11453: Improve config docs. Disable remote auth by default.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>

diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index 47b4bf1281511034f48b0842d7458d69cbf56562..89f9892d473a90740cfbe447168b8fe4a2bc94b5 100644 (file)
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -386,14 +386,23 @@ common:
   ### Federation support.
   ###
 
-  # Map known prefixes to hosts. Example:
+  # You can enable use of this cluster by users who are authenticated
+  # by a remote Arvados site. Control which remote hosts are trusted
+  # to authenticate which user IDs by configuring remote_hosts,
+  # remote_hosts_via_dns, or both. The default configuration disables
+  # remote authentication.
+
+  # Map known prefixes to hosts. For example, if user IDs beginning
+  # with "zzzzz-" should be authenticated by the Arvados server at
+  # "zzzzz.example.com", use:
+  #
   # remote_hosts:
   #   zzzzz: zzzzz.example.com
   remote_hosts: {}
 
   # Use {prefix}.arvadosapi.com for any prefix not given in
   # remote_hosts above.
-  remote_hosts_via_dns: true
+  remote_hosts_via_dns: false
 
   ###
   ### Remaining assorted configuration options.