X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/252e4cb551974b888cfe28cc4a51a241b91d529a..9c03bedaa6aa6a64b42dc61efcd6d46154fe6732:/lib/config/config.default.yml diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml index 411296cbea..a2a34448f1 100644 --- a/lib/config/config.default.yml +++ b/lib/config/config.default.yml @@ -184,12 +184,21 @@ Clusters: MaxItemsPerResponse: 1000 # Maximum number of concurrent requests to accept in a single - # service process, or 0 for no limit. Currently supported only - # by keepstore. + # service process, or 0 for no limit. MaxConcurrentRequests: 0 - # Maximum number of 64MiB memory buffers per keepstore server - # process, or 0 for no limit. + # Maximum number of 64MiB memory buffers per Keepstore server process, or + # 0 for no limit. When this limit is reached, up to + # (MaxConcurrentRequests - MaxKeepBlobBuffers) HTTP requests requiring + # buffers (like GET and PUT) will wait for buffer space to be released. + # Any HTTP requests beyond MaxConcurrentRequests will receive an + # immediate 503 response. + # + # MaxKeepBlobBuffers should be set such that (MaxKeepBlobBuffers * 64MiB + # * 1.1) fits comfortably in memory. On a host dedicated to running + # Keepstore, divide total memory by 88MiB to suggest a suitable value. + # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440 + # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79 MaxKeepBlobBuffers: 128 # API methods to disable. Disabled methods are not listed in the @@ -431,6 +440,13 @@ Clusters: # or omitted, pages are processed serially. BalanceCollectionBuffers: 1000 + # Maximum time for a rebalancing run. This ensures keep-balance + # eventually gives up and retries if, for example, a network + # error causes a hung connection that is never closed by the + # OS. It should be long enough that it doesn't interrupt a + # long-running balancing operation. + BalanceTimeout: 6h + # Default lifetime for ephemeral collections: 2 weeks. This must not # be less than BlobSigningTTL. DefaultTrashLifetime: 336h @@ -515,31 +531,163 @@ Clusters: MaxUUIDEntries: 1000 Login: - # These settings are provided by your OAuth2 provider (eg - # Google) used to perform upstream authentication. - ProviderAppID: "" - ProviderAppSecret: "" - - # (Experimental) Authenticate with Google, bypassing the - # SSO-provider gateway service. Use the Google Cloud console to - # enable the People API (APIs and Services > Enable APIs and - # services > Google People API > Enable), generate a Client ID - # and secret (APIs and Services > Credentials > Create - # credentials > OAuth client ID > Web application) and add your - # controller's /login URL (e.g., - # "https://zzzzz.example.com/login") as an authorized redirect - # URL. - # - # Incompatible with ForceLegacyAPI14. ProviderAppID must be - # blank. - GoogleClientID: "" - GoogleClientSecret: "" + # One of the following mechanisms (SSO, Google, PAM, LDAP, or + # LoginCluster) should be enabled; see + # https://doc.arvados.org/install/setup-login.html + + Google: + # Authenticate with Google. + Enable: false + + # Use the Google Cloud console to enable the People API (APIs + # and Services > Enable APIs and services > Google People API + # > Enable), generate a Client ID and secret (APIs and + # Services > Credentials > Create credentials > OAuth client + # ID > Web application) and add your controller's /login URL + # (e.g., "https://zzzzz.example.com/login") as an authorized + # redirect URL. + # + # Incompatible with ForceLegacyAPI14. ProviderAppID must be + # blank. + ClientID: "" + ClientSecret: "" + + # Allow users to log in to existing accounts using any verified + # email address listed by their Google account. If true, the + # Google People API must be enabled in order for Google login to + # work. If false, only the primary email address will be used. + AlternateEmailAddresses: true + + OpenIDConnect: + # Authenticate with an OpenID Connect provider. + Enable: false + + # Issuer URL, e.g., "https://login.example.com". + # + # This must be exactly equal to the URL returned by the issuer + # itself in its config response ("isser" key). If the + # configured value is "https://example" and the provider + # returns "https://example:443" or "https://example/" then + # login will fail, even though those URLs are equivalent + # (RFC3986). + Issuer: "" + + # Your client ID and client secret (supplied by the provider). + ClientID: "" + ClientSecret: "" + + # OpenID claim field containing the user's email + # address. Normally "email"; see + # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims + EmailClaim: "email" + + # OpenID claim field containing the email verification + # flag. Normally "email_verified". To accept every returned + # email address without checking a "verified" field at all, + # use the empty string "". + EmailVerifiedClaim: "email_verified" + + # OpenID claim field containing the user's preferred + # username. If empty, use the mailbox part of the user's email + # address. + UsernameClaim: "" + + PAM: + # (Experimental) Use PAM to authenticate users. + Enable: false + + # PAM service name. PAM will apply the policy in the + # corresponding config file (e.g., /etc/pam.d/arvados) or, if + # there is none, the default "other" config. + Service: arvados + + # Domain name (e.g., "example.com") to use to construct the + # user's email address if PAM authentication returns a + # username with no "@". If empty, use the PAM username as the + # user's email address, whether or not it contains "@". + # + # Note that the email address is used as the primary key for + # user records when logging in. Therefore, if you change + # PAMDefaultEmailDomain after the initial installation, you + # should also update existing user records to reflect the new + # domain. Otherwise, next time those users log in, they will + # be given new accounts instead of accessing their existing + # accounts. + DefaultEmailDomain: "" + + LDAP: + # Use an LDAP service to authenticate users. + Enable: false + + # Server URL, like "ldap://ldapserver.example.com:389" or + # "ldaps://ldapserver.example.com:636". + URL: "ldap://ldap:389" + + # Use StartTLS upon connecting to the server. + StartTLS: true + + # Skip TLS certificate name verification. + InsecureTLS: false + + # Strip the @domain part if a user supplies an email-style + # username with this domain. If "*", strip any user-provided + # domain. If "", never strip the domain part. Example: + # "example.com" + StripDomain: "" + + # If, after applying StripDomain, the username contains no "@" + # character, append this domain to form an email-style + # username. Example: "example.com" + AppendDomain: "" - # Allow users to log in to existing accounts using any verified - # email address listed by their Google account. If true, the - # Google People API must be enabled in order for Google login to - # work. If false, only the primary email address will be used. - GoogleAlternateEmailAddresses: true + # The LDAP attribute to filter on when looking up a username + # (after applying StripDomain and AppendDomain). + SearchAttribute: uid + + # Bind with this username (DN or UPN) and password when + # looking up the user record. + # + # Example user: "cn=admin,dc=example,dc=com" + SearchBindUser: "" + SearchBindPassword: "" + + # Directory base for username lookup. Example: + # "ou=Users,dc=example,dc=com" + SearchBase: "" + + # Additional filters to apply when looking up users' LDAP + # entries. This can be used to restrict access to a subset of + # LDAP users, or to disambiguate users from other directory + # entries that have the SearchAttribute present. + # + # Special characters in assertion values must be escaped (see + # RFC4515). + # + # Example: "(objectClass=person)" + SearchFilters: "" + + # LDAP attribute to use as the user's email address. + # + # Important: This must not be an attribute whose value can be + # edited in the directory by the users themselves. Otherwise, + # users can take over other users' Arvados accounts trivially + # (email address is the primary key for Arvados accounts.) + EmailAttribute: mail + + # LDAP attribute to use as the preferred Arvados username. If + # no value is found (or this config is empty) the username + # originally supplied by the user will be used. + UsernameAttribute: uid + + SSO: + # Authenticate with a separate SSO server. (Deprecated) + Enable: false + + # ProviderAppID and ProviderAppSecret are generated during SSO + # setup; see + # https://doc.arvados.org/v2.0/install/install-sso.html#update-config + ProviderAppID: "" + ProviderAppSecret: "" # The cluster ID to delegate the user database. When set, # logins on this cluster will be redirected to the login cluster @@ -860,13 +1008,29 @@ Clusters: # (azure) Instance configuration. CloudEnvironment: AzurePublicCloud - ResourceGroup: "" Location: centralus + + # (azure) The resource group where the VM and virtual NIC will be + # created. + ResourceGroup: "" + + # (azure) The resource group of the Network to use for the virtual + # NIC (if different from ResourceGroup) + NetworkResourceGroup: "" Network: "" Subnet: "" + + # (azure) Where to store the VM VHD blobs StorageAccount: "" BlobContainer: "" + + # (azure) How long to wait before deleting VHD and NIC + # objects that are no longer being used. DeleteDanglingResourcesAfter: 20s + + # Account (that already exists in the VM image) that will be + # set up with an ssh authorized key to allow the compute + # dispatcher to connect. AdminUsername: arvados InstanceTypes: @@ -919,10 +1083,13 @@ Clusters: Region: us-east-1a Bucket: aaaaa LocationConstraint: false + V2Signature: false IndexPageSize: 1000 ConnectTimeout: 1m ReadTimeout: 10m RaceWindow: 24h + # Use aws-s3-go (v2) instead of goamz + UseAWSS3v2Driver: false # For S3 driver, potentially unsafe tuning parameter, # intentionally excluded from main documentation. @@ -1108,7 +1275,7 @@ Clusters: RunningJobLogRecordsToFetch: 2000 # In systems with many shared projects, loading of dashboard and topnav - # cab be slow due to collections indexing; use the following parameters + # can be slow due to collections indexing; use the following parameters # to suppress these properties ShowRecentCollectionsOnDashboard: true ShowUserNotifications: true @@ -1196,3 +1363,8 @@ Clusters: # implementation. Note that it also disables some new federation # features and will be removed in a future release. ForceLegacyAPI14: false + +# (Experimental) Restart services automatically when config file +# changes are detected. Only supported by `arvados-server boot` in +# dev/test mode. +AutoReloadConfig: false