-
Notifications
You must be signed in to change notification settings - Fork 11
/
opentdf-kas-mode.yaml
110 lines (108 loc) · 2.98 KB
/
opentdf-kas-mode.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# configures the platform to run only the KAS and well known service
# build off this config file if you intend on running a (or multiple) seperate kas instance(s)
mode: kas
sdk_config:
core:
endpoint: http://localhost:8080
plaintext: true
client_id: opentdf
client_secret: secret
logger:
level: debug
type: text
output: stdout
services:
kas:
keyring:
- kid: e1
alg: ec:secp256r1
- kid: e1
alg: ec:secp256r1
legacy: true
- kid: r1
alg: rsa:2048
- kid: r1
alg: rsa:2048
legacy: true
server:
tls:
enabled: false
cert: ./keys/platform.crt
key: ./keys/platform-key.pem
auth:
enabled: true
enforceDPoP: false
public_client_id: 'opentdf-public'
audience: 'http://localhost:8080'
issuer: http://localhost:8888/auth/realms/opentdf
policy:
## Default policy for all requests
default: #"role:standard"
## Dot notation is used to access nested claims (i.e. realm_access.roles)
claim: # realm_access.roles
## Maps the external role to the opentdf role
## Note: left side is used in the policy, right side is the external role
map:
# standard: opentdf-standard
# admin: opentdf-admin
## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
csv: #|
# p, role:admin, *, *, allow
## Custom model (see https://casbin.org/docs/syntax-for-models/)
model: #|
# [request_definition]
# r = sub, res, act, obj
#
# [policy_definition]
# p = sub, res, act, obj, eft
#
# [role_definition]
# g = _, _
#
# [policy_effect]
# e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
#
# [matchers]
# m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
cors:
enabled: false
# "*" to allow any origin or a specific domain like "https://yourdomain.com"
allowedorigins:
- '*'
# List of methods. Examples: "GET,POST,PUT"
allowedmethods:
- GET
- POST
- PATCH
- PUT
- DELETE
- OPTIONS
# List of headers that are allowed in a request
allowedheaders:
- ACCEPT
- Authorization
- Content-Type
- X-CSRF-Token
- X-Request-ID
# List of response headers that browsers are allowed to access
exposedheaders:
- Link
# Sets whether credentials are included in the CORS request
allowcredentials: true
# Sets the maximum age (in seconds) of a specific CORS preflight request
maxage: 3600
grpc:
reflectionEnabled: true # Default is false
cryptoProvider:
type: standard
standard:
keys:
- kid: r1
alg: rsa:2048
private: kas-private.pem
cert: kas-cert.pem
- kid: e1
alg: ec:secp256r1
private: kas-ec-private.pem
cert: kas-ec-cert.pem
port: 8181