motley_cue.confΒΆ

## Configuration for motley_cue

########
[mapper]
########
## various service-specific settings
##
## log_level -- default: WARNING
log_level = WARNING
## log_file -- default: /dev/stderr
# log_file = /var/log/motley_cue/mapper.log
##
## enable swagger documentation -- default: False
# enable_docs = False
## location of swagger docs -- default: /docs
# docs_url = /docs
## location of redoc docs -- default: /redoc
# redoc_url = /redoc
##
## API version -- default: v1
## supported versions: v1
# api_version = v1

############
[mapper.otp]
############
## use one-time passwords (OTP) instead of tokens as ssh password -- default: True
## this can be used when access tokens are too long to be used as passwords (>1k)
# use_otp = True
##
## backend for storing the OTP-AT mapping -- default: memory
## supported backends: memory, sqlite, sqlitedict
## memory: stores the mapping in memory, will be lost on restart; cannot be used in
##         a multi-process environment, e.g. with gunicorn
## sqlite: stores the mapping in a sqlite database
## sqlitedict: stores the mapping in a sqlite database, but uses a python dict
##             as cache, so that the database is only accessed on changes
# backend = memory
##
## location for storing token database -- default: /tmp/tokenmap.db
## only used when backend is sqlite or sqlitedict
## a prefix of ${backend}_ is added to the filename to avoid conflicts
# db_location = /tmp/tokenmap.db
## path to file containing key for encrypting token db -- default: /tmp/motley_cue.key
## key must be a URL-safe base64-encoded 32-byte key, and it will be created if it doesn't exist
# keyfile = /tmp/motley_cue.key


#########
[privacy]
#########
## configuration related to privacy policy
##
## contact information for service operator to be included in privacy policy -- default: NOT CONFIGURED
## this is an email address and MUST be filled in
# privacy_contact = NOT CONFIGURED
##
## privacy policy location (markdown file) -- default: /etc/motley_cue/privacystatement.md
# privacy_file = /etc/motley_cue/privacystatement.md


#########
[DEFAULT]
#########
## Magic section that provides default values for all sections below.
## These values are overwritten by values in each section, if specified.
## DO NOT CHANGE this section unless you really want to apply the changes to ALL OPs.
##
## this is the only key without a default value, must be specified for each section
# op_url =
##
## scopes required from the OP to access the service -- default: ["openid", "profile", "email", "eduperson_entitlement"]
## sane defaults for each OP are provided in the examples below
scopes = ["openid", "profile", "email", "eduperson_entitlement"]
##
######################
## USER AUTHORISATION
######################
## authorise all users from trusted OP, defaults to False if not specified
authorise_all = False
## list of VOs whose users are authorised to use the service
authorised_vos = []
## the OIDC claim containing the VOs specified above
vo_claim = eduperson_entitlement
## how many VOs need to be matched from the list, valid options: all, one, or an int
## defaults to one if not specified
vo_match = one
## list of individual users authorised to use the service
## specified through OIDC 'sub', relative to the section's OP ('iss')
## defaults to empy list if not specified
authorised_users = []
##
## audience claim specific to this service (OPTIONAL); it can be a string or a list of strings
## if empty or not specified, audience checking will not be used for authorisation
## !! be aware that many OPs do not support this feature, in which case it will be ignored for authorisation
# audience = ssh_localhost
##
## You can find out your 'sub' and VOs you are a member of by using flaat:
##      $ pip install flaat
##      $ flaat-userinfo $TOKEN
## where $TOKEN contains an Access Token from the OP you are interested it.
## A commandline tool to retrieve access tokens is:
##      oidc-agent [https://github.com/indigo-dc/oidc-agent]
##
#################################################################################
## ADMIN AUTHORISATION
##
## Each OP includes authorisation for the /admin endpoint,
## which allows suspending and resuming access for given users.
##
## Currently, only individual admins can be authorised (by 'sub' claim).
## This is meant for infrastructure security contacts.
## In the future, we plan to support this feature for VO managers too, to suspend
## members of their own VO (by using VO roles encoded in AARC-G002 entitlements).
##################################################################################
## list of authorised admins
authorised_admins = []
## allow admins to suspend users from any OP
## defaults to False, which means an admin can only suspend users from their own OP
# authorise_admins_for_all_ops = False




#########################################################################################
## AUTHORISATION PER OIDC PROVIDER
##
## The following sections are used to configure auhtorisation of users from multiple OPs.
## Any section named [authorisation.*] configures the authorisation for a single OP.
##
## Feel free to add more sections to support your desired OPs.
## You can overwrite any of the default values by simply specifying a new value.
## Take a look at the examples in the comments to help get you started.
#########################################################################################

###################
[authorisation.egi]
###################
op_url = https://aai.egi.eu/auth/realms/egi

## USER AUTHORISATION
## In this example, there is one VO whose members can use the service.
## In addition, individual users are authorised by 'sub' claim.
## These users don't have to be members of the authorised VOs.
# authorised_vos = [
#         "urn:mace:egi.eu:group:eosc-synergy.eu:role=member"
#     ]
# authorised_users = [
#         "c2370093c19496aeb46103cce3ccdc7b183f54ac9ba9c859dea94dfba23aacd5@egi.eu"
#     ]

## ADMIN AUTHORISATION
## In this example, the three admins specified below can suspend any user on this service.
# authorised_admins = [
#         "d7a53cbe3e966c53ac64fde7355956560282158ecac8f3d2c770b474862f4756@egi.eu",
#         "7ca006d6b7e61023cec493a74e57849ae9145815@eduteams.org",
#         "c2370093c19496aeb46103cce3ccdc7b183f54ac9ba9c859dea94dfba23aacd5@egi.eu"
#     ]
# authorise_admins_for_all_ops = True

###################
[authorisation.egi-dev]
###################
op_url = https://aai-dev.egi.eu/auth/realms/egi


###################
[authorisation.wlcg]
###################
op_url =  https://wlcg.cloud.cnaf.infn.it/

## if you plan to use oidc-agent forwarding for delegation and need more scopes, add them too.
## e.g. for wlcg: storage.read:/ storage.create:/ compute.read compute.modify compute.create compute.cancel storage.modify:/ storage.stage:/
scopes = ["openid", "profile", "email", "wlcg", "wlcg.groups", "eduperson_entitlement"]

## USER AUTHORISATION
## In this example, there is one VO whose members can use the service,
## found in the 'wlcg.groups' claim
# authorised_vos = [
#         "/wlcg"
#     ]
# vo_claim = wlcg.groups
## you can set different audience values per OP, e.g.
# audience = ssh_localhost_wlcg

## ADMIN AUTHORISATION
## no admin users allowed from this OP


#############################
[authorisation.helmholtz-dev]
#############################
op_url = https://login-dev.helmholtz.de/oauth2

## USER AUTHORISATION
## In this example, the user has to be a member of all the specified VOs.
# authorised_vos = [
#         "urn:geant:helmholtz.de:group:KIT#login-dev.helmholtz.de",
#         "urn:geant:helmholtz.de:group:Helmholtz-member#login-dev.helmholtz.de"
#     ]
# vo_match = all

## ADMIN AUTHORISATION
## no admin users allowed from this OP


###################
[authorisation.kit]
###################
op_url = https://oidc.scc.kit.edu/auth/realms/kit

## KIT supports scope 'entitlements' instead of 'eduperson_entitlement'
scopes = ["openid", "profile", "email", "entitlements"]

## USER AUTHORISATION
## In this example, any KIT user can access the service.
# authorise_all = True

## ADMIN AUTHORISATION
## In this example, two admins are authorised to suspend / resume accounts
## of KIT users on this service.
# authorised_admins = [
#         "4cbcd471-1f51-4e54-97b8-2dd5177e25ec",
#         "d0c5d6f7-ca8b-4430-954f-37289ab38913"
#     ]


####################
[authorisation.deep]
####################
op_url = https://iam.deep-hybrid-datacloud.eu

## USER AUTHORISATION
## example for supported VOs with a different claim
# authorised_vos = [
#         "KIT-Cloud"
#     ]
# vo_claim = groups

## ADMIN AUTHORISATION
## no admin users allowed from this OP


#########################
[authorisation.helmholtz]
#########################
op_url = https://login.helmholtz.de/oauth2/

## USER AUTHORISATION
## In this example, when no additional authorisation is specified besides the OP URL,
## no users from this OP are in fact authorised on the service.

## ADMIN AUTHORISATION
## In this example, even though Helmholtz users are not authorised on this service,
## the admin specified can suspend users from other OPs.
## Note that the admin is NOT authorised to USE the service.
# authorised_admins = [
#         "6c611e2a-2c1c-487f-9948-c058a36c8f0e"
#     ]
# authorise_admins_for_all_ops = True


######################
[authorisation.google]
######################
## OPs like google have opaque tokens instead of JWT. Furthermore, there is little
## information that can be retrieved about a user and used for authN & authZ.
## As such, only the 'sub' claim can reliably be used for authorisation below.
## Keep in mind that the assurance of google accounts is probably not sufficient
## You can configure allowed assurance profiles in feudal_adapter.conf
op_url = https://accounts.google.com/

## google does not support the eduperson_entitlement scope
scopes = ["openid", "profile"]

## USER AUTHORISATION
## In this example, individual users are authorised by 'sub' claim.
# authorised_users = [
#         "THIS-IS-A-SUB-CLAIM"
#     ]

## ADMIN AUTHORISATION
## no admin users allowed from this OP