[ARVADOS] updated: 1.3.0-1246-g8f653bcac
Git user
git at public.curoverse.com
Wed Jul 3 13:28:19 UTC 2019
Summary of changes:
apps/workbench/app/models/arvados_api_client.rb | 4 +-
.../app/views/application/_breadcrumbs.html.erb | 2 +-
apps/workbench/config/application.default.yml | 201 +--------------------
apps/workbench/config/arvados_config.rb | 8 +-
.../controllers/application_controller_test.rb | 2 +-
build/run-tests.sh | 11 +-
lib/config/cmd.go | 14 +-
lib/config/config.default.yml | 145 +++++++++++++--
lib/config/generated_config.go | 145 +++++++++++++--
sdk/go/arvados/config.go | 1 +
services/api/config/arvados_config.rb | 4 +-
11 files changed, 283 insertions(+), 254 deletions(-)
via 8f653bcac661fd5dae37c9f93d9027bb2242b8db (commit)
from cf98484b422c29dfa251da5a176e18096f09aa7a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 8f653bcac661fd5dae37c9f93d9027bb2242b8db
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Wed Jul 3 09:20:43 2019 -0400
14812: Migrate previously missed config items
Remove defaults from application.default.yml that now come from
arvados-server
Migrate comments describing configuration items
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/apps/workbench/app/models/arvados_api_client.rb b/apps/workbench/app/models/arvados_api_client.rb
index 6be15c698..3c9bfa793 100644
--- a/apps/workbench/app/models/arvados_api_client.rb
+++ b/apps/workbench/app/models/arvados_api_client.rb
@@ -61,7 +61,7 @@ class ArvadosApiClient
404 => NotFoundException,
}
- @@profiling_enabled = Rails.configuration.profiling_enabled
+ @@profiling_enabled = Rails.configuration.Workbench.ProfilingEnabled
@@discovery = nil
# An API client object suitable for handling API requests on behalf
@@ -101,7 +101,7 @@ class ArvadosApiClient
.select { |ca_path| File.readable?(ca_path) }
.each { |ca_path| @api_client.ssl_config.add_trust_ca(ca_path) }
end
- if Rails.configuration.api_response_compression
+ if Rails.configuration.Workbench.APIResponseCompression
@api_client.transparent_gzip_decompression = true
end
end
diff --git a/apps/workbench/app/views/application/_breadcrumbs.html.erb b/apps/workbench/app/views/application/_breadcrumbs.html.erb
index 8be27fc7b..c3c2e07da 100644
--- a/apps/workbench/app/views/application/_breadcrumbs.html.erb
+++ b/apps/workbench/app/views/application/_breadcrumbs.html.erb
@@ -31,7 +31,7 @@ SPDX-License-Identifier: AGPL-3.0 %>
<i class="glyphicon fa-fw glyphicon-search"></i> Search all projects ...
<% end %>
</li>
- <% if !Rails.configuration.Users.AnonymousUserToken.empty? and Rails.configuration.enable_public_projects_page %>
+ <% if !Rails.configuration.Users.AnonymousUserToken.empty? and Rails.configuration.Workbench.EnablePublicProjectsPage %>
<li role="menuitem"><a href="/projects/public" role="menuitem"><i class="fa fa-fw fa-list"></i> Browse public projects </a>
</li>
<% end %>
diff --git a/apps/workbench/config/application.default.yml b/apps/workbench/config/application.default.yml
index 2fa844239..9ea2cb34a 100644
--- a/apps/workbench/config/application.default.yml
+++ b/apps/workbench/config/application.default.yml
@@ -73,18 +73,6 @@ production:
profiling_enabled: false
log_level: info
- arvados_insecure_https: false
-
- data_import_dir: /data/arvados-workbench-upload/data
- data_export_dir: /data/arvados-workbench-download/data
-
- # API server configuration
- arvados_login_base: ~
- arvados_v1_base: ~
- arvados_insecure_https: ~
-
- site_name: Arvados Workbench
-
test:
cache_classes: true
eager_load: false
@@ -133,65 +121,6 @@ test:
common:
assets.js_compressor: false
assets.css_compressor: false
- data_import_dir: /tmp/arvados-workbench-upload
- data_export_dir: /tmp/arvados-workbench-download
- arvados_login_base: https://arvados.local/login
- arvados_v1_base: https://arvados.local/arvados/v1
- arvados_insecure_https: true
- activation_contact_link: mailto:info at arvados.org
- arvados_docsite: http://doc.arvados.org
- arvados_public_data_doc_url: http://arvados.org/projects/arvados/wiki/Public_Pipelines_and_Datasets
- arvados_theme: default
- show_user_agreement_inline: false
- secret_token: ~
- secret_key_base: false
- default_openid_prefix: https://www.google.com/accounts/o8/id
- send_user_setup_notification_email: true
- testing_override_login_url: false
-
- # Scratch directory used by the remote repository browsing
- # feature. If it doesn't exist, it (and any missing parents) will be
- # created using mkdir_p.
- repository_cache: <%= File.expand_path 'tmp/git', Rails.root %>
-
- # Set user_profile_form_fields to enable and configure the user
- # profile page. Default is set to false. A commented example with
- # full description is provided below.
- user_profile_form_fields: false
-
- # Below is a sample setting of user_profile_form_fields config parameter.
- # This configuration parameter should be set to either false (to disable) or
- # to an array as shown below.
- # Configure the list of input fields to be displayed in the profile page
- # using the attribute "key" for each of the input fields.
- # This sample shows configuration with one required and one optional form fields.
- # For each of these input fields:
- # You can specify "type" as "text" or "select".
- # List the "options" to be displayed for each of the "select" menu.
- # Set "required" as "true" for any of these fields to make them required.
- # If any of the required fields are missing in the user's profile, the user will be
- # redirected to the profile page before they can access any Workbench features.
- #user_profile_form_fields:
- # - key: organization
- # type: text
- # form_field_title: Institution/Company
- # form_field_description: Your organization
- # required: true
- # - key: role
- # type: select
- # form_field_title: Your role
- # form_field_description: Choose the category that best describes your role in your organization.
- # options:
- # - Bio-informatician
- # - Computational biologist
- # - Biologist or geneticist
- # - Software developer
- # - IT
- # - Other
-
- # Use "user_profile_form_message" to configure the message you want to display on
- # the profile page.
- user_profile_form_message: Welcome to Arvados. All <span style="color:red">required fields</span> must be completed before you can proceed.
# Override the automatic version string. With the default value of
# false, the version string is read from git-commit.version in
@@ -204,131 +133,5 @@ common:
# Rails.root (included in vendor packages).
package_version: false
- # report notification to and from addresses
- issue_reporter_email_from: arvados at example.com
- issue_reporter_email_to: arvados at example.com
- support_email_address: arvados at example.com
-
- # generic issue email from
- email_from: arvados at example.com
-
- # Mimetypes of applications for which the view icon
- # would be enabled in a collection's show page.
- # It is sufficient to list only applications here.
- # No need to list text and image types.
- application_mimetypes_with_view_icon: [cwl, fasta, go, javascript, json, pdf, python, x-python, r, rtf, sam, x-sh, vnd.realvnc.bed, xml, xsl]
-
- # the maximum number of bytes to load in the log viewer
- log_viewer_max_bytes: 1000000
-
- # Set anonymous_user_token to enable anonymous user access. You can get
- # the token by running "bundle exec ./script/get_anonymous_user_token.rb"
- # in the directory where your API server is running.
- anonymous_user_token: false
-
- # when anonymous_user_token is configured, show public projects page
- enable_public_projects_page: true
-
- # by default, disable the "Getting Started" popup which is specific to the public beta install
- enable_getting_started_popup: false
-
- # Ask Arvados API server to compress its response payloads.
- api_response_compression: true
-
- # Timeouts for API requests.
- api_client_connect_timeout: 120
- api_client_receive_timeout: 300
-
- # ShellInABox service endpoint URL for a given VM. If false, do not
- # offer web shell logins.
- #
- # E.g., using a path-based proxy server to forward connections to shell hosts:
- # https://webshell.uuid_prefix.arvadosapi.com/%{hostname}
- #
- # E.g., using a name-based proxy server to forward connections to shell hosts:
- # https://%{hostname}.webshell.uuid_prefix.arvadosapi.com/
- shell_in_a_box_url: false
-
- # Format of preview links. If false, use keep_web_download_url
- # instead, and disable inline preview.
- # If both are false, Workbench won't start, this is a mandatory configuration.
- #
- # Examples:
- # keep_web_url: https://%{uuid_or_pdh}.collections.uuid_prefix.arvadosapi.com
- # keep_web_url: https://%{uuid_or_pdh}--collections.uuid_prefix.arvadosapi.com
- #
- # Example supporting only public data and collection-sharing links
- # (other data will be handled as downloads via keep_web_download_url):
- # keep_web_url: https://collections.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
- keep_web_url: false
-
- # Format of download links. If false, use keep_web_url with
- # disposition=attachment query param.
- #
- # The host part of the keep_web_download_url value here must match
- # the -attachment-only-host argument given to keep-web: if
- # keep_web_download_url is "https://FOO.EXAMPLE/c=..." then keep-web
- # must run with "-attachment-only-host=FOO.EXAMPLE".
- #
- # If keep_web_download_url is false, and keep_web_url uses a
- # single-origin form, then Workbench will show an error page
- # when asked to download or preview private data.
- #
- # Example:
- # keep_web_download_url: https://download.uuid_prefix.arvadosapi.com/c=%{uuid_or_pdh}
- keep_web_download_url: false
-
- # In "trust all content" mode, Workbench will redirect download
- # requests to keep-web, even in the cases when keep-web would have
- # to expose XSS vulnerabilities in order to handle the redirect.
- #
- # When enabling this setting, the -trust-all-content flag on the
- # keep-web server must also be enabled. For more detail, see
- # https://godoc.org/github.com/curoverse/arvados/services/keep-web
- #
- # This setting has no effect in the recommended configuration, where
- # the host part of keep_web_url begins with %{uuid_or_pdh}: in this
- # case XSS protection is provided by browsers' same-origin policy.
- #
- # The default setting (false) is appropriate for a multi-user site.
- trust_all_content: false
-
- # Maximum number of historic log records of a running job to fetch
- # and display in the Log tab, while subscribing to web sockets.
- running_job_log_records_to_fetch: 2000
-
- # In systems with many shared projects, loading of dashboard and topnav
- # cab be slow due to collections indexing; use the following parameters
- # to suppress these properties
- show_recent_collections_on_dashboard: true
- show_user_notifications: true
-
- # Token to be included in all healthcheck requests. Disabled by default.
- # Workbench expects request header of the format "Authorization: Bearer xxx"
- ManagementToken: false
-
- # Enable/disable "multi-site search" in top nav (true/false), or
- # link it to the multi-site search on a remote Workbench site.
- #
- # Example:
- # multi_site_search: https://workbench.qr1hi.arvadosapi.com/collections/multisite
- multi_site_search: false
-
- #
- # Link to use for Arvados Workflow Composer app, or false if not available.
- #
- composer_url: false
-
- #
- # Should workbench allow management of local git repositories? Set to false if
- # the jobs api is disabled and there are no local git repositories.
- #
- repositories: true
-
- #
- # Add an item to the user menu pointing to workbench2_url, if not false.
- #
- # Example:
- # workbench2_url: https://workbench2.qr1hi.arvadosapi.com
- #
- workbench2_url: false
+ # only used by tests
+ testing_override_login_url: false
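Review bot: `testing_override_login_url: false` is re-added under `common:` with the comment `# only used by tests`, but `common:` is (as far as this file shows) merged into every environment including production, so a login-URL override remains a live knob outside the test suite. Either move the key under the `test:` section visible earlier in this file, or make the comment carry the constraint, e.g. `# only used by tests; must stay false in production, otherwise Workbench logins are redirected to the configured URL`. I cannot see the code that consumes this key, so whether a non-false value is honored in production is inferred from its placement rather than verified.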
diff --git a/apps/workbench/config/arvados_config.rb b/apps/workbench/config/arvados_config.rb
index baceff501..5a6cdfffa 100644
--- a/apps/workbench/config/arvados_config.rb
+++ b/apps/workbench/config/arvados_config.rb
@@ -21,7 +21,9 @@ require 'open3'
# Load the defaults, used by config:migrate and fallback loading
# legacy application.yml
-Open3.popen2("arvados-server", "config-defaults") do |stdin, stdout, status_thread|
+Open3.popen2("arvados-server", "config-dump", "-config=-") do |stdin, stdout, status_thread|
+ stdin.write("Clusters: {xxxxx: {}}")
+ stdin.close
confs = YAML.load(stdout, deserialize_symbols: false)
clusterID, clusterConfig = confs["Clusters"].first
$arvados_config_defaults = clusterConfig
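Review bot: The exit status of the `arvados-server config-dump` child is never examined — `status_thread` is ignored — so if the binary is missing from PATH or rejects the `-config=-` input, `confs` is nil or a partial document and the failure surfaces as a `NoMethodError` on `confs["Clusters"]` far from the real cause. Add a check once the output is consumed, e.g. `raise "arvados-server config-dump failed: #{status_thread.value}" unless status_thread.value.success?`. Because the result is parsed with `YAML.load`, also consider `YAML.safe_load` (or an explicit `permitted_classes:`) so this bootstrap path never instantiates arbitrary object tags from whatever binary PATH happens to resolve to; the run-tests.sh change in this same commit shows PATH ordering is already a concern here.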
@@ -52,6 +54,7 @@ arvcfg = ConfigLoader.new
arvcfg.declare_config "ManagementToken", String, :ManagementToken
arvcfg.declare_config "TLS.Insecure", Boolean, :arvados_insecure_https
+arvcfg.declare_config "Collections.TrustAllContent", Boolean, :trust_all_content
arvcfg.declare_config "Services.Controller.ExternalURL", URI, :arvados_v1_base, ->(cfg, k, v) {
u = URI(v)
@@ -97,7 +100,8 @@ arvcfg.declare_config "Workbench.ApplicationMimetypesWithViewIcon", Hash, :appli
arvcfg.declare_config "Workbench.RunningJobLogRecordsToFetch", Integer, :running_job_log_records_to_fetch
arvcfg.declare_config "Workbench.LogViewerMaxBytes", Integer, :log_viewer_max_bytes
-arvcfg.declare_config "Workbench.TrustAllContent", Boolean, :trust_all_content
+arvcfg.declare_config "Workbench.ProfilingEnabled", Boolean, :profiling_enabled
+arvcfg.declare_config "Workbench.APIResponseCompression", Boolean, :api_response_compression
arvcfg.declare_config "Workbench.UserProfileFormFields", Hash, :user_profile_form_fields, ->(cfg, k, v) {
if !v
v = []
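Review bot: `Workbench.TrustAllContent` is dropped here in favour of `Collections.TrustAllContent` (declared in the previous hunk), but no Workbench controller or view that reads the flag is touched by this commit, so any remaining reader of `Rails.configuration.Workbench.TrustAllContent` would now get nil. That fails safe — content is not trusted — but it silently discards an operator's legacy `trust_all_content: true`, which is the kind of regression that goes unnoticed until a preview link stops working. Grep the Workbench tree for `TrustAllContent` and repoint readers at `Rails.configuration.Collections.TrustAllContent`; I cannot see those readers from this diff, so this is inferred from the declaration change alone.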
diff --git a/apps/workbench/test/controllers/application_controller_test.rb b/apps/workbench/test/controllers/application_controller_test.rb
index 9acb8cadb..72c3e0ab0 100644
--- a/apps/workbench/test/controllers/application_controller_test.rb
+++ b/apps/workbench/test/controllers/application_controller_test.rb
@@ -449,7 +449,7 @@ class ApplicationControllerTest < ActionController::TestCase
false,
].each do |config|
test "invoke show with include_accept_encoding_header config #{config}" do
- Rails.configuration.include_accept_encoding_header_in_api_requests = config
+ Rails.configuration.APIResponseCompression = config
@controller = CollectionsController.new
get(:show, params: {id: api_fixture('collections')['foo_file']['uuid']}, session: session_for(:admin))
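Review bot: The test assigns `Rails.configuration.APIResponseCompression`, but the client in this same commit reads `Rails.configuration.Workbench.APIResponseCompression`, so the assignment never reaches the code under test and both iterations of the surrounding loop exercise the same default value. It should be `Rails.configuration.Workbench.APIResponseCompression = config`. The test name still says `include_accept_encoding_header`, which no longer matches the setting it toggles. Since ArvadosApiClient reads the flag when the client object is constructed, also confirm the assignment happens before the controller builds its client, otherwise the fix above is still ineffective; the enclosing loop starts outside this hunk.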
diff --git a/build/run-tests.sh b/build/run-tests.sh
index 6572765b9..ebe00f797 100755
--- a/build/run-tests.sh
+++ b/build/run-tests.sh
@@ -616,7 +616,9 @@ initialize() {
export R_LIBS
export GOPATH
- export PATH=$PATH:$GOPATH/bin
+ # Make sure our compiled binaries under test override anything
+ # else that might be in the environment.
+ export PATH=$GOPATH/bin:$PATH
# Jenkins config requires that glob tmp/*.log match something. Ensure
# that happens even if we don't end up running services that set up
@@ -1216,6 +1218,13 @@ for p in "${pythonstuff[@]}"; do
done
testfuncargs["sdk/cli"]="sdk/cli"
+testfuncargs["sdk/R"]="sdk/R"
+testfuncargs["sdk/java-v2"]="sdk/java-v2"
+testfuncargs["apps/workbench_units"]="apps/workbench_units"
+testfuncargs["apps/workbench_functionals"]="apps/workbench_functionals"
+testfuncargs["apps/workbench_integration"]="apps/workbench_integration"
+testfuncargs["apps/workbench_benchmark"]="apps/workbench_benchmark"
+testfuncargs["apps/workbench_profile"]="apps/workbench_profile"
if [[ -z ${interactive} ]]; then
install_all
diff --git a/lib/config/cmd.go b/lib/config/cmd.go
index b08ca0dec..0351ad02a 100644
--- a/lib/config/cmd.go
+++ b/lib/config/cmd.go
@@ -159,19 +159,7 @@ func (defaultsCommand) RunCommand(prog string, args []string, stdin io.Reader, s
}
}()
- var src map[string]interface{}
- err = yaml.Unmarshal(DefaultYAML, &src)
- if err != nil {
- err = fmt.Errorf("loading default config data: %s", err)
- return 1
- }
- removeSampleKeys(src)
-
- out, err := yaml.Marshal(src)
- if err != nil {
- return 1
- }
- _, err = stdout.Write(out)
+ _, err = stdout.Write(DefaultYAML)
if err != nil {
return 1
}
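Review bot: Writing `DefaultYAML` verbatim drops the `removeSampleKeys` step, so `config-defaults` now emits the `SAMPLE` placeholder entries (for example the `ManagedProperties: SAMPLE:` block in config.default.yml) as if they were real configuration, and any consumer still parsing this subcommand's output will pick them up. The two Ruby loaders in this commit switch to `config-dump -config=-`, so the change may be intentional, but then the subcommand's help text or doc comment should state that it prints the raw default YAML including SAMPLE entries, or the subcommand should be retired. If `removeSampleKeys` and the `yaml`/`fmt` imports are no longer referenced elsewhere in cmd.go the package will not build; I assume `config-dump` still uses them, but that is outside this hunk.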
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index f17c13d2a..4b0da2354 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -48,10 +48,57 @@ Clusters:
ExternalURL: ""
WebDAV:
InternalURLs: {}
+ # Base URL for Workbench inline preview. If blank, use
+ # WebDAVDownload instead, and disable inline preview.
+ # If both are empty, downloading collections from workbench
+ # will be impossible.
+ #
+ # It is important to properly configure the download service
+ # to migitate cross-site-scripting (XSS) attacks. A HTML page
+ # can be stored in collection. If an attacker causes a victim
+ # to visit that page through Workbench, it will be rendered by
+ # the browser. If all collections are served at the same
+ # domain, the browser will consider collections as coming from
+ # the same origin and having access to the same browsing data,
+ # enabling malicious Javascript on that page to access Arvados
+ # on behalf of the victim.
+ #
+ # This is mitigating by having separate domains for each
+ # collection, or limiting preview to circumstances where the
+ # collection is not accessed with the user's regular
+ # full-access token.
+ #
+ # Serve preview links using uuid or pdh in subdomain
+ # (requires wildcard DNS and TLS certificate)
+ # https://*.collections.uuid_prefix.arvadosapi.com
+ #
+ # Serve preview links using uuid or pdh in main domain
+ # (requires wildcard DNS and TLS certificate)
+ # https://*--collections.uuid_prefix.arvadosapi.com
+ #
+ # Serve preview links by setting uuid or pdh in the path.
+ # This configuration only allows previews of public data or
+ # collection-sharing links, because these use the anonymous
+ # user token or the token is already embedded in the URL.
+ # Other data must be handled as downloads via WebDAVDownload:
+ # https://collections.uuid_prefix.arvadosapi.com
+ #
ExternalURL: ""
+
WebDAVDownload:
InternalURLs: {}
+ # Base URL for download links. If blank, serve links to WebDAV
+ # with disposition=attachment query param. Unlike preview links,
+ # browsers do not render attachments, so there is no risk of XSS.
+ #
+ # If WebDAVDownload is blank, and WebDAV uses a
+ # single-origin form, then Workbench will show an error page
+ #
+ # Serve download links by setting uuid or pdh in the path:
+ # https://download.uuid_prefix.arvadosapi.com
+ #
ExternalURL: ""
+
Keepstore:
InternalURLs: {}
ExternalURL: "-"
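Review bot: The new WebDAVDownload comment drops the operational requirement that the old Workbench comment carried: the host part of this URL must match keep-web's `-attachment-only-host` argument, otherwise keep-web may serve the file inline rather than as an attachment, which is exactly the XSS case the comment asserts cannot happen. Suggest restoring it after the first paragraph: `# The host part of this URL must match the -attachment-only-host` / `# argument given to keep-web, which forces Content-Disposition: attachment.` The sentence `then Workbench will show an error page` also lost its tail from the old text (`when asked to download or preview private data`). In the WebDAV block, `migitate` should read `mitigate`, `This is mitigating by` should read `This is mitigated by`, and `A HTML page` should read `An HTML page`.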
@@ -306,6 +353,19 @@ Clusters:
ManagedProperties:
SAMPLE: {Function: original_owner, Protected: true}
+ # In "trust all content" mode, Workbench will redirect download
+ # requests to WebDAV preview link, even in the cases when
+ # WebDAV would have to expose XSS vulnerabilities in order to
+ # handle the redirect (see discussion on Services.WebDAV).
+ #
+ # This setting has no effect in the recommended configuration,
+ # where the WebDAV is configured to have a separate domain for
+ # every collection; in this case XSS protection is provided by
+ # browsers' same-origin policy.
+ #
+ # The default setting (false) is appropriate for a multi-user site.
+ TrustAllContent: false
+
Login:
# These settings are provided by your OAuth2 provider (e.g.,
# sso-provider).
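Review bot: The TrustAllContent comment no longer says that keep-web must also be started with `-trust-all-content` for this setting to take effect (the old Workbench comment did, with a link to the keep-web godoc), so an operator who flips only this half of an XSS-relevant control gets redirects that keep-web refuses, or a silently mismatched pair of settings. Suggest adding after the first paragraph: `# When enabling this setting, the -trust-all-content flag on the` / `# keep-web server must also be enabled; see` / `# https://godoc.org/github.com/curoverse/arvados/services/keep-web`. Whether keep-web reads this cluster key directly in this release is not visible here, so keep the wording as a requirement on both sides.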
@@ -627,9 +687,13 @@ Clusters:
MailchimpAPIKey: ""
MailchimpListID: ""
SendUserSetupNotificationEmail: true
+
+ # Bug/issue report notification to and from addresses
IssueReporterEmailFrom: ""
IssueReporterEmailTo: ""
SupportEmailAddress: ""
+
+ # Generic issue email from
EmailFrom: ""
RemoteClusters:
"*":
@@ -665,24 +729,44 @@ Clusters:
ArvadosPublicDataDocURL: https://playground.arvados.org/projects/public
ShowUserAgreementInline: false
SecretKeyBase: ""
+
+ # Scratch directory used by the remote repository browsing
+ # feature. If it doesn't exist, it (and any missing parents) will be
+ # created using mkdir_p.
RepositoryCache: /var/www/arvados-workbench/current/tmp/git
+
+ # Below is a sample setting of user_profile_form_fields config parameter.
+ # This configuration parameter should be set to either false (to disable) or
+ # to a map as shown below.
+ # Configure the map of input fields to be displayed in the profile page
+ # using the attribute "key" for each of the input fields.
+ # This sample shows configuration with one required and one optional form fields.
+ # For each of these input fields:
+ # You can specify "Type" as "text" or "select".
+ # List the "Options" to be displayed for each of the "select" menu.
+ # Set "Required" as "true" for any of these fields to make them required.
+ # If any of the required fields are missing in the user's profile, the user will be
+ # redirected to the profile page before they can access any Workbench features.
UserProfileFormFields: {}
- # exampleTextValue: # key that will be set in properties
- # Type: text #
- # FormFieldTitle: ""
- # FormFieldDescription: ""
- # Required: true
- # Position: 1
- # exampleOptionsValue:
- # Type: select
- # FormFieldTitle: ""
- # FormFieldDescription: ""
- # Required: true
- # Position: 1
- # Options:
- # red: {}
- # blue: {}
- # yellow: {}
+ # exampleTextValue: # key that will be set in properties
+ # Type: text #
+ # FormFieldTitle: ""
+ # FormFieldDescription: ""
+ # Required: true
+ # Position: 1
+ # exampleOptionsValue:
+ # Type: select
+ # FormFieldTitle: ""
+ # FormFieldDescription: ""
+ # Required: true
+ # Position: 1
+ # Options:
+ # red: {}
+ # blue: {}
+ # yellow: {}
+
+ # Use "UserProfileFormMessage to configure the message you want
+ # to display on the profile page.
UserProfileFormMessage: 'Welcome to Arvados. All <span style="color:red">required fields</span> must be completed before you can proceed.'
# Mimetypes of applications for which the view icon
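Review bot: The UserProfileFormFields comment says the parameter `should be set to either false (to disable) or to a map`, but the key's value in this file is a map (`{}`) and the Ruby migration in this commit only converts a legacy false into an empty collection, so `false` is not a valid value for the new key; reword to `# Set to an empty map ({}) to disable the profile page, or to a map as shown below.` The comment also keeps the legacy name `user_profile_form_fields`, and `Use "UserProfileFormMessage to configure` is missing its closing quote. UserProfileFormMessage carries raw HTML; if the view renders it unescaped (I cannot see it from here), the comment should say the value is trusted operator-controlled markup.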
@@ -705,19 +789,46 @@ Clusters:
vnd.realvnc.bed: {}
xml: {}
xsl: {}
+
+ # The maximum number of bytes to load in the log viewer
LogViewerMaxBytes: 1M
+
+ # When anonymous_user_token is configured, show public projects page
EnablePublicProjectsPage: true
+
+ # By default, disable the "Getting Started" popup which is specific to Arvados playground
EnableGettingStartedPopup: false
+
+ # Ask Arvados API server to compress its response payloads.
APIResponseCompression: true
+
+ # Timeouts for API requests.
APIClientConnectTimeout: 2m
APIClientReceiveTimeout: 5m
+
+ # Maximum number of historic log records of a running job to fetch
+ # and display in the Log tab, while subscribing to web sockets.
RunningJobLogRecordsToFetch: 2000
+
+ # In systems with many shared projects, loading of dashboard and topnav
+ # cab be slow due to collections indexing; use the following parameters
+ # to suppress these properties
ShowRecentCollectionsOnDashboard: true
ShowUserNotifications: true
+
+ # Enable/disable "multi-site search" in top nav ("true"/"false"), or
+ # a link to the multi-site search page on a "home" Workbench site.
+ #
+ # Example:
+ # https://workbench.qr1hi.arvadosapi.com/collections/multisite
MultiSiteSearch: ""
+
+ # Should workbench allow management of local git repositories? Set to false if
+ # the jobs api is disabled and there are no local git repositories.
Repositories: true
+
SiteName: Arvados Workbench
- TrustAllContent: false
+ ProfilingEnabled: false
# Workbench2 configs
VocabularyURL: ""
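Review bot: `When anonymous_user_token is configured` uses the legacy key name; the setting is now `Users.AnonymousUserToken` (that is what _breadcrumbs.html.erb reads in this commit), so write `# When Users.AnonymousUserToken is set, show the public projects page`. `cab be slow` should read `can be slow`. `ProfilingEnabled` is the one key added here without a comment; suggest `# Enable Workbench API-client profiling (see ArvadosApiClient). Leave false in production.` — the old Workbench production default was false, which is the only basis I have for that last clause.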
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 1bb046ff9..3c667ff4a 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -54,10 +54,57 @@ Clusters:
ExternalURL: ""
WebDAV:
InternalURLs: {}
+ # Base URL for Workbench inline preview. If blank, use
+ # WebDAVDownload instead, and disable inline preview.
+ # If both are empty, downloading collections from workbench
+ # will be impossible.
+ #
+ # It is important to properly configure the download service
+ # to migitate cross-site-scripting (XSS) attacks. A HTML page
+ # can be stored in collection. If an attacker causes a victim
+ # to visit that page through Workbench, it will be rendered by
+ # the browser. If all collections are served at the same
+ # domain, the browser will consider collections as coming from
+ # the same origin and having access to the same browsing data,
+ # enabling malicious Javascript on that page to access Arvados
+ # on behalf of the victim.
+ #
+ # This is mitigating by having separate domains for each
+ # collection, or limiting preview to circumstances where the
+ # collection is not accessed with the user's regular
+ # full-access token.
+ #
+ # Serve preview links using uuid or pdh in subdomain
+ # (requires wildcard DNS and TLS certificate)
+ # https://*.collections.uuid_prefix.arvadosapi.com
+ #
+ # Serve preview links using uuid or pdh in main domain
+ # (requires wildcard DNS and TLS certificate)
+ # https://*--collections.uuid_prefix.arvadosapi.com
+ #
+ # Serve preview links by setting uuid or pdh in the path.
+ # This configuration only allows previews of public data or
+ # collection-sharing links, because these use the anonymous
+ # user token or the token is already embedded in the URL.
+ # Other data must be handled as downloads via WebDAVDownload:
+ # https://collections.uuid_prefix.arvadosapi.com
+ #
ExternalURL: ""
+
WebDAVDownload:
InternalURLs: {}
+ # Base URL for download links. If blank, serve links to WebDAV
+ # with disposition=attachment query param. Unlike preview links,
+ # browsers do not render attachments, so there is no risk of XSS.
+ #
+ # If WebDAVDownload is blank, and WebDAV uses a
+ # single-origin form, then Workbench will show an error page
+ #
+ # Serve download links by setting uuid or pdh in the path:
+ # https://download.uuid_prefix.arvadosapi.com
+ #
ExternalURL: ""
+
Keepstore:
InternalURLs: {}
ExternalURL: "-"
@@ -312,6 +359,19 @@ Clusters:
ManagedProperties:
SAMPLE: {Function: original_owner, Protected: true}
+ # In "trust all content" mode, Workbench will redirect download
+ # requests to WebDAV preview link, even in the cases when
+ # WebDAV would have to expose XSS vulnerabilities in order to
+ # handle the redirect (see discussion on Services.WebDAV).
+ #
+ # This setting has no effect in the recommended configuration,
+ # where the WebDAV is configured to have a separate domain for
+ # every collection; in this case XSS protection is provided by
+ # browsers' same-origin policy.
+ #
+ # The default setting (false) is appropriate for a multi-user site.
+ TrustAllContent: false
+
Login:
# These settings are provided by your OAuth2 provider (e.g.,
# sso-provider).
@@ -633,9 +693,13 @@ Clusters:
MailchimpAPIKey: ""
MailchimpListID: ""
SendUserSetupNotificationEmail: true
+
+ # Bug/issue report notification to and from addresses
IssueReporterEmailFrom: ""
IssueReporterEmailTo: ""
SupportEmailAddress: ""
+
+ # Generic issue email from
EmailFrom: ""
RemoteClusters:
"*":
@@ -671,24 +735,44 @@ Clusters:
ArvadosPublicDataDocURL: https://playground.arvados.org/projects/public
ShowUserAgreementInline: false
SecretKeyBase: ""
+
+ # Scratch directory used by the remote repository browsing
+ # feature. If it doesn't exist, it (and any missing parents) will be
+ # created using mkdir_p.
RepositoryCache: /var/www/arvados-workbench/current/tmp/git
+
+ # Below is a sample setting of user_profile_form_fields config parameter.
+ # This configuration parameter should be set to either false (to disable) or
+ # to a map as shown below.
+ # Configure the map of input fields to be displayed in the profile page
+ # using the attribute "key" for each of the input fields.
+ # This sample shows configuration with one required and one optional form fields.
+ # For each of these input fields:
+ # You can specify "Type" as "text" or "select".
+ # List the "Options" to be displayed for each of the "select" menu.
+ # Set "Required" as "true" for any of these fields to make them required.
+ # If any of the required fields are missing in the user's profile, the user will be
+ # redirected to the profile page before they can access any Workbench features.
UserProfileFormFields: {}
- # exampleTextValue: # key that will be set in properties
- # Type: text #
- # FormFieldTitle: ""
- # FormFieldDescription: ""
- # Required: true
- # Position: 1
- # exampleOptionsValue:
- # Type: select
- # FormFieldTitle: ""
- # FormFieldDescription: ""
- # Required: true
- # Position: 1
- # Options:
- # red: {}
- # blue: {}
- # yellow: {}
+ # exampleTextValue: # key that will be set in properties
+ # Type: text #
+ # FormFieldTitle: ""
+ # FormFieldDescription: ""
+ # Required: true
+ # Position: 1
+ # exampleOptionsValue:
+ # Type: select
+ # FormFieldTitle: ""
+ # FormFieldDescription: ""
+ # Required: true
+ # Position: 1
+ # Options:
+ # red: {}
+ # blue: {}
+ # yellow: {}
+
+ # Use "UserProfileFormMessage to configure the message you want
+ # to display on the profile page.
UserProfileFormMessage: 'Welcome to Arvados. All <span style="color:red">required fields</span> must be completed before you can proceed.'
# Mimetypes of applications for which the view icon
@@ -711,19 +795,46 @@ Clusters:
vnd.realvnc.bed: {}
xml: {}
xsl: {}
+
+ # The maximum number of bytes to load in the log viewer
LogViewerMaxBytes: 1M
+
+ # When anonymous_user_token is configured, show public projects page
EnablePublicProjectsPage: true
+
+ # By default, disable the "Getting Started" popup which is specific to Arvados playground
EnableGettingStartedPopup: false
+
+ # Ask Arvados API server to compress its response payloads.
APIResponseCompression: true
+
+ # Timeouts for API requests.
APIClientConnectTimeout: 2m
APIClientReceiveTimeout: 5m
+
+ # Maximum number of historic log records of a running job to fetch
+ # and display in the Log tab, while subscribing to web sockets.
RunningJobLogRecordsToFetch: 2000
+
+ # In systems with many shared projects, loading of dashboard and topnav
+ # cab be slow due to collections indexing; use the following parameters
+ # to suppress these properties
ShowRecentCollectionsOnDashboard: true
ShowUserNotifications: true
+
+ # Enable/disable "multi-site search" in top nav ("true"/"false"), or
+ # a link to the multi-site search page on a "home" Workbench site.
+ #
+ # Example:
+ # https://workbench.qr1hi.arvadosapi.com/collections/multisite
MultiSiteSearch: ""
+
+ # Should workbench allow management of local git repositories? Set to false if
+ # the jobs api is disabled and there are no local git repositories.
Repositories: true
+
SiteName: Arvados Workbench
- TrustAllContent: false
+ ProfilingEnabled: false
# Workbench2 configs
VocabularyURL: ""
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 943e0a07a..3f71c6b44 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -141,6 +141,7 @@ type Cluster struct {
FileViewersConfigURL string
LogViewerMaxBytes ByteSize
MultiSiteSearch string
+ ProfilingEnabled bool
Repositories bool
RepositoryCache string
RunningJobLogRecordsToFetch int
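Review bot: Only `ProfilingEnabled` is added to the Workbench section of `Cluster`, while config.default.yml in this commit moves `TrustAllContent` from `Workbench` to `Collections`; nothing here removes a `Workbench.TrustAllContent` field or adds a `Collections.TrustAllContent` one, and the diffstat lists a single insertion for this file. If the Collections struct does not already carry that field, Go consumers will never see the new key and, depending on how strictly the loader matches keys, may reject or silently drop it, leaving an XSS-relevant setting unenforced on the Go side. Please confirm the struct on the Collections side; the enclosing `Cluster` struct starts and ends outside this hunk.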
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index 74f09675b..cf4b842c4 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -45,7 +45,9 @@ end
# Load the defaults, used by config:migrate and fallback loading
# legacy application.yml
-Open3.popen2("arvados-server", "config-defaults") do |stdin, stdout, status_thread|
+Open3.popen2("arvados-server", "config-dump", "-config=-") do |stdin, stdout, status_thread|
+ stdin.write("Clusters: {xxxxx: {}}")
+ stdin.close
confs = YAML.load(stdout, deserialize_symbols: false)
clusterID, clusterConfig = confs["Clusters"].first
$arvados_config_defaults = clusterConfig
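Review bot: Same gap as the Workbench loader: `status_thread` is discarded, so a missing or failing `arvados-server` produces nil or partial output and the API server dies at boot with a confusing `NoMethodError` on `confs["Clusters"]` instead of a clear message. Add `raise "arvados-server config-dump failed: #{status_thread.value}" unless status_thread.value.success?` once the output is consumed. Since this runs in the API server's config bootstrap, prefer `YAML.safe_load` (or `permitted_classes:` on the existing call) so the server never deserializes arbitrary object tags from whichever `arvados-server` PATH resolves to.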