X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6a202a2765bdbac5062fd34231804527edfb6a14..6f1c0e1dd16f53ce4fb7e8785a130e5f588500e5:/services/api/config/application.default.yml diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml index 8a1c6447d8..ddc6eede83 100644 --- a/services/api/config/application.default.yml +++ b/services/api/config/application.default.yml @@ -27,6 +27,11 @@ common: # generate permission signatures for Keep locators. It must be # identical to the permission key given to Keep. IMPORTANT: This is # a site secret. It should be at least 50 characters. + # + # Modifying blob_signing_key will invalidate all existing + # signatures, which can cause programs to fail (e.g., arv-put, + # arv-get, and Crunch jobs). To avoid errors, rotate keys only when + # no such processes are running. blob_signing_key: ~ # These settings are provided by your OAuth2 provider (e.g., @@ -65,6 +70,16 @@ common: # websockets, otherwise none at all. websocket_address: false + # Maximum number of websocket connections allowed + websocket_max_connections: 500 + + # Maximum number of events a single connection can be backlogged + websocket_max_notify_backlog: 1000 + + # Maximum number of subscriptions a single websocket connection can have + # active. + websocket_max_filters: 10 + # Git repositories must be readable by api server, or you won't be # able to submit crunch jobs. To pass the test suites, put a clone # of the arvados tree in {git_repositories_dir}/arvados.git or 
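Review bot: The rotation note added above `blob_signing_key` says when to rotate but not that the new key has to reach Keep at the same time, although the existing comment just above it requires the two keys to be identical. An operator following only the new paragraph could change the API server's key and leave keepstore on the old one, which would presumably fail every signed request until both match. I would add a line such as `# Change the key on the API server and on every Keep server together.` to the new paragraph. The note also assumes a planned rotation; it may be worth adding that after a suspected key leak the key should be replaced immediately and the resulting client failures accepted.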
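Review bot: The three `websocket_max_*` comments give the limits but not what the server does when one is reached, which is what an operator tuning them against connection floods needs to know. Each comment should say whether the excess connection, event or subscription is refused, dropped, or causes the socket to be closed, and whether `websocket_max_connections` counts per server process or across the whole deployment; none of that is visible in this hunk. It would also help to document whether `0` or a missing value means unlimited, since an accidental "no limit" would silently remove the protection. A possible form, to be matched to the real behaviour, is `# Maximum number of websocket connections allowed; further connections are refused.`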
@@ -148,21 +163,19 @@ common: ### # Lifetime (in seconds) of blob permission signatures generated by - # the API server. This will become a part of the blob signing key, - # and will cause clients to retry or fail if changed while they are - # in progres.This determines how long a client can take (after + # the API server. This determines how long a client can take (after # retrieving a collection record) to retrieve the collection data # from Keep. If the client needs more time than that (assuming the # collection still has the same content and the relevant user/token # still has permission) the client can retrieve the collection again # to get fresh signatures. # - # Datamanager considers an unreferenced block older than this to be - # eligible for garbage collection. Therefore, it should never be - # smaller than the corresponding value used by any local keepstore - # service (see keepstore -blob-signature-ttl flag). This rule - # prevents datamanager from trying to garbage-collect recently - # written blocks while clients are still holding valid signatures. + # This must be exactly equal to the -blob-signature-ttl flag used by + # keepstore servers. Otherwise, reading data blocks and saving + # collections will fail with HTTP 403 permission errors. + # + # Modifying blob_signature_ttl invalidates existing signatures; see + # blob_signing_key note above. # # The default is 2 weeks. blob_signature_ttl: 1209600 @@ -342,6 +355,12 @@ common: crunch_log_partial_line_throttle_period: 5 + # Enable asynchronous permission graph rebuild. Must run + # script/permission-updater.rb as a separate process. When the permission + # cache is invalidated, the background process will update the permission + # graph cache. This feature is experimental! + async_permissions_update: false + development: force_ssl: false cache_classes: false
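Review bot: The rewritten comment on `blob_signature_ttl` covers the keepstore match and the invalidation, but says nothing about what the length of the TTL means for access revocation. The surviving text implies that a signature, once issued, is accepted until it expires, so with the two-week default a client that loses permission could presumably still read blocks for which it already holds signed locators. Consider adding `# A shorter TTL narrows the window in which already-issued signatures remain usable.` once that is confirmed. If the keepstore `-blob-signature-ttl` flag takes a different unit or format than the seconds used here, the "exactly equal" rule should also spell out the conversion.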
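Review bot: The comment on `async_permissions_update` does not say what happens to permission checks between a cache invalidation and the background rebuild, or when the setting is `true` and `script/permission-updater.rb` is not running. If the API server keeps answering from the old graph in that window, which this hunk does not show either way, a revoked permission would stay in effect until the updater catches up, and indefinitely if the process has died. The comment should state that behaviour and advise monitoring the updater process. A possible line, once checked against the implementation, is `# While a rebuild is pending, permission changes (including revocations) may not be in effect yet.`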