|
1 | 1 | # List of environment variables |
2 | 2 |
|
3 | | -## Core |
4 | | - |
5 | | -- `DIRACX_CONFIG_BACKEND_URL`: The URL of the configuration backend. |
6 | | - |
7 | | -## Services: |
8 | | - |
9 | | -- `DIRACX_SERVICE_AUTH_TOKEN_ISSUER`: The issuer for the auth tokens. |
10 | | -- `DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS`: A JSON-encoded list of allowed redirect URIs for the authorization code |
11 | | - flow. |
12 | | -- `DIRACX_SERVICE_AUTH_DEVICE_FLOW_EXPIRATION_SECONDS`: The expiration time for the device flow in seconds. |
13 | | -- `DIRACX_SERVICE_AUTH_AUTHORIZATION_FLOW_EXPIRATION_SECONDS`: The expiration time for the authorization flow in |
14 | | - seconds. |
15 | | -- `DIRACX_SERVICE_AUTH_STATE_KEY`: The key used to encrypt the state in the authorization code flow. |
16 | | -- `DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE`: The path to the JWKS file containing the token signing keys. |
17 | | -- `DIRACX_SERVICE_AUTH_TOKEN_ALLOWED_ALGORITHMS`: A JSON-encoded list of allowed algorithms for token signing. |
18 | | -- `DIRACX_SERVICE_AUTH_ACCESS_TOKEN_EXPIRE_MINUTES`: The expiration time for the access token in minutes. |
19 | | -- `DIRACX_SERVICE_AUTH_REFRESH_TOKEN_EXPIRE_MINUTES`: The expiration time for the refresh token in minutes. |
20 | | -- `DIRACX_SANDBOX_STORE_BUCKET_NAME`: The name of the S3 bucket for the sandbox store. |
21 | | -- `DIRACX_SANDBOX_STORE_S3_CLIENT_KWARGS`: A JSON-encoded dictionary of keyword arguments for the S3 client. |
22 | | -- `DIRACX_SANDBOX_STORE_AUTO_CREATE_BUCKET`: Whether to automatically create the S3 bucket if it doesn't exist. |
23 | | -- `DIRACX_SANDBOX_STORE_URL_VALIDITY_SECONDS`: The validity of the presigned URLs for the sandbox store in seconds. |
24 | | -- `DIRACX_SANDBOX_STORE_SE_NAME`: The name of the storage element for the sandbox store. |
25 | | -- `DIRACX_LEGACY_EXCHANGE_HASHED_API_KEY`: The hashed API key for the legacy exchange endpoint. |
26 | | -- `DIRACX_SERVICE_JOBS_ENABLED`: Whether the jobs service is enabled. |
27 | | - |
28 | | -## Databases: |
29 | | - |
30 | | -- `DIRACX_DB_URL_<db_name>`: The URL for the SQL database `<db_name>`. |
31 | | -- `DIRACX_OS_DB_<db_name>`: A JSON-encoded dictionary of connection keyword arguments for the OpenSearch database `<db_name>` |
32 | | - |
33 | | -## OTEL: |
34 | | - |
35 | | -- `DIRACX_OTEL_ENABLED`: Whether OpenTelemetry is enabled. |
36 | | -- `DIRACX_OTEL_APPLICATION_NAME`: The name of the application for OpenTelemetry. |
37 | | -- `DIRACX_OTEL_GRPC_ENDPOINT`: The gRPC endpoint for the OpenTelemetry collector. |
38 | | -- `DIRACX_OTEL_GRPC_INSECURE`: Whether to use an insecure gRPC connection for the OpenTelemetry collector. |
39 | | -- `DIRACX_OTEL_HEADERS`: A JSON-encoded dictionary of headers to pass to the OpenTelemetry collector. |
| 3 | +*This page is auto-generated from the settings classes in `diracx.core.settings`.* |
| 4 | + |
| 5 | +## AuthSettings |
| 6 | + |
| 7 | +Settings for the authentication service. |
| 8 | + |
| 9 | +### `DIRACX_SERVICE_AUTH_DIRAC_CLIENT_ID` |
| 10 | + |
| 11 | +*Optional*, default value: `myDIRACClientID` |
| 12 | + |
| 13 | +OAuth2 client identifier for DIRAC services. |
| 14 | + |
| 15 | +This should match the client ID registered with the identity provider. |
| 16 | + |
| 17 | +### `DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS` |
| 18 | + |
| 19 | +*Optional*, default value: `[]` |
| 20 | + |
| 21 | +List of allowed redirect URLs for OAuth2 authorization flow. |
| 22 | + |
| 23 | +These URLs must be pre-registered and should match the redirect URIs |
| 24 | +configured in the OAuth2 client registration. |
| 25 | +Example: ["http://localhost:8000/docs/oauth2-redirect"] |
| 26 | + |
| 27 | +### `DIRACX_SERVICE_AUTH_DEVICE_FLOW_EXPIRATION_SECONDS` |
| 28 | + |
| 29 | +*Optional*, default value: `600` |
| 30 | + |
| 31 | +Expiration time in seconds for device flow authorization requests. |
| 32 | + |
| 33 | +After this time, the device code becomes invalid and users must restart |
| 34 | +the device flow process. Default: 10 minutes. |
| 35 | + |
| 36 | +### `DIRACX_SERVICE_AUTH_AUTHORIZATION_FLOW_EXPIRATION_SECONDS` |
| 37 | + |
| 38 | +*Optional*, default value: `300` |
| 39 | + |
| 40 | +Expiration time in seconds for authorization code flow. |
| 41 | + |
| 42 | +The time window during which the authorization code remains valid |
| 43 | +before it must be exchanged for tokens. Default: 5 minutes. |
| 44 | + |
| 45 | +### `DIRACX_SERVICE_AUTH_STATE_KEY` |
| 46 | + |
| 47 | +**Required** |
| 48 | + |
| 49 | +Encryption key used to encrypt/decrypt the state parameter passed to the IAM. |
| 50 | + |
| 51 | +This key ensures the integrity and confidentiality of state information |
| 52 | +during OAuth2 flows. Must be a valid Fernet key. |
| 53 | + |
| 54 | +### `DIRACX_SERVICE_AUTH_TOKEN_ISSUER` |
| 55 | + |
| 56 | +**Required** |
| 57 | + |
| 58 | +The issuer identifier for JWT tokens. |
| 59 | + |
| 60 | +This should be a URI that uniquely identifies the token issuer and |
| 61 | +matches the 'iss' claim in issued JWT tokens. |
| 62 | + |
| 63 | +### `DIRACX_SERVICE_AUTH_TOKEN_KEYSTORE` |
| 64 | + |
| 65 | +**Required** |
| 66 | + |
| 67 | +Keystore containing the cryptographic keys used for signing JWT tokens. |
| 68 | + |
| 69 | +This includes both public and private keys for token signature |
| 70 | +generation and verification. |
| 71 | + |
| 72 | +### `DIRACX_SERVICE_AUTH_TOKEN_ALLOWED_ALGORITHMS` |
| 73 | + |
| 74 | +*Optional*, default value: `['RS256', 'EdDSA']` |
| 75 | + |
| 76 | +List of allowed cryptographic algorithms for JWT token signing. |
| 77 | + |
| 78 | +Supported algorithms include RS256 (RSA with SHA-256) and EdDSA |
| 79 | +(Edwards-curve Digital Signature Algorithm). Default: ["RS256", "EdDSA"] |
| 80 | + |
| 81 | +### `DIRACX_SERVICE_AUTH_ACCESS_TOKEN_EXPIRE_MINUTES` |
| 82 | + |
| 83 | +*Optional*, default value: `20` |
| 84 | + |
| 85 | +Expiration time in minutes for access tokens. |
| 86 | + |
| 87 | +After this duration, access tokens become invalid and must be refreshed |
| 88 | +or re-obtained. Default: 20 minutes. |
| 89 | + |
| 90 | +### `DIRACX_SERVICE_AUTH_REFRESH_TOKEN_EXPIRE_MINUTES` |
| 91 | + |
| 92 | +*Optional*, default value: `60` |
| 93 | + |
| 94 | +Expiration time in minutes for refresh tokens. |
| 95 | + |
| 96 | +The maximum lifetime of refresh tokens before they must be re-issued |
| 97 | +through a new authentication flow. Default: 60 minutes. |
| 98 | + |
| 99 | +### `DIRACX_SERVICE_AUTH_AVAILABLE_PROPERTIES` |
| 100 | + |
| 101 | +*Optional* |
| 102 | + |
| 103 | +Set of security properties available in this DIRAC installation. |
| 104 | + |
| 105 | +These properties define various authorization capabilities and are used |
| 106 | +for access control decisions. Defaults to all available security properties. |
| 107 | + |
| 108 | +## SandboxStoreSettings |
| 109 | + |
| 110 | +Settings for the sandbox store. |
| 111 | + |
| 112 | +### `DIRACX_SANDBOX_STORE_BUCKET_NAME` |
| 113 | + |
| 114 | +**Required** |
| 115 | + |
| 116 | +Name of the S3 bucket used for storing job sandboxes. |
| 117 | + |
| 118 | +This bucket will contain input and output sandbox files for DIRAC jobs. |
| 119 | +The bucket must exist or auto_create_bucket must be enabled. |
| 120 | + |
| 121 | +### `DIRACX_SANDBOX_STORE_S3_CLIENT_KWARGS` |
| 122 | + |
| 123 | +**Required** |
| 124 | + |
| 125 | +Configuration parameters passed to the S3 client. |
| 126 | + |
| 127 | +### `DIRACX_SANDBOX_STORE_AUTO_CREATE_BUCKET` |
| 128 | + |
| 129 | +*Optional*, default value: `False` |
| 130 | + |
| 131 | +Whether to automatically create the S3 bucket if it doesn't exist. |
| 132 | + |
| 133 | +### `DIRACX_SANDBOX_STORE_URL_VALIDITY_SECONDS` |
| 134 | + |
| 135 | +*Optional*, default value: `300` |
| 136 | + |
| 137 | +Validity duration in seconds for pre-signed S3 URLs. |
| 138 | + |
| 139 | +This determines how long generated download/upload URLs remain valid |
| 140 | +before expiring. Default: 300 seconds (5 minutes). |
| 141 | + |
| 142 | +### `DIRACX_SANDBOX_STORE_SE_NAME` |
| 143 | + |
| 144 | +*Optional*, default value: `SandboxSE` |
| 145 | + |
| 146 | +Logical name of the Storage Element for the sandbox store. |
| 147 | + |
| 148 | +This name is used within DIRAC to refer to this sandbox storage |
| 149 | +endpoint in job descriptions and file catalogs. |
| 150 | + |
| 151 | +## OTELSettings |
| 152 | + |
| 153 | +Settings for the Open Telemetry Configuration. |
| 154 | + |
| 155 | +### `DIRACX_OTEL_ENABLED` |
| 156 | + |
| 157 | +*Optional*, default value: `False` |
| 158 | + |
| 159 | +### `DIRACX_OTEL_APPLICATION_NAME` |
| 160 | + |
| 161 | +*Optional*, default value: `diracx` |
| 162 | + |
| 163 | +### `DIRACX_OTEL_GRPC_ENDPOINT` |
| 164 | + |
| 165 | +*Optional*, default value: \`\` |
| 166 | + |
| 167 | +### `DIRACX_OTEL_GRPC_INSECURE` |
| 168 | + |
| 169 | +*Optional*, default value: `True` |
| 170 | + |
| 171 | +### `DIRACX_OTEL_HEADERS` |
| 172 | + |
| 173 | +*Optional*, default value: `None` |
0 commit comments