You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
unboundedpress/restheart/etc/restheart.yml.template

444 lines
19 KiB
Plaintext

This file contains invisible Unicode characters!

This file contains invisible Unicode characters that may be processed differently from what appears below. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to reveal hidden characters.

## RESTHeart Configuration File.
---
#### Listeners
# Listeners allow to specify the protocol, ip, port and to use.
# The supported protocols are: http, https and ajp. You can setup a listener per protocol (up to 3).
# WARNING: RESTHeart uses basic authentication; usernames and passwords are sent over the net on each request.
# Using the http listener is not secure: users credentials can be sniffed by a man-in-the-middle attack.
# Use the http listener only on trusted environments.
https-listener: true
https-host: 0.0.0.0
https-port: 4443
http-listener: true
http-host: 0.0.0.0
http-port: 8080
ajp-listener: false
ajp-host: 0.0.0.0
ajp-port: 8009
#### Instance
# The name of this restheart instance. displayed in log, also allows to implement instance specific custom code
# For instance, an email notifier hook can send emails to a test email address in development environments
instance-name: {{{ instance-name }}}
# Optional base URL for the instance. When RESTHeart is exposed via a reverse-proxy
# or an API gateway it allows mapping the Location header correctly.
#instance-base-url: http://localhost
#### default representation format (PLAIN_JSON or HAL)
default-representation-format: {{{ default-representation-format }}}
#### use Ansi console for logging. Default to 'true' if parameter missing, for backward compatibility
ansi-console: true
#### Allow unescaped characters in URL
# Starting with Undertow 1.4.23 URLs validation became much stricter.
# However, this is breaking existing clients. Now you can decide which behaviour you prefer
allow-unescaped-characters-in-url: true
#### SSL Configuration
# Configure the keystore to enable the https listener.
# RESTHeart comes with a self-signed certificate that makes straightforward enabling https.
# Specify use-embedded-keystore: true to use it (this is the default setting).
# Using the self-signed certificate leads to issues with some clients;
# for instance, with curl you need to specify the "--insecure" option or you'll get an error message.
use-embedded-keystore: true
# To use your own certificate you need to import it (and eventually the CA certificates chain) into a java keystore
# and specify use-embedded-keystore: false and the keystore-file,keystore-password and certpassword configuration properties.
# Refer to the java keystore documentation for that.
#keystore-file: /path/to/keystore/file
#keystore-password: password
#certpassword: password
#### MongoDB
# Specify the mongodb connection using a Mongo Client URI.
# The format of the URI is:
# mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
#
# The URI option authSource allows to specify the authetication database, example:
# mongodb://user:secret@127.0.0.1/?authSource=authdb
#
# More information at http://api.mongodb.org/java/current/com/mongodb/MongoClientURI.html
# Be sure that the following credentials match with the
# MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD in docker-compose.yml
# WARNING: change in both files the below default credentials!
mongo-uri: {{{ mongo-uri }}}
# Use mongo-mounts to bind URls to mongodb resources using the out-of-the-box URL rewrite feature.
# The where URI can be an absolute path (eg. /api) or path template (eg. /{foo}/bar/*).
# The values of the path templates properties are available:
# - in the what property (e.g. what: /{foo}_db/coll)
# - programmatically from RequestContext.getPathTemplateParamenters() method.
# It is not possible to mix absolute paths and path templates: where URIs need to be
# either all absolute paths or all path templates.
mongo-mounts:
- what: "*"
where: /
#### Static Web Resources
# Static web resources to bind to the specified URL.
# The 'what' property is the path of the directory containing the resources.
# The path is either absolute (starting with /) or relative to the restheart.jar directory
# If embedded is true, the resources are either included in the restheart.jar or in the classpath
static-resources-mounts:
- what: browser
where: /browser
welcome-file: browser.html
secured: false
embedded: true
### Initializer
# A custom initializer implmenting the org.restheart.init.Initializer interface
# Can be used to inizialize data or add global transformers, checkers or security predicates
# See org.restheart.init.TestInitializer for a simple example
#initializer-class: org.restheart.init.TestInitializer
#### Application Logic
# RESTHeart has a pipeline architecture where specialized undertow handlers are chained to serve the requests.
# In order to provide additional application logic, custom hanlders pipes can be bound under the /_logic URL.
# The custom hanlder must extends the org.restheart.handlers.ApplicationLogicHandler class
# Use application-logic-mounts to configure custom handlers.
# In the following example two built-in application logic handlers are defined:
# PingHandler bound to /_logic/ping that implements a simple ping service
# GetRoleHandler bound to /_logic/roles that returns the current user authentication status and eventually its roles
# CacheInvalidator bound to /_logic/ic that invalidates a db or collection cache entry
application-logic-mounts:
- what: org.restheart.handlers.applicationlogic.PingHandler
where: /ping
secured: false
args:
msg: "ciao from the restheart team"
- what: org.restheart.handlers.applicationlogic.GetRoleHandler
where: /roles
secured: false
args:
url: /_logic/roles
- what: org.restheart.handlers.applicationlogic.CacheInvalidator
where: /ic
secured: true
- what: org.restheart.handlers.applicationlogic.CsvLoaderHandler
where: /csv
secured: true
### Metadata Named Singletons
# Metadata implementation can rely on singletons, this section configures the
# singleton factory #org.restheart.metadata.NamedSingletonsFactory
metadata-named-singletons:
# checkers group used by handler:
# org.restheart.handlers.metadata.CheckMetadataHandler
# More information in checkers javadoc
- group: checkers
interface: org.restheart.metadata.checkers.Checker
singletons:
- name: jsonSchema
class: org.restheart.metadata.checkers.JsonSchemaChecker
- name: checkContent
class: org.restheart.metadata.checkers.JsonPathConditionsChecker
- name: checkContentSize
class: org.restheart.metadata.checkers.ContentSizeChecker
# transformers group used by handlers:
# org.restheart.handlers.metadata.RequestTransformerMetadataHandler and
# org.restheart.handlers.metadata.ResponseTransformerMetadataHandler
# More information in transformers javadoc
- group: transformers
interface: org.restheart.metadata.transformers.Transformer
singletons:
- name: addRequestProperties
class: org.restheart.metadata.transformers.RequestPropsInjecterTransformer
- name: filterProperties
class: org.restheart.metadata.transformers.FilterTransformer
- name: stringsToOids
class: org.restheart.metadata.transformers.ValidOidsStringsAsOidsTransformer
- name: oidsToStrings
class: org.restheart.metadata.transformers.OidsAsStringsTransformer
- name: writeResult
class: org.restheart.metadata.transformers.WriteResultTransformer
- name: hashProperties
class: org.restheart.metadata.transformers.HashTransformer
# hooks group used by handler:
# org.restheart.handlers.metadata.HookHandler
# More information in hook javadoc
- group: hooks
interface: org.restheart.metadata.hooks.Hook
singletons:
- name: snooper
class: org.restheart.metadata.hooks.SnooperHook
### Security
# The security is configured by setting:
# idm: the Identity Manager responsible of authentication
# access-manager: the Access Manager responsible of authorization
# auth-mechanism: the additional Authentication Mechanism to use
# The RESTHeart security is pluggable and you can provide you own
# implementation of both IDM and AM. the provided default
# implementations of IDM and AM are SimpleFileIdentityManager,
# DbIdentityManager, JwtIdentityManager and SimpleAccessManager.
# conf-file paths are either absolute (starting with /)
# or relative to the restheart.jar directory
idm:
implementation-class: org.restheart.security.impl.SimpleFileIdentityManager
conf-file: ./etc/security.yml
access-manager:
implementation-class: org.restheart.security.impl.SimpleAccessManager
conf-file: ./etc/security.yml
# RESTHeart uses the BasicAuthenticationMechanism by default.
# A different mechanism can be specified via the auth-mechanism configuration option
# the implementation-class must specify a factory class implementing
# the interface org.restheart.security.AuthenticationMechanismFactory
# See http://undertow.io/undertow-docs/undertow-docs-2.0.0/index.html#security
# JwtAuthenticationManagerFactory and IdentityAuthenticationManagerFactory
# for example implementations
# Identity Authentication Manager
# All requests are bound to the specified user
#auth-mechanism:
# implementation-class: org.restheart.security.impl.IdentityAuthenticationManagerFactory
# username: a
# pwd: a
# Jwt Authentication Manager
# Authentication via Json Web Token https://jwt.io
# algorithm: RSA (RS256 | RS384 |RS512) or HMAC (HS256 | HS384 | HS512)
# key: for RSA the base64 encoded of the public key; for HMAC, the secret key
# base64Encoded: set to true if the jwt token is base64 encoded. optional, default valud: false
# usernameClaim: the claim that holds the username. optional, default value: 'sub' (jwt subject).
# rolesClaim: the claim that holds the roles as string or array of strings
# issuer: verify the issues (iss claim). optional, default value matches: null (don't check iss)
# audience: verify the audience (aud claim). optional, default value matches: null (don't check aud)
#auth-mechanism:
# implementation-class: org.restheart.security.impl.JwtAuthenticationManagerFactory
# algorithm: HS256
# key: secret
# base64Encoded: false
# usernameClaim: sub
# rolesClaim: roles
# issuer: myIssuer
# audience: myAudience
# Authentication Token
# Note: you need to pay attention to the authentitcation token in case of multi-node deployments (horizontal scalability).
# In this case, you need to either disable it or use a load balancer with the sticky session option
# or use a distributed auth token cache implementation (not provided in the current version).
auth-token-enabled: {{{ auth-token-enabled }}}
auth-token-ttl: {{{ auth-token-ttl }}}
# Check if aggregation variables use operators. allowing operators in aggregation variables
# is risky. requester can inject operators modifying the query
aggregation-check-operators: true
#### Logging
# enable-log-console: true => log messages to the console (default value: true)
# enable-log-file: true => log messages to a file (default value: true)
# log-file-path: to specify the log file path (default value: restheart.log in system temporary directory)
# log-level: to set the log level. Value can be OFF, ERROR, WARN, INFO, DEBUG, TRACE and ALL. (default value is INFO)
# requests-log-level: log the request-response. 0 => no log, 1 => light log, 2 => detailed dump
# requests-log-trace-headers: add the HTTP headers you want to be put on the MDC for logback. Use with %X{header-name} in logback.xml.
# Useful for tracing support in the logs. Leave empty to deactivate this feature.
# metrics-gathering-level: metrics gathering for which level? OFF => no gathering, ROOT => gathering at root level,
# DATABASE => at db level, COLLECTION => at collection level
# WARNING: use requests-log-level level 2 only for development purposes, it logs user credentials (Authorization and Auth-Token headers)
enable-log-file: true
log-file-path: /var/log/restheart.log
enable-log-console: true
log-level: INFO
requests-log-level: 1
metrics-gathering-level: DATABASE
requests-log-trace-headers:
# - x-b3-traceid # vv Zipkin headers, see https://github.com/openzipkin/b3-propagation
# - x-b3-spanid
# - x-b3-parentspanid
# - x-b3-sampled # ^^
# - uber-trace-id # jaeger header, see https://www.jaegertracing.io/docs/client-libraries/#trace-span-identity
# - traceparent # vv opencensus.io headers, see https://github.com/w3c/distributed-tracing/blob/master/trace_context/HTTP_HEADER_FORMAT.md
# - tracestate # ^^
#### ETag policy
# the following configuration defines the default etag check policy
# the policy applies for dbs, collections (also applies to file buckets) and documents
# valid values are REQUIRED, REQUIRED_FOR_DELETE, OPTIONAL
etag-check-policy:
db: REQUIRED_FOR_DELETE
coll: REQUIRED_FOR_DELETE
doc: OPTIONAL
#### Performace Settings
## Read Performance
# default-pagesize is the number of documents returned when the pagesize query
# parameter is not specified
# see https://restheart.org/learn/query-documents/#paging
default-pagesize: {{{ default-pagesize }}}
# max-pagesize sets the maximum allowed value of the pagesize query parameter
# generally, the greater the pagesize, the more json serializan overhead occurs
# the rule of thumb is not exeeding 1000
max-pagesize: 1000
# cursor-batch-size sets the mongodb cursor batchSize
# see https://docs.mongodb.com/manual/reference/method/cursor.batchSize/
# cursor-batch-size should be smaller or equal to the max-pagesize
# the rule of thumb is setting cursor-batch-size equal to max-pagesize
# a small cursor-batch-size (e.g. 101, the default mongodb batchSize)
# speeds up requests with small pagesize
cursor-batch-size: 1000
## Eager DB Cursor Preallocation Policy
# In big collections, reading a far page involves skipping the db cursor for many documents resulting in a performance bottleneck
# For instance, with default pagesize of 100, a GET with page=50.000 involves 500.000 skips on the db cursor.
# The eager db cursor preallocation engine boosts up performaces (in some use cases, up to 1000%). the following options control its behavior.
eager-cursor-allocation-pool-size: 100
eager-cursor-allocation-linear-slice-width: 1000
eager-cursor-allocation-linear-slice-delta: 100
eager-cursor-allocation-linear-slice-heights: [ 4, 2, 1 ]
eager-cursor-allocation-random-max-cursors: 20
eager-cursor-allocation-random-slice-min-width: 1000
# In order to save bandwitdth RESTHeart can force requests to support the giz encoding (if not, requests will be rejected)
force-gzip-encoding: false
# local-cache allows to cache the db and collection properties to drammatically improve performaces.
# Without caching, a GET on a document would requires two additional queries to retrieve the db and the collection properties.
# Pay attention to local caching only in case of multi-node deployments (horizontal scalability).
# In this case a change in a db or collection properties would reflect on other nodes at worst after the TTL (cache entries time to live).
# In most of the cases Dbs and collections properties only change at development time.
local-cache-enabled: true
# TTL in milliseconds; specify a value < 0 to never expire cached entries
local-cache-ttl: 1000
schema-cache-enabled: true
# TTL in milliseconds; specify a value < 0 to never expire cached entries
schema-cache-ttl: 60000
# Limit for the maximum number of concurrent requests being served
requests-limit: 1000
# Time limit in milliseconds for processing queries on the server (without network latency). 0 means no time limit
query-time-limit: 0
# Time limit in milliseconds for processing aggregations on the server (without network latency). 0 means no time limit
aggregation-time-limit: 0
# Number of I/O threads created for non-blocking tasks. at least 2. suggested value: core*2
io-threads: 2
# Number of threads created for blocking tasks (such as ones involving db access). suggested value: core*16
worker-threads: 8
# Use 16k buffers for best performance - as in linux 16k is generally the default amount of data that can be sent in a single write() call
buffer-size: 16384
buffers-per-region: 20
# Should the buffer pool use direct buffers, this instructs the JVM to use native (if possible) I/O operations on the buffers
direct-buffers: true
#### Connetction Options
## see http://undertow.io/undertow-docs/undertow-docs-2.0.0/index.html#common-listener-options
connection-options:
# The maximum size of a HTTP header block, in bytes.
# If a client sends more data that this as part of the request header then the connection will be closed.
# Defaults to 1Mbyte.
MAX_HEADER_SIZE: 1048576
# The default maximum size of a request entity.
# Defaults to unlimited.
MAX_ENTITY_SIZE: -1
#The default maximum size of the HTTP entity body when using the mutiltipart parser.
# Generall this will be larger than MAX_ENTITY_SIZE
# If this is not specified it will be the same as MAX_ENTITY_SIZE
MULTIPART_MAX_ENTITY_SIZE: -1
# The idle timeout in milliseconds after which the channel will be closed.
# If the underlying channel already has a read or write timeout set
# the smaller of the two values will be used for read/write timeouts.
# Defaults to unlimited (-1).
IDLE_TIMEOUT: -1
# The maximum allowed time of reading HTTP request in milliseconds.
# -1 or missing value disables this functionality.
REQUEST_PARSE_TIMEOUT: -1
# The amount of time the connection can be idle with no current requests
# before it is closed;
# Defaults to unlimited (-1).
NO_REQUEST_TIMEOUT: -1
# The maximum number of query parameters that are permitted in a request.
# If a client sends more than this number the connection will be closed.
# This limit is necessary to protect against hash based denial of service attacks.
# Defaults to 1000.
MAX_PARAMETERS: 1000
# The maximum number of headers that are permitted in a request.
# If a client sends more than this number the connection will be closed.
# This limit is necessary to protect against hash based denial of service attacks.
# Defaults to 200.
MAX_HEADERS: 200
# The maximum number of cookies that are permitted in a request.
# If a client sends more than this number the connection will be closed.
# This limit is necessary to protect against hash based denial of service attacks.
# Defaults to 200.
MAX_COOKIES: 200
# The charset to use to decode the URL and query parameters.
# Defaults to UTF-8.
URL_CHARSET: UTF-8
# If this is true then a Connection: keep-alive header will be added to responses,
# even when it is not strictly required by the specification.
# Defaults to true
ALWAYS_SET_KEEP_ALIVE: true
# If this is true then a Date header will be added to all responses.
# The HTTP spec says this header should be added to all responses,
# unless the server does not have an accurate clock.
# Defaults to true
ALWAYS_SET_DATE: true