Overview ¶
Package config contains all knobs and defaults used to configure features of OpenFGA when running as a standalone server.
Constants ¶
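// Defaults for the server knobs declared in Config. Each value is the fallback
// applied when the corresponding setting is not supplied explicitly.
const (
	// DefaultMaxRPCMessageSizeInBytes caps the size of a single RPC message.
	// The original multiplier was 1_204 (616,448 bytes) against a comment
	// claiming "512 KB"; 1_204 looks like a typo for 1_024, so the value now
	// matches its documentation (524,288 bytes). This tightens the accepted
	// message size by roughly 15% relative to the previous value.
	DefaultMaxRPCMessageSizeInBytes = 512 * 1_024 // 512 KiB

	DefaultMaxTuplesPerWrite                = 100
	DefaultMaxTypesPerAuthorizationModel    = 100
	DefaultMaxAuthorizationModelSizeInBytes = 256 * 1_024
	DefaultMaxAuthorizationModelCacheSize   = 100000
	DefaultChangelogHorizonOffset           = 0
	DefaultResolveNodeLimit                 = 25
	DefaultResolveNodeBreadthLimit          = 100
	DefaultUsersetBatchSize                 = 1000

	// ListObjects: deadline and result cap for accumulating results before responding.
	DefaultListObjectsDeadline              = 3 * time.Second
	DefaultListObjectsMaxResults            = 1000
	DefaultMaxConcurrentReadsForCheck       = math.MaxUint32
	DefaultMaxConcurrentReadsForListObjects = math.MaxUint32

	// ListUsers: deadline and result cap for accumulating results before responding.
	DefaultListUsersDeadline              = 3 * time.Second
	DefaultListUsersMaxResults            = 1000
	DefaultMaxConcurrentReadsForListUsers = math.MaxUint32

	DefaultWriteContextByteLimit = 32 * 1_024 // 32KB

	// Caches are off by default; TTLs apply only once the corresponding cache is enabled.
	DefaultCacheLimit                   = 10000
	DefaultCacheControllerEnabled       = false
	DefaultCacheControllerTTL           = 10 * time.Second
	DefaultCheckQueryCacheEnabled       = false
	DefaultCheckQueryCacheTTL           = 10 * time.Second
	DefaultCheckIteratorCacheEnabled    = false
	DefaultCheckIteratorCacheMaxResults = 10000

	// Care should be taken here - decreasing can cause API compatibility problems with Conditions.
	DefaultMaxConditionEvaluationCost = 100

	DefaultInterruptCheckFrequency = 100

	// Check dispatch throttling (disabled by default).
	DefaultCheckDispatchThrottlingEnabled          = false
	DefaultCheckDispatchThrottlingFrequency        = 10 * time.Microsecond
	DefaultCheckDispatchThrottlingDefaultThreshold = 100
	DefaultCheckDispatchThrottlingMaxThreshold     = 0 // 0 means use the default threshold as max

	// Batch Check.
	DefaultMaxChecksPerBatchCheck           = 50
	DefaultMaxConcurrentChecksPerBatchCheck = 50

	// ListObjects dispatch throttling (disabled by default).
	DefaultListObjectsDispatchThrottlingEnabled          = false
	DefaultListObjectsDispatchThrottlingFrequency        = 10 * time.Microsecond
	DefaultListObjectsDispatchThrottlingDefaultThreshold = 100
	DefaultListObjectsDispatchThrottlingMaxThreshold     = 0 // 0 means use the default threshold as max

	// ListUsers dispatch throttling (disabled by default).
	DefaultListUsersDispatchThrottlingEnabled          = false
	DefaultListUsersDispatchThrottlingFrequency        = 10 * time.Microsecond
	DefaultListUsersDispatchThrottlingDefaultThreshold = 100
	DefaultListUsersDispatchThrottlingMaxThreshold     = 0 // 0 means use the default threshold as max

	DefaultRequestTimeout = 3 * time.Second
)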
Variables ¶
This section is empty.
Functions ¶
func DefaultContextTimeout ¶ added in v1.5.4
DefaultContextTimeout returns the runtime DefaultContextTimeout. If requestTimeout > 0, the middleware is expected to enforce the timeout and runtime.DefaultContextTimeout serves only as a last resort. Otherwise, the HTTP upstream timeout is used when HTTP is enabled.
func MaxConditionEvaluationCost ¶ added in v1.5.5
func MaxConditionEvaluationCost() uint64
MaxConditionEvaluationCost ensures a safe value for CEL evaluation cost.
Types ¶
type AccessControlConfig ¶ added in v1.7.0
AccessControlConfig is the configuration for the access control feature.
type AuthnConfig ¶
// AuthnConfig defines OpenFGA server configurations for authentication specific settings.
type AuthnConfig struct {
	// Method is the authentication method that should be enforced (e.g. 'none', 'preshared',
	// 'oidc'). With 'none', no authentication is enforced on incoming requests.
	Method string

	// Settings for the 'oidc' method, bound from the "oidc" configuration key.
	// NOTE(review): only the OIDC settings are embedded on this listing; confirm where the
	// 'preshared' method's AuthnPresharedKeyConfig is wired in.
	*AuthnOIDCConfig `mapstructure:"oidc"`
}
AuthnConfig defines OpenFGA server configurations for authentication specific settings.
type AuthnOIDCConfig ¶
// AuthnOIDCConfig defines configurations for the 'oidc' method of authentication.
//
// The per-field descriptions below follow from the field names; the exact token
// validation and matching rules live in the OIDC authenticator, not on this page.
type AuthnOIDCConfig struct {
	// Issuer is the token issuer the server expects.
	Issuer string
	// IssuerAliases are additional issuer values accepted alongside Issuer.
	IssuerAliases []string
	// Subjects restricts which token subjects are accepted — presumably an allow-list; confirm.
	Subjects []string
	// Audience is the token audience the server expects.
	Audience string
	// ClientIDClaims lists the claim names consulted to derive the client id.
	ClientIDClaims []string
}
AuthnOIDCConfig defines configurations for the 'oidc' method of authentication.
type AuthnPresharedKeyConfig ¶
// AuthnPresharedKeyConfig defines configurations for the 'preshared' method of authentication.
type AuthnPresharedKeyConfig struct {
	// Keys holds the accepted preshared keys. The json:"-" tag keeps the secret out of any
	// JSON serialization of the config (e.g. when the config is logged).
	Keys []string `json:"-"` // private field, won't be logged
}
AuthnPresharedKeyConfig defines configurations for the 'preshared' method of authentication.
type CacheConfig ¶ added in v1.7.0
// CacheConfig holds the shared cache settings referenced from Config.Cache.
type CacheConfig struct {
	// Limit is the cache size limit; presumably populated from DefaultCacheLimit — confirm in DefaultConfig.
	Limit uint32
}
type CheckIteratorCacheConfig ¶ added in v1.7.0
type CheckQueryCache ¶
CheckQueryCache defines configuration for caching when resolving check.
type Config ¶
// Config holds the knobs used to configure an OpenFGA standalone server.
// DefaultConfig returns the defaults; VerifyServerSettings and VerifyBinarySettings
// are the validation entry points (their descriptions are not on this page).
type Config struct {
	// ListObjectsDeadline defines the maximum amount of time to accumulate ListObjects results
	// before the server will respond. This is to protect the server from misuse of the
	// ListObjects endpoints. It cannot be larger than HTTPConfig.UpstreamTimeout.
	ListObjectsDeadline time.Duration
	// ListObjectsMaxResults defines the maximum number of results to accumulate
	// before the non-streaming ListObjects API will respond to the client.
	// This is to protect the server from misuse of the ListObjects endpoints.
	ListObjectsMaxResults uint32
	// ListUsersDeadline defines the maximum amount of time to accumulate ListUsers results
	// before the server will respond. This is to protect the server from misuse of the
	// ListUsers endpoints. It cannot be larger than the configured server's request timeout
	// (RequestTimeout or HTTPConfig.UpstreamTimeout).
	ListUsersDeadline time.Duration
	// ListUsersMaxResults defines the maximum number of results to accumulate
	// before the non-streaming ListUsers API will respond to the client.
	// This is to protect the server from misuse of the ListUsers endpoints.
	ListUsersMaxResults uint32
	// MaxTuplesPerWrite defines the maximum number of tuples per Write endpoint.
	MaxTuplesPerWrite int
	// MaxChecksPerBatchCheck defines the maximum number of tuples
	// that can be passed in each BatchCheck request.
	MaxChecksPerBatchCheck uint32
	// MaxConcurrentChecksPerBatchCheck defines the maximum number of checks
	// that can be run simultaneously.
	MaxConcurrentChecksPerBatchCheck uint32
	// MaxTypesPerAuthorizationModel defines the maximum number of type definitions per
	// authorization model for the WriteAuthorizationModel endpoint.
	MaxTypesPerAuthorizationModel int
	// MaxAuthorizationModelSizeInBytes defines the maximum size in bytes allowed for
	// persisting an Authorization Model.
	MaxAuthorizationModelSizeInBytes int
	// MaxConcurrentReadsForListObjects defines the maximum number of concurrent database reads
	// allowed in ListObjects queries.
	MaxConcurrentReadsForListObjects uint32
	// MaxConcurrentReadsForCheck defines the maximum number of concurrent database reads allowed in
	// Check queries.
	MaxConcurrentReadsForCheck uint32
	// MaxConcurrentReadsForListUsers defines the maximum number of concurrent database reads
	// allowed in ListUsers queries.
	MaxConcurrentReadsForListUsers uint32
	// MaxConditionEvaluationCost defines the maximum cost for CEL condition evaluation before a
	// request returns an error. Lowering it can reject conditions that previously evaluated
	// (see the note on DefaultMaxConditionEvaluationCost).
	MaxConditionEvaluationCost uint64
	// ChangelogHorizonOffset is an offset in minutes from the current time. Changes that occur
	// after this offset will not be included in the response of ReadChanges.
	ChangelogHorizonOffset int
	// Experimentals is a list of the experimental features to enable in the OpenFGA server.
	Experimentals []string
	// AccessControl is the configuration for the access control feature.
	AccessControl AccessControlConfig
	// ResolveNodeLimit indicates how deeply nested an authorization model can be before a query
	// errors out.
	ResolveNodeLimit uint32
	// ResolveNodeBreadthLimit indicates how many nodes on a given level can be evaluated
	// concurrently in a query.
	ResolveNodeBreadthLimit uint32
	// RequestTimeout configures request timeout. If both HTTP upstream timeout and request timeout
	// are specified, request timeout will be prioritized.
	RequestTimeout time.Duration
	// ContextPropagationToDatastore enables propagation of a request's context to the datastore,
	// thereby receiving API cancellation signals.
	ContextPropagationToDatastore bool

	// Datastore holds datastore specific settings (engine, URI, credentials, pool sizing).
	Datastore DatastoreConfig
	// GRPC holds grpc server specific settings.
	GRPC GRPCConfig
	// HTTP holds HTTP server specific settings, including TLS and CORS.
	HTTP HTTPConfig
	// Authn selects and configures the authentication method enforced by the server.
	Authn AuthnConfig
	// Log holds log format, level and timestamp settings.
	Log LogConfig
	// Trace holds tracing settings, including the OTLP exporter.
	Trace TraceConfig
	// Playground holds Playground specific settings.
	Playground PlaygroundConfig
	// Profiler holds pprof profiling settings.
	Profiler ProfilerConfig
	// Metrics holds custom metrics serving settings.
	Metrics MetricConfig
	// Cache holds the shared cache settings.
	Cache CacheConfig
	// CheckIteratorCache configures the check iterator cache.
	CheckIteratorCache CheckIteratorCacheConfig
	// CheckQueryCache configures caching when resolving check.
	CheckQueryCache CheckQueryCache
	// DispatchThrottling is the shared dispatch throttling setting. For Check it is overridden
	// by CheckDispatchThrottling where that holds a non-zero value (see
	// GetCheckDispatchThrottlingConfig); presumably the ListObjects/ListUsers variants follow
	// the same pattern — confirm.
	DispatchThrottling DispatchThrottlingConfig
	// CheckDispatchThrottling is the Check-specific dispatch throttling override.
	CheckDispatchThrottling DispatchThrottlingConfig
	// ListObjectsDispatchThrottling is the ListObjects-specific dispatch throttling setting.
	ListObjectsDispatchThrottling DispatchThrottlingConfig
	// ListUsersDispatchThrottling is the ListUsers-specific dispatch throttling setting.
	ListUsersDispatchThrottling DispatchThrottlingConfig
	// RequestDurationDatastoreQueryCountBuckets and RequestDurationDispatchCountBuckets look like
	// bucket boundaries for request-duration metrics keyed by query/dispatch count — assumed from
	// the names; the metric definitions are not on this page.
	RequestDurationDatastoreQueryCountBuckets []string
	RequestDurationDispatchCountBuckets       []string
}
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig is the OpenFGA server default configurations.
func MustDefaultConfig ¶ added in v1.5.2
func MustDefaultConfig() *Config
MustDefaultConfig returns default server config with the playground, tracing and metrics turned off.
func (*Config) VerifyBinarySettings ¶ added in v1.7.0
func (*Config) VerifyCheckDispatchThrottlingConfig ¶ added in v1.5.4
VerifyCheckDispatchThrottlingConfig ensures GetCheckDispatchThrottlingConfig is called first, so that the effective (merged) Check throttling values are the ones verified.
func (*Config) VerifyServerSettings ¶ added in v1.7.0
type DatastoreConfig ¶
// DatastoreConfig defines OpenFGA server configurations for datastore specific settings.
type DatastoreConfig struct {
	// Engine is the datastore engine to use (e.g. 'memory', 'postgres', 'mysql', 'sqlite')
	Engine string
	// URI is the datastore connection string. Excluded from JSON serialization because it may
	// embed credentials.
	URI string `json:"-"` // private field, won't be logged
	// Username is the datastore user. Note it carries no json:"-" tag, unlike URI and Password,
	// so it is included when the config is serialized.
	Username string
	// Password is the datastore password; excluded from JSON serialization.
	Password string `json:"-"` // private field, won't be logged
	// MaxCacheSize is the maximum number of authorization models that will be cached in memory.
	MaxCacheSize int
	// MaxOpenConns is the maximum number of open connections to the database.
	MaxOpenConns int
	// MaxIdleConns is the maximum number of connections to the datastore in the idle connection
	// pool.
	MaxIdleConns int
	// ConnMaxIdleTime is the maximum amount of time a connection to the datastore may be idle.
	ConnMaxIdleTime time.Duration
	// ConnMaxLifetime is the maximum amount of time a connection to the datastore may be reused.
	ConnMaxLifetime time.Duration
	// Metrics is configuration for the Datastore metrics.
	Metrics DatastoreMetricsConfig
}
DatastoreConfig defines OpenFGA server configurations for datastore specific settings.
type DatastoreMetricsConfig ¶ added in v1.3.5
// DatastoreMetricsConfig controls export of the Datastore metrics.
type DatastoreMetricsConfig struct {
	// Enabled enables export of the Datastore metrics.
	Enabled bool
}
type DispatchThrottlingConfig ¶ added in v1.5.1
// DispatchThrottlingConfig defines configurations for dispatch throttling.
// The same shape is used for the shared setting and the per-API (Check, ListObjects,
// ListUsers) settings on Config.
type DispatchThrottlingConfig struct {
	// Enabled turns dispatch throttling on; the Default*DispatchThrottlingEnabled constants are false.
	Enabled bool
	// Frequency is the throttling interval (defaults are 10 microseconds).
	Frequency time.Duration
	// Threshold is the default dispatch threshold (defaults are 100).
	Threshold uint32
	// MaxThreshold is the upper bound on the threshold; 0 means use the default threshold as max.
	MaxThreshold uint32
}
DispatchThrottlingConfig defines configurations for dispatch throttling.
func GetCheckDispatchThrottlingConfig ¶ added in v1.5.4
func GetCheckDispatchThrottlingConfig(logger logger.Logger, config *Config) DispatchThrottlingConfig
GetCheckDispatchThrottlingConfig is used to get the DispatchThrottlingConfig value for Check. To avoid a breaking change, the value is taken from config.DispatchThrottling and overridden with config.CheckDispatchThrottling where that holds a non-zero value.
type GRPCConfig ¶
GRPCConfig defines OpenFGA server configurations for grpc server specific settings.
type HTTPConfig ¶
// HTTPConfig defines OpenFGA server configurations for HTTP server specific settings.
type HTTPConfig struct {
	// Enabled turns the HTTP server on.
	Enabled bool
	// Addr is the listen address of the HTTP server.
	Addr string
	// TLS holds the TLS settings for the HTTP listener. It is a pointer, so it may be nil;
	// presumably nil is treated like TLS disabled — confirm in the server setup.
	TLS *TLSConfig
	// UpstreamTimeout is the timeout duration for proxying HTTP requests upstream
	// to the grpc endpoint. It cannot be smaller than Config.ListObjectsDeadline.
	UpstreamTimeout time.Duration
	// CORSAllowedOrigins lists the origins allowed by the CORS policy.
	CORSAllowedOrigins []string
	// CORSAllowedHeaders lists the request headers allowed by the CORS policy.
	CORSAllowedHeaders []string
}
HTTPConfig defines OpenFGA server configurations for HTTP server specific settings.
type LogConfig ¶
// LogConfig defines OpenFGA server configurations for log specific settings.
// For production the 'json' log format is recommended.
type LogConfig struct {
	// Format is the log format to use in the log output (e.g. 'text' or 'json')
	Format string
	// Level is the log level to use in the log output (e.g. 'none', 'debug', or 'info')
	Level string
	// TimestampFormat is the format of the timestamp in the log output (e.g. 'Unix'(default) or 'ISO8601')
	TimestampFormat string
}
LogConfig defines OpenFGA server configurations for log specific settings. For production we recommend using the 'json' log format.
type MetricConfig ¶
MetricConfig defines configurations for serving custom metrics from OpenFGA.
type OTLPTraceConfig ¶
// OTLPTraceConfig configures the OTLP trace exporter used when tracing is enabled.
type OTLPTraceConfig struct {
	// Endpoint is the OTLP collector endpoint traces are exported to.
	Endpoint string
	// TLS controls whether the connection to Endpoint uses TLS.
	TLS OTLPTraceTLSConfig
}
type OTLPTraceTLSConfig ¶
// OTLPTraceTLSConfig holds the TLS setting for the OTLP trace exporter.
type OTLPTraceTLSConfig struct {
	// Enabled turns on TLS for the exporter connection. Only an on/off switch is exposed here;
	// certificate verification settings are not part of this type.
	Enabled bool
}
type PlaygroundConfig ¶
PlaygroundConfig defines OpenFGA server configurations for the Playground specific settings.
type ProfilerConfig ¶
ProfilerConfig defines server configurations specific to pprof profiling.
type TLSConfig ¶
// TLSConfig defines configuration specific to Transport Layer Security (TLS) settings.
type TLSConfig struct {
	// Enabled turns TLS on for the listener this config belongs to.
	Enabled bool
	// CertPath is the path to the certificate file, bound from the "cert" configuration key.
	CertPath string `mapstructure:"cert"`
	// KeyPath is the path to the private key file, bound from the "key" configuration key.
	// The key is read from disk; the path itself is not secret.
	KeyPath string `mapstructure:"key"`
}
TLSConfig defines configuration specific to Transport Layer Security (TLS) settings.
type TraceConfig ¶
// TraceConfig defines the tracing settings for the OpenFGA server.
type TraceConfig struct {
	// Enabled turns tracing on.
	Enabled bool
	// OTLP configures the OTLP exporter, bound from the "otlp" configuration key.
	OTLP OTLPTraceConfig `mapstructure:"otlp"`
	// SampleRatio is the trace sampling ratio.
	SampleRatio float64
	// ServiceName is the service name reported on exported traces.
	ServiceName string
}