X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/41305b5ac71cc9a306dc654c42c11ffcc4258a47..f5162efc3578d0420e869e3fcbda46454a855909:/lib/config/generated_config.go diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go index 34f0a0c92b..ee23084135 100644 --- a/lib/config/generated_config.go +++ b/lib/config/generated_config.go @@ -30,49 +30,42 @@ Clusters: # In each of the service sections below, the keys under # InternalURLs are the endpoints where the service should be - # listening, and reachable from other hosts in the cluster. - SAMPLE: - InternalURLs: - "http://host1.example:12345": {} - "http://host2.example:12345": - # Rendezvous is normally empty/omitted. When changing the - # URL of a Keepstore service, Rendezvous should be set to - # the old URL (with trailing slash omitted) to preserve - # rendezvous ordering. - Rendezvous: "" - SAMPLE: - Rendezvous: "" - ExternalURL: "-" + # listening, and reachable from other hosts in the + # cluster. Example: + # + # InternalURLs: + # "http://host1.example:12345": {} + # "http://host2.example:12345": {} RailsAPI: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "-" Controller: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" Websocket: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" Keepbalance: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "-" GitHTTP: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" GitSSH: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" DispatchCloud: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} + ExternalURL: "-" + DispatchLSF: + InternalURLs: {SAMPLE: {}} ExternalURL: "-" - SSO: - InternalURLs: {} - ExternalURL: "" Keepproxy: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" WebDAV: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} # Base URL for Workbench inline preview. If blank, use # WebDAVDownload instead, and disable inline preview. # If both are empty, downloading collections from workbench @@ -111,7 +104,7 @@ Clusters: ExternalURL: "" WebDAVDownload: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} # Base URL for download links. If blank, serve links to WebDAV # with disposition=attachment query param. Unlike preview links, # browsers do not render attachments, so there is no risk of XSS. @@ -125,13 +118,19 @@ Clusters: ExternalURL: "" Keepstore: - InternalURLs: {} + InternalURLs: + SAMPLE: + # Rendezvous is normally empty/omitted. When changing the + # URL of a Keepstore service, Rendezvous should be set to + # the old URL (with trailing slash omitted) to preserve + # rendezvous ordering. + Rendezvous: "" ExternalURL: "-" Composer: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" WebShell: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} # ShellInABox service endpoint URL for a given VM. If empty, do not # offer web shell logins. # @@ -142,13 +141,13 @@ Clusters: # https://*.webshell.uuid_prefix.arvadosapi.com ExternalURL: "" Workbench1: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" Workbench2: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "" Health: - InternalURLs: {} + InternalURLs: {SAMPLE: {}} ExternalURL: "-" PostgreSQL: @@ -164,6 +163,13 @@ Clusters: dbname: "" SAMPLE: "" API: + # Limits for how long a client token created by regular users can be valid, + # and also is used as a default expiration policy when no expiration date is + # specified. + # Default value zero means token expirations don't get clamped and no + # default expiration is set. + MaxTokenLifetime: 0s + # Maximum size (in bytes) allowed for a single API request. This # limit is published in the discovery document for use by clients. # Note: You must separately configure the upstream web server or @@ -203,7 +209,7 @@ Clusters: # * 1.1) fits comfortably in memory. On a host dedicated to running # Keepstore, divide total memory by 88MiB to suggest a suitable value. # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440 - # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79 + # kB, compute 7125440 / (88 * 1024)=79 and set MaxKeepBlobBuffers: 79 MaxKeepBlobBuffers: 128 # API methods to disable. Disabled methods are not listed in the @@ -261,9 +267,6 @@ Clusters: # The e-mail address of the user you would like to become marked as an admin # user on their first login. - # In the default configuration, authentication happens through the Arvados SSO - # server, which uses OAuth2 against Google's servers, so in that case this - # should be an address associated with a Google account. AutoAdminUserWithEmail: "" # If AutoAdminFirstUser is set to true, the first user to log in when no @@ -279,9 +282,10 @@ Clusters: NewUserNotificationRecipients: {} NewInactiveUserNotificationRecipients: {} - # Set AnonymousUserToken to enable anonymous user access. You can get - # the token by running "bundle exec ./script/get_anonymous_user_token.rb" - # in the directory where your API server is running. + # Set AnonymousUserToken to enable anonymous user access. Populate this + # field with a long random string. Then run "bundle exec + # ./script/get_anonymous_user_token.rb" in the directory where your API + # server is running to record the token in the database. AnonymousUserToken: "" # If a new user has an alternate email address (local@domain) @@ -434,7 +438,7 @@ Clusters: # # BalancePeriod determines the interval between start times of # successive scan/balance operations. If a scan/balance operation - # takes longer than RunPeriod, the next one will follow it + # takes longer than BalancePeriod, the next one will follow it # immediately. # # If SIGUSR1 is received during an idle period between operations, @@ -461,6 +465,13 @@ Clusters: # long-running balancing operation. BalanceTimeout: 6h + # Maximum number of replication_confirmed / + # storage_classes_confirmed updates to write to the database + # after a rebalancing run. When many updates are needed, this + # spreads them over a few runs rather than applying them all at + # once. + BalanceUpdateLimit: 100000 + # Default lifetime for ephemeral collections: 2 weeks. This must not # be less than BlobSigningTTL. DefaultTrashLifetime: 336h @@ -522,33 +533,70 @@ Clusters: # WebDAV would have to expose XSS vulnerabilities in order to # handle the redirect (see discussion on Services.WebDAV). # - # This setting has no effect in the recommended configuration, - # where the WebDAV is configured to have a separate domain for - # every collection; in this case XSS protection is provided by - # browsers' same-origin policy. + # This setting has no effect in the recommended configuration, where the + # WebDAV service is configured to have a separate domain for every + # collection and XSS protection is provided by browsers' same-origin + # policy. # # The default setting (false) is appropriate for a multi-user site. TrustAllContent: false # Cache parameters for WebDAV content serving: - # * TTL: Maximum time to cache manifests and permission checks. - # * UUIDTTL: Maximum time to cache collection state. - # * MaxBlockEntries: Maximum number of block cache entries. - # * MaxCollectionEntries: Maximum number of collection cache entries. - # * MaxCollectionBytes: Approximate memory limit for collection cache. - # * MaxPermissionEntries: Maximum number of permission cache entries. - # * MaxUUIDEntries: Maximum number of UUID cache entries. WebDAVCache: + # Time to cache manifests, permission checks, and sessions. TTL: 300s + + # Time to cache collection state. UUIDTTL: 5s - MaxBlockEntries: 4 + + # Block cache entries. Each block consumes up to 64 MiB RAM. + MaxBlockEntries: 20 + + # Collection cache entries. MaxCollectionEntries: 1000 - MaxCollectionBytes: 100000000 + + # Approximate memory limit (in bytes) for collection cache. + MaxCollectionBytes: 100000000 + + # Permission cache entries. MaxPermissionEntries: 1000 - MaxUUIDEntries: 1000 + + # UUID cache entries. + MaxUUIDEntries: 1000 + + # Persistent sessions. + MaxSessions: 100 + + # Selectively set permissions for regular users and admins to + # download or upload data files using the upload/download + # features for Workbench, WebDAV and S3 API support. + WebDAVPermission: + User: + Download: true + Upload: true + Admin: + Download: true + Upload: true + + # Selectively set permissions for regular users and admins to be + # able to download or upload blocks using arv-put and + # arv-get from outside the cluster. + KeepproxyPermission: + User: + Download: true + Upload: true + Admin: + Download: true + Upload: true + + # Post upload / download events to the API server logs table, so + # that they can be included in the arv-user-activity report. + # You can disable this if you find that it is creating excess + # load on the API server and you don't need it. + WebDAVLogEvents: true Login: - # One of the following mechanisms (SSO, Google, PAM, LDAP, or + # One of the following mechanisms (Google, PAM, LDAP, or # LoginCluster) should be enabled; see # https://doc.arvados.org/install/setup-login.html @@ -563,9 +611,6 @@ Clusters: # ID > Web application) and add your controller's /login URL # (e.g., "https://zzzzz.example.com/login") as an authorized # redirect URL. - # - # Incompatible with ForceLegacyAPI14. ProviderAppID must be - # blank. ClientID: "" ClientSecret: "" @@ -575,6 +620,17 @@ Clusters: # work. If false, only the primary email address will be used. AlternateEmailAddresses: true + # Send additional parameters with authentication requests. See + # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters + # for a list of supported parameters. + AuthenticationRequestParameters: + # Show the "choose which Google account" page, even if the + # client is currently logged in to exactly one Google + # account. + prompt: select_account + + SAMPLE: "" + OpenIDConnect: # Authenticate with an OpenID Connect provider. Enable: false @@ -609,6 +665,31 @@ Clusters: # address. UsernameClaim: "" + # Send additional parameters with authentication requests, + # like {display: page, prompt: consent}. See + # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest + # and refer to your provider's documentation for supported + # parameters. + AuthenticationRequestParameters: + SAMPLE: "" + + # Accept an OIDC access token as an API token if the OIDC + # provider's UserInfo endpoint accepts it. + # + # AcceptAccessTokenScope should also be used when enabling + # this feature. + AcceptAccessToken: false + + # Before accepting an OIDC access token as an API token, first + # check that it is a JWT whose "scope" value includes this + # value. Example: "https://zzzzz.example.com/" (your Arvados + # API endpoint). + # + # If this value is empty and AcceptAccessToken is true, all + # access tokens will be accepted regardless of scope, + # including non-JWT tokens. This is not recommended. + AcceptAccessTokenScope: "" + PAM: # (Experimental) Use PAM to authenticate users. Enable: false @@ -696,16 +777,6 @@ Clusters: # originally supplied by the user will be used. UsernameAttribute: uid - SSO: - # Authenticate with a separate SSO server. (Deprecated) - Enable: false - - # ProviderAppID and ProviderAppSecret are generated during SSO - # setup; see - # https://doc.arvados.org/v2.0/install/install-sso.html#update-config - ProviderAppID: "" - ProviderAppSecret: "" - Test: # Authenticate users listed here in the config file. This # feature is intended to be used in test environments, and @@ -730,8 +801,15 @@ Clusters: # Default value zero means tokens don't have expiration. TokenLifetime: 0s + # If true (default) tokens issued through login are allowed to create + # new tokens. + # If false, tokens issued through login are not allowed to + # viewing/creating other tokens. New tokens can only be created + # by going through login again. + IssueTrustedTokens: true + # When the token is returned to a client, the token itself may - # be restricted from manipulating other tokens based on whether + # be restricted from viewing/creating other tokens based on whether # the client is "trusted" or not. The local Workbench1 and # Workbench2 are trusted by default, but if this is a # LoginCluster, you probably want to include the other Workbench @@ -820,7 +898,11 @@ Clusters: # stale locks from a previous dispatch process. StaleLockTimeout: 1m - # The crunch-run command to manage the container on a node + # The crunch-run command used to start a container on a worker node. + # + # When dispatching to cloud VMs, this is used only if + # DeployRunnerBinary in the CloudVMs section is set to the empty + # string. CrunchRunCommand: "crunch-run" # Extra arguments to add to crunch-run invocation @@ -834,6 +916,9 @@ Clusters: # Minimum time between two attempts to run the same container MinRetryPeriod: 0s + # Container runtime: "docker" (default) or "singularity" (experimental) + RuntimeEngine: docker + Logging: # When you run the db:delete_old_container_logs task, it will find # containers that have been finished for at least this many seconds, @@ -876,6 +961,26 @@ Clusters: # period. LogUpdateSize: 32MiB + ShellAccess: + # An admin user can use "arvados-client shell" to start an + # interactive shell (with any user ID) in any running + # container. + Admin: false + + # Any user can use "arvados-client shell" to start an + # interactive shell (with any user ID) in any running + # container that they started, provided it isn't also + # associated with a different user's container request. + # + # Interactive sessions make it easy to alter the container's + # runtime environment in ways that aren't recorded or + # reproducible. Consider the implications for automatic + # container reuse before enabling and using this feature. In + # particular, note that starting an interactive session does + # not disqualify a container from being reused by a different + # user/workflow in the future. + User: false + SLURM: PrioritySpread: 0 SbatchArgumentsList: [] @@ -923,6 +1028,19 @@ Clusters: # (See http://ruby-doc.org/core-2.2.2/Kernel.html#method-i-format for more.) AssignNodeHostname: "compute%d" + LSF: + # Additional arguments to bsub when submitting Arvados + # containers as LSF jobs. + BsubArgumentsList: [] + + # Use sudo to switch to this user account when submitting LSF + # jobs. + # + # This account must exist on the hosts where LSF jobs run + # ("execution hosts"), as well as on the host where the + # Arvados LSF dispatcher runs ("submission host"). + BsubSudoUser: "crunch" + JobsAPI: # Enable the legacy 'jobs' API (crunch v1). This value must be a string. # @@ -1021,7 +1139,7 @@ Clusters: # # Use the empty string to disable this step: nothing will be # copied, and cloud instances are assumed to have a suitable - # version of crunch-run installed. + # version of crunch-run installed; see CrunchRunCommand above. DeployRunnerBinary: "/proc/self/exe" # Tags to add on all resources (VMs, NICs, disks) created by @@ -1048,7 +1166,7 @@ Clusters: # Cloud-specific driver parameters. DriverParameters: - # (ec2) Credentials. + # (ec2) Credentials. Omit or leave blank if using IAM role. AccessKeyID: "" SecretAccessKey: "" @@ -1141,13 +1259,13 @@ Clusters: StorageClasses: default: true SAMPLE: true - Driver: s3 + Driver: S3 DriverParameters: # for s3 driver -- see # https://doc.arvados.org/install/configure-s3-object-storage.html IAMRole: aaaaa - AccessKey: aaaaa - SecretKey: aaaaa + AccessKeyID: aaaaa + SecretAccessKey: aaaaa Endpoint: "" Region: us-east-1a Bucket: aaaaa @@ -1381,15 +1499,11 @@ Clusters:

Please log in.

-

The "Log in" button below will show you a sign-in - page. After you log in, you will be redirected back to - Arvados Workbench.

-

If you have never used Arvados Workbench before, logging in for the first time will automatically create a new account.

- Arvados Workbench uses your name and email address only for + Arvados Workbench uses your information only for identification, and does not retrieve any other personal information. @@ -1430,13 +1544,6 @@ Clusters: # this blank. SSHHelpHostSuffix: "" - # Bypass new (Arvados 1.5) API implementations, and hand off - # requests directly to Rails instead. This can provide a temporary - # workaround for clients that are incompatible with the new API - # implementation. Note that it also disables some new federation - # features and will be removed in a future release. - ForceLegacyAPI14: false - # (Experimental) Restart services automatically when config file # changes are detected. Only supported by ` + "`" + `arvados-server boot` + "`" + ` in # dev/test mode.