Merge branch '17335-oidc-auth-params'
authorTom Clegg <tom@curii.com>
Sat, 6 Feb 2021 23:45:15 +0000 (18:45 -0500)
committerTom Clegg <tom@curii.com>
Sat, 6 Feb 2021 23:45:15 +0000 (18:45 -0500)
refs #17335

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

lib/config/config.default.yml
lib/config/export.go
lib/config/generated_config.go
sdk/go/arvados/config.go

index db0b363582d69b9a0ad43dead14b1825a1834f21,3f478306584e5029be1d70fec11a200d98dd0b55..68e518732d6f85b8ef377a4f22ea1efebf16af46
@@@ -197,7 -197,7 +197,7 @@@ Clusters
        # * 1.1) fits comfortably in memory. On a host dedicated to running
        # Keepstore, divide total memory by 88MiB to suggest a suitable value.
        # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440
 -      # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79
 +      # kB, compute 7125440 / (88 * 1024)=79 and set MaxKeepBlobBuffers: 79
        MaxKeepBlobBuffers: 128
  
        # API methods to disable. Disabled methods are not listed in the
          # work. If false, only the primary email address will be used.
          AlternateEmailAddresses: true
  
+         # Send additional parameters with authentication requests. See
+         # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
+         # for a list of supported parameters.
+         AuthenticationRequestParameters:
+           # Show the "choose which Google account" page, even if the
+           # client is currently logged in to exactly one Google
+           # account.
+           prompt: select_account
+           SAMPLE: ""
        OpenIDConnect:
          # Authenticate with an OpenID Connect provider.
          Enable: false
          # address.
          UsernameClaim: ""
  
+         # Send additional parameters with authentication requests,
+         # like {display: page, prompt: consent}. See
+         # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+         # and refer to your provider's documentation for supported
+         # parameters.
+         AuthenticationRequestParameters:
+           SAMPLE: ""
        PAM:
          # (Experimental) Use PAM to authenticate users.
          Enable: false
          # period.
          LogUpdateSize: 32MiB
  
 +      ShellAccess:
 +        # An admin user can use "arvados-client shell" to start an
 +        # interactive shell (with any user ID) in any running
 +        # container.
 +        Admin: false
 +
 +        # Any user can use "arvados-client shell" to start an
 +        # interactive shell (with any user ID) in any running
 +        # container that they started, provided it isn't also
 +        # associated with a different user's container request.
 +        #
 +        # Interactive sessions make it easy to alter the container's
 +        # runtime environment in ways that aren't recorded or
 +        # reproducible. Consider the implications for automatic
 +        # container reuse before enabling and using this feature. In
 +        # particular, note that starting an interactive session does
 +        # not disqualify a container from being reused by a different
 +        # user/workflow in the future.
 +        User: false
 +
        SLURM:
          PrioritySpread: 0
          SbatchArgumentsList: []
diff --combined lib/config/export.go
index 2d666e638bea225d5ec1f4e1dc974a6695481494,2dbb11bba3f27a4c073776b8e302a6ff69d71f21..3d0e27c7224f0c886643ef8be7f671ae8a1a2d74
@@@ -59,211 -59,210 +59,213 @@@ func ExportJSON(w io.Writer, cluster *a
  // exists.
  var whitelist = map[string]bool{
        // | sort -t'"' -k2,2
-       "API":                                          true,
-       "API.AsyncPermissionsUpdateInterval":           false,
-       "API.DisabledAPIs":                             false,
-       "API.KeepServiceRequestTimeout":                false,
-       "API.MaxConcurrentRequests":                    false,
-       "API.MaxIndexDatabaseRead":                     false,
-       "API.MaxItemsPerResponse":                      true,
-       "API.MaxKeepBlobBuffers":                       false,
-       "API.MaxRequestAmplification":                  false,
-       "API.MaxRequestSize":                           true,
-       "API.RequestTimeout":                           true,
-       "API.SendTimeout":                              true,
-       "API.WebsocketClientEventQueue":                false,
-       "API.WebsocketServerEventQueue":                false,
-       "AuditLogs":                                    false,
-       "AuditLogs.MaxAge":                             false,
-       "AuditLogs.MaxDeleteBatch":                     false,
-       "AuditLogs.UnloggedAttributes":                 false,
-       "ClusterID":                                    true,
-       "Collections":                                  true,
-       "Collections.BalanceCollectionBatch":           false,
-       "Collections.BalanceCollectionBuffers":         false,
-       "Collections.BalancePeriod":                    false,
-       "Collections.BalanceTimeout":                   false,
-       "Collections.BlobDeleteConcurrency":            false,
-       "Collections.BlobMissingReport":                false,
-       "Collections.BlobReplicateConcurrency":         false,
-       "Collections.BlobSigning":                      true,
-       "Collections.BlobSigningKey":                   false,
-       "Collections.BlobSigningTTL":                   true,
-       "Collections.BlobTrash":                        false,
-       "Collections.BlobTrashCheckInterval":           false,
-       "Collections.BlobTrashConcurrency":             false,
-       "Collections.BlobTrashLifetime":                false,
-       "Collections.CollectionVersioning":             false,
-       "Collections.DefaultReplication":               true,
-       "Collections.DefaultTrashLifetime":             true,
-       "Collections.ForwardSlashNameSubstitution":     true,
-       "Collections.ManagedProperties":                true,
-       "Collections.ManagedProperties.*":              true,
-       "Collections.ManagedProperties.*.*":            true,
-       "Collections.PreserveVersionIfIdle":            true,
-       "Collections.S3FolderObjects":                  true,
-       "Collections.TrashSweepInterval":               false,
-       "Collections.TrustAllContent":                  false,
-       "Collections.WebDAVCache":                      false,
-       "Containers":                                   true,
-       "Containers.CloudVMs":                          false,
-       "Containers.CrunchRunArgumentsList":            false,
-       "Containers.CrunchRunCommand":                  false,
-       "Containers.DefaultKeepCacheRAM":               true,
-       "Containers.DispatchPrivateKey":                false,
-       "Containers.JobsAPI":                           true,
-       "Containers.JobsAPI.Enable":                    true,
-       "Containers.JobsAPI.GitInternalDir":            false,
-       "Containers.Logging":                           false,
-       "Containers.LogReuseDecisions":                 false,
-       "Containers.MaxComputeVMs":                     false,
-       "Containers.MaxDispatchAttempts":               false,
-       "Containers.MaxRetryAttempts":                  true,
-       "Containers.MinRetryPeriod":                    true,
-       "Containers.ReserveExtraRAM":                   true,
-       "Containers.ShellAccess":                       true,
-       "Containers.ShellAccess.Admin":                 true,
-       "Containers.ShellAccess.User":                  true,
-       "Containers.SLURM":                             false,
-       "Containers.StaleLockTimeout":                  false,
-       "Containers.SupportedDockerImageFormats":       true,
-       "Containers.SupportedDockerImageFormats.*":     true,
-       "Containers.UsePreemptibleInstances":           true,
-       "ForceLegacyAPI14":                             false,
-       "Git":                                          false,
-       "InstanceTypes":                                true,
-       "InstanceTypes.*":                              true,
-       "InstanceTypes.*.*":                            true,
-       "Login":                                        true,
-       "Login.Google":                                 true,
-       "Login.Google.AlternateEmailAddresses":         false,
-       "Login.Google.ClientID":                        false,
-       "Login.Google.ClientSecret":                    false,
-       "Login.Google.Enable":                          true,
-       "Login.LDAP":                                   true,
-       "Login.LDAP.AppendDomain":                      false,
-       "Login.LDAP.EmailAttribute":                    false,
-       "Login.LDAP.Enable":                            true,
-       "Login.LDAP.InsecureTLS":                       false,
-       "Login.LDAP.SearchAttribute":                   false,
-       "Login.LDAP.SearchBase":                        false,
-       "Login.LDAP.SearchBindPassword":                false,
-       "Login.LDAP.SearchBindUser":                    false,
-       "Login.LDAP.SearchFilters":                     false,
-       "Login.LDAP.StartTLS":                          false,
-       "Login.LDAP.StripDomain":                       false,
-       "Login.LDAP.URL":                               false,
-       "Login.LDAP.UsernameAttribute":                 false,
-       "Login.LoginCluster":                           true,
-       "Login.OpenIDConnect":                          true,
-       "Login.OpenIDConnect.ClientID":                 false,
-       "Login.OpenIDConnect.ClientSecret":             false,
-       "Login.OpenIDConnect.EmailClaim":               false,
-       "Login.OpenIDConnect.EmailVerifiedClaim":       false,
-       "Login.OpenIDConnect.Enable":                   true,
-       "Login.OpenIDConnect.Issuer":                   false,
-       "Login.OpenIDConnect.UsernameClaim":            false,
-       "Login.PAM":                                    true,
-       "Login.PAM.DefaultEmailDomain":                 false,
-       "Login.PAM.Enable":                             true,
-       "Login.PAM.Service":                            false,
-       "Login.RemoteTokenRefresh":                     true,
-       "Login.SSO":                                    true,
-       "Login.SSO.Enable":                             true,
-       "Login.SSO.ProviderAppID":                      false,
-       "Login.SSO.ProviderAppSecret":                  false,
-       "Login.Test":                                   true,
-       "Login.Test.Enable":                            true,
-       "Login.Test.Users":                             false,
-       "Login.TokenLifetime":                          false,
-       "Login.TrustedClients":                         false,
-       "Mail":                                         true,
-       "Mail.EmailFrom":                               false,
-       "Mail.IssueReporterEmailFrom":                  false,
-       "Mail.IssueReporterEmailTo":                    false,
-       "Mail.MailchimpAPIKey":                         false,
-       "Mail.MailchimpListID":                         false,
-       "Mail.SendUserSetupNotificationEmail":          false,
-       "Mail.SupportEmailAddress":                     true,
-       "ManagementToken":                              false,
-       "PostgreSQL":                                   false,
-       "RemoteClusters":                               true,
-       "RemoteClusters.*":                             true,
-       "RemoteClusters.*.ActivateUsers":               true,
-       "RemoteClusters.*.Host":                        true,
-       "RemoteClusters.*.Insecure":                    true,
-       "RemoteClusters.*.Proxy":                       true,
-       "RemoteClusters.*.Scheme":                      true,
-       "Services":                                     true,
-       "Services.*":                                   true,
-       "Services.*.ExternalURL":                       true,
-       "Services.*.InternalURLs":                      false,
-       "SystemLogs":                                   false,
-       "SystemRootToken":                              false,
-       "TLS":                                          false,
-       "Users":                                        true,
-       "Users.AdminNotifierEmailFrom":                 false,
-       "Users.AnonymousUserToken":                     true,
-       "Users.AutoAdminFirstUser":                     false,
-       "Users.AutoAdminUserWithEmail":                 false,
-       "Users.AutoSetupNewUsers":                      false,
-       "Users.AutoSetupNewUsersWithRepository":        false,
-       "Users.AutoSetupNewUsersWithVmUUID":            false,
-       "Users.AutoSetupUsernameBlacklist":             false,
-       "Users.EmailSubjectPrefix":                     false,
-       "Users.NewInactiveUserNotificationRecipients":  false,
-       "Users.NewUserNotificationRecipients":          false,
-       "Users.NewUsersAreActive":                      false,
-       "Users.PreferDomainForUsername":                false,
-       "Users.UserNotifierEmailFrom":                  false,
-       "Users.UserProfileNotificationAddress":         false,
-       "Users.UserSetupMailText":                      false,
-       "Volumes":                                      true,
-       "Volumes.*":                                    true,
-       "Volumes.*.*":                                  false,
-       "Volumes.*.AccessViaHosts":                     true,
-       "Volumes.*.AccessViaHosts.*":                   true,
-       "Volumes.*.AccessViaHosts.*.ReadOnly":          true,
-       "Volumes.*.ReadOnly":                           true,
-       "Volumes.*.Replication":                        true,
-       "Volumes.*.StorageClasses":                     true,
-       "Volumes.*.StorageClasses.*":                   false,
-       "Workbench":                                    true,
-       "Workbench.ActivationContactLink":              false,
-       "Workbench.APIClientConnectTimeout":            true,
-       "Workbench.APIClientReceiveTimeout":            true,
-       "Workbench.APIResponseCompression":             true,
-       "Workbench.ApplicationMimetypesWithViewIcon":   true,
-       "Workbench.ApplicationMimetypesWithViewIcon.*": true,
-       "Workbench.ArvadosDocsite":                     true,
-       "Workbench.ArvadosPublicDataDocURL":            true,
-       "Workbench.DefaultOpenIdPrefix":                false,
-       "Workbench.EnableGettingStartedPopup":          true,
-       "Workbench.EnablePublicProjectsPage":           true,
-       "Workbench.FileViewersConfigURL":               true,
-       "Workbench.IdleTimeout":                        true,
-       "Workbench.InactivePageHTML":                   true,
-       "Workbench.LogViewerMaxBytes":                  true,
-       "Workbench.MultiSiteSearch":                    true,
-       "Workbench.ProfilingEnabled":                   true,
-       "Workbench.Repositories":                       false,
-       "Workbench.RepositoryCache":                    false,
-       "Workbench.RunningJobLogRecordsToFetch":        true,
-       "Workbench.SecretKeyBase":                      false,
-       "Workbench.ShowRecentCollectionsOnDashboard":   true,
-       "Workbench.ShowUserAgreementInline":            true,
-       "Workbench.ShowUserNotifications":              true,
-       "Workbench.SiteName":                           true,
-       "Workbench.SSHHelpHostSuffix":                  true,
-       "Workbench.SSHHelpPageHTML":                    true,
-       "Workbench.Theme":                              true,
-       "Workbench.UserProfileFormFields":              true,
-       "Workbench.UserProfileFormFields.*":            true,
-       "Workbench.UserProfileFormFields.*.*":          true,
-       "Workbench.UserProfileFormFields.*.*.*":        true,
-       "Workbench.UserProfileFormMessage":             true,
-       "Workbench.VocabularyURL":                      true,
-       "Workbench.WelcomePageHTML":                    true,
+       "API":                                                 true,
+       "API.AsyncPermissionsUpdateInterval":                  false,
+       "API.DisabledAPIs":                                    false,
+       "API.KeepServiceRequestTimeout":                       false,
+       "API.MaxConcurrentRequests":                           false,
+       "API.MaxIndexDatabaseRead":                            false,
+       "API.MaxItemsPerResponse":                             true,
+       "API.MaxKeepBlobBuffers":                              false,
+       "API.MaxRequestAmplification":                         false,
+       "API.MaxRequestSize":                                  true,
+       "API.RequestTimeout":                                  true,
+       "API.SendTimeout":                                     true,
+       "API.WebsocketClientEventQueue":                       false,
+       "API.WebsocketServerEventQueue":                       false,
+       "AuditLogs":                                           false,
+       "AuditLogs.MaxAge":                                    false,
+       "AuditLogs.MaxDeleteBatch":                            false,
+       "AuditLogs.UnloggedAttributes":                        false,
+       "ClusterID":                                           true,
+       "Collections":                                         true,
+       "Collections.BalanceCollectionBatch":                  false,
+       "Collections.BalanceCollectionBuffers":                false,
+       "Collections.BalancePeriod":                           false,
+       "Collections.BalanceTimeout":                          false,
+       "Collections.BlobDeleteConcurrency":                   false,
+       "Collections.BlobMissingReport":                       false,
+       "Collections.BlobReplicateConcurrency":                false,
+       "Collections.BlobSigning":                             true,
+       "Collections.BlobSigningKey":                          false,
+       "Collections.BlobSigningTTL":                          true,
+       "Collections.BlobTrash":                               false,
+       "Collections.BlobTrashCheckInterval":                  false,
+       "Collections.BlobTrashConcurrency":                    false,
+       "Collections.BlobTrashLifetime":                       false,
+       "Collections.CollectionVersioning":                    false,
+       "Collections.DefaultReplication":                      true,
+       "Collections.DefaultTrashLifetime":                    true,
+       "Collections.ForwardSlashNameSubstitution":            true,
+       "Collections.ManagedProperties":                       true,
+       "Collections.ManagedProperties.*":                     true,
+       "Collections.ManagedProperties.*.*":                   true,
+       "Collections.PreserveVersionIfIdle":                   true,
+       "Collections.S3FolderObjects":                         true,
+       "Collections.TrashSweepInterval":                      false,
+       "Collections.TrustAllContent":                         false,
+       "Collections.WebDAVCache":                             false,
+       "Containers":                                          true,
+       "Containers.CloudVMs":                                 false,
+       "Containers.CrunchRunArgumentsList":                   false,
+       "Containers.CrunchRunCommand":                         false,
+       "Containers.DefaultKeepCacheRAM":                      true,
+       "Containers.DispatchPrivateKey":                       false,
+       "Containers.JobsAPI":                                  true,
+       "Containers.JobsAPI.Enable":                           true,
+       "Containers.JobsAPI.GitInternalDir":                   false,
+       "Containers.Logging":                                  false,
+       "Containers.LogReuseDecisions":                        false,
+       "Containers.MaxComputeVMs":                            false,
+       "Containers.MaxDispatchAttempts":                      false,
+       "Containers.MaxRetryAttempts":                         true,
+       "Containers.MinRetryPeriod":                           true,
+       "Containers.ReserveExtraRAM":                          true,
++      "Containers.ShellAccess":                              true,
++      "Containers.ShellAccess.Admin":                        true,
++      "Containers.ShellAccess.User":                         true,
+       "Containers.SLURM":                                    false,
+       "Containers.StaleLockTimeout":                         false,
+       "Containers.SupportedDockerImageFormats":              true,
+       "Containers.SupportedDockerImageFormats.*":            true,
+       "Containers.UsePreemptibleInstances":                  true,
+       "ForceLegacyAPI14":                                    false,
+       "Git":                                                 false,
+       "InstanceTypes":                                       true,
+       "InstanceTypes.*":                                     true,
+       "InstanceTypes.*.*":                                   true,
+       "Login":                                               true,
+       "Login.Google":                                        true,
+       "Login.Google.AlternateEmailAddresses":                false,
+       "Login.Google.AuthenticationRequestParameters":        false,
+       "Login.Google.ClientID":                               false,
+       "Login.Google.ClientSecret":                           false,
+       "Login.Google.Enable":                                 true,
+       "Login.LDAP":                                          true,
+       "Login.LDAP.AppendDomain":                             false,
+       "Login.LDAP.EmailAttribute":                           false,
+       "Login.LDAP.Enable":                                   true,
+       "Login.LDAP.InsecureTLS":                              false,
+       "Login.LDAP.SearchAttribute":                          false,
+       "Login.LDAP.SearchBase":                               false,
+       "Login.LDAP.SearchBindPassword":                       false,
+       "Login.LDAP.SearchBindUser":                           false,
+       "Login.LDAP.SearchFilters":                            false,
+       "Login.LDAP.StartTLS":                                 false,
+       "Login.LDAP.StripDomain":                              false,
+       "Login.LDAP.URL":                                      false,
+       "Login.LDAP.UsernameAttribute":                        false,
+       "Login.LoginCluster":                                  true,
+       "Login.OpenIDConnect":                                 true,
+       "Login.OpenIDConnect.AuthenticationRequestParameters": false,
+       "Login.OpenIDConnect.ClientID":                        false,
+       "Login.OpenIDConnect.ClientSecret":                    false,
+       "Login.OpenIDConnect.EmailClaim":                      false,
+       "Login.OpenIDConnect.EmailVerifiedClaim":              false,
+       "Login.OpenIDConnect.Enable":                          true,
+       "Login.OpenIDConnect.Issuer":                          false,
+       "Login.OpenIDConnect.UsernameClaim":                   false,
+       "Login.PAM":                                           true,
+       "Login.PAM.DefaultEmailDomain":                        false,
+       "Login.PAM.Enable":                                    true,
+       "Login.PAM.Service":                                   false,
+       "Login.RemoteTokenRefresh":                            true,
+       "Login.SSO":                                           true,
+       "Login.SSO.Enable":                                    true,
+       "Login.SSO.ProviderAppID":                             false,
+       "Login.SSO.ProviderAppSecret":                         false,
+       "Login.Test":                                          true,
+       "Login.Test.Enable":                                   true,
+       "Login.Test.Users":                                    false,
+       "Login.TokenLifetime":                                 false,
+       "Login.TrustedClients":                                false,
+       "Mail":                                                true,
+       "Mail.EmailFrom":                                      false,
+       "Mail.IssueReporterEmailFrom":                         false,
+       "Mail.IssueReporterEmailTo":                           false,
+       "Mail.MailchimpAPIKey":                                false,
+       "Mail.MailchimpListID":                                false,
+       "Mail.SendUserSetupNotificationEmail":                 false,
+       "Mail.SupportEmailAddress":                            true,
+       "ManagementToken":                                     false,
+       "PostgreSQL":                                          false,
+       "RemoteClusters":                                      true,
+       "RemoteClusters.*":                                    true,
+       "RemoteClusters.*.ActivateUsers":                      true,
+       "RemoteClusters.*.Host":                               true,
+       "RemoteClusters.*.Insecure":                           true,
+       "RemoteClusters.*.Proxy":                              true,
+       "RemoteClusters.*.Scheme":                             true,
+       "Services":                                            true,
+       "Services.*":                                          true,
+       "Services.*.ExternalURL":                              true,
+       "Services.*.InternalURLs":                             false,
+       "SystemLogs":                                          false,
+       "SystemRootToken":                                     false,
+       "TLS":                                                 false,
+       "Users":                                               true,
+       "Users.AdminNotifierEmailFrom":                        false,
+       "Users.AnonymousUserToken":                            true,
+       "Users.AutoAdminFirstUser":                            false,
+       "Users.AutoAdminUserWithEmail":                        false,
+       "Users.AutoSetupNewUsers":                             false,
+       "Users.AutoSetupNewUsersWithRepository":               false,
+       "Users.AutoSetupNewUsersWithVmUUID":                   false,
+       "Users.AutoSetupUsernameBlacklist":                    false,
+       "Users.EmailSubjectPrefix":                            false,
+       "Users.NewInactiveUserNotificationRecipients":         false,
+       "Users.NewUserNotificationRecipients":                 false,
+       "Users.NewUsersAreActive":                             false,
+       "Users.PreferDomainForUsername":                       false,
+       "Users.UserNotifierEmailFrom":                         false,
+       "Users.UserProfileNotificationAddress":                false,
+       "Users.UserSetupMailText":                             false,
+       "Volumes":                                             true,
+       "Volumes.*":                                           true,
+       "Volumes.*.*":                                         false,
+       "Volumes.*.AccessViaHosts":                            true,
+       "Volumes.*.AccessViaHosts.*":                          true,
+       "Volumes.*.AccessViaHosts.*.ReadOnly":                 true,
+       "Volumes.*.ReadOnly":                                  true,
+       "Volumes.*.Replication":                               true,
+       "Volumes.*.StorageClasses":                            true,
+       "Volumes.*.StorageClasses.*":                          false,
+       "Workbench":                                           true,
+       "Workbench.ActivationContactLink":                     false,
+       "Workbench.APIClientConnectTimeout":                   true,
+       "Workbench.APIClientReceiveTimeout":                   true,
+       "Workbench.APIResponseCompression":                    true,
+       "Workbench.ApplicationMimetypesWithViewIcon":          true,
+       "Workbench.ApplicationMimetypesWithViewIcon.*":        true,
+       "Workbench.ArvadosDocsite":                            true,
+       "Workbench.ArvadosPublicDataDocURL":                   true,
+       "Workbench.DefaultOpenIdPrefix":                       false,
+       "Workbench.EnableGettingStartedPopup":                 true,
+       "Workbench.EnablePublicProjectsPage":                  true,
+       "Workbench.FileViewersConfigURL":                      true,
+       "Workbench.IdleTimeout":                               true,
+       "Workbench.InactivePageHTML":                          true,
+       "Workbench.LogViewerMaxBytes":                         true,
+       "Workbench.MultiSiteSearch":                           true,
+       "Workbench.ProfilingEnabled":                          true,
+       "Workbench.Repositories":                              false,
+       "Workbench.RepositoryCache":                           false,
+       "Workbench.RunningJobLogRecordsToFetch":               true,
+       "Workbench.SecretKeyBase":                             false,
+       "Workbench.ShowRecentCollectionsOnDashboard":          true,
+       "Workbench.ShowUserAgreementInline":                   true,
+       "Workbench.ShowUserNotifications":                     true,
+       "Workbench.SiteName":                                  true,
+       "Workbench.SSHHelpHostSuffix":                         true,
+       "Workbench.SSHHelpPageHTML":                           true,
+       "Workbench.Theme":                                     true,
+       "Workbench.UserProfileFormFields":                     true,
+       "Workbench.UserProfileFormFields.*":                   true,
+       "Workbench.UserProfileFormFields.*.*":                 true,
+       "Workbench.UserProfileFormFields.*.*.*":               true,
+       "Workbench.UserProfileFormMessage":                    true,
+       "Workbench.VocabularyURL":                             true,
+       "Workbench.WelcomePageHTML":                           true,
  }
  
  func redactUnsafe(m map[string]interface{}, mPrefix, lookupPrefix string) error {
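Review bot: Inserting the single long key `"Login.OpenIDConnect.AuthenticationRequestParameters": false,` makes gofmt re-align every entry in the `whitelist` literal, so roughly two hundred lines show as changed while the only substantive additions are the two `AuthenticationRequestParameters` entries for Google and OpenIDConnect; that hides the real change from review and from future `git blame`. gofmt only aligns runs of consecutive key/value lines, so a blank line between the top-level groups (`API`, `AuditLogs`, `Collections`, `Containers`, `Login`, …) would keep future re-alignment local to one group without changing the map's contents. Marking both new keys `false` looks right: the values are sent to the identity provider and may encode deployment-specific choices, so they should stay out of the unauthenticated export until there is a reason to publish them. `redactUnsafe` continues outside the hunk.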
index 817585c0feb5b226d4f901f044931a224828008a,64dbf41209a57288dc04c6ef164cdbca318af45c..8ef787771ebb9986f3b88f52ec69a6851d2eb8d2
@@@ -203,7 -203,7 +203,7 @@@ Clusters
        # * 1.1) fits comfortably in memory. On a host dedicated to running
        # Keepstore, divide total memory by 88MiB to suggest a suitable value.
        # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440
 -      # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79
 +      # kB, compute 7125440 / (88 * 1024)=79 and set MaxKeepBlobBuffers: 79
        MaxKeepBlobBuffers: 128
  
        # API methods to disable. Disabled methods are not listed in the
          # work. If false, only the primary email address will be used.
          AlternateEmailAddresses: true
  
+         # Send additional parameters with authentication requests. See
+         # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
+         # for a list of supported parameters.
+         AuthenticationRequestParameters:
+           # Show the "choose which Google account" page, even if the
+           # client is currently logged in to exactly one Google
+           # account.
+           prompt: select_account
+           SAMPLE: ""
        OpenIDConnect:
          # Authenticate with an OpenID Connect provider.
          Enable: false
          # address.
          UsernameClaim: ""
  
+         # Send additional parameters with authentication requests,
+         # like {display: page, prompt: consent}. See
+         # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+         # and refer to your provider's documentation for supported
+         # parameters.
+         AuthenticationRequestParameters:
+           SAMPLE: ""
        PAM:
          # (Experimental) Use PAM to authenticate users.
          Enable: false
          # period.
          LogUpdateSize: 32MiB
  
 +      ShellAccess:
 +        # An admin user can use "arvados-client shell" to start an
 +        # interactive shell (with any user ID) in any running
 +        # container.
 +        Admin: false
 +
 +        # Any user can use "arvados-client shell" to start an
 +        # interactive shell (with any user ID) in any running
 +        # container that they started, provided it isn't also
 +        # associated with a different user's container request.
 +        #
 +        # Interactive sessions make it easy to alter the container's
 +        # runtime environment in ways that aren't recorded or
 +        # reproducible. Consider the implications for automatic
 +        # container reuse before enabling and using this feature. In
 +        # particular, note that starting an interactive session does
 +        # not disqualify a container from being reused by a different
 +        # user/workflow in the future.
 +        User: false
 +
        SLURM:
          PrioritySpread: 0
          SbatchArgumentsList: []
diff --combined sdk/go/arvados/config.go
index 8222035a330c8212b5c705ffe5160656ec51ab73,2e39985c2a7cca989866d20eb250f1643873739e..4a56c930213abf389a782fd593622d776da9584f
@@@ -151,19 -151,21 +151,21 @@@ type Cluster struct 
                        UsernameAttribute  string
                }
                Google struct {
-                       Enable                  bool
-                       ClientID                string
-                       ClientSecret            string
-                       AlternateEmailAddresses bool
+                       Enable                          bool
+                       ClientID                        string
+                       ClientSecret                    string
+                       AlternateEmailAddresses         bool
+                       AuthenticationRequestParameters map[string]string
                }
                OpenIDConnect struct {
-                       Enable             bool
-                       Issuer             string
-                       ClientID           string
-                       ClientSecret       string
-                       EmailClaim         string
-                       EmailVerifiedClaim string
-                       UsernameClaim      string
+                       Enable                          bool
+                       Issuer                          string
+                       ClientID                        string
+                       ClientSecret                    string
+                       EmailClaim                      string
+                       EmailVerifiedClaim              string
+                       UsernameClaim                   string
+                       AuthenticationRequestParameters map[string]string
                }
                PAM struct {
                        Enable             bool
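Review bot: The new `AuthenticationRequestParameters map[string]string` fields on the Google and OpenIDConnect structs carry no comment, and the YAML counterpart says these values are sent with the authentication request as-is, so whatever builds the authorization URL (not in this diff) needs to refuse operator-supplied keys for parameters the login controller sets itself — `state`, `nonce`, `redirect_uri`, `client_id`, `response_type`, `scope` — or the CSRF/replay protections of the login flow could be silently overridden by a config typo. I cannot see the consumer here, so this may already be handled; if it is, the field comment should say so. I'd add on both fields: `// AuthenticationRequestParameters are extra query parameters appended to the provider's authorization request; parameters the login flow sets itself (state, nonce, redirect_uri, client_id, response_type, scope) must not be overridable via this map.` The enclosing `Cluster` struct begins and ends outside this hunk.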
@@@ -429,10 -431,6 +431,10 @@@ type ContainersConfig struct 
                LogUpdatePeriod              Duration
                LogUpdateSize                ByteSize
        }
 +      ShellAccess struct {
 +              Admin bool
 +              User  bool
 +      }
        SLURM struct {
                PrioritySpread             int64
                SbatchArgumentsList        []string
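Review bot: The new `ShellAccess` struct has no doc comment, while the YAML side spends a paragraph explaining that enabling `User` lets a container's starter alter its runtime environment in unrecorded ways without disqualifying that container from reuse by other users; a reader of the Go type should not have to find config.default.yml to learn that. I'd add `// ShellAccess controls who may open an interactive shell in a running container: Admin permits admin users for any container, User permits non-admins for containers they started. Enabling User affects reproducibility and automatic container reuse; see config.default.yml.` The enclosing `ContainersConfig` struct begins and ends outside this hunk.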