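---
# opentdf-example.yaml -- LOCAL DEVELOPMENT configuration for the OpenTDF platform.
#
# Review notes (each is expanded in an inline comment next to the setting):
#   - placeholder secrets are committed in clear text (db.password, entityresolution.clientsecret)
#   - server.auth.enforceDPoP is off, so access tokens are usable as plain bearer tokens
#   - Keycloak (entity resolution and token issuer) is reached over plain http://
#   - CORS allows any origin ("*") while also allowing credentials
#   - gRPC server reflection is enabled
#   - logger.level is debug
# All of these are reasonable on a developer workstation; none should be carried
# unchanged into a shared or production deployment.

logger:
  # debug output may include request and claim details; use info/warn outside local dev.
  level: debug
  type: text
  output: stdout

# DB and Server configurations are defaulted for local development
db:
  host: opentdfdb
  # port: 5432
  # user: postgres
  # Do not commit a real database password here; provide it at deploy time
  # through an environment variable or secret store. Placeholder shown for reference:
  # password: changeme

# mode: all

services:
  kas:
    # Key ids must match `kid` entries under server.cryptoProvider.standard.keys below.
    eccertid: e1
    rsacertid: r1
  entityresolution:
    # Plain http:// is acceptable only inside a private dev network; use https:// elsewhere.
    url: http://keycloak:8888/auth
    clientid: "tdf-entity-resolution"
    # Placeholder client secret. Rotate it and inject the real value from a
    # secret store rather than committing it to this file.
    clientsecret: "secret"
    realm: "opentdf"
    legacykeycloak: true
    inferid:
      from:
        email: true
        username: true
  # policy is enabled by default in mode 'all'
  # policy:
  #   enabled: true
  #   list_request_limit_default: 1000
  #   list_request_limit_max: 2500

server:
  auth:
    enabled: true
    # false => a DPoP proof-of-possession is not required, so access tokens are
    # accepted as plain bearer tokens and a leaked token can be replayed from any
    # client. Set to true once every client can send DPoP proofs.
    enforceDPoP: false
    public_client_id: "opentdf-public"
    # Expected `aud` of incoming tokens; keep in sync with the URL clients use
    # to reach this server (port 8080 below).
    audience: "http://localhost:8080"
    # Expected `iss` of incoming tokens. http:// here means issuer metadata and
    # keys are fetched in cleartext -- dev only.
    issuer: http://keycloak:8888/auth/realms/opentdf
    policy:
      ## Dot notation is used to access nested claims (i.e. realm_access.roles)
      # Claim that represents the user (i.e. email).
      # Left empty (YAML null) so the builtin default applies.
      username_claim: # preferred_username
      # Claim that carries the user's groups (i.e. realm_access.roles).
      # Left empty (YAML null) so the builtin default applies.
      groups_claim: # realm_access.roles
      ## Extends the builtin policy
      # Casbin `g` (grouping) rules: a subject matching the first column is
      # granted the role in the second. The subject values presumably come from
      # the groups claim configured above -- confirm against the platform docs.
      extension: |
        g, opentdf-admin, role:admin
        g, opentdf-standard, role:standard
      ## Custom policy that overrides builtin policy (see examples https://github.com/casbin/casbin/tree/master/examples)
      # Empty (null) keeps the builtin policy. Uncomment the `|` and the rules
      # below to replace it entirely; a replacement removes the builtin rules,
      # so review the full rule set before enabling.
      csv: #|
        # p, role:admin, *, *, allow
      ## Custom model (see https://casbin.org/docs/syntax-for-models/)
      # Empty (null) keeps the builtin model.
      model: #|
        # [request_definition]
        # r = sub, res, act, obj
        #
        # [policy_definition]
        # p = sub, res, act, obj, eft
        #
        # [role_definition]
        # g = _, _
        #
        # [policy_effect]
        # e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
        #
        # [matchers]
        # m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
  cors:
    # "*" to allow any origin or a specific domain like "https://yourdomain.com"
    # SECURITY: "*" together with allowcredentials: true (below) is the one CORS
    # combination to avoid outside local dev. Browsers reject a literal
    # `Access-Control-Allow-Origin: *` on credentialed requests, and a server that
    # instead echoes the request Origin would let any website make credentialed
    # calls to this API. List explicit origins for any shared deployment.
    allowedorigins:
      - "*"
    # List of methods. Examples: "GET,POST,PUT"
    allowedmethods:
      - GET
      - POST
      - PATCH
      - PUT
      - DELETE
      - OPTIONS
    # List of headers that are allowed in a request
    allowedheaders:
      - ACCEPT
      - Authorization
      - Content-Type
      - X-CSRF-Token
    # List of response headers that browsers are allowed to access
    exposedheaders:
      - Link
    # Sets whether credentials are included in the CORS request (see the
    # allowedorigins note above before enabling this with a wildcard origin)
    allowcredentials: true
    # Sets the maximum age (in seconds) of a specific CORS preflight request
    maxage: 3600
  grpc:
    # Reflection exposes every service and message descriptor to any client
    # (useful for grpcurl in dev); keep the default (false) in production.
    reflectionEnabled: true # Default is false
  cryptoProvider:
    type: standard
    standard:
      # Keys referenced by services.kas.rsacertid / services.kas.eccertid above.
      # The private key files must be readable only by the platform process and
      # must never be committed to the repository.
      keys:
        - kid: r1
          alg: rsa:2048
          private: /keys/kas-private.pem
          cert: /keys/kas-cert.pem
        - kid: e1
          alg: ec:secp256r1
          private: /keys/kas-ec-private.pem
          cert: /keys/kas-ec-cert.pem
  port: 8080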