X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/80f26d7ffad85dc15a89bbf6f33a66e206832704..ed4d8462e763eb1d8c8f1548912495563cd9288f:/lib/config/config.default.yml

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index ca627d07e8..655e973c2f 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -433,7 +433,7 @@ Clusters:
       #
       # BalancePeriod determines the interval between start times of
       # successive scan/balance operations. If a scan/balance operation
-      # takes longer than RunPeriod, the next one will follow it
+      # takes longer than BalancePeriod, the next one will follow it
       # immediately.
       #
       # If SIGUSR1 is received during an idle period between operations,
@@ -538,7 +538,7 @@ Clusters:
         UUIDTTL: 5s
 
         # Block cache entries. Each block consumes up to 64 MiB RAM.
-        MaxBlockEntries: 4
+        MaxBlockEntries: 20
 
         # Collection cache entries.
         MaxCollectionEntries: 1000
@@ -633,6 +633,23 @@ Clusters:
         AuthenticationRequestParameters:
           SAMPLE: ""
 
+        # Accept an OIDC access token as an API token if the OIDC
+        # provider's UserInfo endpoint accepts it.
+        #
+        # AcceptAccessTokenScope should also be used when enabling
+        # this feature.
+        AcceptAccessToken: false
+
+        # Before accepting an OIDC access token as an API token, first
+        # check that it is a JWT whose "scope" value includes this
+        # value. Example: "https://zzzzz.example.com/" (your Arvados
+        # API endpoint).
+        #
+        # If this value is empty and AcceptAccessToken is true, all
+        # access tokens will be accepted regardless of scope,
+        # including non-JWT tokens. This is not recommended.
+        AcceptAccessTokenScope: ""
+
       PAM:
         # (Experimental) Use PAM to authenticate users.
         Enable: false
@@ -754,8 +771,15 @@ Clusters:
       # Default value zero means tokens don't have expiration.
       TokenLifetime: 0s
 
+      # If true (default) tokens issued through login are allowed to create
+      # new tokens.
+      # If false, tokens issued through login are not allowed to
+      # viewing/creating other tokens.  New tokens can only be created
+      # by going through login again.
+      IssueTrustedTokens: true
+
       # When the token is returned to a client, the token itself may
-      # be restricted from manipulating other tokens based on whether
+      # be restricted from viewing/creating other tokens based on whether
       # the client is "trusted" or not.  The local Workbench1 and
       # Workbench2 are trusted by default, but if this is a
       # LoginCluster, you probably want to include the other Workbench
@@ -1189,13 +1213,13 @@ Clusters:
         StorageClasses:
           default: true
           SAMPLE: true
-        Driver: s3
+        Driver: S3
         DriverParameters:
           # for s3 driver -- see
           # https://doc.arvados.org/install/configure-s3-object-storage.html
           IAMRole: aaaaa
-          AccessKey: aaaaa
-          SecretKey: aaaaa
+          AccessKeyID: aaaaa
+          SecretAccessKey: aaaaa
           Endpoint: ""
           Region: us-east-1a
           Bucket: aaaaa
@@ -1429,15 +1453,11 @@ Clusters:
         <img src="/arvados-logo-big.png" style="width: 20%; float: right; padding: 1em;" />
         <h2>Please log in.</h2>
 
-        <p>The "Log in" button below will show you a sign-in
-        page. After you log in, you will be redirected back to
-        Arvados Workbench.</p>
-
         <p>If you have never used Arvados Workbench before, logging in
         for the first time will automatically create a new
         account.</p>
 
-        <i>Arvados Workbench uses your name and email address only for
+        <i>Arvados Workbench uses your information only for
         identification, and does not retrieve any other personal
         information.</i>