X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9df537c24b1b042b512d89bcea3f088f3d5ab08e..1acd7bc736df6bc2b3030f1553bb4492a749d10a:/lib/config/config.default.yml diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml index 89156719b2..d7a67e7721 100644 --- a/lib/config/config.default.yml +++ b/lib/config/config.default.yml @@ -12,6 +12,8 @@ Clusters: xxxxx: + # Token used internally by Arvados components to authenticate to + # one another. Use a string of at least 50 random alphanumerics. SystemRootToken: "" # Token to be included in all healthcheck requests. Disabled by default. @@ -156,6 +158,13 @@ Clusters: dbname: "" SAMPLE: "" API: + # Limits for how long a client token created by regular users can be valid, + # and also is used as a default expiration policy when no expiration date is + # specified. + # Default value zero means token expirations don't get clamped and no + # default expiration is set. + MaxTokenLifetime: 0s + # Maximum size (in bytes) allowed for a single API request. This # limit is published in the discovery document for use by clients. # Note: You must separately configure the upstream web server or @@ -195,7 +204,7 @@ Clusters: # * 1.1) fits comfortably in memory. On a host dedicated to running # Keepstore, divide total memory by 88MiB to suggest a suitable value. # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440 - # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79 + # kB, compute 7125440 / (88 * 1024)=79 and set MaxKeepBlobBuffers: 79 MaxKeepBlobBuffers: 128 # API methods to disable. Disabled methods are not listed in the @@ -212,11 +221,6 @@ Clusters: # serving a single incoming multi-cluster (federated) request. MaxRequestAmplification: 4 - # RailsSessionSecretToken is a string of alphanumeric characters - # used by Rails to sign session tokens. IMPORTANT: This is a - # site secret. It should be at least 50 characters. - RailsSessionSecretToken: "" - # Maximum wall clock time to spend handling an incoming request. RequestTimeout: 5m @@ -258,9 +262,6 @@ Clusters: # The e-mail address of the user you would like to become marked as an admin # user on their first login. - # In the default configuration, authentication happens through the Arvados SSO - # server, which uses OAuth2 against Google's servers, so in that case this - # should be an address associated with a Google account. AutoAdminUserWithEmail: "" # If AutoAdminFirstUser is set to true, the first user to log in when no @@ -276,9 +277,10 @@ Clusters: NewUserNotificationRecipients: {} NewInactiveUserNotificationRecipients: {} - # Set AnonymousUserToken to enable anonymous user access. You can get - # the token by running "bundle exec ./script/get_anonymous_user_token.rb" - # in the directory where your API server is running. + # Set AnonymousUserToken to enable anonymous user access. Populate this + # field with a long random string. Then run "bundle exec + # ./script/get_anonymous_user_token.rb" in the directory where your API + # server is running to record the token in the database. AnonymousUserToken: "" # If a new user has an alternate email address (local@domain) @@ -287,6 +289,20 @@ Clusters: # address is used. PreferDomainForUsername: "" + UserSetupMailText: | + <% if not @user.full_name.empty? -%> + <%= @user.full_name %>, + <% else -%> + Hi there, + <% end -%> + + Your Arvados account has been set up. You can log in at + + <%= Rails.configuration.Services.Workbench1.ExternalURL %> + + Thanks, + Your Arvados administrator. + AuditLogs: # Time to keep audit logs, in seconds. (An audit log is a row added # to the "logs" table in the PostgreSQL database each time an @@ -514,21 +530,30 @@ Clusters: TrustAllContent: false # Cache parameters for WebDAV content serving: - # * TTL: Maximum time to cache manifests and permission checks. - # * UUIDTTL: Maximum time to cache collection state. - # * MaxBlockEntries: Maximum number of block cache entries. - # * MaxCollectionEntries: Maximum number of collection cache entries. - # * MaxCollectionBytes: Approximate memory limit for collection cache. - # * MaxPermissionEntries: Maximum number of permission cache entries. - # * MaxUUIDEntries: Maximum number of UUID cache entries. WebDAVCache: + # Time to cache manifests, permission checks, and sessions. TTL: 300s + + # Time to cache collection state. UUIDTTL: 5s - MaxBlockEntries: 4 + + # Block cache entries. Each block consumes up to 64 MiB RAM. + MaxBlockEntries: 4 + + # Collection cache entries. MaxCollectionEntries: 1000 - MaxCollectionBytes: 100000000 + + # Approximate memory limit (in bytes) for collection cache. + MaxCollectionBytes: 100000000 + + # Permission cache entries. MaxPermissionEntries: 1000 - MaxUUIDEntries: 1000 + + # UUID cache entries. + MaxUUIDEntries: 1000 + + # Persistent sessions. + MaxSessions: 100 Login: # One of the following mechanisms (SSO, Google, PAM, LDAP, or @@ -546,9 +571,6 @@ Clusters: # ID > Web application) and add your controller's /login URL # (e.g., "https://zzzzz.example.com/login") as an authorized # redirect URL. - # - # Incompatible with ForceLegacyAPI14. ProviderAppID must be - # blank. ClientID: "" ClientSecret: "" @@ -558,6 +580,17 @@ Clusters: # work. If false, only the primary email address will be used. AlternateEmailAddresses: true + # Send additional parameters with authentication requests. See + # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters + # for a list of supported parameters. + AuthenticationRequestParameters: + # Show the "choose which Google account" page, even if the + # client is currently logged in to exactly one Google + # account. + prompt: select_account + + SAMPLE: "" + OpenIDConnect: # Authenticate with an OpenID Connect provider. Enable: false @@ -592,6 +625,14 @@ Clusters: # address. UsernameClaim: "" + # Send additional parameters with authentication requests, + # like {display: page, prompt: consent}. See + # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest + # and refer to your provider's documentation for supported + # parameters. + AuthenticationRequestParameters: + SAMPLE: "" + PAM: # (Experimental) Use PAM to authenticate users. Enable: false @@ -689,6 +730,16 @@ Clusters: ProviderAppID: "" ProviderAppSecret: "" + Test: + # Authenticate users listed here in the config file. This + # feature is intended to be used in test environments, and + # should not be used in production. + Enable: false + Users: + SAMPLE: + Email: alice@example.com + Password: xyzzy + # The cluster ID to delegate the user database. When set, # logins on this cluster will be redirected to the login cluster # (login cluster must appear in RemoteClusters with Proxy: true) @@ -698,6 +749,22 @@ Clusters: # remain valid before it needs to be revalidated. RemoteTokenRefresh: 5m + # How long a client token created from a login flow will be valid without + # asking the user to re-login. Example values: 60m, 8h. + # Default value zero means tokens don't have expiration. + TokenLifetime: 0s + + # When the token is returned to a client, the token itself may + # be restricted from manipulating other tokens based on whether + # the client is "trusted" or not. The local Workbench1 and + # Workbench2 are trusted by default, but if this is a + # LoginCluster, you probably want to include the other Workbench + # instances in the federation in this list. + TrustedClients: + SAMPLE: + "https://workbench.federate1.example": {} + "https://workbench.federate2.example": {} + Git: # Path to git or gitolite-shell executable. Each authenticated # request will execute this program with the single argument "http-backend" @@ -777,7 +844,11 @@ Clusters: # stale locks from a previous dispatch process. StaleLockTimeout: 1m - # The crunch-run command to manage the container on a node + # The crunch-run command used to start a container on a worker node. + # + # When dispatching to cloud VMs, this is used only if + # DeployRunnerBinary in the CloudVMs section is set to the empty + # string. CrunchRunCommand: "crunch-run" # Extra arguments to add to crunch-run invocation @@ -833,6 +904,26 @@ Clusters: # period. LogUpdateSize: 32MiB + ShellAccess: + # An admin user can use "arvados-client shell" to start an + # interactive shell (with any user ID) in any running + # container. + Admin: false + + # Any user can use "arvados-client shell" to start an + # interactive shell (with any user ID) in any running + # container that they started, provided it isn't also + # associated with a different user's container request. + # + # Interactive sessions make it easy to alter the container's + # runtime environment in ways that aren't recorded or + # reproducible. Consider the implications for automatic + # container reuse before enabling and using this feature. In + # particular, note that starting an interactive session does + # not disqualify a container from being reused by a different + # user/workflow in the future. + User: false + SLURM: PrioritySpread: 0 SbatchArgumentsList: [] @@ -923,6 +1014,11 @@ Clusters: # Time before repeating SIGTERM when killing a container. TimeoutSignal: 5s + # Time to give up on a process (most likely arv-mount) that + # still holds a container lockfile after its main supervisor + # process has exited, and declare the instance broken. + TimeoutStaleRunLock: 5s + # Time to give up on SIGTERM and write off the worker. TimeoutTERM: 2m @@ -930,6 +1026,12 @@ Clusters: # unlimited). MaxCloudOpsPerSecond: 0 + # Maximum concurrent node creation operations (0 = unlimited). This is + # recommended by Azure in certain scenarios (see + # https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image) + # and can be used with other cloud providers too, if desired. + MaxConcurrentInstanceCreateOps: 0 + # Interval between cloud provider syncs/updates ("list all # instances"). SyncInterval: 1m @@ -954,6 +1056,8 @@ Clusters: # Worker VM image ID. # (aws) AMI identifier # (azure) managed disks: the name of the managed disk image + # (azure) shared image gallery: the name of the image definition. Also + # see the SharedImageGalleryName and SharedImageGalleryImageVersion fields. # (azure) unmanaged disks (deprecated): the complete URI of the VHD, e.g. # https://xxxxx.blob.core.windows.net/system/Microsoft.Compute/Images/images/xxxxx.vhd ImageID: "" @@ -965,7 +1069,7 @@ Clusters: # # Use the empty string to disable this step: nothing will be # copied, and cloud instances are assumed to have a suitable - # version of crunch-run installed. + # version of crunch-run installed; see CrunchRunCommand above. DeployRunnerBinary: "/proc/self/exe" # Tags to add on all resources (VMs, NICs, disks) created by @@ -992,7 +1096,7 @@ Clusters: # Cloud-specific driver parameters. DriverParameters: - # (ec2) Credentials. + # (ec2) Credentials. Omit or leave blank if using IAM role. AccessKeyID: "" SecretAccessKey: "" @@ -1028,6 +1132,11 @@ Clusters: # image can be found (if different from ResourceGroup). ImageResourceGroup: "" + # (azure) shared image gallery: the name of the gallery + SharedImageGalleryName: "" + # (azure) shared image gallery: the version of the image definition + SharedImageGalleryImageVersion: "" + # (azure) unmanaged disks (deprecated): Where to store the VM VHD blobs StorageAccount: "" BlobContainer: "" @@ -1080,13 +1189,13 @@ Clusters: StorageClasses: default: true SAMPLE: true - Driver: s3 + Driver: S3 DriverParameters: # for s3 driver -- see # https://doc.arvados.org/install/configure-s3-object-storage.html IAMRole: aaaaa - AccessKey: aaaaa - SecretKey: aaaaa + AccessKeyID: aaaaa + SecretAccessKey: aaaaa Endpoint: "" Region: us-east-1a Bucket: aaaaa @@ -1292,7 +1401,7 @@ Clusters: # a link to the multi-site search page on a "home" Workbench site. # # Example: - # https://workbench.qr1hi.arvadosapi.com/collections/multisite + # https://workbench.zzzzz.arvadosapi.com/collections/multisite MultiSiteSearch: "" # Should workbench allow management of local git repositories? Set to false if @@ -1310,6 +1419,10 @@ Clusters: VocabularyURL: "" FileViewersConfigURL: "" + # Idle time after which the user's session will be auto closed. + # This feature is disabled when set to zero. + IdleTimeout: 0s + # Workbench welcome screen, this is HTML text that will be # incorporated directly onto the page. WelcomePageHTML: | @@ -1365,13 +1478,6 @@ Clusters: # this blank. SSHHelpHostSuffix: "" - # Bypass new (Arvados 1.5) API implementations, and hand off - # requests directly to Rails instead. This can provide a temporary - # workaround for clients that are incompatible with the new API - # implementation. Note that it also disables some new federation - # features and will be removed in a future release. - ForceLegacyAPI14: false - # (Experimental) Restart services automatically when config file # changes are detected. Only supported by `arvados-server boot` in # dev/test mode.