github.com/openfga/openfga@v1.5.4-rc1/.config-schema.json (about) 1 { 2 "properties": { 3 "maxTuplesPerWrite": { 4 "description": "The maximum allowed number of tuples per Write transaction.", 5 "type": "integer", 6 "default": 100, 7 "x-env-variable": "OPENFGA_MAX_TUPLES_PER_WRITE" 8 }, 9 "maxTypesPerAuthorizationModel": { 10 "description": "The maximum allowed number of type definitions per authorization model.", 11 "type": "integer", 12 "default": 100, 13 "x-env-variable": "OPENFGA_MAX_TYPES_PER_AUTHORIZATION_MODEL" 14 }, 15 "maxAuthorizationModelSizeInBytes": { 16 "description": "The maximum size in bytes allowed for persisting an Authorization Model (default is 256KB).", 17 "type": "integer", 18 "default": 262144, 19 "x-env-variable": "OPENFGA_MAX_AUTHORIZATION_MODEL_SIZE_IN_BYTES" 20 }, 21 "maxConcurrentReadsForCheck": { 22 "description": "The maximum allowed number of concurrent reads in a single Check query (default is MaxUint32).", 23 "type": "integer", 24 "default": 4294967295, 25 "x-env-variable": "OPENFGA_MAX_CONCURRENT_READS_FOR_CHECK" 26 }, 27 "maxConcurrentReadsForListObjects": { 28 "description": "The maximum allowed number of concurrent reads in a single ListObjects query (default is MaxUint32).", 29 "type": "integer", 30 "default": 4294967295, 31 "x-env-variable": "OPENFGA_MAX_CONCURRENT_READS_FOR_LIST_OBJECTS" 32 }, 33 "maxConcurrentReadsForListUsers": { 34 "description": "The maximum allowed number of concurrent reads in a single ListUsers query (default is MaxUint32).", 35 "type": "integer", 36 "default": 4294967295, 37 "x-env-variable": "OPENFGA_MAX_CONCURRENT_READS_FOR_LIST_USERS" 38 }, 39 "changelogHorizonOffset": { 40 "description": "The offset (in minutes) from the current time. 
Changes that occur after this offset will not be included in the response of ReadChanges.", 41 "type": "integer", 42 "default": 0, 43 "x-env-variable": "OPENFGA_CHANGELOG_HORIZON_OFFSET" 44 }, 45 "resolveNodeLimit": { 46 "description": "Maximum resolution depth to attempt before throwing an error (defines how deeply nested an authorization model can be before a query errors out).", 47 "type": "integer", 48 "default": 25, 49 "x-env-variable": "OPENFGA_RESOLVE_NODE_LIMIT" 50 }, 51 "resolveNodeBreadthLimit": { 52 "description": "Defines how many nodes on a given level can be evaluated concurrently in a Check resolution tree.", 53 "type": "integer", 54 "default": 100, 55 "x-env-variable": "OPENFGA_RESOLVE_NODE_BREADTH_LIMIT" 56 }, 57 "listObjectsDeadline": { 58 "description": "The timeout deadline for serving ListObjects requests", 59 "type": "string", 60 "format": "duration", 61 "default": "3s", 62 "x-env-variable": "OPENFGA_LIST_OBJECTS_DEADLINE" 63 }, 64 "listObjectsMaxResults": { 65 "description": "The maximum results to return in the non-streaming ListObjects API response. If 0, all results can be returned", 66 "type": "integer", 67 "minimum": 0, 68 "default": 1000, 69 "x-env-variable": "OPENFGA_LIST_OBJECTS_MAX_RESULTS" 70 }, 71 "listUsersDeadline": { 72 "description": "The timeout deadline for serving ListUsers requests. If 0s, there is no deadline", 73 "type": "string", 74 "format": "duration", 75 "default": "3s", 76 "x-env-variable": "OPENFGA_LIST_USERS_DEADLINE" 77 }, 78 "listUsersMaxResults": { 79 "description": "The maximum results to return in ListUsers API response. 
If 0, all results can be returned", 80 "type": "integer", 81 "minimum": 0, 82 "default": 1000, 83 "x-env-variable": "OPENFGA_LIST_USERS_MAX_RESULTS" 84 }, 85 "requestDurationDatastoreQueryCountBuckets": { 86 "description": "Datastore query count buckets used to label the histogram metric for measuring request duration.", 87 "type": "array", 88 "items": { 89 "minimum": 0, 90 "type": "integer" 91 }, 92 "minItems": 1, 93 "default": [50, 200], 94 "x-env-variable": "OPENFGA_REQUEST_DURATION_DATASTORE_QUERY_COUNT_BUCKETS" 95 }, 96 "requestDurationDispatchCountBuckets": { 97 "description": "Dispatch count buckets used to label the histogram metric for measuring request duration.", 98 "type": "array", 99 "items": { 100 "minimum": 0, 101 "type": "integer" 102 }, 103 "minItems": 1, 104 "default": [50, 200], 105 "x-env-variable": "OPENFGA_REQUEST_DURATION_DISPATCH_COUNT_BUCKETS" 106 }, 107 "experimentals": { 108 "description": "a list of experimental features to enable", 109 "type": "array", 110 "items": { 111 "type": "string", 112 "enum": ["enable-list-users"] 113 }, 114 "default": [], 115 "x-env-variable": "OPENFGA_EXPERIMENTALS" 116 }, 117 "playground": { 118 "type": "object", 119 "properties": { 120 "enabled": { 121 "description": "Enable/disable the OpenFGA Playground.", 122 "type": "boolean", 123 "default": true, 124 "x-env-variable": "OPENFGA_PLAYGROUND_ENABLED" 125 }, 126 "port": { 127 "description": "The port to serve the local OpenFGA Playground on.", 128 "type": "integer", 129 "default": 3000, 130 "x-env-variable": "OPENFGA_PLAYGROUND_PORT" 131 } 132 } 133 }, 134 "profiler": { 135 "type": "object", 136 "properties": { 137 "enabled": { 138 "description": "Enable/disable pprof profiling.", 139 "type": "boolean", 140 "default": false, 141 "x-env-variable": "OPENFGA_PROFILER_ENABLED" 142 }, 143 "addr": { 144 "description": "The host:port address to serve the pprof profiler server on.", 145 "type": "string", 146 "default": ":3001", 147 "x-env-variable": 
"OPENFGA_PROFILER_ADDR" 148 } 149 } 150 }, 151 "datastore": { 152 "type": "object", 153 "properties": { 154 "engine": { 155 "description": "The datastore engine that will be used for persistence.", 156 "type": "string", 157 "enum": ["memory", "postgres", "mysql"], 158 "default": "memory", 159 "x-env-variable": "OPENFGA_DATASTORE_ENGINE" 160 }, 161 "uri": { 162 "description": "The connection uri to use to connect to the datastore (for any engine other than 'memory').", 163 "type": "string", 164 "examples": [ 165 "postgres://user:pass@host:port/datastore?opts", 166 "user:pass@tcp(mysql-host:port)/datastore?parseTime=true&other-opts" 167 ], 168 "x-env-variable": "OPENFGA_DATASTORE_URI" 169 }, 170 "username": { 171 "description": "The connection username to connect to the datastore (overwrites any username provided in the connection uri).", 172 "type": "string", 173 "x-env-variable": "OPENFGA_DATASTORE_USERNAME" 174 }, 175 "password": { 176 "description": "The connection password to connect to the datastore (overwrites any password provided in the connection uri).", 177 "type": "string", 178 "x-env-variable": "OPENFGA_DATASTORE_PASSWORD" 179 }, 180 "maxCacheSize": { 181 "description": "The maximum number of cache keys that the storage cache can store before evicting old keys.", 182 "type": "integer", 183 "default": 100000, 184 "x-env-variable": "OPENFGA_DATASTORE_MAX_CACHE_SIZE" 185 }, 186 "maxOpenConns": { 187 "description": "The maximum number of open connections to the datastore.", 188 "type": "integer", 189 "default": "30", 190 "x-env-variable": "OPENFGA_DATASTORE_MAX_OPEN_CONNS" 191 }, 192 "maxIdleConns": { 193 "description": "the maximum number of connections to the datastore in the idle connection pool.", 194 "type": "integer", 195 "default": "10", 196 "x-env-variable": "OPENFGA_DATASTORE_MAX_IDLE_CONNS" 197 }, 198 "connMaxIdleTime": { 199 "description": "the maximum amount of time a connection to the datastore may be idle", 200 "type": "duration", 201 
"default": "connections are not closed due to idle time - database/sql default", 202 "x-env-variable": "OPENFGA_DATASTORE_CONN_MAX_IDLE_TIME" 203 }, 204 "connMaxLifetime": { 205 "description": "the maximum amount of time a connection to the datastore may be reused", 206 "type": "duration", 207 "default": "connections are not closed due to connection's age - database/sql default", 208 "x-env-variable": "OPENFGA_DATASTORE_CONN_MAX_LIFETIME" 209 }, 210 "metrics": { 211 "type": "object", 212 "properties": { 213 "enabled": { 214 "description": "enable/disable sql metrics for the datastore", 215 "type": "boolean", 216 "default": false, 217 "x-env-variable": "OPENFGA_DATASTORE_METRICS_ENABLED" 218 } 219 } 220 } 221 } 222 }, 223 "authn": { 224 "type": "object", 225 "properties": { 226 "method": { 227 "description": "The authentication method to use.", 228 "type": "string", 229 "enum": ["none", "preshared", "oidc"], 230 "default": "none", 231 "x-env-variable": "OPENFGA_AUTHN_METHOD" 232 }, 233 "preshared": { 234 "description": "One or more preshared keys to use for authentication. This must be set if `authn.method=preshared'.", 235 "$ref": "#/definitions/preshared" 236 }, 237 "oidc": { 238 "description": "The OIDC provider specific settings. 
This must be set if 'authn.method=oidc'.", 239 "$ref": "#/definitions/oidc" 240 } 241 242 } 243 }, 244 "grpc": { 245 "type": "object", 246 "properties": { 247 "addr": { 248 "description": "The host:port address to serve the grpc server on.", 249 "type": "string", 250 "default": "0.0.0.0:8081", 251 "x-env-variable": "OPENFGA_GRPC_ADDR" 252 }, 253 "tls": { 254 "type": "object", 255 "properties": { 256 "enabled": { 257 "description": "Enables or disables transport layer security (TLS).", 258 "type": "boolean", 259 "default": false, 260 "x-env-variable": "OPENFGA_GRPC_TLS_ENABLED" 261 }, 262 "cert": { 263 "description": "The (absolute) file path of the certificate to use for the TLS connection.", 264 "type": "string", 265 "x-env-variable": "OPENFGA_GRPC_TLS_CERT" 266 }, 267 "key": { 268 "description": "The (absolute) file path of the TLS key that should be used for the TLS connection.", 269 "x-env-variable": "OPENFGA_GRPC_TLS_KEY" 270 } 271 }, 272 "required": ["enabled", "cert", "key"] 273 } 274 } 275 }, 276 "http": { 277 "type": "object", 278 "properties": { 279 "enabled": { 280 "description": "Enables or disables the OpenFGA HTTP server. 
If this is set to true then 'grpc.enabled' must be set to true.", 281 "type": "boolean", 282 "default": true, 283 "x-env-variable": "OPENFGA_HTTP_ENABLED" 284 }, 285 "addr": { 286 "description": "The host:port address to serve the HTTP server on.", 287 "type": "string", 288 "default": "0.0.0.0:8080", 289 "x-env-variable": "OPENFGA_HTTP_ADDR" 290 }, 291 "tls": { 292 "type": "object", 293 "properties": { 294 "enabled": { 295 "description": "Enables or disables transport layer security (TLS).", 296 "type": "boolean", 297 "default": false, 298 "x-env-variable": "OPENFGA_HTTP_TLS_ENABLED" 299 }, 300 "cert": { 301 "description": "The (absolute) file path of the certificate to use for the TLS connection.", 302 "type": "string", 303 "x-env-variable": "OPENFGA_HTTP_TLS_CERT" 304 }, 305 "key": { 306 "description": "The (absolute) file path of the TLS key that should be used for the TLS connection.", 307 "x-env-variable": "OPENFGA_HTTP_TLS_KEY" 308 } 309 }, 310 "required": ["enabled", "cert", "key"] 311 }, 312 "upstreamTimeout": { 313 "description": "The timeout duration for proxying HTTP requests upstream to the grpc endpoint.", 314 "type": "string", 315 "default": "3s", 316 "x-env-variable": "OPENFGA_HTTP_UPSTREAM_TIMEOUT" 317 }, 318 "corsAllowedOrigins": { 319 "type": "array", 320 "items": { 321 "type": "string" 322 }, 323 "default": ["*"], 324 "x-env-variable": "OPENFGA_HTTP_CORS_ALLOWED_ORIGINS" 325 }, 326 "corsAllowedHeaders": { 327 "type": "array", 328 "items": { 329 "type": "string" 330 }, 331 "default": ["*"], 332 "x-env-variable": "OPENFGA_HTTP_CORS_ALLOWED_HEADERS" 333 } 334 } 335 }, 336 "log": { 337 "type": "object", 338 "properties": { 339 "format": { 340 "description": "The log format to output logs in. For production we recommend 'json' format.", 341 "type": "string", 342 "enum": ["text", "json"], 343 "default": "text", 344 "x-env-variable": "OPENFGA_LOG_FORMAT" 345 }, 346 "level": { 347 "description": "The log level to set. 
For production we recommend the 'info' level.", 348 "type": "string", 349 "enum": ["none", "debug", "info", "warn", "error", "panic", "fatal"], 350 "default": "info", 351 "x-env-variable": "OPENFGA_LOG_LEVEL" 352 }, 353 "timestampFormat": { 354 "description": "The timestamp format to use for the log output.", 355 "type": "string", 356 "enum": ["Unix", "ISO8601"], 357 "default": "Unix", 358 "x-env-variable": "OPENFGA_LOG_TIMESTAMP_FORMAT" 359 } 360 } 361 }, 362 "trace": { 363 "type": "object", 364 "properties": { 365 "enabled": { 366 "description": "Enable tracing.", 367 "type": "bool", 368 "default": "false", 369 "x-env-variable": "OPENFGA_TRACE_ENABLED" 370 }, 371 "otlp": { 372 "type": "object", 373 "properties": { 374 "endpoint": { 375 "description": "The grpc endpoint of the trace collector", 376 "type": "string", 377 "default": "0.0.0.0:4317", 378 "x-env-variable": "OPENFGA_TRACE_OTLP_ENDPOINT" 379 }, 380 "tls": { 381 "type": "object", 382 "properties": { 383 "enabled": { 384 "description": "Whether to use TLS connection for the trace collector", 385 "type": "boolean", 386 "default": false, 387 "x-env-variable": "OPENFGA_TRACE_OTLP_TLS_ENABLED" 388 } 389 } 390 } 391 } 392 }, 393 "sampleRatio": { 394 "description": "The fraction of traces to sample. 
1 means all, 0 means none.", 395 "type": "float", 396 "default": "0.2", 397 "x-env-variable": "OPENFGA_TRACE_SAMPLE_RATIO" 398 }, 399 "serviceName": { 400 "description": "The service name included in sampled traces.", 401 "type": "string", 402 "default": "openfga", 403 "x-env-variable": "OPENFGA_TRACE_SERVICE_NAME" 404 } 405 } 406 }, 407 "metrics": { 408 "type": "object", 409 "properties": { 410 "enabled": { 411 "description": "enable/disable prometheus metrics on the '/metrics' endpoint", 412 "type": "bool", 413 "default": "true", 414 "x-env-variable": "OPENFGA_METRICS_ENABLED" 415 }, 416 "addr": { 417 "description": "the host:port address to serve the prometheus metrics server on", 418 "type": "string", 419 "default": "0.0.0.0:2112", 420 "x-env-variable": "OPENFGA_METRICS_ADDR" 421 }, 422 "enableRPCHistograms": { 423 "description": "enables prometheus histogram metrics for RPC latency distributions", 424 "type": "bool", 425 "default": "false", 426 "x-env-variable": "OPENFGA_METRICS_ENABLE_RPC_HISTOGRAMS" 427 } 428 } 429 }, 430 "checkQueryCache": { 431 "type": "object", 432 "properties": { 433 "enabled": { 434 "description": "when executing Check and ListObjects requests, enables caching. 
This will turn Check and ListObjects responses into eventually consistent responses", 435 "type": "bool", 436 "default": "false", 437 "x-env-variable": "OPENFGA_CHECK_QUERY_CACHE_ENABLED" 438 }, 439 "limit": { 440 "description": "if caching of Check and ListObjects calls is enabled, this is the size limit (in items) of the cache", 441 "type": "integer", 442 "default": "10000", 443 "x-env-variable": "OPENFGA_CHECK_QUERY_CACHE_LIMIT" 444 }, 445 "ttl": { 446 "description": "if caching of Check and ListObjects is enabled, this is the TTL of each value", 447 "type": "string", 448 "format": "duration", 449 "default": "10s", 450 "x-env-variable": "OPENFGA_CHECK_QUERY_CACHE_TTL" 451 } 452 } 453 }, 454 "dispatchThrottling": { 455 "type": "object", 456 "properties": { 457 "enabled": { 458 "description": "enable throttling when a request's number of dispatches is high", 459 "type": "bool", 460 "default": "false", 461 "x-env-variable": "OPENFGA_DISPATCH_THROTTLING_ENABLED" 462 }, 463 "frequency": { 464 "description": "the frequency period that the deprioritized throttling queue is evaluated. A higher value will result in more aggressive throttling", 465 "type": "duration", 466 "default": "10µs", 467 "x-env-variable": "OPENFGA_DISPATCH_THROTTLING_FREQUENCY" 468 }, 469 "threshold": { 470 "description": "define the number of recursive operations to occur before getting throttled", 471 "type": "integer", 472 "default": "100", 473 "x-env-variable": "OPENFGA_DISPATCH_THROTTLING_THRESHOLD" 474 }, 475 "maxThreshold": { 476 "description": "define the maximum dispatch threshold above which requests will be throttled. 
0 will use the 'dispatchThrottling.threshold' value as maximum", 477 "type": "integer", 478 "default": "0", 479 "x-env-variable": "OPENFGA_DISPATCH_THROTTLING_MAX_THRESHOLD" 480 } 481 } 482 }, 483 "requestTimeout": { 484 "description": "The timeout duration for a request.", 485 "type": "duration", 486 "default": "3s", 487 "x-env-variable": "OPENFGA_REQUEST_TIMEOUT" 488 } 489 }, 490 "definitions": { 491 "oidc": { 492 "type": "object", 493 "properties": { 494 "issuer": { 495 "description": "The OIDC issuer (authorization server) signing the tokens.", 496 "type": "string", 497 "x-env-variable": "OPENFGA_AUTHN_OIDC_ISSUER" 498 }, 499 "audience": { 500 "description": "The OIDC audience of the tokens being signed by the authorization server.", 501 "type": "string", 502 "x-env-variable": "OPENFGA_AUTHN_OIDC_AUDIENCE" 503 } 504 }, 505 "required": ["issuer", "audience"] 506 }, 507 "preshared": { 508 "type": "object", 509 "properties": { 510 "keys": { 511 "type": "array", 512 "items": { 513 "type": "string" 514 }, 515 "minItems": 1, 516 "x-env-variable": "OPENFGA_AUTHN_PRESHARED_KEYS" 517 } 518 }, 519 "required": ["keys"] 520 } 521 } 522 }