# Local-development configuration for the OpenTDF platform.
# Several values below are development defaults (plaintext endpoints, a
# committed root key, a placeholder client secret, wildcard CORS, gRPC
# reflection); each is marked at the place it occurs so it is not carried
# into another environment unnoticed.
logger:
  level: debug # verbose; debug output presumably includes request detail — confirm before pointing this at shared log sinks
  type: text
  output: stderr
# DB and Server configurations are defaulted for local development
# db:
#   host: localhost
#   port: 5432
#   user: postgres
#   password: changeme
#   sslmode: prefer
#   connect_timeout_seconds: 15
#   pool:
#     max_connection_count: 4
#     min_connection_count: 0
#     min_idle_connections_count: 0
#     max_connection_lifetime_seconds: 3600
#     max_connection_idle_seconds: 1800
#     health_check_period_seconds: 60
services:
  kas:
    registered_kas_uri: http://localhost:8080 # Should match what you have registered for *this* KAS in the policy db.
    preview:
      ec_tdf_enabled: false
      hybrid_tdf_enabled: false
      key_management: false
    # NOTE(review): a key literal committed alongside the config is only acceptable for
    # local development (as the inline comment says). A real deployment should supply this
    # value out of band (environment or secret store) so it is neither versioned nor
    # retyped by tooling; if it must stay in YAML, keep it quoted as a string.
    root_key: a8c4824daafcfa38ed0d13002e92b08720e6c4fcee67d52e954c1a6e045907d1 # For local development testing only
    # Two entries per kid, one flagged `legacy: true`; presumably the flag selects a
    # compatibility code path in the KAS keyring loader — confirm before removing either.
    keyring:
      - kid: e1
        alg: ec:secp256r1
      - kid: e1
        alg: ec:secp256r1
        legacy: true
      - kid: r1
        alg: rsa:2048
      - kid: r1
        alg: rsa:2048
        legacy: true
  entityresolution:
    log_level: info
    url: http://localhost:8888/auth # plaintext http to a local identity provider
    clientid: "tdf-entity-resolution"
    clientsecret: "secret" # placeholder credential for the local realm; replace outside local development
    realm: "opentdf"
    legacykeycloak: true
    inferid:
      from:
        email: true
        username: true
    # cache_expiration: 30s # disabled unless present and > 0
  # policy is enabled by default in mode 'all'
  # policy:
  #   enabled: true
  #   list_request_limit_default: 1000
  #   list_request_limit_max: 2500
  # authorization:
  #   entitlement_policy_cache:
  #     enabled: false
  #     refresh_interval: 30s
server:
  public_hostname: localhost
  # TLS is off for local development; the cert/key paths below are only read when it is on
  # (presumably — verify against the server's TLS setup).
  tls:
    enabled: false
    cert: ./keys/platform.crt
    key: ./keys/platform-key.pem
  auth:
    enabled: true
    # DPoP proof-of-possession is not enforced, so presumably a bearer token alone is
    # accepted — confirm with the auth middleware before reusing this value elsewhere.
    enforceDPoP: false
    audience: "http://localhost:8080"
    issuer: http://localhost:8888/auth/realms/opentdf
    policy:
      ## Dot notation is used to access nested claims (i.e. realm_access.roles)
      # Claim that represents the user (i.e. email)
      # A bare value here parses as null (unset); the trailing comment shows the usual claim.
      username_claim: # preferred_username
      # The claim used to access groups (i.e. realm_access.roles)
      groups_claim: # realm_access.roles
      # Claim that represents the idP client ID
      client_id_claim: # azp
      # Optional external role provider (name is resolved via StartOptions)
      # roles_provider:
      #   name: external
      #   config: {} # provider-specific (any object)
      ## Extends the builtin policy
      # Casbin grouping rules: maps the two local identity groups onto builtin roles.
      extension: |
        g, opentdf-admin, role:admin
        g, opentdf-standard, role:standard
      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
      # Bare value parses as null, i.e. the builtin policy stays in effect.
      csv: #|
      #  p, role:admin, *, *, allow
      ## Custom model (see https://casbin.org/docs/syntax-for-models/)
      # Bare value parses as null, i.e. the builtin model stays in effect.
      model: #|
      #  [request_definition]
      #  r = sub, res, act, obj
      #
      #  [policy_definition]
      #  p = sub, res, act, obj, eft
      #
      #  [role_definition]
      #  g = _, _
      #
      #  [policy_effect]
      #  e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
      #
      #  [matchers]
      #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
  trace:
    enabled: false
    provider:
      name: file # file | otlp
      file:
        path: "./traces/traces.log"
        prettyPrint: true # Optional, default is compact JSON
        maxSize: 50 # Optional, default 20MB
        maxBackups: 5 # Optional, default 10
        maxAge: 14 # Optional, default 30 days
        compress: true # Optional, default false
      # otlp:
      #   protocol: grpc # Optional, defaults to grpc
      #   endpoint: "localhost:4317"
      #   insecure: true # Set to false if Jaeger requires TLS
      #   headers: {} # Add if authentication is needed
      #   # HTTP
      #   protocol: "http/protobuf"
      #   endpoint: "http://localhost:4318" # Default OTLP HTTP port
      #   insecure: true # If collector is just HTTP, not HTTPS
      #   headers: {} # Add if authentication is needed
  cors:
    enabled: true
    # "*" to allow any origin or a specific domain like "https://yourdomain.com"
    # NOTE(review): browsers reject a credentialed response whose Access-Control-Allow-Origin
    # is the literal "*" (see allowcredentials below); whether the middleware reflects the
    # request origin instead cannot be told from this file — confirm, and pin explicit
    # origins outside local development.
    allowedorigins:
      - "*"
    # List of methods. Examples: "GET,POST,PUT"
    allowedmethods:
      - GET
      - POST
      - PATCH
      - PUT
      - DELETE
      - OPTIONS
    # List of headers that are allowed in a request
    allowedheaders:
      - Accept
      - Accept-Encoding
      - Authorization
      - Connect-Protocol-Version
      - Content-Length
      - Content-Type
      - Dpop
      - X-CSRF-Token
      - X-Requested-With
      - X-Rewrap-Additional-Context
    # List of response headers that browsers are allowed to access
    exposedheaders:
      - Link
    # Sets whether credentials are included in the CORS request
    allowcredentials: true
    # Sets the maximum age (in seconds) of a specific CORS preflight request
    maxage: 3600
    # Additive fields - append to base lists without replacing defaults
    # Use these to add custom values without having to copy all defaults
    # additionalmethods: []
    # additionalheaders:
    #   - X-Custom-Header
    # additionalexposedheaders: []
  grpc:
    reflectionEnabled: true # Default is false; reflection publishes service descriptors to any client, handy locally
  # http:
  #   # HTTP server configuration
  #   # Negative values indicate no timeout, default will be used if the timeout is set to 0
  #   readTimeout: 15s
  #   writeTimeout: 15s
  #   readHeaderTimeout: 10s
  #   idleTimeout: 20s
  #   maxHeaderBytes: 1048576 # 1 MB
  cryptoProvider:
    type: standard
    standard:
      # Key material comes from PEM files given by relative path; what they are resolved
      # against (process working directory or a config-relative base) is not visible here — confirm.
      keys:
        - kid: r1
          alg: rsa:2048
          private: kas-private.pem
          cert: kas-cert.pem
        - kid: e1
          alg: ec:secp256r1
          private: kas-ec-private.pem
          cert: kas-ec-cert.pem
  port: 8080