# *****************************************************************************
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# ******************************************************************************
<#include "ssn.yml">
# ---------------------------------------------------------------------------
# Security-service (ssn) configuration template.
# Bare tokens such as LDAP_HOST / LDAP_PASS and angle-bracket tokens such as
# <LOGIN_TENANT_ID> are placeholders, presumably substituted by the deployment
# tooling before the file is consumed as YAML. The rendered file therefore
# contains live secrets (LDAP bind password, OAuth client secret, keystore and
# truststore passwords): keep it out of version control and readable only by
# the service user.
# ---------------------------------------------------------------------------

# Open a fresh LDAP connection per operation instead of using a pool.
ldapUseConnectionPool: false
ldapConnectionConfig:
  # ldapHost: localhost
  ldapHost: LDAP_HOST
  # ldapPort: 3890
  # NOTE(review): 389 is the plaintext LDAP port and nothing in this file
  # enables LDAPS or StartTLS. Unless the LDAP client turns TLS on by itself,
  # the credentials below and every user's password sent in a simple bind
  # cross the network unencrypted - confirm, and prefer LDAPS (636) or
  # StartTLS if the client supports it.
  ldapPort: 389
  # Presumably the bind DN and password used for the directory searches
  # configured further down - confirm against the LDAP client code.
  name: LDAP_USER,LDAP_DN
  credentials: LDAP_PASS
# Authenticate users by binding as them with a DN built from ldapBindTemplate.
useLdapBindTemplate: true
# %s is replaced with the login name the user typed. The code doing the
# substitution must escape DN special characters (',', '+', '=', '"', '\',
# '<', '>', ';' per RFC 4514) first, otherwise a crafted login name can change
# which entry is bound - confirm in the LDAP client code.
ldapBindTemplate: uid=%s,LDAP_OU,LDAP_DN
ldapBindAttribute: uid
ldapSearchAttribute: uid
# Group membership is read from the memberUid values of the groups returned by
# ldapGroupSearchRequest and matched against the user's uid.
ldapGroupAttribute: memberUid
ldapGroupNameAttribute: cn
ldapGroupUserAttribute: uid
# Lookup of the user's entry (name, mail, uid, primary gid).
ldapSearchRequest:
  # Looks like a cache TTL for the search result (10 minutes): directory
  # changes may take that long to become visible - confirm against the code.
  expirationTimeMsec: 600000
  scope: SUBTREE
  attributes:
    - cn
    - mail
    - uid
    - gidNumber
  # 0 requests no client-side time limit (LDAP semantics; only the server's
  # own limit applies). A slow or unresponsive directory can then hold a login
  # thread for a long time - consider a bound.
  timeLimit: 0
  base: LDAP_DN
  # $LDAP_SEARCH_ATTRIBUTE is presumably replaced at runtime with the
  # user-supplied login name. That value must be filter-escaped (RFC 4515:
  # '*', '(', ')', '\', NUL) by the code building the filter, or a user can
  # inject additional filter terms - confirm.
  filter: "(&(objectClass=inetOrgPerson)(uid=$LDAP_SEARCH_ATTRIBUTE))"
# Enumerates every posixGroup under the base to resolve group membership.
ldapGroupSearchRequest:
  expirationTimeMsec: 600000
  scope: SUBTREE
  attributes:
    - cn
    - memberUid
  # Same unbounded-search caveat as above.
  timeLimit: 0
  base: LDAP_DN
  # No user input is interpolated into this filter.
  filter: "(&(objectClass=posixGroup))"
server:
  # HTTP access log. The request line it records normally includes the query
  # string; with the Azure responseMode "query" below, the OAuth authorization
  # code of the callback request ends up in this file - protect it like the
  # application log.
  requestLog:
    appenders:
      - type: file
        currentLogFilename: ${LOG_ROOT_DIR}/ssn/request-security.log
        archive: true
        archivedLogFilenamePattern: ${LOG_ROOT_DIR}/ssn/request-security-%d{yyyy-MM-dd}.log.gz
        archivedFileCount: 10
  # TLS-only listener for the security API.
  applicationConnectors:
    - type: https
      port: 8090
      certAlias: dlab
      # Dropwizard-side check of the keystore's certificates at startup. This
      # is not client-certificate authentication (needClientAuth is not set),
      # so callers are not authenticated at the transport layer.
      validateCerts: true
      keyStorePath: ${KEY_STORE_PATH}
      keyStorePassword: ${KEY_STORE_PASSWORD}
      trustStorePath: ${TRUST_STORE_PATH}
      trustStorePassword: ${TRUST_STORE_PASSWORD}
  # Dropwizard admin servlets (health checks, metrics, thread dumps) on a
  # separate TLS port. Nothing here adds authentication to it - restrict
  # network access to this port.
  adminConnectors:
    - type: https
      port: 8091
      certAlias: dlab
      validateCerts: true
      keyStorePath: ${KEY_STORE_PATH}
      keyStorePassword: ${KEY_STORE_PASSWORD}
      trustStorePath: ${TRUST_STORE_PATH}
      trustStorePassword: ${TRUST_STORE_PASSWORD}
userInfoPersistenceEnabled: true
<#if CLOUD_TYPE == "aws">
# Presumably resolves the logged-in user to an AWS identity as well - confirm.
awsUserIdentificationEnabled: true
# Login step timeout (unit not stated here - confirm in code).
loginAuthenticationTimeout: 10
<#elseif CLOUD_TYPE == "azure">
loginAuthenticationTimeout: 20
# Azure login configuration
azureLoginConfiguration:
  # defines if the LDAP server is used as the authentication point; if false, Azure OAuth authentication must be configured
  useLdap: <LOGIN_USE_LDAP>
  # Tenant id in Azure
  tenant: <LOGIN_TENANT_ID>
  # Authority url
  authority: https://login.microsoftonline.com/
  # Id of the application that logs in users
  clientId: <LOGIN_APPLICATION_ID>
  # Redirect url for the OAuth2 Authorization code flow; it has to match the
  # URL registered for the application exactly and stays https.
  redirectUrl: https://<LOGIN_APPLICATION_REDIRECT_URL>/
  # defines if DLab checks the user's permission on the configured permissionScope (true|false).
  # If the user has no permission (no Role assigned in permissionScope) he/she will not be logged in to DLab
  validatePermissionScope: <VALIDATE_PERMISSION_SCOPE>
  # Scope for validating user permissions when validatePermissionScope is true
  permissionScope: <PERMISSION_SCOPE>
  # Authentication file used to validate user permissions (queries the Microsoft API).
  # It presumably holds credentials for that call - protect it like the keystore.
  managementApiAuthFile: <MANAGEMENT_API_AUTH_FILE>
  # defines how the authorization code is sent back to DLab. "query" places the
  # code in the redirect URL's query string, where the request log above,
  # browser history and Referer headers can capture it; "form_post" avoids
  # that, but only if the callback endpoint accepts a POST - confirm before
  # changing.
  responseMode: query
  # Type of consent that requires interaction with the user (consent, login are allowed)
  prompt: consent
  # Defines whether to first try logging the user in silently without interaction (prompt "none");
  # if false, start directly with the configured prompt
  silent: true
  # login page of DLab
  loginPage: https://<LOGIN_PAGE>/
<#elseif CLOUD_TYPE == "gcp">
# GCP oauth2 login configuration
gcpLoginConfiguration:
  # OAuth2 login is switched off in this template.
  oauth2authenticationEnabled: false
  clientId: <GCP_CLIENT_ID>
  # OAuth client secret rendered into the config in clear text - see the
  # secrets note at the top of the file.
  clientSecret: <GCP_CLIENT_SECRET>
  redirectedUri: https://<GCP_REDIRECTED_URL>
  # Login-state cache: expiration (unit not stated here - confirm in code) and
  # maximum number of entries.
  userStateCacheExpirationTime: 1
  userStateCacheSize: 1000
  applicationName: DLAB-webapp
</#if>
logging:
  level: INFO
  loggers:
    io.dropwizard: INFO
    # NOTE(review): DEBUG on the application package of a service that handles
    # passwords, bind DNs and OAuth codes - verify nothing sensitive is logged
    # at this level, or lower it to INFO for production deployments.
    com.epam: DEBUG
    com.aegisql: INFO
  appenders:
    # The FreeMarker directive on the next line is presumably still evaluated
    # even though the line starts with a YAML '#' (FreeMarker does not know
    # YAML comment syntax), so the console appender is expected to be emitted
    # only when DEV_MODE is "true" - confirm by inspecting the rendered file.
    #<#if DEV_MODE == "true">
    - type: console
    #</#if>
    - type: file
      currentLogFilename: ${LOG_ROOT_DIR}/ssn/security.log
      archive: true
      archivedLogFilenamePattern: ${LOG_ROOT_DIR}/ssn/security-%d{yyyy-MM-dd}.log.gz
      archivedFileCount: 10