 @@ Clusters: # Default value zero means tokens don't have expiration. TokenLifetime: 0s + # When the token is returned to a client, the token itself may + # be restricted from manipulating other tokens based on whether + # the client is "trusted" or not. The local Workbench1 and + # Workbench2 are trusted by default, but if this is a + # LoginCluster, you probably want to include the other Workbench + # instances in the federation in this list. + TrustedClients: + SAMPLE: + "https://workbench.federate1.example": {} + "https://workbench.federate2.example": {} + Git: # Path to git or gitolite-shell executable. Each authenticated # request will execute this program with the single argument "http-backend" @@ -854,6 +893,26 @@ Clusters: # period. LogUpdateSize: 32MiB + ShellAccess: + # An admin user can use "arvados-client shell" to start an + # interactive shell (with any user ID) in any running + # container. + Admin: false + + # Any user can use "arvados-client shell" to start an + # interactive shell (with any user ID) in any running + # container that they started, provided it isn't also + # associated with a different user's container request. + # + # Interactive sessions make it easy to alter the container's + # runtime environment in ways that aren't recorded or + # reproducible. Consider the implications for automatic + # container reuse before enabling and using this feature. In + # particular, note that starting an interactive session does + # not disqualify a container from being reused by a different + # user/workflow in the future. + User: false + SLURM: PrioritySpread: 0 SbatchArgumentsList: [] @@ -1026,7 +1085,7 @@ Clusters: # Cloud-specific driver parameters. DriverParameters: - # (ec2) Credentials. + # (ec2) Credentials. Omit or leave blank if using IAM role. AccessKeyID: "" SecretAccessKey: ""