| # ***************************************************************************** |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # ****************************************************************************** |
| |
| <#include "ssn.yml"> |
| |
| ldapUseConnectionPool: false |
| ldapConnectionConfig: |
| # ldapHost: localhost |
| ldapHost: LDAP_HOST |
| # ldapPort: 3890 |
| ldapPort: 389 |
| name: LDAP_USER,LDAP_DN |
| credentials: LDAP_PASS |
| useLdapBindTemplate: true |
| ldapBindTemplate: uid=%s,LDAP_OU,LDAP_DN |
| ldapBindAttribute: uid |
| ldapSearchAttribute: uid |
| ldapGroupAttribute: memberUid |
| ldapGroupNameAttribute: cn |
| ldapGroupUserAttribute: uid |
| ldapSearchRequest: |
| expirationTimeMsec: 600000 |
| scope: SUBTREE |
| attributes: |
| - cn |
| - mail |
| - uid |
| - gidNumber |
| timeLimit: 0 |
| base: LDAP_DN |
| filter: "(&(objectClass=inetOrgPerson)(uid=$LDAP_SEARCH_ATTRIBUTE))" |
| ldapGroupSearchRequest: |
| expirationTimeMsec: 600000 |
| scope: SUBTREE |
| attributes: |
| - cn |
| - memberUid |
| timeLimit: 0 |
| base: LDAP_DN |
| filter: "(&(objectClass=posixGroup))" |
| server: |
| requestLog: |
| appenders: |
| - type: file |
| currentLogFilename: ${LOG_ROOT_DIR}/ssn/request-security.log |
| archive: true |
| archivedLogFilenamePattern: ${LOG_ROOT_DIR}/ssn/request-security-%d{yyyy-MM-dd}.log.gz |
| archivedFileCount: 10 |
| applicationConnectors: |
| - type: https |
| port: 8090 |
| certAlias: dlab |
| validateCerts: true |
| keyStorePath: ${KEY_STORE_PATH} |
| keyStorePassword: ${KEY_STORE_PASSWORD} |
| trustStorePath: ${TRUST_STORE_PATH} |
| trustStorePassword: ${TRUST_STORE_PASSWORD} |
| adminConnectors: |
| - type: https |
| port: 8091 |
| certAlias: dlab |
| validateCerts: true |
| keyStorePath: ${KEY_STORE_PATH} |
| keyStorePassword: ${KEY_STORE_PASSWORD} |
| trustStorePath: ${TRUST_STORE_PATH} |
| trustStorePassword: ${TRUST_STORE_PASSWORD} |
| |
| userInfoPersistenceEnabled: true |
| |
| <#if CLOUD_TYPE == "aws"> |
| awsUserIdentificationEnabled: true |
| loginAuthenticationTimeout: 10 |
| <#elseif CLOUD_TYPE == "azure"> |
| loginAuthenticationTimeout: 20 |
| |
| # Azure login configuration |
| azureLoginConfiguration: |
| # defines of LDAP server is used as authentication point, if false Azure OAuth authentication should be configured |
| useLdap: <LOGIN_USE_LDAP> |
| # Tenant id in Azure |
| tenant: <LOGIN_TENANT_ID> |
| # Authority url |
| authority: https://login.microsoftonline.com/ |
| # Id of the application that logs in users |
| clientId: <LOGIN_APPLICATION_ID> |
| # Redirect url for OAuth2 Authorization code flow |
| redirectUrl: https://<LOGIN_APPLICATION_REDIRECT_URL>/ |
| # defines if DLab checks user permission to the configured permissionScope(true|false). |
| # If user does not have permissions(no Role assigned in permissionScope) he/she will not be logged in DLab |
| validatePermissionScope: <VALIDATE_PERMISSION_SCOPE> |
| # Scope for validation user permissions if validatePermissionScope: true |
| permissionScope: <PERMISSION_SCOPE> |
| # Authentication file that used for validation user permissions(query Microsoft API) |
| managementApiAuthFile: <MANAGEMENT_API_AUTH_FILE> |
| # defines how authorization code is sent to DLab |
| responseMode: query |
| # Type of consent that requires interaction with user(consent,login are allowed) |
| prompt: consent |
| # Defines if try to log in user silently without user interaction (with "none" prompt). if false start with configured prompt |
| silent: true |
| # login page of DLab |
| loginPage: https://<LOGIN_PAGE>/ |
| |
| <#elseif CLOUD_TYPE == "gcp"> |
| |
| # GCP oauth2 login configuration |
| gcpLoginConfiguration: |
| oauth2authenticationEnabled: false |
| clientId: <GCP_CLIENT_ID> |
| clientSecret: <GCP_CLIENT_SECRET> |
| redirectedUri: https://<GCP_REDIRECTED_URL> |
| userStateCacheExpirationTime: 1 |
| userStateCacheSize: 1000 |
| applicationName: DLAB-webapp |
| </#if> |
| |
| |
| logging: |
| level: INFO |
| loggers: |
| io.dropwizard: INFO |
| com.epam: DEBUG |
| com.aegisql: INFO |
| appenders: |
| #<#if DEV_MODE == "true"> |
| - type: console |
| #</#if> |
| - type: file |
| currentLogFilename: ${LOG_ROOT_DIR}/ssn/security.log |
| archive: true |
| archivedLogFilenamePattern: ${LOG_ROOT_DIR}/ssn/security-%d{yyyy-MM-dd}.log.gz |
| archivedFileCount: 10 |