X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/aa58b06d72a858fd63e091622a5bd8b3a9287e72..3377c83ecf5937d5f02c15ef3683181572559137:/services/api/config/application.default.yml

diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index 848675cb55..d62fb4ea02 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -129,3 +129,13 @@ common:
   # Amount of time (in seconds) for which a blob permission signature
   # remains valid.  Default: 2 weeks (1209600 seconds)
   blob_signing_ttl: 1209600
+
+  # Allow clients to create collections by providing a manifest with
+  # unsigned data blob locators. IMPORTANT: This effectively disables
+  # access controls for data stored in Keep: a client who knows a hash
+  # can write a manifest that references the hash, pass it to
+  # collections.create (which will create a permission link), use
+  # collections.get to obtain a signature for that data locator, and
+  # use that signed locator to retrieve the data from Keep.
+  # Do not use turn this on if you want to 
+  permit_create_collection_with_unsigned_manifest: false