X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9a71dd94cb72a5fd1ed74ca71b4961de4108db02..f81d411d2becc23fe640366620d9568149d89bd6:/lib/config/generated_config.go diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go index ec5bc187d7..96da19dfcd 100644 --- a/lib/config/generated_config.go +++ b/lib/config/generated_config.go @@ -446,6 +446,13 @@ Clusters: # or omitted, pages are processed serially. BalanceCollectionBuffers: 1000 + # Maximum time for a rebalancing run. This ensures keep-balance + # eventually gives up and retries if, for example, a network + # error causes a hung connection that is never closed by the + # OS. It should be long enough that it doesn't interrupt a + # long-running balancing operation. + BalanceTimeout: 6h + # Default lifetime for ephemeral collections: 2 weeks. This must not # be less than BlobSigningTTL. DefaultTrashLifetime: 336h 
@@ -557,6 +564,40 @@ Clusters: # work. If false, only the primary email address will be used. AlternateEmailAddresses: true + OpenIDConnect: + # Authenticate with an OpenID Connect provider. + Enable: false + + # Issuer URL, e.g., "https://login.example.com". + # + # This must be exactly equal to the URL returned by the issuer + # itself in its config response ("isser" key). If the + # configured value is "https://example" and the provider + # returns "https://example:443" or "https://example/" then + # login will fail, even though those URLs are equivalent + # (RFC3986). + Issuer: "" + + # Your client ID and client secret (supplied by the provider). + ClientID: "" + ClientSecret: "" + + # OpenID claim field containing the user's email + # address. Normally "email"; see + # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims + EmailClaim: "email" + + # OpenID claim field containing the email verification + # flag. Normally "email_verified". To accept every returned + # email address without checking a "verified" field at all, + # use the empty string "". + EmailVerifiedClaim: "email_verified" + + # OpenID claim field containing the user's preferred + # username. If empty, use the mailbox part of the user's email + # address. + UsernameClaim: "" + PAM: # (Experimental) Use PAM to authenticate users. Enable: false 
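Review bot: The new comment on `EmailVerifiedClaim` says that the empty string accepts every returned address without a verified check, but it does not say when that is safe. If accounts are matched on the address from `EmailClaim` (not visible in this hunk), a provider that lets users set an unconfirmed address would let them log in as someone else's address. I would add a caveat such as `# Only use "" if the provider guarantees that every address it returns has already been verified.` In the same block, the `Issuer` comment spells the discovery key as `"isser"`; it should read `("issuer" key)` so operators compare against the right field. The file name suggests this text is generated, so both changes probably belong in the source it is generated from.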
@@ -620,9 +661,15 @@ Clusters: # "ou=Users,dc=example,dc=com" SearchBase: "" - # Additional filters for username lookup. Special characters - # in assertion values must be escaped (see RFC4515). Example: - # "(objectClass=person)" + # Additional filters to apply when looking up users' LDAP + # entries. This can be used to restrict access to a subset of + # LDAP users, or to disambiguate users from other directory + # entries that have the SearchAttribute present. + # + # Special characters in assertion values must be escaped (see + # RFC4515). + # + # Example: "(objectClass=person)" SearchFilters: "" # LDAP attribute to use as the user's email address.