forked from AthenZ/athenz
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathzms.properties
435 lines (353 loc) · 19.1 KB
/
zms.properties
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
# Athenz ZMS Servlet properties file.
# If there is a value specified in the commented property line,
# then it indicates the default value
# Default root directory for ZMS Server. This must be passed as
# part of the startup script since it is used before the
# properties file is accessed.
#athenz.zms.root_dir=/opt/athenz/zms
# Comma separated list of authority implementation classes to support
# authenticating principals in ZMS
athenz.zms.authority_classes=com.yahoo.athenz.auth.oauth.OAuthCertBoundJwtAccessTokenAuthority,com.yahoo.athenz.auth.impl.CertificateAuthority
# Principal Authority class. If defined and the caller asks for the header
# name for the getUserToken api, the header from this authority will be
# returned in the response. This class must be one of the classes listed
# in the athenz.zms.authority_classes setting
#athenz.zms.principal_authority_class=
# User Authority class. If defined and the server is configured to validate
# all user principals when adding them as members in a role (this is configured
# with athenz.zms.validate_user_members property), the ZMS Server will call
# the authority isValidUser api method for validation. This class must be one of
# the classes listed in the athenz.zms.authority_classes setting
#athenz.zms.user_authority_class=
# Specifies the user domain name for the current installation
athenz.user_domain=user
# Specifies the factory class that implements the Metrics interface
# used by the ZMS Server to report stats
#athenz.zms.metric_factory_class=com.yahoo.athenz.common.metrics.impl.NoOpMetricFactory
# Specifies the factory class that implements the AuditLoggerFactory
# interface used by the ZMS Server to log all changes to domain
# data for auditing purposes
#athenz.zms.audit_logger_factory_class=com.yahoo.athenz.common.server.log.impl.DefaultAuditLoggerFactory
# Specifies the factory class that implements the PrivateKeyStoreFactory
# interface used by the ZMS Server to get access to its host specific
# private key
#athenz.zms.private_key_store_factory_class=com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory
# If the datastore does not contain any domains during startup,
# the server will automatically create sys, sys.auth and user
# domains and assign the specified users (comma separated list)
# as the administrator for those domains
athenz.zms.domain_admin=user.github-<your github ID>
# If File Private Key store implementation is used in the Server,
# this setting specifies the path to the PEM encoded ZMS Server
# private key file (both RSA and EC privates keys are supported)
athenz.auth.private_key_store.private_key=/opt/athenz/zms/var/keys/zms_private.pem
# If File Private Key store implementation is used in the Server,
# this setting specifies the key identifier for the private key
# configured by the athenz.auth.private_key_store.private_key
# property
athenz.auth.private_key_store.private_key_id=0
# Specify the FQDN/hostname of the server. This value will be used as the
# h parameter in the ZMS generated UserTokens
#athenz.zms.hostname=
# If enabled, ZMS will be in maintenance read only mode where only
# get operations will succeed and all other put, post and delete
# operations will be rejected with invalid request error.
athenz.zms.read_only_mode=false
# Specifies the authorized service json configuration file path.
athenz.zms.authz_service_fname=/opt/athenz/zms/conf/zms_server/authorized_services.json
# Specifies the path to the solution templates json document
athenz.zms.solution_templates_fname=/opt/athenz/zms/conf/zms_server/solution_templates.json
# In case there is a concurrent update conflict, the server will retry
# the operation multiple times until this timeout is reached before
# returning a conflict status code back to the client
#athenz.zms.conflict_retry_timeout=60
# When ZMS determines that updating a domain data tables will cause a
# concurrent update issue and needs to retry the operation, it will sleep
# configured number of milliseconds before retrying
#athenz.zms.retry_delay_timeout=50
# This setting specifies the number of seconds how long the signed
# policy documents are valid for
#athenz.zms.signed_policy_timeout=604800
# The number of milliseconds to sleep between runs of the idle object
# evictor thread. When non-positive, no idle object evictor thread
# will be run. The pool default is -1, but we're using 30 minutes to
# make sure the evictor thread is running |
#athenz.db.pool_evict_idle_interval=1800000
# The minimum amount of time (in milliseconds) an object may sit
# idle in the pool before it is eligible for eviction by the idle
# object evictor (if any)
#athenz.db.pool_evict_idle_timeout=1800000
# The maximum number of connections that can remain idle in the pool,
# without extra ones being released, or negative for no limit
#athenz.db.pool_max_idle=8
# The maximum number of active connections that can be allocated
# from this pool at the same time, or negative for no limit
#athenz.db.pool_max_total=8
# The maximum lifetime in milliseconds of a connection. After this
# time is exceeded the connection will fail the next activation,
# passivation or validation test. A value of zero or less means the
# connection has an infinite lifetime
#athenz.db.pool_max_ttl=600000
# The maximum number of milliseconds that the pool will wait
# (when there are no available connections) for a connection to be
# returned before throwing an exception, or -1 to wait indefinitely
#athenz.db.pool_max_wait=-1
# The minimum number of connections that can remain idle in the pool,
# without extra ones being created, or zero to create none
#athenz.db.pool_min_idle=0
# The validation query used by the pool to determine if the connection
# is valid before returning it to the caller. The default value
# is the recommended query for the Mysql/J Connector
#athenz.db.pool_validation_query=/* ping */ SELECT 1
# The maximum number of seconds that the server should wait
# for the store connection object to return its results
#athenz.zms.store_operation_timeout=60
# Specifies the factory class that implements the ObjectStoreFactory
# interface used by the ZMS Server to store its data. In production,
# this is typically the jdbc/mysql object store while for tests it's
# the file object store
athenz.zms.object_store_factory_class=com.yahoo.athenz.zms.store.impl.JDBCObjectStoreFactory
# If the athenz.zms.object_store_factory_class property is using
# the file object store factory, then this setting specifies
# the subdirectory name where domain files will be stored.
# The parent directory is identified by the athenz.zms.file_store_path
# property
#athenz.zms.file_store_path=/opt/athenz/zms/var
# If the athenz.zms.object_store_factory_class property is using
# the file object store factory, then this setting specifies
# the directory name where file store subdirectory will
# be created to store domain files. The subdirectory is identified
# by the athenz.zms.file_store_name property
#athenz.zms.file_store_name=zms_root
# If the athenz.zms.object_store_factory_class property is using
# the jdbc object store factory identified with
# com.yahoo.athenz.zms.store.impl.JDBCObjectStoreFactory, then
# this setting specifies JDBC URL where the ZMS Server will store its data.
# The database server must be initialized with the ZMS
# server schema. For example, jdbc:mysql://localhost:3306/zms
# specifies a database called zms configured within a
# MySQL instance
athenz.zms.jdbc_store=jdbc:mysql://athenz-zms-db:3306/zms_server
# If the athenz.zms.object_store_factory_class property is using
# the jdbc/mysql object store factory then this setting
# specifies the name of the user that has full access to the configured
# ZMS server database
athenz.zms.jdbc_user=zms_admin
# If the athenz.zms.object_store_factory_class property is using
# the jdbc/mysql object store factory then this setting
# specifies the password key for the jdbc user that has been granted full
# access to the configured ZMS server database. The configured
# private key store will be called with the value of the key to
# retrieve the password to authenticate requests against the
# configured MySQL server.
#athenz.zms.jdbc_password=mariadb
# If the athenz.zms.object_store_factory_class property is using
# the jdbc/mysql object store factory then this setting specifies
# JDBC URL for slave databases that replicate ZMS Server's
# domain data. If configured, ZMS Server will use this database
# instance for any read only operation. It has the same syntax
# as the athenz.zms.jdbc_store property.
#athenz.zms.jdbc_ro_store=
# If the athenz.zms.jdbc_ro_store is configured then this property is
# the name of the user that has full access to the zms database
# if this property is not specified but athenz.zms.jdbc_ro_store
# is configured, the server will use the value of the
# athenz.zms.jdbc_user property.
#athenz.zms.jdbc_ro_user=
# If the athenz.zms.jdbc_ro_store is configured then this property
# specifies the password key for the jdbc user that has been granted
# full access to the configured zms database. If this property is not
# specified but athenz.zms.jdbc_ro_store is configured, the server
# will use the value of the athenz.zms.jdbc_password property.
# The configured private key store will be called with the value of
# the key to retrieve the password to authenticate requests against
# the configured MySQL server.
#athenz.zms.jdbc_ro_password=
# If using the jdbc connector (either mysql or aws) for zms
# data storage, this property specifies if the jdbc client
# should establish an SSL connection to the database server or not
#athenz.zms.jdbc_use_ssl=false
# if using the jdbc connector (either mysql or aws) for zms
# data storage and the athenz.zms.jdbc_use_ssl property is set
# to true, this property specifies whether or not the jdbc client
# must verify the server certificate or not
#athenz.zms.jdbc_verify_server_certificate=false
# If the athenz.zms.object_store_factory_class property is using
# the aws rds mysql object store factory identified with
# com.yahoo.athenz.zms.store.impl.AWSObjectStoreFactory, then
# this setting specifies AWS RDS instance hostname.
# The database server must be initialized with the ZMS
# server schema.
#athenz.zms.aws_rds_master_instance=
# If the athenz.zms.object_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the database user configured with IAM Role AWS authentication
# and full access to the zms store database
#athenz.zms.aws_rds_user=
# If the athenz.zms.object_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the IMA role that has been enabled for authentication
#athenz.zms.aws_rds_iam_role=
# If the athenz.zms.object_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the port number for the RDL database instance
#athenz.zms.aws_rds_master_port=3306
# If the athenz.zms.object_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the database engine used in rds
#athenz.zms.aws_rds_engine=mysql
# If the athenz.zms.object_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# the database name in rds
#athenz.zms.aws_rds_database=zms_store
# If the athenz.zms.object_store_factory_class property is using
# the aws rds mysql object store then this setting specifies
# in seconds how often to update the aws credentials for the IAM role
#athenz.zms.aws_rds_creds_refresh_time=300
# The number of seconds ZMS issued User Tokens are valid for
#athenz.zms.user_token_timeout=3600
# Boolean setting to configure whether or not virtual domains are
# supported or not. These are domains created in the user's own
# "user" namespace
#athenz.zms.virtual_domain_support=true
# If virtual domain support is enabled, this setting specifies the
# number of sub domains in the user's virtual namespace that are
# allowed to be created. Value of 0 indicates no limit
#athenz.zms.virtual_domain_limit=5
# Number of bytes allowed to be specified in a domain name.
# This limit includes all subdomains as well. For example,
# athenz.storage.mysql domains length is 20.
#athenz.zms.domain_name_max_len=128
# Boolean setting to configure whether or not unique product
# IDs are required for top level domains
#athenz.zms.product_id_support=false
# Number of seconds the authentication library will honor
# token's expiration timeout.
#athenz.token_max_expiry=2592000
# User Authority - if UserAuthority is enabled as one of the authenticating
# authorities in the ZMS Server, this setting provides the pam service
# name used when validating the user specified password
#athenz.auth.user.pam_service_name=login
# Role Authority - when validating Role Tokens, this setting specifies the
# number seconds the library will allow the token to have a creation time
# in the future to accommodate time differences between server and client.
#athenz.auth.role.token_allowed_offset=300
# Role Authority - when authenticating principals based on the Role Token
# this setting specifies what HTTP header name in the request contains
# the token
#athenz.auth.role.header=Athenz-Role-Auth
# Principal Authority - when validating User/Service Tokens, this setting
# specifies the number seconds the library will allow the token to have
# a creation time in the future to accommodate time differences between
# server and client.
#athenz.auth.principal.token_allowed_offset=300
# Principal Authority - when authenticating principals based on their
# User/Service Tokens, this setting specifies what HTTP header name in
# the request contains the token
#athenz.auth.principal.header=Athenz-Principal-Auth
# Principal Authority - when authenticating principals based on their
# User/Service Tokens. this setting specifies whether or not to validate
# if the IP address of the incoming connection matches to the IP address
# in the token. The possible values are: OPS_ALL, OPS_NONE, OPS_WRITE
# OPS_WRITE indicates that only write/update operation will enforce
# this check.
#athenz.auth.principal.remote_ip_check_mode=OPS_WRITE
# If the ZMS webapp is deployed along other webapps that may
# run on non-TLS ports, this setting forces that requests to
# ZMS are only accepted on secure TLS ports.
#athenz.zms.secure_requests_only=true
# Quota Support: boolean value defining whether or not quota
# check is enabled.
#athenz.zms.quota_check=true
# Quota Support: default number of roles allowed to be created
# in a given domain.
#athenz.zms.quota_role=1000
# Quota Support: default number of members a single role may have
#athenz.zms.quota_role_member=100
# Quota Support: default number of polices allowed to be created
# in a given domain.
#athenz.zms.quota_policy=1000
# Quota Support: default number of assertions each policy may have
#athenz.zms.quota_assertion=100
# Quota Support: default number of services allowed to be created
# in a given domain.
#athenz.zms.quota_service=250
# Quota Support: default number of hosts each service may have
#athenz.zms.quota_service_host=10
# Quota Support: default number of public keys each service may have
#athenz.zms.quota_public_key=100
# Quota Support: default number of entities allowed to be created
# in a given domain
#athenz.zms.quota_entity=100
# Quota Support: default number of sub-domains each top level
# domain allowed to have.
#athenz.zms.quota_subdomain=100
# Comma separated list of URIs that require authentication according to the RDL
# but we want the server to make the authentication as optional. The URI can
# include regex values based on + character to match resource URIs
# for example, /zms/v1/domain/.+/service
athenz.zms.no_auth_uri_list=/zms/v1/status
# Comma separated list of http origin values that are whitelisted
# to request authorize service tokens. This is only used for the
# optionsUserToken method where we return CORS headers
#athenz.zms.cors_origin_list
# Comma separated list of http header values that are allowed
# to be included in the Access-Control-Request-Headers CORS
# preflight request and returned back to the client as the value
# of the Access-Control-Allow-Headers header.
athenz.zms.cors_header_list=*,Accept,Accept-Language,Content-Language,Content-Type,Authorization
# Comma separated list of service names that are reserved. The default
# list includes most common gTLDs so a service cannot obtain an identity
# x.509 certificate with a name that matches an actual domain e.g. yahoo.com
#athenz.zms.reserved_service_names=com,net,org,edu,biz,gov,mil,info,name,mobi,cloud
# Integer value specifying the min length of any service names. The default
# value of 3 is configured to prevent a service from obtaining an identity
# x.509 certificate with a name that matches country gTLD - e.g. yahoo.us
#athenz.zms.service_name_min_length=3
# Athenz ZMS Service Health Check file path. If configured, the
# /zms/v1/status command would return failure if the file setting
# is configured but the file is not present. The idea is that once
# the server is started, an external process will verify that
# the server is running correctly by running some checks and if
# successful, it will create that file so that the server can
# now report that the server is ready to accept production traffic
#athenz.zms.health_check_path=
# Boolean value indicating whether or not the ZMS server should
# call the configured user authority and verify if the given
# user is valid or not before adding the user to a role. The
# user authority is responsible for validating any usernames
# that might include wildcards (e.g. user.*).
#athenz.zms.validate_user_members=false
# If the athenz.zms.validate_user_members property is enabled
# then this setting provides additional set of comma separated
# domains that the system might be using referencing accounts
# that can be validated with the user authority
#athenz.zms.addl_user_check_domains=
# Boolean value indicating whether or not the ZMS server should
# verify if the given service exists in the given domain
# before adding the service to a role. The ZMS Service will
# automatically skip any service names that include wildcards
# (e.g. coretech.api*).
#athenz.zms.validate_service_members=false
# If athenz.zms.validate_service_members property is enabled
# then this setting includes comma separated list of domains
# that should be skipped from the service member validation
# checks. These could include CI/CD domains, for example,
# that include dynamic services that are not registered.
#athenz.zms.validate_service_members_skip_domains=
# Boolean value indicating whether or not the zms server
# should contact the master storage copy when returning
# data for signed domains api. In multi region environments
# this could generate large latency since the server
# needs to contact most likely a server (e.g. mysql instance)
# running in a different region.
#athenz.zms.master_copy_for_signed_domains=false
# Set the timezone of the database
# when retrieving the modified domain.
#athenz.zms.athenz.zms.mysql_server_timezone=
# Specifies the factory class that implements the StatusChecker interface
# Used to check the status of the ZMS server
#athenz.zms.status_checker_factory_class=
# Boolean property to enable the periodic update of Principal state from Authority.
# Default value is false.
#athenz.zms.enable_principal_state_updater=