github.com/pelicanplatform/pelican@v1.0.5/docs/parameters.yaml (about) 1 # 2 # Copyright (C) 2023, Pelican Project, Morgridge Institute for Research 3 # 4 # Licensed under the Apache License, Version 2.0 (the "License"); you 5 # may not use this file except in compliance with the License. You may 6 # obtain a copy of the License at 7 # 8 # http://www.apache.org/licenses/LICENSE-2.0 9 # 10 # Unless required by applicable law or agreed to in writing, software 11 # distributed under the License is distributed on an "AS IS" BASIS, 12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 # See the License for the specific language governing permissions and 14 # limitations under the License. 15 # 16 17 # This file contains structured documentation about the Pelican parameters. 18 # While it is somewhat human-readable, it is meant to help with the documentation 19 # generation. 20 21 ############################ 22 # Top-Level Configs # 23 ############################ 24 --- 25 name: ConfigBase 26 description: >- 27 The directory containing the Pelican configurations and data when the utility 28 is run as non-root. Automatically configured; cannot be overridden. 29 default: "~/.config/pelican" 30 components: ["*"] 31 type: filename 32 --- 33 name: Debug 34 description: >- 35 A bool indicating whether Pelican should emit debug messages in its log. 36 type: bool 37 default: false 38 components: ["*"] 39 --- 40 name: TLSSkipVerify 41 description: >- 42 When set to true, Pelican will skip TLS verification. This allows a "man in the middle" attack on the connection but can simplify testing. Intended for developers. 
43 type: bool 44 default: false 45 components: ["origin", "nsregistry", "director"] 46 --- 47 name: IssuerKey 48 description: >- 49 A filepath to the file containing a PEM-encoded ECDSA private key, which will later be parsed 50 into a JWK and serves as the private key to sign various JWTs issued by this server. 51 52 A public JWK will be derived from this private key and used as the key for token verification. 53 type: filename 54 root_default: /etc/pelican/issuer.jwk 55 default: $ConfigBase/issuer.jwk 56 components: ["client", "nsregistry", "director"] 57 --- 58 name: Transport.DialerTimeout 59 description: >- 60 Maximum time allowed for establishing a connection to the target host. 61 type: duration 62 default: 10s 63 components: ["client", "nsregistry", "origin"] 64 --- 65 name: Transport.DialerKeepAlive 66 description: >- 67 Maximum time a TCP connection should be kept alive without any activity. 68 type: duration 69 default: 30s 70 components: ["client", "nsregistry", "origin"] 71 --- 72 name: Transport.MaxIdleConns 73 description: >- 74 Maximum number of idle connections that the HTTP client should maintain in its connection pool. 75 type: int 76 default: 30 77 components: ["client", "nsregistry", "origin"] 78 --- 79 name: Transport.IdleConnTimeout 80 description: >- 81 Maximum duration an idle connection should remain open in the connection pool. 82 type: duration 83 default: 90s 84 components: ["client", "nsregistry", "origin"] 85 --- 86 name: Transport.TLSHandshakeTimeout 87 description: >- 88 Maximum time allowed for the TLS handshake to complete when making an HTTPS connection. 89 type: duration 90 default: 15s 91 components: ["client", "nsregistry", "origin"] 92 --- 93 name: Transport.ExpectContinueTimeout 94 description: >- 95 Timeout to control how long the client should wait for the "Expect: 100-continue" response from the server before sending the request 96 body. 
97 type: duration 98 default: 1s 99 components: ["client", "nsregistry", "origin"] 100 --- 101 name: Transport.ResponseHeaderTimeout 102 description: >- 103 Maximum time the client should wait for the response headers to be received from the server 104 type: duration 105 default: 10s 106 components: ["client", "nsregistry", "origin"] 107 --- 108 109 ############################ 110 # Log-Level Configs # 111 ############################ 112 name: Logging.Level 113 description: >- 114 A string defining the log level of the client. Options include (going from most info to least): Trace, Debug, Info, Warn, Error, Fatal, Panic. 115 type: string 116 default: Error 117 components: ["*"] 118 --- 119 name: Logging.LogLocation 120 description: >- 121 A filename defining a file to write log outputs to, if the user desires. 122 type: filename 123 default: none 124 components: ["*"] 125 --- 126 127 ############################ 128 # Federation-Level Configs # 129 ############################ 130 name: Federation.DiscoveryUrl 131 description: >- 132 A URL pointing to the federation's metadata discovery host. 133 type: url 134 default: none 135 components: ["*"] 136 --- 137 name: Federation.TopologyNamespaceUrl 138 description: >- 139 A URL containing namespace information for origins and caches configured via the OSG Topology application (a legacy integration). The URL 140 should point to the hosted namespace.json. 141 type: url 142 osdf_default: https://topology.opensciencegrid.org/stashcache/namespaces.json 143 default: none 144 components: ["director", "nsregistry"] 145 --- 146 name: Federation.TopologyReloadInterval 147 description: >- 148 The frequency, in minutes, that topology should be reloaded. 149 type: duration 150 osdf_default: 10 151 default: none 152 components: ["director", "nsregistry"] 153 --- 154 name: Federation.DirectorUrl 155 description: >- 156 A URL indicating where a director service is hosted. 
157 type: url 158 osdf_default: Default is determined dynamically through metadata at <federation URL>/.well-known/pelican-configuration 159 default: none 160 components: ["client", "origin"] 161 --- 162 name: Federation.NamespaceUrl 163 description: >- 164 A URL indicating where the namespace registry service is hosted. 165 type: url 166 osdf_default: Default is determined dynamically through metadata at <federation URL>/.well-known/pelican-configuration 167 default: none 168 components: ["client", "director", "origin"] 169 --- 170 name: Federation.JwkUrl 171 description: >- 172 A URL indicating where the JWKS for the Federation is hosted. 173 type: url 174 osdf_default: Default is determined dynamically through metadata at <federation URL>/.well-known/pelican-configuration 175 default: none 176 components: ["client", "origin"] 177 --- 178 179 ############################ 180 # Client-Level Configs # 181 ############################ 182 name: Client.StoppedTransferTimeout 183 description: >- 184 A timeout indicating when a "stopped transfer" event should be triggered. 185 type: int 186 default: 100 187 components: ["client"] 188 --- 189 name: Client.SlowTransferRampupTime 190 description: >- 191 A duration indicating the ramp-up period for a slow transfer. 192 type: int 193 default: 30 194 components: ["client"] 195 --- 196 name: Client.SlowTransferWindow 197 description: >- 198 A duration indicating the sliding window over which to consider transfer speeds for slow transfers. 199 type: int 200 default: 30 201 components: ["client"] 202 --- 203 name: Client.DisableHttpProxy 204 description: >- 205 A bool indicating whether the client's HTTP proxy should be disabled. 206 type: bool 207 default: false 208 components: ["client"] 209 --- 210 name: DisableHttpProxy 211 description: >- 212 A legacy configuration for disabling the client's HTTP proxy. See Client.DisableHttpProxy for the new config. 
213 type: bool 214 default: false 215 components: ["client"] 216 --- 217 name: Client.DisableProxyFallback 218 description: >- 219 A bool indicating whether a proxy fallback should be used by the client. 220 type: bool 221 default: false 222 components: ["client"] 223 --- 224 name: DisableProxyFallback 225 description: >- 226 A legacy configuration for disabling the client's proxy fallback. See Client.DisableProxyFallback for the new config. 227 type: bool 228 default: false 229 components: ["client"] 230 --- 231 name: Client.MinimumDownloadSpeed 232 description: >- 233 The minimum speed allowed for a client download before an error is thrown. 234 type: int 235 default: 102400 236 components: ["client"] 237 --- 238 name: MinimumDownloadSpeed 239 description: >- 240 A legacy configuration for setting the client's minimum download speed. See Client.MinimumDownloadSpeed for the new config. 241 type: int 242 default: 102400 243 components: ["client"] 244 --- 245 246 ############################ 247 # Origin-level Configs # 248 ############################ 249 name: Origin.Url 250 description: >- 251 The origin's configured URL, as reported to XRootD. This is the file transfer endpoint for the origin. 252 253 This URL must not have the same port number as the one in Server.ExternalWebUrl (if any) or Server.WebPort. 254 type: url 255 default: https://${Server.Hostname}:${Xrootd.Port} 256 components: ["origin"] 257 --- 258 name: Origin.ExportVolume 259 description: >- 260 A path to the volume exported by an origin. 261 type: string 262 default: none 263 components: ["origin"] 264 --- 265 name: Origin.NamespacePrefix 266 description: >- 267 The filepath prefix at which an origin's contents are made globally available, e.g. /pelican/PUBLIC. 
268 type: string 269 default: none 270 components: ["origin"] 271 --- 272 name: Origin.Multiuser 273 description: >- 274 A bool indicating whether an origin is "multiuser", ie whether the underlying XRootD instance must be configured in multi user mode. 275 type: bool 276 root_default: true 277 default: false 278 components: ["origin"] 279 --- 280 name: Origin.EnableCmsd 281 description: >- 282 A bool indicating whether the origin should enable the `cmsd` daemon. 283 type: bool 284 default: true 285 components: ["origin"] 286 --- 287 name: Origin.SelfTest 288 description: >- 289 A bool indicating whether the origin should perform self health checks. 290 type: bool 291 default: true 292 components: ["origin"] 293 --- 294 name: Origin.EnableUI 295 description: >- 296 Indicate whether the origin should enable its web UI. 297 type: bool 298 default: true 299 components: ["origin"] 300 --- 301 name: Origin.EnableIssuer 302 description: >- 303 Enable the built-in issuer daemon for the origin. 304 type: bool 305 default: false 306 components: ["origin"] 307 --- 308 name: Origin.ScitokensRestrictedPaths 309 description: >- 310 Enable the built-in issuer daemon for the origin. 311 type: stringSlice 312 default: none 313 components: ["origin"] 314 --- 315 name: Origin.ScitokensMapSubject 316 description: >- 317 Enable the built-in issuer daemon for the origin. 318 type: bool 319 default: false 320 components: ["origin"] 321 --- 322 name: Origin.ScitokensDefaultUser 323 description: >- 324 Enable the built-in issuer daemon for the origin. 325 type: string 326 default: none 327 components: ["origin"] 328 --- 329 name: Origin.ScitokensUsernameClaim 330 description: >- 331 Enable the built-in issuer daemon for the origin. 332 type: string 333 default: none 334 components: ["origin"] 335 --- 336 name: Origin.ScitokensNameMapFile 337 description: >- 338 Enable the built-in issuer daemon for the origin. 
339 type: string 340 default: none 341 components: ["origin"] 342 --- 343 name: Origin.XRootDPrefix 344 description: >- 345 The directory prefix for the xrootd origin configuration files. 346 type: string 347 default: origin 348 components: ["origin"] 349 --- 350 name: Origin.EnableVoms 351 description: >- 352 Enable X.509 / VOMS-based authentication. This allows HTTP clients to 353 present X.509 client credentials in order to authenticate. The configuration 354 of the authorization for these clients must be done by the admin; Pelican 355 does not support automatic VOMS authorization configuration. 356 type: bool 357 default: true 358 components: ["origin"] 359 --- 360 name: Origin.EnableDirListing 361 description: >- 362 Allows the origin to enable directory listings. Needs to be enabled for recursive 363 downloads to work properly and for directories to be visible. 364 type: bool 365 default: false 366 --- 367 name: Origin.Mode 368 description: >- 369 The backend mode to be used by an origin. Current values that can be selected from 370 are either "posix" or "s3". 371 type: string 372 default: posix 373 components: ["origin"] 374 --- 375 name: Origin.S3ServiceName 376 description: >- 377 The S3 Service Name to be used by the XRootD plugin. 378 type: string 379 default: none 380 components: ["origin"] 381 --- 382 name: Origin.S3Region 383 description: >- 384 The S3 region to be used by the XRootD plugin. 385 type: string 386 default: none 387 components: ["origin"] 388 --- 389 name: Origin.S3Bucket 390 description: >- 391 The S3 bucket to be used by the XRootD plugin. 392 type: string 393 default: none 394 components: ["origin"] 395 --- 396 name: Origin.S3ServiceUrl 397 description: >- 398 The S3 service URL to be used by the XRootD plugin. 
399 type: string 400 default: none 401 components: ["origin"] 402 --- 403 name: Origin.S3AccessKeyfile 404 description: >- 405 A path to a file containing an S3 access keyfile for authenticated buckets when an origin is run in S3 mode. 406 type: filename 407 default: none 408 components: ["origin"] 409 --- 410 name: Origin.S3SecretKeyfile 411 description: >- 412 A path to a file containing an S3 secret keyfile for authenticated buckets when an origin is run in S3 mode. 413 type: filename 414 default: none 415 components: ["origin"] 416 --- 417 418 419 ############################ 420 # Cache-level configs # 421 ############################ 422 name: Cache.DataLocation 423 description: >- 424 The directory for the location of the cache data files - this is where the actual data in the cache is stored. 425 This should *not* be in the same path as XRootD.Mount or else it will expose the data files as part of the files within the cache. 426 type: string 427 root_default: /run/pelican/xcache 428 default: $XDG_RUNTIME_DIR/pelican/xcache 429 components: ["cache"] 430 --- 431 name: Cache.ExportLocation 432 description: >- 433 The location of the export directory. Everything under this directory will be exposed as part of the cache. This is 434 relative to the mount location. 435 type: string 436 default: / 437 components: ["cache"] 438 --- 439 name: Cache.XRootDPrefix 440 description: >- 441 The directory prefix for the xrootd cache configuration files. 442 type: string 443 default: cache 444 components: ["cache"] 445 --- 446 name: Cache.Port 447 description: >- 448 The port over which the xrootd cache should be made available (this will overwrite Xrootd.Port) 449 type: int 450 default: 8447 451 components: ["cache"] 452 --- 453 name: Cache.EnableVoms 454 description: >- 455 Enable X.509 / VOMS-based authentication for the cache. This allows HTTP clients 456 to present X.509 client credentials in order to authenticate. 
The configuration 457 of the authorization for these clients must be done by the admin; Pelican 458 does not support automatic VOMS authorization configuration. 459 type: bool 460 default: false 461 components: ["cache"] 462 --- 463 464 ############################ 465 # Director-level configs # 466 ############################ 467 name: Director.DefaultResponse 468 description: >- 469 The default response type of a redirect for a director instance. Can be either "cache" or "origin". If a director 470 is hosted at https://director.com, then a GET request to https://director.com/foo/bar.txt will either redirect to 471 the nearest cache for namespace /foo if Director.DefaultResponse is set to "cache" or to the origin for /foo if 472 it is set to "origin". 473 type: string 474 default: cache 475 components: ["director"] 476 --- 477 name: Director.CacheResponseHostnames 478 description: >- 479 A list of virtual hostnames for the director. If a request is sent by the client to one of these hostnames, 480 the director assumes it should respond with a redirect to a cache. 481 482 If present, the hostname is taken from the X-Forwarded-Host header in the request. Otherwise, Host is used. 483 type: stringSlice 484 default: none 485 components: ["director"] 486 --- 487 name: Director.OriginResponseHostnames 488 description: >- 489 A list of virtual hostnames for the director. If a request is sent by the client to one of these hostnames, 490 the director assumes it should respond with a redirect to an origin. 491 492 If present, the hostname is taken from the X-Forwarded-Host header in the request. Otherwise, Host is used. 493 type: stringSlice 494 default: none 495 components: ["director"] 496 --- 497 name: Director.MaxMindKeyFile 498 description: >- 499 A filepath to a MaxMind API key. 
The director service uses the MaxMind GeoLite City database (available [here](https://dev.maxmind.com/geoip/docs/databases/city-and-country)) 500 to determine which cache is nearest to a client's IP address. The database, if not already found, will be downloaded 501 automatically when a director is served and a valid key is present. 502 type: url 503 default: none 504 components: ["director"] 505 --- 506 name: Director.GeoIPLocation 507 description: >- 508 A filepath to the intended location of the MaxMind GeoLite City database. This option can be used either to load 509 an existing database, or to configure the preferred download location if Pelican has a MaxMind API key. 510 type: filename 511 root_default: /var/cache/pelican/maxmind/GeoLite2-City.mmdb 512 default: $ConfigBase/maxmind/GeoLite2-city.mmdb 513 components: ["director"] 514 --- 515 516 ############################ 517 # Registry-level configs # 518 ############################ 519 name: Registry.DbLocation 520 description: >- 521 A filepath to the intended location of the namespace registry's database. 522 type: filename 523 root_default: /var/lib/pelican/registry.sqlite 524 default: $ConfigBase/ns-registry.sqlite 525 components: ["nsregistry"] 526 --- 527 name: Registry.RequireKeyChaining 528 description: >- 529 Specifies whether namespaces requesting registration must possess a key matching any already-registered super/sub namespaces. For 530 example, if true and a namespace `/foo/bar` is already registered, then registration of `/foo` or `/foo/bar/baz` can only be done 531 using keys registered to `/foo/bar`. 532 type: bool 533 default: true 534 components: ["nsregistry"] 535 --- 536 537 ############################ 538 # Server-level configs # 539 ############################ 540 name: Server.TLSCertificate 541 description: >- 542 A filepath to a file containing an X.509 host certificate to use for TLS 543 authentication when running server components of Pelican. 
544 545 If you override this filepath, you need to provide the matched-pair private key 546 via Server.TLSKey and a Certificate Authority (CA) certificate via Server.TLSCACertificateFile. 547 type: filename 548 root_default: /etc/pelican/certificates/tls.crt 549 default: "$ConfigBase/certificates/tls.crt" 550 components: ["origin", "nsregistry", "director"] 551 --- 552 name: Server.TLSCACertificateFile 553 description: >- 554 A filepath to the TLS Certificate Authority (CA) certificate file, to be used by XRootD 555 and internal HTTP client requests. 556 557 Do not override this filepath unless you want to provide your own TLS host certificate. 558 type: filename 559 root_default: /etc/pelican/certificates/tlsca.pem 560 default: "$ConfigBase/certificates/tlsca.pem" 561 components: ["origin", "nsregistry", "director"] 562 --- 563 name: Server.TLSCACertificateDirectory 564 description: >- 565 A filepath to the directory used for storing TLS Certificate Authority (CA) certificates, 566 to be used by XRootD only. 567 568 This is mutually exclusive with Server.TLSCACertificateFile for XRootD, and this value takes priority 569 over Server.TLSCACertificateFile. 570 type: string 571 default: none 572 components: ["origin", "nsregistry", "director"] 573 --- 574 name: Server.TLSCAKey 575 description: >- 576 The name of a file containing a private key corresponding to the TLSCACertificate. 577 Used when running server components of Pelican. 578 type: filename 579 root_default: /etc/pelican/certificates/tlsca.key 580 default: "$ConfigBase/certificates/tlsca.key" 581 components: ["origin", "nsregistry", "director"] 582 --- 583 name: Server.TLSKey 584 description: >- 585 The name of a file containing a private key corresponding to the TLSCertificate. 586 Used when running server components of Pelican. 
587 type: filename 588 root_default: /etc/pelican/certificates/tls.key 589 default: "$ConfigBase/certificates/tls.key" 590 components: ["origin", "nsregistry", "director"] 591 --- 592 name: Server.WebPort 593 description: >- 594 The port number the Pelican web interface and internal web APIs will be bound to. 595 type: int 596 default: 8444 597 components: ["origin", "director", "nsregistry"] 598 --- 599 name: Server.WebHost 600 description: >- 601 A string-encoded IP address that the Pelican web engine is configured to listen on. 602 type: string 603 default: "0.0.0.0" 604 components: ["origin", "director", "nsregistry"] 605 --- 606 name: Server.ExternalWebUrl 607 description: >- 608 A URL indicating the Pelican web interface and internal web APIs address as it appears externally. 609 610 This URL must not have the same port number as the one in Origin.Url (if any) or Xrootd.Port 611 type: url 612 default: https://${Server.Hostname}:${Server.WebPort} 613 components: ["origin", "director", "nsregistry"] 614 --- 615 name: Server.Hostname 616 description: >- 617 The server's hostname, by default it's os.Hostname(). 618 type: string 619 default: none 620 components: ["origin", "director", "nsregistry"] 621 --- 622 name: Server.IssuerUrl 623 description: >- 624 The URL and port at which the server's issuer can be accessed. 625 type: string 626 # Setting default to none for now because it changes based on server type and server mode. 627 default: none 628 components: ["origin", "director", "nsregistry"] 629 --- 630 name: Server.IssuerHostname 631 description: >- 632 The hostname at which the server's issuer can be accessed. 633 type: string 634 # Setting default to none for now because it changes based on server type and server mode. 635 default: none 636 components: ["origin", "director", "nsregistry"] 637 --- 638 name: Server.IssuerPort 639 description: >- 640 The port at which the server's issuer can be accessed. 
641 type: int 642 # Setting default to none for now because it changes based on server type and server mode. 643 default: none 644 components: ["origin", "director", "nsregistry"] 645 --- 646 name: Server.IssuerJwks 647 description: >- 648 A filepath indicating where the server's public JSON web keyset can be found. 649 type: string 650 default: none 651 components: ["origin", "director", "nsregistry"] 652 --- 653 name: Server.UIActivationCodeFile 654 description: >- 655 If the server's web UI has not yet been configured, this file will 656 contain the activation code necessary to turn it on. 657 type: string 658 default: $ConfigBase/server-web-activation-code 659 components: ["origin", "cache", "nsregistry", "director"] 660 --- 661 name: Server.UIPasswordFile 662 description: >- 663 A filepath specifying where the server's web UI password file should be stored. 664 type: string 665 default: $ConfigBase/server-web-passwd 666 components: ["origin", "cache", "nsregistry", "director"] 667 --- 668 669 670 ################################ 671 # Issuer's Configurations # 672 ################################ 673 name: Issuer.TomcatLocation 674 description: >- 675 Location of the system tomcat installation 676 type: string 677 default: /opt/tomcat 678 components: ["origin"] 679 --- 680 name: Issuer.ScitokensServerLocation 681 description: >- 682 Location of the scitoken server installation 683 type: string 684 default: /opt/scitokens-server 685 components: ["origin"] 686 --- 687 name: Issuer.QDLLocation 688 description: >- 689 Location of the QDL language and scripts install on the system 690 type: string 691 default: /opt/qdl 692 components: ["origin"] 693 --- 694 name: Issuer.AuthenticationSource 695 description: >- 696 How users should authenticate with the issuer. Currently-supported values are: 697 - `none` (default): No authentication is performed. All requests are successful and assumed to 698 be a user named `nobody`. 
699 - `OIDC`: Use the server's OIDC configuration to authenticate with an external identity provider. 700 type: string 701 default: OIDC 702 components: ["origin"] 703 --- 704 name: Issuer.OIDCAuthenticationRequirements 705 description: >- 706 A list of claim-value pairs that indicate required values from the OIDC ID token to authenticate. 707 For example, the following setting: 708 709 ``` 710 - claim: idp_name 711 value: University of Wisconsin-Madison 712 ``` 713 714 would only allow tokens with `"idp_name": "University of Wisconsin-Madison"` set to authenticate. 715 type: object 716 default: [] 717 components: ["origin"] 718 --- 719 name: Issuer.OIDCAuthenticationUserClaim 720 description: >- 721 The claim in the OIDC ID token to be used as the "username" for the issuer. 722 type: string 723 default: sub 724 components: ["origin"] 725 --- 726 name: Issuer.GroupSource 727 description: >- 728 How the issuer should determine group information based on the authenticated identity. Valid values are: 729 - `none` (default): No group information should be used. 730 - `file`: Read groups from an external, JSON-formatted file. The file should contain a single JSON object 731 with keys corresponding to the "user" name and the value a list of strings that are interpreted as the 732 user's groups. 733 type: string 734 default: none 735 components: ["origin"] 736 --- 737 name: Issuer.GroupFile 738 description: >- 739 The location of a file containing group information. The file should contain a single JSON object with 740 keys corresponding to the "user" name and the value a list of strings that are interpreted as the user's 741 groups. 742 type: string 743 default: none 744 components: ["origin"] 745 --- 746 name: Issuer.GroupRequirements 747 description: >- 748 Group membership requirements. A request must be mapped to one of the groups in this list to successfully 749 authenticate. 
750 type: stringSlice 751 default: [] 752 components: ["origin"] 753 --- 754 name: Issuer.AuthorizationTemplates 755 description: >- 756 The authorizations that should be generated for an authenticated request. Value should be a list of 757 authorized actions. 758 759 Each action is a key-value pair with the following keys defined: 760 - `actions`: A list of authorized actions. Valid string values are `read`, `modify`, and `create`. 761 - `prefix`: A prefix where the actions are authorized. If the prefix contains the substring `$USER`, the 762 string is replaced with the authenticated username. If the prefix contains the substring `$GROUP`, then 763 an authorization is emitted for _each group_ authenticated. 764 765 For example, if the request is authenticated as user `bbockelm` with groups `dept_a` and `dept_b`, then 766 the following configuration: 767 768 ``` 769 - actions: ["read", "create"] 770 prefix: /projects/$GROUP 771 - actions: ["read", "modify"] 772 prefix: /home/$USER 773 ``` 774 775 will result in the following authorizations: 776 - read /projects/dept_a 777 - create /projects/dept_a 778 - read /projects/dept_b 779 - create /projects/dept_b 780 - read /home/bbockelm 781 - modify /home/bbockelm 782 type: object 783 default: [] 784 components: ["origin"] 785 --- 786 787 ################################### 788 # Server's OIDC Configuration # 789 ################################### 790 name: OIDC.ClientIDFile 791 description: >- 792 A filepath to a file containing an OIDC Client ID. This is used by the namespace registry to establish OIDC information 793 for authenticated registration. 794 type: filename 795 root_default: /etc/pelican/oidc-client-id 796 default: $ConfigBase/oidc-client-id 797 components: ["nsregistry", "origin"] 798 --- 799 name: OIDC.ClientID 800 description: >- 801 The OIDC ClientID to use for the server. 
802 type: string 803 default: none 804 components: ["nsregistry", "origin"] 805 --- 806 name: OIDC.ClientSecretFile 807 description: >- 808 A filepath to a file containing an OIDC Client Secret. This is used by the namespace registry to establish OIDC information 809 for authenticated registration. 810 type: filename 811 root_default: /etc/pelican/oidc-client-secret 812 default: $ConfigBase/oidc-client-secret 813 components: ["nsregistry", "origin"] 814 --- 815 name: OIDC.DeviceAuthEndpoint 816 description: >- 817 A URL describing an OIDC Device Auth Endpoint. This is used by the namespace registry to establish OIDC information 818 for authenticated registration. 819 type: url 820 default: none 821 components: ["nsregistry", "origin"] 822 --- 823 name: OIDC.TokenEndpoint 824 description: >- 825 A URL describing an OIDC Token Endpoint. This is used by the namespace registry to establish OIDC information 826 for authenticated registration. 827 type: url 828 default: none 829 components: ["nsregistry", "origin"] 830 --- 831 name: OIDC.UserInfoEndpoint 832 description: >- 833 A URL describing an OIDC User Info Endpoint. This is used by the namespace registry to establish OIDC information 834 for authenticated registration. 835 type: url 836 default: none 837 components: ["nsregistry", "origin"] 838 --- 839 name: OIDC.AuthorizationEndpoint 840 description: >- 841 A URL containing the OIDC authorization endpoint. 842 type: url 843 default: none 844 components: ["origin"] 845 --- 846 name: OIDC.Issuer 847 description: >- 848 The URL of the OIDC issuer. If set, OIDC auto-discovery may be used to find other endpoints (token, user info, 849 device auth). 850 type: url 851 default: none 852 components: ["nsregistry", "origin"] 853 --- 854 855 ############################ 856 # XRootD-level Configs # 857 ############################ 858 name: Xrootd.Port 859 description: >- 860 The port over which XRootD should be made available. 
861 type: int 862 default: 8443 863 components: ["origin", "cache"] 864 --- 865 name: Xrootd.RunLocation 866 description: >- 867 A directory where temporary configurations will be stored for the xrootd daemon 868 started by the origin or cache. 869 870 For non-root servers, if $XDG_RUNTIME_DIR is not set, a temporary directory will 871 be created (and removed on shutdown) 872 type: filename 873 root_default: /run/pelican/xrootd 874 default: $XDG_RUNTIME_DIR/pelican 875 components: ["origin", "cache"] 876 --- 877 name: Xrootd.RobotsTxtFile 878 description: >- 879 Origins may be indexed by web search engines; to control the behavior of search 880 engines, one may provide local policy via a [robots.txt file](https://en.wikipedia.org/wiki/Robots.txt). 881 882 If this file is not present, it will be auto-created with a default policy of 883 blocking all indexing. 884 type: filename 885 root_default: /etc/pelican/robots.txt 886 default: $ConfigBase/robots.txt 887 components: ["origin"] 888 --- 889 name: Xrootd.ScitokensConfig 890 description: >- 891 The location of a file configuring xrootd's 892 [token-based authorization subsystem](https://github.com/xrootd/xrootd/blob/master/src/XrdSciTokens/README.md). 893 This file allows arbitrary changes to the authorization configuration and will be merged with any 894 auto-generated configuration; it's recommended for use by experts only. 895 type: filename 896 root_default: /etc/pelican/xrootd/scitokens.cfg 897 default: $ConfigBase/xrootd/scitokens.cfg 898 --- 899 name: Xrootd.Mount 900 description: >- 901 The mount path for an instance of XRootD. 902 type: string 903 default: none 904 components: ["origin"] 905 --- 906 name: Xrootd.MacaroonsKeyFile 907 description: >- 908 The filepath to a Macaroons key for setting up authorization in XRootD. 
909 type: string 910 default: none 911 components: ["origin"] 912 --- 913 name: Xrootd.Authfile 914 description: >- 915 The filepath to an auth file for setting up authorization in XRootD. 916 type: string 917 default: none 918 components: ["origin"] 919 --- 920 name: Xrootd.ManagerHost 921 description: >- 922 A URL pointing toward the XRootD instance's Manager Host. 923 type: url 924 default: none 925 components: ["origin"] 926 --- 927 name: Xrootd.SummaryMonitoringHost 928 description: >- 929 A URL pointing toward the XRootD instance's Summary Monitoring Host. 930 type: url 931 default: none 932 components: ["origin"] 933 --- 934 name: Xrootd.DetailedMonitoringHost 935 description: >- 936 A URL pointing toward the XRootD instance's Detailed Monitoring Host. 937 type: url 938 default: none 939 components: ["origin"] 940 --- 941 name: Xrootd.LocalMonitoringHost 942 description: >- 943 A URL pointing toward the XRootD instance's Local Monitoring Host. 944 type: url 945 default: none 946 components: ["origin"] 947 --- 948 name: Xrootd.Sitename 949 description: >- 950 The sitename, as configured for XRootD. 951 type: string 952 default: none 953 components: ["origin"] 954 --- 955 956 ############################ 957 # Monitoring-level configs # 958 ############################ 959 name: Monitoring.DataLocation 960 description: >- 961 A filepath where Prometheus should host its monitoring data. 962 type: string 963 root_default: /var/lib/pelican/monitoring/data 964 default: $ConfigBase/monitoring/data 965 components: ["origin"] 966 --- 967 name: Monitoring.PortLower 968 description: >- 969 The lower end of a range of monitoring ports for Prometheus configuration. 970 type: int 971 default: 9930 972 components: ["origin"] 973 --- 974 name: Monitoring.PortHigher 975 description: >- 976 The upper end of a range of monitoring ports for Prometheus configuration. 
977 type: int 978 default: 9999 979 components: ["origin"] 980 --- 981 name: Monitoring.AggregatePrefixes 982 description: >- 983 A list of path-like prefixes, potentially containing a glob (wildcard character), indicating 984 how the Prometheus-based monitoring should aggregate records when reporting. For example, 985 if `/foo/*` is on the aggregate path list, then the monitoring data for a download of 986 objects `/foo/bar` and `/foo/baz` will be aggregated into a single series, `/foo`. 987 type: stringSlice 988 default: ["/*"] 989 components: ["origin"] 990 --- 991 name: Monitoring.TokenExpiresIn 992 description: >- 993 The duration of which the tokens for various Prometheus endpoints expire. 994 995 This includes tokens for director's Prometheus origin discovery endpoint, 996 director's origin scraper, and server's self-scraper 997 type: duration 998 default: 1h 999 components: ["origin", "director", "nsregistry"] 1000 --- 1001 name: Monitoring.TokenRefreshInterval 1002 description: >- 1003 The interval of which the token issuer for various Prometheus endpoints 1004 refreshes the token for monitoring. 1005 1006 The tokens that are affected by this config are the same as the one in Monitoring.TokenExpiresIn. 1007 This value must be less than Monitoring.TokenExpiresIn. 
1008 type: duration 1009 default: 59m 1010 components: ["origin", "director", "nsregistry"] 1011 --- 1012 name: Monitoring.MetricAuthorization 1013 description: >- 1014 If authorization (Bearer token) is required for accesing /metrics endpoint 1015 type: bool 1016 default: true 1017 components: ["origin", "director", "nsregistry"] 1018 --- 1019 1020 ############################ 1021 # Plugin-level configs # 1022 ############################ 1023 name: Plugin.Token 1024 description: >- 1025 The specified token for pelican plugin staging 1026 type: string 1027 default: none 1028 components: ["plugin"] 1029 --- 1030 name: StagePlugin.Hook 1031 description: >- 1032 Flag to specify HTCondor hook behavior 1033 type: bool 1034 default: false 1035 components: ["plugin"] 1036 --- 1037 name: StagePlugin.MountPrefix 1038 description: >- 1039 Prefix corresponding to the local mount point of the origin 1040 type: string 1041 default: none 1042 components: ["plugin"] 1043 --- 1044 name: StagePlugin.OriginPrefix 1045 description: >- 1046 Prefix corresponding to the local origin 1047 type: string 1048 default: none 1049 components: ["plugin"] 1050 --- 1051 name: StagePlugin.ShadowOriginPrefix 1052 description: >- 1053 Prefix corresponding to the shadow origin 1054 type: string 1055 default: none 1056 components: ["plugin"]
