# Process logging. These values are tuned for local development: debug level,
# plain-text format, written to stdout.
logger:
  # NOTE(review): debug is the most verbose level here; confirm what this
  # service emits at debug before reusing this setting outside local
  # development, and prefer info or higher where logs are retained or shared.
  level: debug
  type: text
  output: stdout
# DB and Server configurations are defaulted for local development
db:
  host: opentdfdb
  # The settings below are shown commented out with their local-development
  # defaults. The password placeholder ("changeme") is for local use only;
  # supply real credentials from an environment variable or secret store
  # rather than committing them to this file. Note that `sslmode: prefer`
  # does not fail closed — it falls back to an unencrypted connection when TLS
  # is unavailable — so a deployment beyond local dev should pick a verifying
  # mode (e.g. verify-full) and confirm the driver honours it.
  # port: 5432
  # user: postgres
  # password: changeme
  # sslmode: prefer
  # connect_timeout_seconds: 15
  # pool:
  #   max_connection_count: 4
  #   min_connection_count: 0
  #   min_idle_connections_count: 0
  #   max_connection_lifetime_seconds: 3600
  #   max_connection_idle_seconds: 1800
  #   health_check_period_seconds: 60
# Top-level run mode; left at its default here. The services comment below
# indicates that `all` is the mode in which policy is enabled by default.
# mode: all
# Per-service settings.
services:
  kas:
    # Key identifiers used by the KAS. They correspond to `kid` entries under
    # server.cryptoProvider.standard.keys (e1 and r1 are both defined there).
    eccertid: e1
    rsacertid: r1
  entityresolution:
    # Plain http to the keycloak hostname is a local-development setting
    # (presumably an internal container network — confirm before reuse).
    url: http://keycloak:8888/auth
    clientid: "tdf-entity-resolution"
    # Placeholder client secret for local development only. Do not reuse this
    # value; inject the real secret from an environment variable or secret
    # store instead of committing it here.
    clientsecret: "secret"
    realm: "opentdf"
    legacykeycloak: true
    # Which token fields may be used to infer an entity identifier.
    inferid:
      from:
        email: true
        username: true
  # policy is enabled by default in mode 'all'
  # policy:
  #   enabled: true
  #   list_request_limit_default: 1000
  #   list_request_limit_max: 2500
  # authorization:
  #   entitlement_policy_cache:
  #     enabled: false
  #     refresh_interval: 30s
# HTTP/gRPC server settings: token validation, authorization policy, CORS,
# gRPC reflection, KAS key material and the listen port.
server:
  auth:
    enabled: true
    # DPoP (proof-of-possession binding of access tokens) is not enforced in
    # this local-development example; the Dpop request header is still
    # permitted by the CORS allowedheaders list below.
    enforceDPoP: false
    # Expected token audience; matches the listen port (server.port) below.
    audience: "http://localhost:8080"
    # Expected token issuer. Plain http to the keycloak hostname is a
    # local-development setting.
    issuer: http://keycloak:8888/auth/realms/opentdf
    policy:
      ## Dot notation is used to access nested claims (e.g. realm_access.roles)
      # Claim that represents the user (e.g. email)
      username_claim: # preferred_username
      # The claim used to access groups (e.g. realm_access.roles)
      groups_claim: # realm_access.roles
      # Claim that represents the IdP client ID
      client_id_claim: # azp
      # NOTE(review): the three claim keys above are left empty (parsed as
      # null); the trailing comment on each appears to show the value it would
      # typically be set to — confirm against the service defaults.
      ## Extends the builtin policy
      # Casbin grouping rules (`g`, see [role_definition] in the model below):
      # members of the opentdf-admin group get role:admin, members of
      # opentdf-standard get role:standard.
      extension: |
        g, opentdf-admin, role:admin
        g, opentdf-standard, role:standard
      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
      csv: #|
      #  p, role:admin, *, *, allow
      ## Custom model (see https://casbin.org/docs/syntax-for-models/)
      model: #|
      #  [request_definition]
      #  r = sub, res, act, obj
      #
      #  [policy_definition]
      #  p = sub, res, act, obj, eft
      #
      #  [role_definition]
      #  g = _, _
      #
      #  [policy_effect]
      #  e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
      #
      #  [matchers]
      #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
  cors:
    # "*" to allow any origin or a specific domain like "https://yourdomain.com"
    # NOTE(review): a wildcard origin together with `allowcredentials: true`
    # below is a local-development shortcut. Browsers do not accept
    # Access-Control-Allow-Origin: * on credentialed requests, and if the CORS
    # layer reflects the request origin instead, any site could make
    # credentialed cross-origin calls. List explicit origins for anything
    # beyond local development.
    allowedorigins:
      - "*"
    # List of methods. Examples: "GET,POST,PUT"
    allowedmethods:
      - GET
      - POST
      - PATCH
      - PUT
      - DELETE
      - OPTIONS
    # List of headers that are allowed in a request
    allowedheaders:
      - Accept
      - Accept-Encoding
      - Authorization
      - Connect-Protocol-Version
      - Content-Length
      - Content-Type
      - Dpop
      - X-CSRF-Token
      - X-Requested-With
      - X-Rewrap-Additional-Context
    # List of response headers that browsers are allowed to access
    exposedheaders:
      - Link
    # Sets whether credentials are included in the CORS request
    allowcredentials: true
    # Sets the maximum age (in seconds) of a specific CORS preflight request
    maxage: 3600
  grpc:
    # Reflection lets any connected client enumerate the service surface;
    # convenient for local tooling, normally left at the default (false)
    # elsewhere.
    reflectionEnabled: true # Default is false
  cryptoProvider:
    type: standard
    standard:
      # KAS key pairs, addressed by `kid` (services.kas.eccertid/rsacertid
      # reference e1 and r1). The `private` files are key material: keep them
      # readable by the service only and out of version control.
      keys:
        - kid: r1
          alg: rsa:2048
          private: /keys/kas-private.pem
          cert: /keys/kas-cert.pem
        - kid: e1
          alg: ec:secp256r1
          private: /keys/kas-ec-private.pem
          cert: /keys/kas-ec-cert.pem
        # NOTE(review): for the hpqt (hybrid post-quantum) entries `cert`
        # points at a *-public.pem file rather than a certificate — confirm
        # the loader accepts a bare public key in this field.
        - kid: x1
          alg: hpqt:xwing
          private: /keys/kas-xwing-private.pem
          cert: /keys/kas-xwing-public.pem
        - kid: h1
          alg: hpqt:secp256r1-mlkem768
          private: /keys/kas-p256mlkem768-private.pem
          cert: /keys/kas-p256mlkem768-public.pem
        - kid: h2
          alg: hpqt:secp384r1-mlkem1024
          private: /keys/kas-p384mlkem1024-private.pem
          cert: /keys/kas-p384mlkem1024-public.pem
  # Listen port; also the port in server.auth.audience above.
  port: 8080