Settings

pydantic model gafaelfawr.config.Settings

pydantic model of Gafaelfawr configuration file.

This describes the configuration file as parsed from disk. This model will be converted to a Config dataclass for internal use so that some settings can be duplicated, rewritten, or parsed into internal formats for later convenience.

Several fields use an empty dictionary or empty list as a default value. Due to a quirk in how Python handles empty dict and list constructors, the caller must be careful to never modify those fields and instead treat the value as read-only. In practice, this isn’t much of a concern since this object is only used to convert to a Config object.

Parameters:

data (Any)

Show JSON schema
{
   "title": "Settings",
   "description": "pydantic model of Gafaelfawr configuration file.\n\nThis describes the configuration file as parsed from disk.  This model\nwill be converted to a `Config` dataclass for internal use so that some\nsettings can be duplicated, rewritten, or parsed into internal formats for\nlater convenience.\n\nSeveral fields use an empty dictionary or empty list as a default value.\nDue to a quirk in how Python handles empty dict and list constructors, the\ncaller must be careful to never modify those fields and instead treat the\nvalue as read-only.  In practice, this isn't much of a concern since this\nobject is only used to convert to a `Config` object.",
   "type": "object",
   "properties": {
      "realm": {
         "title": "Realm",
         "type": "string"
      },
      "logLevel": {
         "allOf": [
            {
               "$ref": "#/$defs/LogLevel"
            }
         ],
         "default": "INFO"
      },
      "sessionSecretFile": {
         "format": "path",
         "title": "Sessionsecretfile",
         "type": "string"
      },
      "redisUrl": {
         "title": "Redisurl",
         "type": "string"
      },
      "redisPasswordFile": {
         "anyOf": [
            {
               "format": "path",
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Redispasswordfile"
      },
      "databaseUrl": {
         "title": "Databaseurl",
         "type": "string"
      },
      "databasePasswordFile": {
         "anyOf": [
            {
               "format": "path",
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Databasepasswordfile"
      },
      "bootstrapTokenFile": {
         "anyOf": [
            {
               "format": "path",
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Bootstraptokenfile"
      },
      "tokenLifetimeMinutes": {
         "default": 1380,
         "title": "Tokenlifetimeminutes",
         "type": "integer"
      },
      "proxies": {
         "anyOf": [
            {
               "items": {
                  "anyOf": [
                     {
                        "format": "ipv4network",
                        "type": "string"
                     },
                     {
                        "format": "ipv6network",
                        "type": "string"
                     }
                  ]
               },
               "type": "array"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Proxies"
      },
      "afterLogoutUrl": {
         "format": "uri",
         "minLength": 1,
         "title": "Afterlogouturl",
         "type": "string"
      },
      "errorFooter": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Errorfooter"
      },
      "slackWebhookFile": {
         "anyOf": [
            {
               "format": "path",
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Slackwebhookfile"
      },
      "cadcBaseUuid": {
         "anyOf": [
            {
               "format": "uuid",
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Cadcbaseuuid"
      },
      "github": {
         "anyOf": [
            {
               "$ref": "#/$defs/GitHubSettings"
            },
            {
               "type": "null"
            }
         ],
         "default": null
      },
      "oidc": {
         "anyOf": [
            {
               "$ref": "#/$defs/OIDCSettings"
            },
            {
               "type": "null"
            }
         ],
         "default": null
      },
      "ldap": {
         "anyOf": [
            {
               "$ref": "#/$defs/LDAPSettings"
            },
            {
               "type": "null"
            }
         ],
         "default": null
      },
      "firestore": {
         "anyOf": [
            {
               "$ref": "#/$defs/FirestoreSettings"
            },
            {
               "type": "null"
            }
         ],
         "default": null
      },
      "oidcServer": {
         "anyOf": [
            {
               "$ref": "#/$defs/OIDCServerSettings"
            },
            {
               "type": "null"
            }
         ],
         "default": null
      },
      "quota": {
         "anyOf": [
            {
               "$ref": "#/$defs/QuotaSettings"
            },
            {
               "type": "null"
            }
         ],
         "default": null
      },
      "initialAdmins": {
         "items": {
            "type": "string"
         },
         "title": "Initialadmins",
         "type": "array"
      },
      "knownScopes": {
         "additionalProperties": {
            "type": "string"
         },
         "default": {},
         "description": "Known scopes (the keys) and their descriptions (the values)",
         "title": "Known scopes",
         "type": "object"
      },
      "groupMapping": {
         "additionalProperties": {
            "items": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "$ref": "#/$defs/GitHubGroup"
                  }
               ]
            },
            "type": "array"
         },
         "default": {},
         "description": "Mappings of scopes to lists of groups that provide them",
         "title": "Scope to group mapping",
         "type": "object"
      }
   },
   "$defs": {
      "FirestoreSettings": {
         "additionalProperties": false,
         "description": "pydantic model of Firestore configuration.",
         "properties": {
            "project": {
               "title": "Project",
               "type": "string"
            }
         },
         "required": [
            "project"
         ],
         "title": "FirestoreSettings",
         "type": "object"
      },
      "GitHubGroup": {
         "additionalProperties": false,
         "description": "An individual GitHub team.",
         "properties": {
            "github": {
               "$ref": "#/$defs/GitHubGroupTeam"
            }
         },
         "required": [
            "github"
         ],
         "title": "GitHubGroup",
         "type": "object"
      },
      "GitHubGroupTeam": {
         "additionalProperties": false,
         "description": "Specification for a GitHub team.",
         "properties": {
            "organization": {
               "title": "Organization",
               "type": "string"
            },
            "team": {
               "title": "Team",
               "type": "string"
            }
         },
         "required": [
            "organization",
            "team"
         ],
         "title": "GitHubGroupTeam",
         "type": "object"
      },
      "GitHubSettings": {
         "additionalProperties": false,
         "description": "pydantic model of GitHub configuration.",
         "properties": {
            "clientId": {
               "title": "Clientid",
               "type": "string"
            },
            "clientSecretFile": {
               "format": "path",
               "title": "Clientsecretfile",
               "type": "string"
            }
         },
         "required": [
            "clientId",
            "clientSecretFile"
         ],
         "title": "GitHubSettings",
         "type": "object"
      },
      "LDAPSettings": {
         "additionalProperties": false,
         "description": "pydantic model of LDAP configuration.",
         "properties": {
            "url": {
               "title": "Url",
               "type": "string"
            },
            "userDn": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "title": "Userdn"
            },
            "useKerberos": {
               "default": false,
               "title": "Usekerberos",
               "type": "boolean"
            },
            "passwordFile": {
               "anyOf": [
                  {
                     "format": "path",
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "title": "Passwordfile"
            },
            "groupBaseDn": {
               "title": "Groupbasedn",
               "type": "string"
            },
            "groupObjectClass": {
               "default": "posixGroup",
               "title": "Groupobjectclass",
               "type": "string"
            },
            "groupMemberAttr": {
               "default": "member",
               "title": "Groupmemberattr",
               "type": "string"
            },
            "groupSearchByDn": {
               "default": false,
               "title": "Groupsearchbydn",
               "type": "boolean"
            },
            "userBaseDn": {
               "title": "Userbasedn",
               "type": "string"
            },
            "userSearchAttr": {
               "default": "uid",
               "title": "Usersearchattr",
               "type": "string"
            },
            "nameAttr": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": "displayName",
               "title": "Nameattr"
            },
            "emailAttr": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": "mail",
               "title": "Emailattr"
            },
            "uidAttr": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": "uidNumber",
               "title": "Uidattr"
            },
            "gidAttr": {
               "anyOf": [
                  {
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": "gidNumber",
               "title": "Gidattr"
            },
            "addUserGroup": {
               "default": false,
               "title": "Addusergroup",
               "type": "boolean"
            }
         },
         "required": [
            "url",
            "groupBaseDn",
            "userBaseDn"
         ],
         "title": "LDAPSettings",
         "type": "object"
      },
      "LogLevel": {
         "description": "Python logging level.\n\nAny case variation is accepted when converting a string to an enum value\nvia the class constructor.",
         "enum": [
            "DEBUG",
            "INFO",
            "WARNING",
            "ERROR",
            "CRITICAL"
         ],
         "title": "LogLevel",
         "type": "string"
      },
      "NotebookQuotaSettings": {
         "additionalProperties": false,
         "description": "Quota settings for the Notebook Aspect.",
         "properties": {
            "cpu": {
               "title": "Cpu",
               "type": "number"
            },
            "memory": {
               "title": "Memory",
               "type": "number"
            }
         },
         "required": [
            "cpu",
            "memory"
         ],
         "title": "NotebookQuotaSettings",
         "type": "object"
      },
      "OIDCServerSettings": {
         "additionalProperties": false,
         "description": "pydantic model of issuer configuration.",
         "properties": {
            "issuer": {
               "format": "uri",
               "maxLength": 2083,
               "minLength": 1,
               "title": "Issuer",
               "type": "string"
            },
            "keyId": {
               "title": "Keyid",
               "type": "string"
            },
            "keyFile": {
               "format": "path",
               "title": "Keyfile",
               "type": "string"
            },
            "secretsFile": {
               "format": "path",
               "title": "Secretsfile",
               "type": "string"
            },
            "dataRightsMapping": {
               "additionalProperties": {
                  "items": {
                     "type": "string"
                  },
                  "type": "array"
               },
               "default": {},
               "description": "Mapping of group names to keywords for data releases, indicating membership in that group grants access to that data release. Used to construct the ``data_rights`` claim, which can be requested by asking for the ``rubin`` scope.",
               "examples": [
                  {
                     "g_users": [
                        "dp0.1",
                        "dp0.2",
                        "dp0.3"
                     ]
                  }
               ],
               "title": "Group to data rights mapping",
               "type": "object"
            }
         },
         "required": [
            "issuer",
            "keyId",
            "keyFile",
            "secretsFile"
         ],
         "title": "OIDCServerSettings",
         "type": "object"
      },
      "OIDCSettings": {
         "additionalProperties": false,
         "description": "pydantic model of OpenID Connect configuration.",
         "properties": {
            "clientId": {
               "title": "Clientid",
               "type": "string"
            },
            "clientSecretFile": {
               "format": "path",
               "title": "Clientsecretfile",
               "type": "string"
            },
            "loginUrl": {
               "format": "uri",
               "minLength": 1,
               "title": "Loginurl",
               "type": "string"
            },
            "loginParams": {
               "additionalProperties": {
                  "type": "string"
               },
               "default": {},
               "description": "Additional parameters to the login URL",
               "title": "Additional login parameters",
               "type": "object"
            },
            "redirectUrl": {
               "format": "uri",
               "minLength": 1,
               "title": "Redirecturl",
               "type": "string"
            },
            "tokenUrl": {
               "format": "uri",
               "minLength": 1,
               "title": "Tokenurl",
               "type": "string"
            },
            "enrollmentUrl": {
               "anyOf": [
                  {
                     "format": "uri",
                     "minLength": 1,
                     "type": "string"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null,
               "title": "Enrollmenturl"
            },
            "scopes": {
               "default": [],
               "description": "Scopes to request from the authentication provider. The ``openid`` scope will always be added and does not need to be specified.",
               "items": {
                  "type": "string"
               },
               "title": "Scopes to request",
               "type": "array"
            },
            "issuer": {
               "title": "Issuer",
               "type": "string"
            },
            "audience": {
               "title": "Audience",
               "type": "string"
            },
            "usernameClaim": {
               "default": "uid",
               "title": "Usernameclaim",
               "type": "string"
            }
         },
         "required": [
            "clientId",
            "clientSecretFile",
            "loginUrl",
            "redirectUrl",
            "tokenUrl",
            "issuer",
            "audience"
         ],
         "title": "OIDCSettings",
         "type": "object"
      },
      "QuotaGrantSettings": {
         "additionalProperties": false,
         "description": "One grant of quotas.\n\nThere may be one of these per group, as well as a default one, in the\noverall quota configuration.",
         "properties": {
            "api": {
               "additionalProperties": {
                  "type": "integer"
               },
               "default": {},
               "description": "Mapping of service names to quota of requests per 15 minutes",
               "title": "Service quotas",
               "type": "object"
            },
            "notebook": {
               "anyOf": [
                  {
                     "$ref": "#/$defs/NotebookQuotaSettings"
                  },
                  {
                     "type": "null"
                  }
               ],
               "default": null
            }
         },
         "title": "QuotaGrantSettings",
         "type": "object"
      },
      "QuotaSettings": {
         "additionalProperties": false,
         "description": "Quota settings.",
         "properties": {
            "default": {
               "$ref": "#/$defs/QuotaGrantSettings"
            },
            "groups": {
               "additionalProperties": {
                  "$ref": "#/$defs/QuotaGrantSettings"
               },
               "default": {},
               "description": "Additional quota grants by group name",
               "title": "Quota grants by group",
               "type": "object"
            }
         },
         "required": [
            "default"
         ],
         "title": "QuotaSettings",
         "type": "object"
      }
   },
   "additionalProperties": false,
   "required": [
      "realm",
      "sessionSecretFile",
      "redisUrl",
      "databaseUrl",
      "afterLogoutUrl",
      "initialAdmins"
   ]
}

Fields:
Validators:
field afterLogoutUrl: AnyHttpUrl [Required] (name 'after_logout_url')

Default URL to which to send the user after logging out.

Constraints:
  • allowed_schemes = [‘http’, ‘https’]

Validated by:
  • _validate_userinfo

field bootstrapTokenFile: Path | None = None (name 'bootstrap_token_file')

File containing the bootstrap authentication token.

This token can be used with specific routes in the admin API to change the list of admins and create service and user tokens.

Validated by:
  • _validate_userinfo

field cadcBaseUuid: UUID | None = None (name 'cadc_base_uuid')

Namespace UUID used to generate UUIDs for CADC-compatible auth.

Validated by:
  • _validate_userinfo

field databasePasswordFile: Path | None = None (name 'database_password_file')

File containing the password for the PostgreSQL database.

Validated by:
  • _validate_userinfo

field databaseUrl: str [Required] (name 'database_url')

URL for the PostgreSQL database.

Validated by:
  • _validate_userinfo

HTML to add (inside <p>) to login error pages.

Validated by:
  • _validate_userinfo

field firestore: FirestoreSettings | None = None

Settings for Firestore-based UID/GID assignment.

Validated by:
  • _validate_userinfo

field github: GitHubSettings | None = None

Settings for the GitHub authentication provider.

Validated by:
  • _validate_userinfo

field groupMapping: dict[str, list[str | GitHubGroup]] = {} (name 'group_mapping')

Mappings of scopes to lists of groups that provide them

Validated by:
  • _validate_userinfo

field initialAdmins: list[str] [Required] (name 'initial_admins')

Initial token administrators to configure when initializing database.

Validated by:
  • _validate_initial_admins

  • _validate_userinfo

field knownScopes: dict[str, str] = {} (name 'known_scopes')

Known scopes (the keys) and their descriptions (the values)

Validated by:
  • _valid_known_scopes

  • _validate_userinfo

field ldap: LDAPSettings | None = None

Settings for the LDAP-based group lookups with OIDC provider.

Validated by:
  • _validate_userinfo

field logLevel: LogLevel = LogLevel.INFO (name 'log_level')

Logging level.

Validated by:
  • _validate_userinfo

field oidc: OIDCSettings | None = None

Settings for the OpenID Connect authentication provider.

Validated by:
  • _validate_userinfo

field oidcServer: OIDCServerSettings | None = None (name 'oidc_server')

Settings for the internal OpenID Connect server.

Validated by:
  • _validate_userinfo

field proxies: list[IPv4Network | IPv6Network] | None = None

Trusted proxy IP netblocks in front of Gafaelfawr.

If this is set to a non-empty list, it will be used as the trusted list of proxies when parsing X-Forwarded-For for the /auth route. IP addresses from that header will be discarded from the right side when they are within a netblock in this list until a non-matching IP is reached or there is only one IP left, and then that IP will be used as the remote IP for logging purposes. This will allow logging of accurate client IP addresses.

Validated by:
  • _validate_userinfo

field quota: QuotaSettings | None = None

Quota for users.

Validated by:
  • _validate_userinfo

field realm: str [Required]

Realm for HTTP authentication.

Validated by:
  • _validate_userinfo

field redisPasswordFile: Path | None = None (name 'redis_password_file')

File containing the password to use when connecting to Redis.

Validated by:
  • _validate_userinfo

field redisUrl: str [Required] (name 'redis_url')

URL for the Redis server that stores sessions.

Validated by:
  • _validate_userinfo

field sessionSecretFile: Path [Required] (name 'session_secret_file')

File containing encryption secret for session cookie and store.

Validated by:
  • _validate_userinfo

field slackWebhookFile: Path | None = None (name 'slack_webhook_file')

File containing the Slack webhook to which to post alerts.

Validated by:
  • _validate_userinfo

field tokenLifetimeMinutes: int = 1380 (name 'token_lifetime_minutes')

Number of minutes into the future that a token should expire.

Validated by:
  • _validate_userinfo