Config

pydantic settings gafaelfawr.config.Config

Configuration for Gafaelfawr.

Parameters:

data (Any)

Fields:

• afterLogoutUrl (pydantic.networks.HttpUrl)

• baseInternalUrl (pydantic.networks.HttpUrl)

• baseUrl (pydantic.networks.HttpUrl)

• bootstrapToken (pydantic.types.SecretStr)

• cilogon (gafaelfawr.config.CILogonConfig | None)

• databasePassword (pydantic.types.SecretStr)

• databaseUrl (pydantic_core._pydantic_core.Url)

• errorFooter (str | None)

• firestore (gafaelfawr.config.FirestoreConfig | None)

• github (gafaelfawr.config.GitHubConfig | None)

• groupMapping (dict[str, list[str | gafaelfawr.config.GitHubGroup]])

• initialAdmins (list[str])

• internalDatabase (bool)

• knownScopes (dict[str, str])

• ldap (gafaelfawr.config.LDAPConfig | None)

• logLevel (safir.logging._models.LogLevel)

• metrics (safir.metrics._config.DisabledMetricsConfiguration | safir.metrics._config.KafkaMetricsConfiguration)

• oidc (gafaelfawr.config.OIDCConfig | None)

• oidcServer (gafaelfawr.config.OIDCServerConfig | None)

• proxies (list[ipaddress.IPv4Network | ipaddress.IPv6Network] | None)

• quota (gafaelfawr.config.QuotaConfig | None)

• realm (str)

• redisPassword (pydantic.types.SecretStr | None)

• redisUrl (pydantic_core._pydantic_core.Url)

• sessionSecret (pydantic.types.SecretStr)

• slackAlerts (bool)

• slackWebhook (pydantic.types.SecretStr | None)

• tokenLifetime (datetime.timedelta)

• updateSchema (bool)

Validators:

• _validate_bootstrap_token » bootstrapToken

• _validate_initial_admins » initialAdmins

• _validate_known_scopes » knownScopes

• _validate_optional » all fields

• _validate_scopes » all fields

• _validate_token_lifetime » tokenLifetime

• _validate_userinfo » all fields

field afterLogoutUrl: HttpUrl [Required] (name 'after_logout_url')

Default URL to which to send the user after logging out

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field baseInternalUrl: HttpUrl [Required] (name 'base_internal_url')

Base URL for internal-only routes such as /ingress/auth

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field baseUrl: HttpUrl [Required] (name 'base_url')

Base URL for user-facing routes such as /login

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field bootstrapToken: SecretStr [Required] (name 'bootstrap_token')

File containing the bootstrap authentication token. This token can be used with specific routes in the admin API to change the list of admins and create service and user tokens.

Validated by:

• _validate_bootstrap_token

• _validate_optional

• _validate_scopes

• _validate_userinfo

field cilogon: CILogonConfig | None = None

Configuration for the CILogon authentication provider

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field databasePassword: SecretStr [Required] (name 'database_password')

Password for the PostgreSQL database

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field databaseUrl: EnvAsyncPostgresDsn [Required] (name 'database_url')

DSN for the PostgreSQL database

Constraints:

• allowed_schemes = [‘postgresql’, ‘postgresql+asyncpg’]

• host_required = True

• func = <function _validate_env_async_postgres_dsn at 0x7fe683267920>

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field errorFooter: str | None = None (name 'error_footer')

HTML to add (inside <p>) to login error pages

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field firestore: FirestoreConfig | None = None

Configuration for UID/GID allocation using Firestore

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field github: GitHubConfig | None = None

Configuration for the GitHub authentication provider

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field groupMapping: dict[str, list[str | GitHubGroup]] = {} (name 'group_mapping')

Mappings of scopes to lists of groups that provide them

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field initialAdmins: list[str] = [] (name 'initial_admins')

List of usernames to mark as admins during database initialization

Validated by:

• _validate_initial_admins

• _validate_optional

• _validate_scopes

• _validate_userinfo

field internalDatabase: bool = False (name 'internal_database')

Whether to use a cluster-internal database. This setting is only used by Helm, not by Gafaelfawr itself.

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field knownScopes: dict[str, str] = {} (name 'known_scopes')

Known scopes (the keys) and their descriptions (the values)

Validated by:

• _validate_known_scopes

• _validate_optional

• _validate_scopes

• _validate_userinfo

field ldap: LDAPConfig | None = None

Configuration for retrieving user information from LDAP

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field logLevel: LogLevel = LogLevel.INFO (name 'log_level')

Python logging level

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field metrics: MetricsConfiguration [Required]

Configuration for reporting metrics to Kafka

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field oidc: OIDCConfig | None = None

Configuration for the OpenID Connect authentication provider

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field oidcServer: OIDCServerConfig | None = None (name 'oidc_server')

Configuration for Gafaelfawr’s internal OpenID Connect server

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field proxies: list[IPv4Network | IPv6Network] | None = None

If this is set to a non-empty list, it will be used as the trusted list of proxies when parsing the X-Forwarded-For HTTP header in incoming requests. IP addresses from that header will be discarded from the right side when they are within a netblock in this list until a non-matching IP is reached or there is only one IP left, and then that IP will be used as the remote IP for logging purposes. This allows logging of accurate client IP addresses.

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field quota: QuotaConfig | None = None

Rules for assigning quota to users

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field realm: str [Required]

Realm for HTTP authentication

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field redisPassword: SecretStr | None = None (name 'redis_password')

Password for the Redis server that stores tokens

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field redisUrl: EnvRedisDsn [Required] (name 'redis_url')

DSN for the Redis server that stores tokens

Constraints:

• allowed_schemes = [‘redis’]

• default_host = localhost

• default_port = 6379

• default_path = /0

• func = <function _validate_env_redis_dsn at 0x7fe6832679c0>

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field sessionSecret: SecretStr [Required] (name 'session_secret')

Fernet encryption key used for session cookie and store

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field slackAlerts: bool = False (name 'slack_alerts')

Whether to enable Slack alerts. If true, slack_webhook must also be set.

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field slackWebhook: SecretStr | None = None (name 'slack_webhook')

If set, alerts will be posted to this Slack webhook

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

field tokenLifetime: HumanTimedelta = datetime.timedelta(days=30) (name 'token_lifetime')

Lifetime of newly-created session tokens

Constraints:

• func = <function _validate_human_timedelta at 0x7fe683267a60>

• json_schema_input_type = PydanticUndefined

Validated by:

• _validate_optional

• _validate_scopes

• _validate_token_lifetime

• _validate_userinfo

field updateSchema: bool = False (name 'update_schema')

This setting is interpreted by Helm and triggers a SQL schema update via a Helm hook. It is not used by Gafaelfawr directly.

Validated by:

• _validate_optional

• _validate_scopes

• _validate_userinfo

configure_logging()

Configure logging based on the Gafaelfawr configuration.

Return type:

None

classmethod from_file(path)

Construct a Config object from a configuration file.

Parameters:

path (Path) – Path to the configuration file in YAML.

Returns:

The corresponding Config object.

Return type:

Config

get_scopes_for_group(group)

Return the scopes granted by a given group membership.

Parameters:

group (str) – Name of the group.

Returns:

Scopes granted by that group membership. This will be the empty set if the group was not recognized.

Return type:

frozenset of str

model_post_init(context, /)

This function is meant to behave like a BaseModel method to initialise private attributes.

It takes context as an argument since that’s what pydantic-core passes when calling it.

Args:

self: The BaseModel instance. context: The context.

Parameters:

• self (BaseModel)

• context (Any)

Return type:

None

property add_user_group: bool

Whether to add a synthetic private user group.