Auth Machine Service Configuration

Introduction

The Infinite Scale Auth Machine service

Configuration

Environment Variables

The auth-machine extension is configured via the following environment variables:

Environment variables for the auth-machine service

| Name | Type | Default Value | Description |
|---|---|---|---|
| OCIS_TRACING_ENABLED / AUTH_MACHINE_TRACING_ENABLED | bool | false | Activates tracing. |
| OCIS_TRACING_TYPE / AUTH_MACHINE_TRACING_TYPE | string | | The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now. |
| OCIS_TRACING_ENDPOINT / AUTH_MACHINE_TRACING_ENDPOINT | string | | The endpoint of the tracing agent. |
| OCIS_TRACING_COLLECTOR / AUTH_MACHINE_TRACING_COLLECTOR | string | | The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
| OCIS_LOG_LEVEL / AUTH_MACHINE_LOG_LEVEL | string | | The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace". |
| OCIS_LOG_PRETTY / AUTH_MACHINE_LOG_PRETTY | bool | false | Activates pretty log output. |
| OCIS_LOG_COLOR / AUTH_MACHINE_LOG_COLOR | bool | false | Activates colorized log output. |
| OCIS_LOG_FILE / AUTH_MACHINE_LOG_FILE | string | | The path to the log file. Activates logging to this file if set. |
| AUTH_MACHINE_DEBUG_ADDR | string | 127.0.0.1:9167 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
| AUTH_MACHINE_DEBUG_TOKEN | string | | Token to secure the metrics endpoint. |
| AUTH_MACHINE_DEBUG_PPROF | bool | false | Enables pprof, which can be used for profiling. |
| AUTH_MACHINE_DEBUG_ZPAGES | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces. |
| AUTH_MACHINE_GRPC_ADDR | string | 127.0.0.1:9166 | The bind address of the GRPC service. |
| OCIS_GRPC_TLS_ENABLED | bool | false | Activates TLS for the grpc based services using the server certificate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set, a temporary server certificate is generated, to be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure. |
| OCIS_GRPC_TLS_CERTIFICATE | string | | Path/File name of the TLS server certificate (in PEM format) for the grpc services. |
| OCIS_GRPC_TLS_KEY | string | | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services. |
| AUTH_MACHINE_GRPC_PROTOCOL | string | tcp | The transport protocol of the GRPC service. |
| OCIS_JWT_SECRET / AUTH_MACHINE_JWT_SECRET | string | | The secret to mint and validate JWT tokens. |
| REVA_GATEWAY | string | 127.0.0.1:9142 | The CS3 gateway endpoint. |
| OCIS_GRPC_CLIENT_TLS_MODE | string | | TLS mode for grpc connections to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' uses transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |
| OCIS_GRPC_CLIENT_TLS_CACERT | string | | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. |
| AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN | bool | false | Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups. |
| OCIS_MACHINE_AUTH_API_KEY / AUTH_MACHINE_API_KEY | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services. |
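The variables above combine into a few settings worth checking before a deployment goes live (TLS without a configured certificate, a client TLS mode other than 'on', empty JWT secret or machine auth API key, a debug server exposed beyond loopback without a token). The following lint is an added example, not oCIS project code; it assumes that a service-specific AUTH_MACHINE_* variable overrides its OCIS_* counterpart, that booleans parse like Go's strconv.ParseBool, and that 127.0.0.1/localhost/::1 count as loopback.

```python
# Added example, not oCIS project code: a lint over the auth-machine variables above
# that reports weak combinations. Assumptions: an AUTH_MACHINE_* name overrides its
# OCIS_* counterpart; booleans parse like Go's strconv.ParseBool; loopback = 127.0.0.1/::1.
TRUE_VALUES = {"1", "t", "true", "y", "yes"}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]", "::1"}

def lookup(env, *names, default=""):
    """First non-empty value, most specific name first."""
    for name in names:
        if env.get(name, ""):
            return env[name]
    return default

def is_loopback(addr):
    return addr.rsplit(":", 1)[0] in LOOPBACK

def check_auth_machine_env(env):
    """Return a list of findings for one environment mapping (empty = nothing weak)."""
    get = lambda *names, default="": lookup(env, *names, default=default)
    truthy = lambda name: get(name, default="false").strip().lower() in TRUE_VALUES
    findings = []
    grpc_addr = get("AUTH_MACHINE_GRPC_ADDR", default="127.0.0.1:9166")
    debug_addr = get("AUTH_MACHINE_DEBUG_ADDR", default="127.0.0.1:9167")
    mode = get("OCIS_GRPC_CLIENT_TLS_MODE")
    if truthy("OCIS_GRPC_TLS_ENABLED"):
        if not get("OCIS_GRPC_TLS_CERTIFICATE"):  # temporary cert only works with insecure clients
            findings.append("TLS enabled without OCIS_GRPC_TLS_CERTIFICATE: temporary self-signed "
                            "certificate, clients must use OCIS_GRPC_CLIENT_TLS_MODE=insecure")
    elif not is_loopback(grpc_addr):
        findings.append(f"GRPC service on {grpc_addr} without TLS (OCIS_GRPC_TLS_ENABLED=false)")
    if mode != "on":  # only 'on' verifies the server certificate
        findings.append(f"OCIS_GRPC_CLIENT_TLS_MODE={mode!r}: server certificates are not verified")
    if not get("AUTH_MACHINE_JWT_SECRET", "OCIS_JWT_SECRET"):
        findings.append("OCIS_JWT_SECRET / AUTH_MACHINE_JWT_SECRET is empty")
    if not get("AUTH_MACHINE_API_KEY", "OCIS_MACHINE_AUTH_API_KEY"):
        findings.append("OCIS_MACHINE_AUTH_API_KEY / AUTH_MACHINE_API_KEY is empty")
    if not is_loopback(debug_addr):
        if not get("AUTH_MACHINE_DEBUG_TOKEN"):
            findings.append(f"debug server on {debug_addr} without AUTH_MACHINE_DEBUG_TOKEN")
        if truthy("AUTH_MACHINE_DEBUG_PPROF"):
            findings.append(f"pprof exposed on non-loopback debug address {debug_addr}")
    return findings

# Constructed sample environment (no real deployment): every setting left at the weak end.
WEAK_ENV = {"AUTH_MACHINE_GRPC_ADDR": "0.0.0.0:9166", "OCIS_GRPC_TLS_ENABLED": "true",
            "OCIS_GRPC_CLIENT_TLS_MODE": "insecure", "AUTH_MACHINE_DEBUG_ADDR": "0.0.0.0:9167",
            "AUTH_MACHINE_DEBUG_PPROF": "true"}
```

Run `check_auth_machine_env(dict(os.environ))` against a real shell to lint a deployment; an empty list means none of the documented weak combinations was found.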

YAML Example

# Autogenerated
# Filename: auth-machine-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9167
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9166
  tls:
    enabled: false
    cert: ""
    key: ""
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
machine_auth_api_key: ""