| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| # ---- Build-time configuration ---- |
| # Build-time properties take effect when Quarkus processes Java classes |
| # and creates Polaris jars. These properties cannot be overridden at runtime. |
| # Cf. https://quarkus.io/guides/all-config |
| |
| quarkus.banner.path=/org/apache/polaris/service/banner.txt |
| # HTTP Basic authentication is disabled. |
| quarkus.http.auth.basic=false |
| # Responses of the listed media types are compressed; compressed request bodies are accepted. |
| # NOTE(review): confirm that quarkus.http.limits.max-body-size also bounds the decompressed |
| # size of a compressed request body. |
| quarkus.http.enable-compression=true |
| quarkus.http.enable-decompression=true |
| quarkus.http.compress-media-types=application/json,text/html,text/plain |
| # Management interface; its port is set by quarkus.management.port in the runtime section. |
| # NOTE(review): this file sets no authentication for that interface; verify it is only |
| # reachable from trusted networks. |
| quarkus.management.enabled=true |
| quarkus.micrometer.enabled=true |
| quarkus.micrometer.export.prometheus.enabled=true |
| # The OIDC extension is built in; the default tenant stays off at runtime |
| # (quarkus.oidc.tenant-enabled=false) until external authentication is configured. |
| quarkus.oidc.enabled=true |
| # OpenTelemetry is built in; the SDK stays off at runtime (quarkus.otel.sdk.disabled=true). |
| quarkus.otel.enabled=true |
| |
| # ---- Runtime Configuration ---- |
| # Below are default values for properties that can be changed at runtime. |
| |
| # Presumably rejects unknown keys under mapped configuration prefixes, so a misspelled |
| # (security) setting fails fast instead of being silently ignored - verify. |
| quarkus.config.mapping.validate-unknown=true |
| |
| quarkus.http.access-log.enabled=true |
| # quarkus.http.access-log.pattern=common |
| # Cannot use proactive authentication since Polaris requires CDI request context for authentication |
| quarkus.http.auth.proactive=false |
| # Multipart file uploads are not handled, and request bodies are capped at 10240K. |
| quarkus.http.body.handle-file-uploads=false |
| quarkus.http.limits.max-body-size=10240K |
| |
| # CORS defaults. The only allowed origin is http://localhost:8080, which suits local |
| # development; a deployment that serves browser clients must list its exact origin(s). |
| # Credentials are allowed together with wildcard request and exposed headers, so the |
| # origin list is the control that matters here: keep it to explicit, trusted origins. |
| # NOTE(review): no key that enables the CORS filter is set in this file; confirm whether |
| # the filter is active by default or enabled elsewhere. |
| quarkus.http.cors.origins=http://localhost:8080 |
| quarkus.http.cors.methods=PATCH, POST, DELETE, GET, PUT |
| quarkus.http.cors.headers=* |
| quarkus.http.cors.exposed-headers=* |
| quarkus.http.cors.access-control-max-age=PT10M |
| quarkus.http.cors.access-control-allow-credentials=true |
| |
| # Main API port. test-port=0 lets tests bind a random free port. |
| quarkus.http.port=8181 |
| quarkus.http.test-port=0 |
| |
| # Root level is INFO. Both handlers are set to ALL, so they do not filter further; |
| # what is emitted is decided by the root and per-category levels. |
| quarkus.log.level=INFO |
| quarkus.log.console.enable=true |
| quarkus.log.console.level=ALL |
| quarkus.log.console.json.enabled=false |
| # Plain-text format; the bracketed groups print the MDC keys requestId, realmId and the |
| # trace identifiers (traceId, parentId, spanId, sampled). |
| quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c{3.}] [%X{requestId},%X{realmId}] [%X{traceId},%X{parentId},%X{spanId},%X{sampled}] (%t) %s%e%n |
| quarkus.log.file.enable=true |
| quarkus.log.file.level=ALL |
| quarkus.log.file.json.enabled=false |
| quarkus.log.file.format=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c{3.}] [%X{requestId},%X{realmId}] [%X{traceId},%X{parentId},%X{spanId},%X{sampled}] (%t) %s%e%n |
| # Relative path: the log directory depends on the process working directory. |
| # NOTE(review): make sure that directory is writable only by the service account. |
| quarkus.log.file.path=./logs/polaris.log |
| # Rotation: files of at most 10M, 14 backups kept; the .gz suffix presumably makes |
| # rotated files compressed - verify. Size retention to your audit requirements. |
| quarkus.log.file.rotation.file-suffix=.yyyy-MM-dd.gz |
| quarkus.log.file.rotation.max-file-size=10M |
| quarkus.log.file.rotation.max-backup-index=14 |
| |
| # Useful loggers. Set "io.smallrye.config" to DEBUG to print the resolved configuration properties. |
| # NOTE(review): resolved values may include secrets (token-broker keys, storage credentials, |
| # trust-store passwords); check whether they are masked before enabling DEBUG outside a |
| # development environment. |
| # quarkus.log.category."io.smallrye.config".level=INFO |
| # quarkus.log.category."org.apache.polaris".level=INFO |
| # quarkus.log.category."org.apache.iceberg.rest".level=INFO |
| |
| # Port of the management interface enabled by quarkus.management.enabled (build-time section). |
| quarkus.management.port=8182 |
| quarkus.management.test-port=0 |
| |
| # OIDC settings. These settings are required only when using external authentication providers. |
| # See https://quarkus.io/guides/security-oidc-configuration-properties-reference |
| # Default tenant (disabled by default, set this to true if you use external authentication) |
| quarkus.oidc.tenant-enabled=false |
| # The example issuer URLs below use https; keep TLS on the issuer endpoint in real deployments. |
| # quarkus.oidc.auth-server-url=https://auth.example.com/realms/polaris |
| # quarkus.oidc.client-id=polaris |
| # Roles mapping; see https://quarkus.io/guides/security-oidc-bearer-token-authentication#token-claims-and-security-identity-roles |
| # quarkus.oidc.roles.role-claim-path=realm/groups |
| # Named tenants: |
| # quarkus.oidc.idp1.auth-server-url=https://auth.example.com/realms/polaris2 |
| # quarkus.oidc.idp1.client-id=polaris2 |
| |
| # quarkus.otel.sdk.disabled is set to `true` by default to avoid spurious errors about |
| # trace collector connections being impossible to establish. The SDK can be enabled at |
| # runtime (set this property to `false`) after configuring the other OTel properties for |
| # proper trace data collection. |
| quarkus.otel.sdk.disabled=true |
| # NOTE(review): the example endpoint below is plain http; prefer a TLS endpoint when the |
| # collector is not on the same host, since spans carry request metadata. |
| # quarkus.otel.exporter.otlp.endpoint=http://otlp-collector:4317 |
| # quarkus.otel.resource.attributes=service.name=polaris,deployment.env=prod,region=us-west-2 |
| # quarkus.otel.service.name=polaris |
| # quarkus.otel.traces.sampler=parentbased_always_on |
| # quarkus.otel.traces.sampler.arg=1.0d |
| |
| # This setting is a build-time setting and MUST be specified in this file. |
| quarkus.test.integration-test-profile=it |
| |
| # The global fault-tolerance timeout is off; the commented keys show how to set one. |
| quarkus.fault-tolerance.global.timeout.enabled=false |
| # quarkus.fault-tolerance.global.timeout.unit=minutes |
| # quarkus.fault-tolerance.global.timeout.value=10 |
| |
| # Realm resolution: a single realm, POLARIS, selected through the Polaris-Realm header. |
| # With require-header=false, a request without the header is presumably served from a |
| # default realm - verify. In multi-realm deployments consider require-header=true so |
| # that every request names its realm explicitly. |
| polaris.realm-context.type=default |
| polaris.realm-context.realms=POLARIS |
| polaris.realm-context.header-name=Polaris-Realm |
| polaris.realm-context.require-header=false |
| |
| # Feature flags; list-valued flags are written as JSON arrays. |
| # As the name suggests, the credential-rotation-required check is not enforced by default. |
| polaris.features."ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING"=false |
| polaris.features."SUPPORTED_CATALOG_STORAGE_TYPES"=["S3","GCS","AZURE"] |
| # polaris.features."ENABLE_CATALOG_FEDERATION"=true |
| polaris.features."SUPPORTED_CATALOG_CONNECTION_TYPES"=["ICEBERG_REST"] |
| |
| # realm overrides |
| # polaris.features.realm-overrides."my-realm"."SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION"=true |
| |
| # Persistence backend. The default is in-memory: presumably all catalog metadata and |
| # principals live in process memory and are lost on restart - verify. Select a durable |
| # backend (one of the commented alternatives) for anything beyond local evaluation. |
| # polaris.persistence.type=eclipse-link |
| # polaris.persistence.type=in-memory-atomic |
| polaris.persistence.type=in-memory |
| # polaris.persistence.type=relational-jdbc |
| |
| # Secrets are likewise kept in memory by default (NOTE(review): confirm lifetime and |
| # whether this is acceptable for the deployment). |
| polaris.secrets-manager.type=in-memory |
| # if set to true it will try to start localstack at build and run time for the local environment |
| # https://docs.quarkiverse.io/quarkus-amazon-services/dev/amazon-rds.html#_configuration_reference for more details |
| quarkus.rds.devservices.enabled=false |
| quarkus.rds.sync-client.type=apache |
| |
| polaris.file-io.type=default |
| |
| # No events are recorded by default; see the listener examples that follow. |
| polaris.event-listener.type=no-op |
| |
| # Persistence event listener settings |
| # polaris.event-listener.type=persistence-in-memory-buffer |
| # polaris.event-listener.persistence-in-memory-buffer.buffer-time=5000ms |
| # polaris.event-listener.persistence-in-memory-buffer.max-buffer-size=5 |
| |
| # AWS CloudWatch event listener settings |
| # polaris.event-listener.type=aws-cloudwatch |
| # polaris.event-listener.aws-cloudwatch.log-group=polaris-cloudwatch-default-group |
| # polaris.event-listener.aws-cloudwatch.log-stream=polaris-cloudwatch-default-stream |
| # polaris.event-listener.aws-cloudwatch.region=us-east-1 |
| # polaris.event-listener.aws-cloudwatch.synchronous-mode=false |
| |
| # Name of the request-id header. Presumably its value is what %X{requestId} prints in |
| # the log formats; it is client-supplied, so log consumers should treat it as untrusted |
| # text - verify how it is validated. |
| polaris.log.request-id-header-name=Polaris-Request-Id |
| # polaris.log.mdc.aid=polaris |
| # polaris.log.mdc.sid=polaris-service |
| |
| polaris.metrics.tags.application=Polaris |
| # polaris.metrics.tags.service=polaris |
| # polaris.metrics.tags.environment=prod |
| # polaris.metrics.tags.region=us-west-2 |
| |
| # polaris.tasks.max-concurrent-tasks=100 |
| # polaris.tasks.max-queued-tasks=1000 |
| |
| # Rate limiting. The filter type is no-op, so requests are presumably not rate limited |
| # by default and the token-bucket values below only take effect once a real filter type |
| # is selected - verify. Tune requests-per-second and window to the deployment before |
| # relying on this as an abuse control. |
| polaris.rate-limiter.filter.type=no-op |
| polaris.rate-limiter.token-bucket.type=default |
| polaris.rate-limiter.token-bucket.requests-per-second=9999 |
| polaris.rate-limiter.token-bucket.window=PT10S |
| |
| # Polaris authentication settings |
| # "internal" is the default; "external" appears in the per-realm example below and goes |
| # with the OIDC settings in this file. |
| polaris.authentication.type=internal |
| polaris.authentication.authenticator.type=default |
| # Per-realm overrides: |
| # polaris.authentication.realm1.type=external |
| # polaris.authentication.realm1.authenticator.type=custom |
| |
| # Options effective when using internal auth (can be overridden per realm): |
| polaris.authentication.token-service.type=default |
| # Tokens are signed with an RSA key pair; max-token-generation is presumably the maximum |
| # lifetime of an issued token (ISO-8601 duration, here one hour) - verify. |
| polaris.authentication.token-broker.type=rsa-key-pair |
| polaris.authentication.token-broker.max-token-generation=PT1H |
| # No key material is configured by default. NOTE(review): confirm what the broker does |
| # without key files (for example generating keys at startup); tokens signed with such |
| # keys would not verify after a restart or on another replica. |
| # The /tmp paths and the literal "secret" below are placeholders. Keep the private or |
| # symmetric key in a file readable only by the service account, and prefer the file |
| # options over an inline secret in this properties file. |
| # polaris.authentication.token-broker.rsa-key-pair.public-key-file=/tmp/public.key |
| # polaris.authentication.token-broker.rsa-key-pair.private-key-file=/tmp/private.key |
| # polaris.authentication.token-broker.symmetric-key.secret=secret |
| # polaris.authentication.token-broker.symmetric-key.file=/tmp/symmetric.key |
| |
| # OIDC Principals mapping |
| polaris.oidc.principal-mapper.type=default |
| # polaris.oidc.principal-mapper.id-claim-path=sub |
| # polaris.oidc.principal-mapper.name-claim-path=preferred_username |
| # Per-tenant overrides: |
| # polaris.oidc.idp1.principal-mapper.id-claim-path=polaris/principal_id |
| # polaris.oidc.idp1.principal-mapper.name-claim-path=polaris/principal_name |
| |
| # OIDC Principal roles mapping |
| polaris.oidc.principal-roles-mapper.type=default |
| # Principal role mapping is done through quarkus.oidc.roles.role-claim-path |
| # The properties below define how the roles mapped by Quarkus are converted to Polaris roles |
| # The filter decides which token roles are considered at all; keep the pattern as narrow |
| # as the identity provider's role naming allows, so that unrelated claims never become |
| # Polaris roles. |
| # polaris.oidc.principal-roles-mapper.filter=PRINCIPAL_ROLE:.* |
| # polaris.oidc.principal-roles-mapper.mappings[0].regex=PRINCIPAL_ROLE:(.*) |
| # polaris.oidc.principal-roles-mapper.mappings[0].replacement=PRINCIPAL_ROLE:$1 |
| # Per-tenant overrides: |
| # polaris.oidc.idp1.principal-roles-mapper.type=custom |
| # polaris.oidc.idp1.principal-roles-mapper.filter=POLARIS_ROLE:.* |
| # polaris.oidc.idp1.principal-roles-mapper.mappings[0].regex=POLARIS_ROLE:(.*) |
| # polaris.oidc.idp1.principal-roles-mapper.mappings[0].replacement=POLARIS_ROLE:$1 |
| |
| # If the following properties are unset, the default credential provider chain will be used |
| # The values below are placeholders. Static cloud credentials in this file are long-lived |
| # and readable by anyone who can read the configuration; leaving the keys unset keeps |
| # credentials out of the file. |
| # polaris.storage.aws.access-key=accessKey |
| # polaris.storage.aws.secret-key=secretKey |
| # polaris.storage.gcp.token=token |
| # polaris.storage.gcp.lifespan=PT1H |
| |
| # Polaris authorization type settings |
| # Which authorizer to use: "internal" (PolarisAuthorizerImpl) or "opa" (OpaPolarisAuthorizer) |
| # polaris.authorization.type=internal |
| |
| # OPA Authorizer Configuration: effective only if polaris.authorization.type=opa |
| # NOTE: The OPA Authorizer is currently in Beta and is not a stable release. |
| # It may undergo breaking changes in future versions. |
| # NOTE(review): the example URL uses port 8181, the same value as quarkus.http.port in |
| # this file, so OPA and Polaris cannot both listen on it on one host; adjust one of them. |
| # The example is also plain http: authorization decisions travel over this connection, |
| # so use https (with verify-ssl left on) when OPA is not on the same host. |
| # polaris.authorization.opa.url=http://localhost:8181 |
| # polaris.authorization.opa.policy-path=/v1/data/polaris/authz/allow |
| |
| # OPA HTTP configuration |
| # polaris.authorization.opa.http.timeout=PT2S |
| # NOTE: Setting verify-ssl=false will trigger a severe production readiness check error |
| # as this exposes the service to security risks. |
| # polaris.authorization.opa.http.verify-ssl=false |
| # The trust-store password below is a placeholder; supply the real value from the |
| # environment or a secret store rather than committing it to this file. |
| # polaris.authorization.opa.http.trust-store-path=/path/to/truststore |
| # polaris.authorization.opa.http.trust-store-password=my-trust-store-password |
| |
| # OPA Authentication configuration |
| # Default is no authentication (type=none): Polaris then calls OPA without credentials, |
| # so access to the OPA endpoint has to be restricted by other means. |
| # To enable bearer token authentication, use type=bearer |
| # polaris.authorization.opa.auth.type=none |
| # To enable bearer token authentication, uncomment the following: |
| # polaris.authorization.opa.auth.type=bearer |
| |
| # Static bearer token configuration (placeholder value; a static token in this file |
| # cannot be rotated without a configuration change): |
| # polaris.authorization.opa.auth.bearer.static-token.value=my-static-token |
| |
| # Alternative file-based bearer token configuration (the token file is re-read on the |
| # refresh interval, which allows rotation; restrict the file to the service account): |
| # polaris.authorization.opa.auth.bearer.file-based.path=/path/to/token/file |
| # polaris.authorization.opa.auth.bearer.file-based.refresh-interval=PT5M |
| # polaris.authorization.opa.auth.bearer.file-based.jwt-expiration-refresh=true |
| # polaris.authorization.opa.auth.bearer.file-based.jwt-expiration-buffer=PT1M |
| |
| # Polaris Credential Manager Config |
| polaris.credential-manager.type=default |
| |
| # Packages excluded from the Quarkus ArC split-package check. The value is one |
| # comma-separated list continued across lines with trailing backslashes; the last |
| # entry must not end with ",\". |
| quarkus.arc.ignored-split-packages=\ |
| org.apache.polaris.service.catalog.api,\ |
| org.apache.polaris.service.catalog.api.impl,\ |
| org.apache.polaris.service.metrics,\ |
| org.apache.polaris.service.config,\ |
| org.apache.polaris.service.auth,\ |
| org.apache.polaris.service.auth.external,\ |
| org.apache.polaris.service.auth.external.mapping,\ |
| org.apache.polaris.service.auth.external.tenant,\ |
| org.apache.polaris.service.auth.internal,\ |
| org.apache.polaris.service.events,\ |
| org.apache.polaris.service.task,\ |
| org.apache.polaris.service.secrets,\ |
| org.apache.polaris.service.storage,\ |
| org.apache.polaris.service.tracing,\ |
| org.apache.polaris.service.ratelimiter,\ |
| org.apache.polaris.service.catalog.io,\ |
| org.apache.polaris.service.legacy,\ |
| org.apache.polaris.service.context,\ |
| org.apache.polaris.service.persistence,\ |
| org.apache.polaris.service.logging,\ |
| org.apache.polaris.service.types,\ |
| org.apache.polaris.admintool.config,\ |
| org.apache.polaris.admintool |
| |
| ## Quarkus required setting for third party indexing |
| # fixed at buildtime |
| # Each dependency is identified by a group-id / artifact-id pair (avro, guava, protobuf-java). |
| quarkus.index-dependency.avro.group-id=org.apache.avro |
| quarkus.index-dependency.avro.artifact-id=avro |
| quarkus.index-dependency.guava.group-id=com.google.guava |
| quarkus.index-dependency.guava.artifact-id=guava |
| quarkus.index-dependency.protobuf.group-id=com.google.protobuf |
| quarkus.index-dependency.protobuf.artifact-id=protobuf-java |
| |
| # force the locale, just in case the system's using another default locale |
| quarkus.default-locale=en_US |
| |